How to Backdoor Diffie-Hellman

David Wong

NCC Group June 2016

Abstract

Lately several backdoors in cryptographicconstructions protocols and implementationshave been surfacing in the wild Dual-EC inRSArsquos B-Safe product a modified Dual-ECin Juniperrsquos operating system ScreenOS anda non-prime modulus in the open-source toolsocat Many papers have already discussedthe fragility of cryptographic constructionsnot using nothing-up-my-sleeve numbers aswell as how such numbers can be safely pickedHowever the question of how to introduce abackdoor in an already secure safe and easyto audit implementation has so far rarely beenresearched (in the public)We present a new way of building a Nobody-But-Us (NOBUS) Diffie-Hellman backdoor byusing a composite modulus with a smoothorder We then explain how we were able toimplement a proof of concept with Socat andOpenSSL in order to exploit our backdoor onthe TLS protocol

Keywords Diffie-Hellman EphemeralDHE NOBUS Backdoor Discrete LogarithmSmall Subgroup Attack Pohlig-Hellman Pol-lard Rho Factorization Pollardrsquos p-1 ECMDual-EC Juniper socat

Update (December 2016) Dorey et al1

1Kristen Dorey Nicholas Chang-Fong and Alek-sander Essex Indiscreet Logs Persistent Diffie-Hellman Backdoors in TLS Cryptology ePrint

have pointed an attack on our first contribu-tion as well as an improvement for the ex-ploitation of our second contribution Thiswork has been updated to reflect these ad-vances

1 Introduction

Around Christmas 2015 Juniper a networkinghardware company released an out-of-cycle se-curity bulletin2 Two vulnerabilities were dis-closed without much details to help us graspthe seriousness of the situation Fortunatelyat this period of the year many researcherswere home with nothing else to do but to solvethis puzzle By quickly comparing both thepatched and vulnerable binaries the two is-sues were pinpointed While one of the vulner-abilities was a simple ldquomasterrdquo-password im-plemented at a crucial step of the productrsquosauthentication the other discovery was a bitmore subtle a unique value was modifiedMore accurately a number in the source codewas replaced The introduction of the vulner-ability was so simple and due to the fact thatthe number was stored as a string of hexadec-imal digits the trivial use of the UNIX com-mand line tool strings was enough to discoveritThe special value ended up being a constant

Archive Report 2016999 http eprint iacr org2016999 2016

2httpskbjunipernetInfoCenterindexpage=contentampid=JSA10713

1

Figure 1 The strings of the patched binary

Figure 2 The strings of the vulnerable binary

used in the systemrsquos pseudo-random numbergenerator (PRNG) Dual EC an odd algo-rithm believed to have been backdoored by theNSA3 The PRNGrsquos core has the ability to pro-vide a Nobody-But-Us (NOBUS) trapdoor asecret passage that can only be accessed by thepeople holding the secret key In our case theelliptic curve discrete logarithm k in the DualEC equation Q = [k]P (where P and Q arethe two elliptic curve points used in the foun-dation of Dual EC)Solely the NSA is thought to be in possessionof that k value making them the only onesable to climb back to the PRNGrsquos internalstate from random outputs and then able topredict the PRNGrsquos future states and outputsThe backdoor in Dual EC was pointed out by

3Daniel J Bernstein Tanja Lange and RubenNiederhagen Dual EC A Standardized Back DoorCryptology ePrint Archive Report 2015767 httpeprintiacrorg2015767 2015

Shumow and Ferguson4 at Crypto 2007 whichmight have been the reason why Juniper gen-erated their own point Q in their implementa-tion of Dual EC Shortly after that revision amysterious update would change that Q pointone more time magically allowing another or-ganization or person to access that backdoorin place of the NSA or JuniperAlthough the quest to find Juniperrsquos backdoorand the numerous open questions that arosefrom that work is a fascinating read byitself5 it is only the introduction of the workyou are currently reading Here we aim toshow how secure and strong cryptographicconstructions are a single and subtle changeaway from being your own secretive peep show

On February 1st 2016 only a few months afterJuniperrsquos debacle socat published a securityadvisory of its own6

In the OpenSSL address implemen-tation the hard coded 1024-bit DH pparameter was not prime The effec-tive cryptographic strength of a keyexchange using these parameters wasweaker than the one one could getby using a prime p Moreover sincethere is no indication of how these pa-rameters were chosen the existenceof a trapdoor that makes possible foran eavesdropper to recover the sharedsecret from a key exchange that usesthem cannot be ruled out

In the same vein as Juniperrsquos problem a single4Shumow and Ferguson On the Possibility of

a Back Door in the NIST SP800-90 Dual Ec PrngCrypto 2007 http rump2007 cr yp to 15 -shumowpdf 2007

5Stephen Checkoway et al A Systematic Analysisof the Juniper Dual EC Incident Cryptology ePrintArchive Report 2016376 http eprint iacr org2016376 2016

6httpwwwopenwallcomlistsoss-security201602014

2

number was at issue This time it was thepublic modulus an integer used to generatethe ephemeral Diffie-Hellman keys of bothparties during socatrsquos TLS handshakes Thisalgorithm had been contrary to Dual-ECconsidered secure from the start But as itturned out badly understood as well as theLogjam7 paper had demonstrated earlier inthe previous year most servers would useDiffie-Hellman key exchanges to performephemeral handshakes and the same serverswould generate their ephemeral keys fromhardcoded defaults (often the same ones)provided by various TLS libraries Thepaper raised a wave of discussion around howdevelopers should use Diffie-Hellman at thesame time scaring people away from 1024 bitDH ldquoWe estimate that even in the 1024-bitcase the computations are plausible givennation-state resourcesrdquo

Securely integrating DH in a protocol isunfortunately not well understood Defensiveapproaches are discussed in several RFCs89but few papers so far have taken the point ofview of the attacker The combination of thecurrent trend of increasing the bitsize of DHparameters with the now old trend of usingopen source librariesrsquo defaults to generateephemeral Diffie-Hellman keys would giveopportunist attackers a valid excuse to submittheir bigger (more secure) and backdoored

7David Adrian et al ldquoImperfect Forward SecrecyHow Diffie-Hellman Fails in Practicerdquo In 22nd ACMConference on Computer and Communications Secu-rity https weakdh org imperfect - forward -secrecy-ccs15pdf Oct 2015

