Skip to content

Latest commit

 

History

History
122 lines (109 loc) · 13.8 KB

SECURITY_NOTES.md

File metadata and controls

122 lines (109 loc) · 13.8 KB

Security Notes

This file contains misc security notes.

ECDH Invalid Point Attack

When an ECDH key agreement is carried out it is possible to derive a private key by initiating an ECDH using a carefully chosen set of points (ECC Public Keys) existing on a low order curve.

The defence against this attack is to verify that the presented point is on the expected curve prior to carrying out the scalar multiplication used to compute the ECDH shared secret and to reject points not on the expected curve. Alas, this turns out to be non-trivial (and probably very slow) in the JavaCard realm because of the limited number of crypto primitives supported by javacardx.framework.math.BigNumber.

The current implementation of OpenFIPS201 permits limiting the crypto operations available to a key (see issue #29) and so we recommend that users:

  • Confirm that the cards or tokens they use actively defend against the attack
  • Never enable the keyAgreement role in conjunction with either of the sign or authenticate roles for any given ECC key object.

Information about this attack can be found here

Recommendation

Test points that can be used to confirm the defence are included below. The points can be formed into APDUs by prepending the points with the following bytes:

  • Curve P256 - 008711 477C4582008541
  • Curve P384 - 008714 677C6582008561

Test Points

Curve: P-256 - VALID points
04b2cd1ffd35be0df9330f8eee8212ea99cfac4f027659fa65b57aa7b5c84729687bbd298f68f24cab97b2013808870820769b9e0771b038106f14f7b94b2b698f
04b27d6ade15ac3ae47b1c66556f3f5a56e1f4d54448e287c746b25f3c79e1cc195cc0529d6d8eef73b5dd62e51137df259b530b5a1af5ff393a7eb0aaeb6ad308
04d8f02ac719cc5da33e573b1bc70b5f21ae4e70ffcf9ca880bceb6b913c29b773b442500c64b8249b1587e95b6f8dacd50439eba5a5139a35a2f27487285d4c5d
04d4a13e1a8f3301c9646f7652e5e6fa1d3b73dbbb83271e1db27e495d8f197b5bcd1d69ab4c98ddbdeac1025d29618b55b72723beb8fe148302a7c51168492302
04902263dd4865ef64bb01f32d77ae6d54d4e65f6a8e593ddb08c21a7daa4765839114e0b8577188740f8ba8d5cb6f2c23062f3b6bed45f005b4bfd339f0729f55
0470651bc4ef38fd1025efb9d4ba6847ecca9e4d10de08d7a91296e4881c31b65bf4cf6bfae2394cc12355178c9663bd7344ed4c5b84470406f2ef8df9229d5ac6
04f51c743a5bfd52957c7db242b0b03b24753e0cdebfb7e248358db5aab916db575facfe6fa09bf244fb1affc45e5f4941353879669f668cabcba0b5a74b3ac510
0489d43acdb9e39c412d7acd531d4389c18399c43257209b774612ae4ff5eed1d47af66c639eb814661deb202a9d3234f8146b0bad7ba65b020058ae54c39e4642
0483030492220c3cdbfefc6bedc26468b1a1ef12e4a278736c8009798e720dfc2fcd01ea5a2eed6d85c16d183731f96e2b220520b6b5f3a6da50f4a6c3f7af3a9f
0411d9f33bde6ea57ca33f5c5c6b84748b62f8361e2926fa414c074716f13ac6fc1eef72ac622bf527f50c0f9dc55a22d387e04f59d87d2d635e6aeb875f5e35f4
Curve: P-256 - INVALID points
0400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001
040000000000000000000000000000000000000000000000000000000000000000ffffffff00000001000000000000000000000000fffffffffffffffffffffffe
040000000000000000000000000000000000000000000000000000000000000000ffffffff00000001000000000000000000000000ffffffffffffffffffffffff
0400000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000
0400000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000001
040000000000000000000000000000000000000000000000000000000000000001ffffffff00000001000000000000000000000000fffffffffffffffffffffffe
040000000000000000000000000000000000000000000000000000000000000001ffffffff00000001000000000000000000000000ffffffffffffffffffffffff
04ffffffff00000001000000000000000000000000fffffffffffffffffffffffe0000000000000000000000000000000000000000000000000000000000000000
04ffffffff00000001000000000000000000000000fffffffffffffffffffffffe0000000000000000000000000000000000000000000000000000000000000001
04ffffffff00000001000000000000000000000000fffffffffffffffffffffffeffffffff00000001000000000000000000000000fffffffffffffffffffffffe
04ffffffff00000001000000000000000000000000fffffffffffffffffffffffeffffffff00000001000000000000000000000000ffffffffffffffffffffffff
04ffffffff00000001000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000
04ffffffff00000001000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000001
04ffffffff00000001000000000000000000000000ffffffffffffffffffffffffffffffff00000001000000000000000000000000fffffffffffffffffffffffe
04ffffffff00000001000000000000000000000000ffffffffffffffffffffffffffffffff00000001000000000000000000000000ffffffffffffffffffffffff