8Eric Rescorla RFC 2631 Diffie-Hellman KeyAgreement Method RFC 2631 httpsrfc-editororgrfcrfc2631txt 2013 doi 1017487rfc2631

9Robert Zuccherato RFC 2785 Methods forAvoiding the Small-Subgroup Attacks on the Diffie-Hellman Key Agreement Method for SMIME RFC2785 httpsrfc-editororgrfcrfc2785txt2013 doi 1017487rfc2785

parameters into open-source or closed-sourcelibraries This work is about generating suchbackdoors and implementing them in TLSshowing how easy and subtle the process isThe working code along with explanations onhow to reproduce our setup is available onGithub10

In section 2 we will first briefly talk aboutthe several attacks possible on Diffie-Hellmanfrom small subgroup attacks to Pohlig Hell-manrsquos algorithm In section 3 we will introduceour first attempt at a DH backdoor We willpresent another DH backdoor in section 4 byusing the ideas of the previous section with acomposite modulus In section 5 we will see an-other method using a composite modulus thatallows us to choose a specific generator allow-ing us to only modify the modulus value whenimplementing our backdoor In section 6 wewill explain how we implemented the backdoorin TLS and how we exploited it We will thensee in section 7 how to detect such backdoorsand how to prevent them Eventually we willwrap it all up in section 8

2 Attacks on Diffie-Hellmanand the Discrete Logarithm

To attack a Diffie-Hellman key exchange onecould extract the secret key a from one of thepeerrsquos public key ya = ga (mod p) One couldthen compute the shared key gab (mod p)using the other peerrsquos public key yb = gb

(mod p)

The naive way to go about this is to computeeach power of g (while tracking the exponent)until the public key is found This is calledtrial multiplication and would need on av-erage q

2 operations to find a solution (with10httpsgithubcommimooDiffie-Hellman_

Backdoor

3

q the order of the base) More efficientlyalgorithms that compute discrete logarithmin expected radicq steps like Shankrsquos baby-stepgiant-step (deterministic) Pollard rho orPollard Kangaroo (both probabilistic) can beused Because of the memory required forbaby-step giant-step Pollardrsquos algorithms areoften preferred While both are parallelizablePollard Kangaroo is used when the order isunknown or known to be in a small intervalFor larger orders the Index Calculus or Num-ber Field Sieve (NFS) algorithms are the mostefficient But so far computing a discretelogarithm in polynomial time on a classicalcomputer is still an open problem

21 Pollard Rho

The algorithm that interests us here is PollardRho it is fast in relatively small orders it isparallelizable and it takes very little amountof memory to run The idea comes from thebirthday paradox and the following equation(where x is the secret key we are looking forand a aprime b and bprime are known)

gxa+b = gxaprime+bprime (mod p)

=rArr x = (aminus aprime)minus1(bprime minus b) (mod pminus 1)

The birthday paradox tells us that by lookingfor a random collision we can quickly find onein O(radicp) A random function is used to ef-ficiently step through various gxa+b until twovalues repeat themselves it is then straightfor-ward to calculate x Cycle-finding algorithmsare used to avoid storing every iteration of thealgorithm (two different iterations of gxa+b arestarted and end up in a loop past a certainstep) and the technique of distinguished pointsis used to parallelize the algorithm (Machinesonly save and share particular iterations forexample iterations starting with a chosen num-ber of zeros)

22 Pohlig-Hellman

In 1978 Pohlig and Hellman discovered ashortcut to the discrete logarithm problem11if you know the complete factorization of theorder of the group and all of the factors are rel-atively small then the discrete logarithm canbe quickly computedThe idea is to find the value of the secret keyx modulo the divisors of the grouprsquos order byreducing the public key y = gx (mod p) insubgroups of order dividing the group orderThanks to the Chinese Remainder Theorem(CRT) stated later on the secret key can thenbe reassembled in the group order Summedup below is the full Pohlig-Hellman algorithm(with ϕ being Eulerrsquos totient function)

1 Determine the prime factorization of theorder of the group

ϕ(p) =prod

pkii

2 Determine the value of x modulo pkii foreach i

3 Recompute x (mod ϕ(p)) with the CRT

The central idea of Pohlig and Hellmanrsquos al-gorithm is in how they determine the value ofthe secret key x modulo each factor pkii of theorder One way of doing it is to try to reducethe public key to the subgroup wersquore lookingat by computing

yϕ(p)pkii (mod p)

Computing the discrete logarithm of thatvalue we get x (mod pkii ) This works because

11Stephen Pohlig and Martin Hellman An ImprovedAlgorithm for Computing Logarithms over GF(p) andits Cryptographic Significance http www - ee stanfordedu~hellmanpublications28pdf 1978

4

of the following observation (note that x canbe written x1 + pkii x2 for some x1 and x2)

yϕ(p)pkii = (gx)ϕ(p)p

kii (mod p)

= g(x1+pkii x2)ϕ(p)p

kii (mod p)

= gx1ϕ(p)pkii gx2ϕ(p) (mod p)

= gx1ϕ(p)pkii (mod p)

= (gϕ(p)pkii )x1 (mod p)

The value we obtain is a generator of thesubgroup of order pkii raised to the powerx1 By computing the discrete logarithm ofthis value we will obtain x1 which is thevalue of x modulo pkii Generally we will usethe Pollard Rho algorithm to compute thatdiscrete logarithm

The Chinese Remainder Theorem sometimesused for good12 will be of use here for evil Thefollowing theorem states why it is possible forus to find a solution to our problem once wefind a solution modulo each power prime factorof the order

Theorem 1 Suppose m =kprodmi with

m1 middot middot middot mk pairwise co-prime

For any (a1 middot middot middot ak) there exists an x suchthat

x = a1 (mod m1)x = ak (mod mk)

There is a simple way to recover x (mod m)which is stated in the following theorem

Theorem 2 Moreover there exists a unique

12Shinde and Fadewar Faster RSA Algorithm forDecryption Using Chinese Remainder Theorem httpwwwtechsciencecomdoi103970icces2008005255pdf

solution for x (mod m)

x =

ksumai lowast (

prodj 6=i

mjmj) (mod m)

with mj = mminus1j (mod mi)

At first it might be kind of hard to graspwhere that formula is coming from But letrsquossee where it does by starting with only twoequations Keep in mind that we want to findthe value of x modulo m = m1m2

x = a1 (mod m1)

x = a2 (mod m2)

=rArr x = (mod m)

How can we start building the value of x

If x = a1m2 (mod m)

then

x = a1m2 (mod m1)

x = 0 (mod m2)

Not quite what we want but we are gettingthere Letrsquos add to it

If x = a1m2m2 (mod m)

m2 the integer congruent to mminus12 (mod m1)

then

x = a1m2m2 = a1 (mod m1)

x = 0 (mod m2)

Thatrsquos almost what we want Half of what wewant actually We just need to do the samething for the other side of the equation andwe have

x = a1m2m2+a2m1m1 (mod m)

= a1m2m2 (mod m1)= a1 (mod m1)

= a2m1m1 (mod m2)= a2 (mod m2)

5

with m2 the integer congruent to mminus12

(mod m1) and m1 the integer congruent tomminus11 (mod m2)

Everything works as we wanted Now youshould understand better how we came up withthat general formula There have been im-provements to it with the Garnerrsquos algorithm13

but this method is so fast anyway that it is notthe bottleneck of the whole attack

23 Small Subgroup Attacks

The attack we just visited is a passive attackthe knowledge of one Diffie-Hellman exchangebetween two parties is enough to obtain thefollowing shared key But instead of reducingone partyrsquos public key to an element of dif-ferent subgroups there is another clever at-tack called a small subgroup attack that cre-ates the different subgroup generators directlyand sends them to one peer successively to ob-tain its private key It is an active attack thatdoesnrsquot work against ephemeral protocols thatrenew the Diffie-Hellman public key for everynew key exchange This is for example thecase with TLS when using ephemeral Diffie-Hellman (DHE) as a key exchange during thehandshakeThe attack is straight forward and summed upbelow

1 Determine the prime factorization of theorder of the group

ϕ(p) =prod

pkii

2 Find a generator for every subgroup of or-der pkii this can be done by picking a ran-dom element α and computing

αϕ(p)pkii (mod p)

13httpwwwcseeumbcedu~lomonacos08441handoutsGarnerAlgpdf

3 Send generators one by one as your pub-lic keys in different Diffie-Hellman key ex-changes

4 Determine the value of x modulo pkii foreach shared key computed

5 Recompute x (mod ϕ(p)) with the CRT

The fourth step can be done by having ac-cess to an oracle telling you what the sharedkey computed by the victim is In TLS thisis done by brute-forcing the possible solutionsand seeing which one has been used by the vic-tim in his following encrypted messages (forexample the MAC computation in the Finishmessage during the handshake) With theseconstraints the attack would be weaker thanPohlig-Hellman since the brute-force is slowerthan Pollard Rho or even trial multiplicationBecause of the previously stated limitationsand the fact that this attack only works forrather small subgroups we wonrsquot use it in thiswork

3 A First Backdoor Attemptin Prime Groups

The naive approach to creating a backdoorwould be to weaken the parameters enoughto make the computation of discrete loga-rithms affordable Making the modulus aprime of a special form (re + s with small rand s) would facilitate the Special NumberField Sieve (SNFS) algorithm Having asmall modulus would also allow for easierpre-computation of the General Number FieldSieve (GNFS) algorithm It is believed14 thatthe NSA has enough power to achieve the

14David Adrian et al ldquoImperfect Forward SecrecyHow Diffie-Hellman Fails in Practicerdquo In 22nd ACMConference on Computer and Communications Secu-rity https weakdh org imperfect - forward -secrecy-ccs15pdf Oct 2015

6

first pre-computing phases of GNFS on 1024bit primes which would then allow them tocompute discrete logarithms in such largegroups in the matter of seconds But theseideas are pure computational advantages thatinvolve no secret key to make the use ofefficient backdoors possible Moreover theyare downright not practical the attackerwould have to re-do the pre-computing phaseentirely for every different modulus and thenext generation of recommended modulusbitsize (2048+) would make these kind ofcomputational advantages fruitless

Another approach could be to use a genera-tor of a smaller subgroup (without publishingwhat smaller subgroup we use) so that algo-rithms like Pollard Rho would be cost-effectiveagain

ϕ(p) = pminus 1 = p1 times middot middot middot times pk

gxy = (mod p)

order

But then algorithms like Pollard Kangaroothat run in the same amount of time asPollard Rho and that do not require theknowledge of the basersquos order could be usedas well by anyone willing to try This makesit a poorly hidden backdoor that we cannotqualify as NOBUS

Section 4 uses both of these ideas to inserta backdoor into Diffie-Hellman by usinga composite modulus GNFS and SNFScan then be used modulo the factors of thecomposite modulus or better as we will seethe generatorrsquos ldquosmallrdquo subgroups can beconcealed modulo the factors

Back to our prime modulus A second ideawould be to set the scene for the Pohlig-Hellman algorithm to work This can be done

by fixing a prime modulus p such that p minus 1is B-smooth with B small enough for discretelogarithms in bases of order B to be possible

y = gx (mod p)ϕ(p) = pminus 1 = p1 times middot middot middot times pk

x (mod p1) middot middot middot x (mod pk)

Pohlig-Hellman

x (mod ϕ(p))

CRT

But this design is flawed in the same ways asthe previous ones were anyone can computethe order of the group (by subtracting 1 fromp) and try to factor it Choosing p such thatp minus 1 would include factors small enough touse one of the O(radicp) would make it danger-ously factorisable Using the Elliptic CurveMethod (ECM) a factorization algorithmwhich complexity only depends on the size ofthe smallest factor (or for a full factorizationon the size of the second largest factor) thelatest records15 were able to find factors ofaround 300 bits This necessary lower boundon the factors makes it unfeasible to use anyof the O(radicp) algorithms that would take forexample more than 2150 operations to solvethe discrete logarithm of 300 bit orders

Our contribution in section 5 uses a compos-ite modulus to hide the smoothness of the or-der as long as the modulus cannot be factoredThis method is preferred from the other meth-ods as it is not reversible and might only needa change of modulus For example in manyDH parameters or implementations g = 2 as agenerator is often used While the first methodwill not allow any easy ways to find a specificgenerator our second method will

15httpwwwloriafr~zimmermarecordstop50html

7

4 A Second Backdoor At-tempt With a CompositeModulus and a Hidden Sub-group

Update this section was first presented as away to construct a Nobody-But-Us backdoorimproving on the previous section Unfortu-nately Dorey et al16 have pointed an attackon this method that makes the backdoor re-versible This section has been left as is butit should be noted that there exist a way toreverse it according to Coron et al17