The following invalid P256 points were created by generating valid points and 1 added to the X coordinate

046b26d6898d83d59ecbf4f2f67b9e9dfbf7b7f53a29edbbb9d5f552ec9bc764a1b26eb362bc08f76f9236c29abda0f18c0dda139f95894170aa4465530a537104
044de81f34becb40dfe9c624a13415f2df7aec87b90c7231706ec48fdaca0445a00187d6f4b77989059481c5b96c5d20a90c5ce23368a588073037320f9572a35e
0403c442c3dd5a180c81ee2c4e60bb0b1ca446602027dd7be69f4f0e4a17a7c2627472d7f0782e5f655a259773e458a4e870434f52f21243ca62af81a793d23e0d
044d31e67a77652837801855982d790ece87ea155b11e50836513684cc7dc8c6a74b824cf3e33d7712ce324a496fa58035a75ef8ed729d087af0a747e502ad8e9d
0413a449f555a34a22692d772694f61e94fa033477923f4a9336bb326f60842f3b94535ab888ae77e063581e1c0c0d8f15aeb598b1b9c7995608fb4edfa156c712
04f88d8c4597cc06236ba90fc41a198513dfb4965344c5cf786d4bbe628af850c9a7c5e34be311f21a5ecdb1ba78b7ba3537fea1bf0d3b3d4a689ae33b3ddd9299
04fd71aee9fb5c2b98fc479941076e9d2061735f0850c433522d9075b18e3c44d67e4999d889b21b193241e39ea7042eaa067fc2d908b7ea91f227fdbb2377a4aa
04b6d82f488d66f9ded64586f1bc6043b99fec47cafc21f79b6a1a8316fc5bdcd80b616e352de352b6f0e4e1f1e8e5cc8c795d695b7d66f082b2823a4e8dfbdb37
0417c10d019c28dfff2d9a2d7fccaf05ad29a3fa602a4a5b348043b9631975a6b0841a02f06c744d5cb57d7970cbe9ef96579d3d66079db2d11bf21bf348eb9926
049a4122b1c1550137c49f7978cb07f9d9e061772e14021ec7b57bcb5d0b2e49f44a78108fbcf10a3bdbd765201cae975ceaed7dbe5bb7c2cf9210be8fc3292bf6
Curve: P-384 - VALID points
041809bb9bb30b6cee0a4e696fe6649a1f6d30b128896b0b3a369b1fc2d4cf5119bc51ce048fee360f2aab82e03a41f0acfd964a8470ab026ca56dfac9a44528d85bd70ea43200402cd99a8a172a896caf9fa4b9782184792ac8430c847ae22b18
04d0c385606d02e1154d43ff459f2117a0144a2228187bffaacd4b6071287787988e9e1dadf792968eb64be75769c3c5350ad60e9b4bd96e8b9c3100658ae0fbb94fae2f298040384e4f2435953a2cd7f211b630c9827e279ce08ec42d7f3ed7f4
04ee45d59e21ff3f22234048ce69eb470f1987a9b78b15ecebe39d05a9710c7cb44d7884f0b1627af831f1d83e8137f0dcbf5f2046fc06fc299acb615f305c696b40f5c523f1b10b2e734b8532960df9ccb8247a6774fadc51c98b9bc5e120ddb3
04e1bb7ae49cb2295644e4b09d14923529457a00aa9cc5f37a31cdb815c742cdc8865edf3f8af7a60b4c4c88c03cb8d88ebc09305521a7f47a50a98782d86e22d979c34716657237364c9ef3aa5b1138d717b5c83e1d689938109368bdd46b1848
047d825fc8cf4d83ad62164bae630bdb2e4389135b6e4a9a42b1544927cb651e8b0c712d8446d67250893f7d5cbe87a714cd84c3c74aa8b8acc97d3fd07ef190cfd9e165ff607dc80afcc05fe92b7b3b3d773ae8e4d97a241faaea272ccedb6d2d
04b7abb20ed224c9f4d8bbec7e8b180e68b6fd35187467a65bd8be3ece500575dc5f39ebfc1ee8e2591363a95985b4ed689ce1c1a5073bc01d20f9067594bb1e2cea2213254ba50962965b57f0b451a4f3e96b47a6888b9641c5d86e6ed8ed6cd8
04403cb6b9995d6e7b5aecbc48051a284a9db3eba2083aa00f105b867938fdeabb9fe043f6ea88ae6f523b2ca306a6fd0fdc8a3bed56c819b5ab0b292890b05a749b8cd1b80138896b44fff9a15b6ead2b6413cd3fcf9de9628fac95c6a475e6de
044661826dde4a827b569b6ec680197f0edb3489f26d316c145e8650d13bea6fd0c3637f6ad5f1efabcac438bd85a8ba3080746acd16d4e1938bc7d3e1b34e01a616e829335a3449c97a82db63c2cc97a476455b6f8bed930cd50ef0081b8d6699
044e9e2ca424cd273a58178b1f1a766b8d94345fbb651cc8c47c53f11ee57c4f5cc520fb5f23e0280e5e1352a8197f40364e2101a0003e45e24fb3136f2d0c38ecac9a24bd5f647fa07a37b81c3500388055a211c1addddaa0e2c23fde48626e7e
04b02eb2e1d66c4e7cc3f84a77ddfc352ecd2452ba85ec1d583520b338fc399982333905d00a010f0cc2756eeb475543606844fe2d89b0b03802c7d542cffa8581871d11884725956b47fb60b9dab3da2c3060c9f872a651e61a08edf77e624b4b
Curve: P-384 - INVALID points
04000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
04000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001
04000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffe
04000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff
04000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
04000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001
04000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffe
04000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff
04fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffe000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
04fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffe000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001
04fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffefffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffe
04fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffefffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff
04fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
04fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001
04fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffe
04fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff

The following invalid P384 points were created by generating valid points and 1 added to the X coordinate

04e1593666fd2396e79039af9d0cd279bcb7785be1af108a70e8a9748fd8e43f7ba21cb2ed1a1fe538fb50e8c39dfd4b069a525ef6a956d59fb8aed547b0eee4f70a198e9f6af58bb662090e6f7e592d7e4dda3e30a8ff4fe9a5b98cb3a427dc3f
049f370c91c0bd8da56c1cfcf335bc412e0338fbdf6bffc80a719bbfebeee7306a85fd3d9930a7aeb83297d6e8b90777aeca15a775dfcf43c93860e84438afdf6aba3a6db8c97d843dd711b687da7a7c0702716bab3caea3d80e388e6bdfa833a8
044bf63bbba04e110ed4ae7c5be4eb9318e9d9348b1a8a7ae1ae90323a539e149861f90949de82ebcfbb82a36c50c21fe6372673f590f8da0e981396b55e3a2920f5086ae9c66046d18a0de4462d6c2a6e4b0e0320f116d45499c5e6bbc173bd29
046e213a4a844e7bbbd7e61fb0a16552b14db536386be9cdb3cd9e33f9a4e8953cfc58d883f744f1b4581239e09c0471ec5745589e47e1648294d65eb02e7081182fd41db2bd4b3263432e654667d4bf2b3810bac64dbf81045b021f316cc331c6
043b6c9ddbb084826be48c29163179a6557c6da180103923e249f6d5a99a1c164468a85db8ae1e43dffcc916be715843bfb697415b95f9c617d623a2944359c6633ba614a3d1ed5f1d4441219282359140f006be1eb406eb52cfd5cb69b6f5d88d
044a524b15d07cadbd17fc05d023804da4b1aed9308394a22a5ea8483b816a00790c48e22360658c98ec781e96ed7bcd9e36c2c7a7ba086c6706b0d0373d2dbb6812c27d3b5408d83e8d74ba1fe86356d007abf48c391a35262f4b115429555e1b
04bda4b9877eb090bd3c545f07943e4229e466e61700b6ad58f513a4dee498f3b56d7db0e79a1a69104c2315dd641b14ef8acd243591098902907dd8ddcf9d653588c899671160133e1cb10f1a065ef12e07f969798615f6e56ace1c9e27f44562
0462631f38631ff8e7ff1ed3068e13d6878aa1445cf697ba3a26f3aee4d90c451ec795a9411257d298fa33ef5b47b10518fceb1ee10569f030ad043e6679e62cb7567b30612f68e2f3729fb000df0400e0448f09b383ee50c83531010fb52bc008
047afeafb849823c769f303eb271345983d16ef51ee5284e47444bdc59d14979d928d822cfbbcf59e2e8e08aef3ed7325667be02e63b4f2f2785d32701ad2f287f56f1877e0bcbbfc3fb4da2111548ebcc7a18b048d5e94825a601e965965390b9
048342438090b7271818868de33b79d85d5ee0357401d137177b42c2f06707b025f7694b34c95ee3c14c0fe8c0d90138896ab7b167f9f7ef37affe4bd237c020c97a4ae452eaabd8cdf5ed8e0a163b614bcd62e90b3841d08147b0ab6896fc1881