Our first backdoor gets around the previousproblems using a composite modulus n = pqwith p and q large enough to avoid thefactorization of n This requires the sameprecautions used to secure RSA instanceswith n typically reaching 2048 bits and withtwo factors p and q nearing the same size

With the factorization of n known the dis-crete logarithm problem can be reduced mod-ulo p and q and solved there before being re-constructed modulo ϕ(n) with the help of theCRT theorem

16Kristen Dorey Nicholas Chang-Fong and Alek-sander Essex Indiscreet Logs Persistent Diffie-Hellman Backdoors in TLS Cryptology ePrintArchive Report 2016999 http eprint iacr org2016999 2016

17Jean-Sebastien Coron et al Cryptanalysis of theRSA Subgroup Assumption from TCC 2005 Cryptol-ogy ePrint Archive Report 2010650 httpeprintiacrorg2010650 2010

y = gx (mod n = pq)

y (mod p) y (mod q)

x (mod pminus 1) x (mod q minus 1)

NFSSNFS NFSSNFS

x (mod (pminus 1)(q minus 1))

CRT

p and q could be hand-picked as SNFS primesor we could use GNFS to compute the discretelogarithm modulo p and q But a more efficientway exists to ease the discrete logarithm prob-lem Choosing a generator g such that both gmodulo p and g modulo q generate ldquosmallrdquo sub-groups would allow us to compute two discretelogarithms in two small subgroups instead ofone discrete logarithm in one large groupFor example we could pick p and q such thatp minus 1 = 2p1p2 and q minus 1 = 2q1q2 with p1 andq1 two small prime factors and p2 q2 two largeprime factors Lagrangersquos theorem tells us thatthe possible orders of the subgroups are divi-sors of the group order This means we canprobably find an element g of order p1q1 to beour Diffie-Hellman generator

pminus 1

p12 p2

g (mod p)

subgroup of order

q minus 1

q12 q2

g (mod q)

By reducing the discrete logarithm problemy = gx modulo p and q with our new back-doored generator we can compute x modulopminus1 and qminus1 more easily and then recomputean equivalent secret key modulo (pminus1)(qminus1)

8

This will find the exact original secret keywith a probability of 1

4p2q2 which is tiny but

this doesnrsquot matter since the shared key wewill compute with that solution and the otherpeerrsquos public key will be a valid shared key

Proof Let a+ kap1q1 be Alicersquos public key forka isin Z and let b+ kbp1q1 be Bobrsquos public keyfor kb isin Zthen Bobrsquos shared key will be(ga+kap1q1)b+kbp1q1 = gab (mod n)Let a + kcp1q1 be the solution we found forkc isin Zthen the shared key we will compute will be(gb+kbp1q1)a+kcp1q1 = gab (mod n) which isthe same as Bobrsquos shared key

Update here the research of Dorey etal18 pointed that p1 and p2 can be found inO(max(p1 p2)) operations with Coron et alrsquosattack19 which makes this backdoor as easyto reverse as it is to exploit Thus this can nolonger be called a Nobody-But-Us backdoorFortunately our contribution in section 5 stillholds

We used the Pollard Rho function in Sage 610on a Macbook Pro with an i7 Intel Core 31GHz to compute discrete logarithms mod-ulo safe primes of diverse bitsizes The resultsare summed up in the table below

order size expected complexity time

40 bits 220 01s45 bits 222 04s50 bits 225 34s

18Kristen Dorey Nicholas Chang-Fong and Alek-sander Essex Indiscreet Logs Persistent Diffie-Hellman Backdoors in TLS Cryptology ePrintArchive Report 2016999 http eprint iacr org2016999 2016

19Jean-Sebastien Coron et al Cryptanalysis of theRSA Subgroup Assumption from TCC 2005 Cryptol-ogy ePrint Archive Report 2010650 httpeprintiacrorg2010650 2010

A stronger and more clever attacker wouldparallelize this algorithm on more powerfulmachines to obtain better numbers To beable to exploit the backdoor ldquoliverdquo we wanta running-time close to zero Using a 80 bitinteger as our generatorrsquos order someonewith no knowledge of the factorization of themodulus would take around 240 operationsto compute a discrete logarithm while thiswould take us on average 221 thanks to thetrapdoor A more serious adversary witha higher computation power and a care forsecurity might want to choose a 200 bit integeras the generatorrsquos order For that he wouldneed to be able to perform 250 operationsinstantaneously if he would want to tamperwith the encrypted communications followingthe key exchange while an outsider wouldhave to perform an ldquoimpossiblerdquo number of2100 operations The size of the two primesp and q and of the resulting n = pq shouldbe chosen large enough to resist against thesame attacks as RSA That is a n of 2048 bitswith p and q both being 1024 bit long wouldsuffice

To use such a backdoor one must not onlygenerate two primes p and q to satisfy the pre-vious shape but also find a specific generatorg This is not a hard task unless you want touse a specific generator g For example manylibraries use g = 2 by default implementingthis backdoor would mean changing both themodulus and the generator This is becausethe probability that an element in a group oforder q is the generator of a subgroup of or-der d is d

q This means that with our exampleg = 2 we would need to generate many mod-ulus hoping that g = 2 as a generator wouldwork The probability that it would work foreach try would be

p1p2(pminus 1)(q minus 1)

sim 1

pq=

1

n

9

This is obviously too small of a probability forus to try to generate many parameters untilone admits our targeted g as a generator ofour ldquosmallrdquo subgroup This is a problem if wewant to only replace the modulus of an im-plementation to activate our backdoor Sincechanging only one value would be more subtlethan changing two values our next contribu-tion revise the way we generate the backdoorparameters to solve this problem

5 A Composite Modulus for aNOBUS Backdoor with a B-Smooth Order

Letrsquos start again with a composite modulusn = pq but this time letrsquos choose p and q suchthat pminus1 and qminus1 are both B-smooth with Bsmall enough for the discrete logarithm to bedoable in subgroups of order B Wersquoll see laterhow to choose BLet p minus 1 = p1 times middot middot middot times pk times 2 and q minus 1 =q1timesmiddot middot middottimesqltimes2 such that gcd(pminus1 qminus1) = 2 andsuch that pi le B and qj le B for all i isin J1 kKand j isin J1 lK respectively This makes theorder of the group ϕ(n) = (p minus 1)(q minus 1) B-smoothConstructing the Diffie-Hellman modulusthis way permits anyone with both theknowledge of the order factorization and theability of computing the discrete logarithmin subgroups of order B to compute thediscrete logarithm modulo n by using thePohlig-Hellman method

Since pminus 1 and qminus 1 are both B-smooth theyare susceptible to be factored with the Pol-lardrsquos p-1 factorization algorithm a factoriza-tion algorithm that can find a factor p of n ifp minus 1 is partially-smooth RSA counters thisproblem using safe primes of the form p = q+1with q prime as well but this would break ourbackdoor Instead as a way of countering Pol-

lardrsquos p-1 we can add a large factor to bothp minus 1 and q minus 1 that we will call pbig and qbigrespectively

To exploit this backdoor we can reduce ourpublic key y modulo p and q as we did inour first method and proceed with Pohlig-Hellmanrsquos algorithm there This is not anecessary step but this will reduce the size ofthe numbers in our calculations speeding upthe attack We then carry on with CRT torecompute the private key modulo its orderwhich can be picked at a secure maximumof (pminus1)(qminus1)

2 which brings around the samesecurity promises of a safe-prime modulusThis is because of the following isomorphywe have (Zn)lowast (Zp)lowast times (Zq)lowast with theproductrsquos orders s = |(Zp)lowast| and t = |(Zq)lowast|not being coprimes (gcd(p minus 1 q minus 1) = 2)This results in a non-cyclic group with anupper-bound on possible subgroup orders oflcm(s t) = (pminus1)(qminus1)

2

To decide how big pbig and qbig should be wecan look at the worldrsquos records for the Pollardrsquosp-1 factorization algorithm20 the largest B2parameter (the large factor) used in a factor-ization is 1015 sim 50bits in 2015 As with ourprevious method we could use much larger fac-tors of around 100 bits to avoid any powerfuladversaries and have a agreeable 251 computa-tions on average to solve the discrete logarithmproblem in these large subgroups

20httpwwwloriafr zimmermarecordsPmi-nus1html

10

This method brings the security of our overallscheme to the one of a perfectly secure Diffie-Hellman Its security also relies on the RSArsquosassumption that factoring n is difficult if n islarge enough More than that the probabilityof having a targeted element be a valid gen-erator can be as large as 1

2 in our example ofa secure subgroup of order (pminus1)(qminus1)

2 Thiswill allow us to easily generate a backdooredmodulus that will fit a specific generator thusincreasing the stealthiness of the implementa-tion phase of our scheme In the case wherethe large two subgroups of order pbig and qbigneed to be avoided one could think about try-ing to generate many modulus hopping thatthe targeted g would fit This can be donewith probability 1

2pbigqbigfor each try which is

way too low But worse this would give a freestart to someone trying to factor the modulususing Pollardrsquos p-1 Another way would be topass a fake order to the program forcing it togenerate small ephemeral private keys upper-bounded by ϕ(n)

pbigqbig After this proceding to

use Pohlig-Hellman over the small factors ig-noring pbig and qbig would be enough to findthe private key This can be done in OpenSSLor libraries making use of it by passing the fakeorder to OpenSSL via dh-gtq Of course doingthis would bring back our first methodrsquos issuesby having to add extra lines of code to ourmalicious patch

6 Implementing and Exploit-ing the Backdoor in TLS

Theoretically any application including Diffie-Hellman might be backdoored using ourmethod As TLS is one of the most well knownprotocols using Diffie-Hellman it is particularlyinteresting to abuse for a field test of our workMost TLS applications making use of theDiffie-Hellman algorithm for the handshake ndashalthough this is an algorithm rarely used in

TLS ndash would have their DH public key andparameters baked into userrsquos or serverrsquos gen-erated certificates Interestingly the param-eters of the ndash much more commonly used ndashephemeral version of Diffie-Hellman used toadd the properties of Perfect Forward Secrecyare rarely chosen by end users and thus neverengraved into userrsquos or serverrsquos certificatesFurthermore most libraries implementing theTLS protocol (socat Apache NGINX )have predefined or hardcoded ephemeral DHparameters Developers using those librarieswill rarely generate their own parameters andwill use the default ones This was the sourceof many discussions after being pointed outby Logjam21 last year creating a movement ofawareness pushing people to migrate to biggerparameters and increase the bitsizes of appli-cationrsquos Diffie-Hellman modulus from 1024 orlower to 2048+ bits This trend seems like theperfect excuse to submit a backdoored patchclaiming to improve the security of a libraryWersquoll first see how TLS works with ephemeralDiffie-Hellman in the next section Followedwill be a demonstration on how the backdoorwas implemented in real open source librariesFinally wersquoll explain how our setup worked tomake use of the backdoor

61 Background

An ephemeral handshake allows two parties tonegotiate a ldquofreshrdquo set of keys for every newTLS connection This has become the pre-ferred way of using TLS as it increases itssecurity providing the property that we callForward Secrecy or Perfect Forward Secrecythat is if the long term key is compromisedrecorded past communications wonrsquot be af-

21David Adrian et al ldquoImperfect Forward SecrecyHow Diffie-Hellman Fails in Practicerdquo In 22nd ACMConference on Computer and Communications Secu-rity https weakdh org imperfect - forward -secrecy-ccs15pdf Oct 2015

11

This method brings the security of our overallscheme to the one of a perfectly secure Diffie-Hellman Its security also relies on the RSArsquosassumption that factoring n is difficult if n islarge enough More than that the probabilityof having a targeted element be a valid gen-erator can be as large as 1

2 in our example ofa secure subgroup of order (pminus1)(qminus1)

2 Thiswill allow us to easily generate a backdooredmodulus that will fit a specific generator thusincreasing the stealthiness of the implementa-tion phase of our scheme In the case wherethe large two subgroups of order pbig and qbigneed to be avoided one could think about try-ing to generate many modulus hopping thatthe targeted g would fit This can be donewith probability 1

2pbigqbigfor each try which is

way too low But worse this would give a freestart to someone trying to factor the modulususing Pollardrsquos p-1 Another way would be topass a fake order to the program forcing it togenerate small ephemeral private keys upper-bounded by ϕ(n)

pbigqbig After this proceding to

use Pohlig-Hellman over the small factors ig-noring pbig and qbig would be enough to findthe private key This can be done in OpenSSLor libraries making use of it by passing the fakeorder to OpenSSL via dh-gtq Of course doingthis would bring back our first methodrsquos issuesby having to add extra lines of code to ourmalicious patch

6 Implementing and Exploit-ing the Backdoor in TLS

Theoretically any application including Diffie-Hellman might be backdoored using ourmethod As TLS is one of the most well knownprotocols using Diffie-Hellman it is particularlyinteresting to abuse for a field test of our workMost TLS applications making use of theDiffie-Hellman algorithm for the handshake ndashalthough this is an algorithm rarely used in

TLS ndash would have their DH public key andparameters baked into userrsquos or serverrsquos gen-erated certificates Interestingly the param-eters of the ndash much more commonly used ndashephemeral version of Diffie-Hellman used toadd the properties of Perfect Forward Secrecyare rarely chosen by end users and thus neverengraved into userrsquos or serverrsquos certificatesFurthermore most libraries implementing theTLS protocol (socat Apache NGINX )have predefined or hardcoded ephemeral DHparameters Developers using those librarieswill rarely generate their own parameters andwill use the default ones This was the sourceof many discussions after being pointed outby Logjam21 last year creating a movement ofawareness pushing people to migrate to biggerparameters and increase the bitsizes of appli-cationrsquos Diffie-Hellman modulus from 1024 orlower to 2048+ bits This trend seems like theperfect excuse to submit a backdoored patchclaiming to improve the security of a libraryWersquoll first see how TLS works with ephemeralDiffie-Hellman in the next section Followedwill be a demonstration on how the backdoorwas implemented in real open source librariesFinally wersquoll explain how our setup worked tomake use of the backdoor

61 Background

An ephemeral handshake allows two parties tonegotiate a ldquofreshrdquo set of keys for every newTLS connection This has become the pre-ferred way of using TLS as it increases itssecurity providing the property that we callForward Secrecy or Perfect Forward Secrecythat is if the long term key is compromisedrecorded past communications wonrsquot be af-

21David Adrian et al ldquoImperfect Forward SecrecyHow Diffie-Hellman Fails in Practicerdquo In 22nd ACMConference on Computer and Communications Secu-rity https weakdh org imperfect - forward -secrecy-ccs15pdf Oct 2015

11

fected and future communications will still re-sist passive attacks This is done by using oneof the two Diffie-Hellman algorithms providedby TLS ldquonormalrdquo Diffie-Hellman present in theciphersuites containing DHE in their names andElliptic Curve Diffie-Hellman (ECDH) presentin the ciphersuites containing ECDHE in theirnames Note that the concept of ldquoephemeral rdquois not defined the same by everyone the de-fault behavior of OpenSSL up until recent ver-sions has been to generate the ephemeral DHkey at boot time and cache it until rebootunless specified not to do so Such behaviorwould greatly speed up our attackAt the start of a new ephemeral handshakeboth the server and the client will send eachother their ephemeral DH (DHE) public keysvia a ServerKeyExchange and a ClientKeyEx-change message respectively The server willdictate as well what the DHE parameters arevia the same ServerKeyExchange message

Figure 3 The serverKeyExchange message

Figure 4 The clientKeyExchange message

Let c and s be the client and the server publickeys respectively The following computationis done on each side right after the key ex-

change to derive the session keys that will en-crypt further communications (including finalhandshake messages)

1 premaster_secret = gcs (mod n)

2 master_secret = PRF(premaster_secretldquomaster secretrdquo ClientHellorandom +ServerHellorandom)

3 keys = PRF(master_secret ldquokey ex-pansionrdquo ServerHellorandom + Clien-tHellorandom)

Right after trading their ephemeral DH pub-lic keys the TLS peers compute the Diffie-Hellman algorithm by exponentiating theotherrsquos public key with their own private keyThe output is stored in a premaster_secretvariable that is sent into a pseudo-randomfunction (PRF) with the string ldquomaster secretrdquoand the public values random of both partiestaken from their Hello message as parametersThis is because the DH output can be of fluc-tuating lengths TLS offers several parame-ters and algorithms to perform this part ofthe handshake passing it through a PRF firstaims to normalize its size before deriving thekeys from it The output of that first PRF isthen sent into the same PRF repeatedly alongwith different arguments the string ldquokey ex-pansionrdquo and the reversed order of the randomvalues we just used until enough bits are pro-duced for the many keys used to encrypt andauthenticate the post-handshake communica-tionsTwo authentication keys are first de-rived client_write_MAC_key andserver_write_MAC_key one for each di-rection Then two encryption keys arederived as well client_write_key andserver_write_key For AEAD ciphersMAC keys are ignored and two more val-ues after the encryption keys are derivedclient_write_IV and server_write_IV

12

62 Implementation

Figure 5 socatrsquos xio-opensslc file

Figure 6 The same backdoored socat file after ourchanges

socat makes use of OpenSSL underneath thesurface and being a useful nifty command linetool it is what we first used to quickly testour backdoor parameters With the help ofthe dhparam argument we can use an ASN1file encoded in the DER format to specifyour backdoored DH parameters to the pro-gram But as this exercise is one of imple-mentation we will show how we modified the

source code of socat to introduce the backdoorto the masses We started by generating smallparameters with the method in section 5 forour tests Since socatrsquos generator is 2 we onlyhad to modify the modulus in the dh1024_pvariable of the xio-opensslc file Above arethe differences between a valid version and abackdoored version of socatIf we want to submit such a patch as an excuseto increase the size of the DH parameters wecould mimick socatrsquos case22

Figure 7 The commit diff page of the socat ldquopre-sumedrdquo backdoor

63 Exploitation

To exploit this kind of backdoor we first needto obtain a Man-In-The-Middle position be-

22httprepoorczsocatgitcommitdiff281d1bd6515c2f0f8984fc168fb3d3b91c20bdc0

13

62 Implementation

Figure 5 socatrsquos xio-opensslc file

Figure 6 The same backdoored socat file after ourchanges

socat makes use of OpenSSL underneath thesurface and being a useful nifty command linetool it is what we first used to quickly testour backdoor parameters With the help ofthe dhparam argument we can use an ASN1file encoded in the DER format to specifyour backdoored DH parameters to the pro-gram But as this exercise is one of imple-mentation we will show how we modified the

source code of socat to introduce the backdoorto the masses We started by generating smallparameters with the method in section 5 forour tests Since socatrsquos generator is 2 we onlyhad to modify the modulus in the dh1024_pvariable of the xio-opensslc file Above arethe differences between a valid version and abackdoored version of socatIf we want to submit such a patch as an excuseto increase the size of the DH parameters wecould mimick socatrsquos case22

Figure 7 The commit diff page of the socat ldquopre-sumedrdquo backdoor

63 Exploitation

To exploit this kind of backdoor we first needto obtain a Man-In-The-Middle position be-

22httprepoorczsocatgitcommitdiff281d1bd6515c2f0f8984fc168fb3d3b91c20bdc0

13

tween the client and the server This can bedone passively by obtaining posterior access tologs of TLS records but this was done activelyin our proof of concept23 by using a machineas a proxy to the server and making the clientconnect to the proxy directly instead of theserver The proxy unintelligently forwards thepackets back and forth until a TLS connectionis initiated it then observes the handshakestoring the random values at first until theserver decides to send its public Diffie-Hellmanparameters to be used in an ephemeral keyexchange If the proxy recognizes the back-door parameters in the serverrsquos ServerKeyEx-change message it runs the attack recoveringone partyrsquos private key and computing the ses-sion keys out of that information With thesession keys in hand the proxy can then ob-serve the traffic in clear and even tamper withthe messages being exchanged

Client Server

ClientHellorandom

ServerHellorandom

ServerKeyExchangeDHparams ampServerKeyExchangepubKey

ClientKeyExchangepubKey

Depending on the security margins chosenduring the generation of the backdoor and onthe computing power of the attacker it maybe the case that the attacker would not beable to derive the session keys until the firstfew messages have been exchanged exemptingthem from tampering For better resultsthe work could be parallelized and the two

23httpsgithubcommimooDiffie-Hellman_Backdoor

public keys could be attacked simultaneouslyas one might be recovered more quickly thanthe other one As soon as the private keyof one party is recovered the Diffie-Hellmanand the session keys computations are donein a negligible time and the proxy can startlive decrypting and live tampering with thepackets If the attacker really wants to be ableto tamper with the first messages it can delaythe end of the handshake by sending TLSwarning alerts that can keep a handshakealive indefinitely or for a period of timedepending on the TLS implementation usedby both parties

Update exploitation of this backdoor hasbeen improved by Dorey et al24 who pointedthat an active man-in-the-middle attacker canalso force both a client and a server to use aDHE cipher suite (to force them to use thebackdoor) if both peers already support a DHEcipher suite

7 Detecting a Backdoor andDefending Against One

In the course of this work several open sourcelibraries were tested for composite moduluswith no positive results TLS handshakes ofthe full range of IPv4 addresses obtained fromscansio were inspected on March 3rd 2016 Atotal of 50222805 handshakes were analyzedfrom which 4522263 were augmented with theuse of ephemeral Diffie-Hellman From thesenumbers only 30 handshakes used a compos-ite modulus all of them had a small factor butnone of them could be factored in less than5 hours using the ECM or Pollardrsquos p-1 fac-

24Kristen Dorey Nicholas Chang-Fong and Alek-sander Essex Indiscreet Logs Persistent Diffie-Hellman Backdoors in TLS Cryptology ePrintArchive Report 2016999 http eprint iacr org2016999 2016

14

torization algorithms Most IPs were hostingwebpages in some cases the same one All ad-ministrators were contacted about the issueOur contributions should withstand any kindof reversing and thus we should not be able todetect any backdoor produced by people whowould have reached the same conclusions asours The addition of easy to find small factorscould have been intentionally done to provideplausible deniability Interestingly it is alsohard to differentiate a mistake in the modulusgeneration from a backdoor From the Hand-book of Applied Cryptography25 fact 37

Definition 1 Let n be chosen uniformly atrandom from the interval [1 x]

1 if 12 le α le 1 then the probability thatthe largest prime factor of n is le xα is ap-proximately 1+ ln(α) Thus for examplethe probability than n has a prime factorgt

radic(x) is ln(2) asymp 069

2 The probability that the second-largestprime factor of n is le x02117 is about 12

3 The expected total number of prime fac-tors of n is lnlnx +O(1) (If n =

prodpeii

the total number of prime factors of n issumei)

Since it might be easier to visualize this withnumbers

1 a 1024 bit composite modulus n probabil-ity to have a prime factor greater than 512bits is asymp 069

2 the probability that the second-largestprime factor of n is smaller than 217 bitsis 12

3 The total number of prime factor of n isexpected to be 7

25httpcacruwaterloocahacaboutchap3pdf

Considering that a full factorization withECM runs in a complexity tied to the size ofthe second largest factor it might be hard orimpossible to do it half of the time The restof the time it might take a bit of work butsince the largest factor found using ECM26 is274 bits it is possible

The question of how to avoid these kinds ofbackdoors or weaknesses is also interesting andwell understood but rarely done correctlyFirst it is known that by using safe primesndash primes of the form 2q+1 with q prime ndash thegeneratorrsquos subgroup will have an order closeto the modulusrsquo size Since it is easy to check ifa number is a safe prime the client should alsoonly accept such moduli The current state isthat most programs donrsquot even check for primemodulus As an example no browser currentlywarns the user if a composite modulus is de-tectedAnother way to prevent this is to have a pre-defined list of public parameters27 this wouldmake Diffie-Hellman look similar to EllipticCurve Diffie-Hellman in the sense that onlya few curves are pre-defined and accepted inmost exchangesBoth mitigations can be hard to integrate if thetwo endpoints of a key exchange are not con-trolled For example this is the case between

26httpwwwloriafr~zimmermarecordstop50html

27Matt Lepinski and Dr Stephen T Kent RFC5114 Additional Diffie-Hellman Groups for Use withIETF Standards RFC 5114 httpsrfc-editororg rfc rfc5114 txt 2015 doi 10 17487 rfc5114 Tero Kivinen RFC 3526 More ModularExponential (MODP) Diffie-Hellman groups for Inter-net Key Exchange (IKE) RFC 3526 httpsrfc-editororgrfcrfc3526txt 2015 doi 1017487rfc3526 Daniel Kahn Gillmor IETF Draft Nego-tiated Finite Field Diffie-Hellman Ephemeral Parame-ters for TLS Internet-Draft draft-ietf-tls-negotiated-ff-dhe-10 httpstoolsietforghtmldraft-ietf-tls- negotiated- ff- dhe- 10 Internet EngineeringTask Force 2015

15

browsers and websites TLS connections wherethe browser is a different program from what isrunning on the server Asserting for these spe-cial primes might just break the connectionwhich would be worse from the userrsquos perspec-tive This is why Google Chrome is currentlyremoving DHE from its list of supported ciphersuites28 and recommending server administra-tors to migrate from DHE to ECDHE Thisis also one of the recommendations from Log-jam29 These security measures might verywell prevent this workrsquos efforts backdooringECDHE in a stealthy way as we did with DHEremains an open problem

8 Conclusion

Many cryptographic constructions are not sub-ject to change unless a breakthrough comesalong and the whole construction has to bereplaced Very rarely the excuse of updat-ing a reviewed and considered strong cryp-tographic implementation to change a singlenumber comes along and very few people un-derstand such subtle changes According tothe grading system of a whitepaper by Schneieret al30 here is how such a backdoor scores

bull medium undetectability to discover thebackdoor one would have to test for theprimality of the modulus A pretty easytask although not typically performed asseen with the socatrsquos case where it took

28httpsgroupsgooglecomachromiumorgforummtopicblink-devAAdv838-koodiscussion

29David Adrian et al ldquoImperfect Forward SecrecyHow Diffie-Hellman Fails in Practicerdquo In 22nd ACMConference on Computer and Communications Secu-rity https weakdh org imperfect - forward -secrecy-ccs15pdf Oct 2015

30Bruce Schneier et al Surreptitiously WeakeningCryptographic Systems Cryptology ePrint ArchiveReport 2015097 httpeprintiacrorg 2015

them more than a year to realize the com-posite modulus

bull high lack of conspiracy in the case of so-cat only the person who had submittedthe vulnerability would be the target ofinvestigation It turns out he is a regularemployee at Oracle

bull high plausible deniability three thingshelp us in the creation of a good storyin the socatrsquos case reversing bytes ofthe fake prime gives us a prime somesmall factors were found anyone withweak knowledge of cryptography couldhave submitted a composite number

bull medium ease of use man-in-the-middlingthe attack and observing the first hand-shake would allow the attacker to take ad-vantage of the backdoor

bull high severity having access to that back-door lets us observe or if exploited in realtime let us tamper with any communica-tions made over TLS

bull medium durability system admins wouldhave to update to newer versions to re-move the backdoor

bull high monitorability the saboteur cannotdetect if other attackers are taking advan-tage of the backdoor which is OK sincethe backdoor in this work are NOBUSones

bull high scale backdooring an open-source li-brary would allow access to many systemsrsquoand usersrsquo communications

bull high precision the saboteur doesnrsquotweaken any system only the saboteurhimself can access the backdoor

bull high control like Dual-EC only the sabo-teur can exploit the backdoor

16

While this work is mostly a fictive exercise wehope to raise awareness in the need for bettertoolings and deeper reviews of open source ndashas well as closed source ndash implementations ofcryptographic algorithms

Acknowledgements

Many thanks to both Scott Fluhrer and ScottContini who have been of precious help in thecore ideas of this paper

Thanks as well to Pete L Clark Tom RitterMike Brown Roman Zabicki Vincent LynchDrew Suarez Ryan Koppenhaver DivyaNatesan Andy Grant and Jake Massimo forfeedback and discussions

References

[1] David Adrian et al ldquoImperfect ForwardSecrecy How Diffie-Hellman Fails inPracticerdquo In 22nd ACM Conference onComputer and Communications Secu-rity httpsweakdhorgimperfect-forward - secrecy - ccs15 pdf Oct2015

[2] Daniel J Bernstein Tanja Lange andRuben Niederhagen Dual EC A Stan-dardized Back Door Cryptology ePrintArchive Report 2015767 http eprintiacrorg2015767 2015

[3] Stephen Checkoway et al A SystematicAnalysis of the Juniper Dual EC Inci-dent Cryptology ePrint Archive Report2016376 httpeprintiacrorg2016376 2016

[4] Jean-Sebastien Coron et al Cryptanal-ysis of the RSA Subgroup Assump-tion from TCC 2005 Cryptology ePrintArchive Report 2010650 http eprintiacrorg2010650 2010

[5] Kristen Dorey Nicholas Chang-Fongand Aleksander Essex Indiscreet LogsPersistent Diffie-Hellman Backdoors inTLS Cryptology ePrint Archive Report2016999 httpeprintiacrorg2016999 2016

[6] Daniel Kahn Gillmor IETF Draft Ne-gotiated Finite Field Diffie-HellmanEphemeral Parameters for TLSInternet-Draft draft-ietf-tls-negotiated-ff-dhe-10 httpstoolsietforghtmldraft- ietf- tls- negotiated-ff-dhe-10 Internet Engineering TaskForce 2015

[7] Tero Kivinen RFC 3526 More Modu-lar Exponential (MODP) Diffie-Hellmangroups for Internet Key Exchange (IKE)RFC 3526 https rfc - editor orgrfcrfc3526txt 2015 doi 1017487rfc3526

[8] Matt Lepinski and Dr Stephen T KentRFC 5114 Additional Diffie-HellmanGroups for Use with IETF StandardsRFC 5114 https rfc - editor orgrfcrfc5114txt 2015 doi 1017487rfc5114

[9] Stephen Pohlig and Martin HellmanAn Improved Algorithm for Comput-ing Logarithms over GF(p) and itsCryptographic Significance http www - ee stanford edu ~hellman publications28pdf 1978

[10] Eric Rescorla RFC 2631 Diffie-HellmanKey Agreement Method RFC 2631https rfc - editor org rfc rfc2631 txt 2013 doi 10 17487 rfc2631

17

[11] Bruce Schneier et al SurreptitiouslyWeakening Cryptographic SystemsCryptology ePrint Archive Report2015097 httpeprintiacrorg2015

[12] Shinde and Fadewar Faster RSA Al-gorithm for Decryption Using ChineseRemainder Theorem http www techscience com doi 10 3970 icces2008005255pdf

[13] Shumow and Ferguson On the Possibil-ity of a Back Door in the NIST SP800-90 Dual Ec Prng Crypto 2007 httprump2007crypto15-shumowpdf2007

[14] Robert Zuccherato RFC 2785 Methodsfor Avoiding the Small-Subgroup Attackson the Diffie-Hellman Key AgreementMethod for SMIME RFC 2785 httpsrfc-editororgrfcrfc2785txt2013 doi 1017487rfc2785

18