
Curveball+: Exploring Curveball-Like Vulnerabilities of Implicit Certificate Validation

Conference paper, Computer Security – ESORICS 2023 (ESORICS 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14345)

Abstract

The Curveball vulnerability exploits defective ECC public-key comparisons on X.509 certificates in MS Windows, where the comparison does not check that the domain parameters match. Attackers can forge certificate chains whose public-key value equals that of a Windows-trusted certificate and use them to set up fake HTTPS websites or sign malware binaries that verify successfully without any alert. This paper extends the Curveball attack to Elliptic-curve Qu-Vanstone (ECQV) implicit certificates, which are ECC-specific and reduce both certificate size and the computation cost of certificate validation. We present two versions of the Curveball+ attack that target implicit certificate validation where the verifier is prone to the Curveball vulnerability. We discuss different types of certificate chains, implicit and hybrid, as well as various certificate trust list entry structures and certificate formats. We prove that verifiers that compare the final public key of implicit certificates are secure against Curveball+ version 1 attacks, whereas Curveball+ version 2 attacks succeed against certificates in M2M format because of the assailable standard description. Our work offers preventive value to developers by pointing out implementation pitfalls to avoid.

This work was supported by the National Key R&D Program of China (Award No. 2020YFB1005800). Wei Wang is the corresponding author.


Notes

  1. The definition is also suitable for our Curveball+ v1/v2 attacks.

  2. For simplicity, the algorithm only displays one CTL entry, but the full CTL list is used. In addition, several crucial checks are omitted; they are irrelevant to our analysis and can easily be modified by a Curveball attacker.

  3. See https://github.com/tyj956413282/curveball-plus.git for source code.

  4. \(\lambda \) represents the bit-length of \(\#\mathbb {E}\) (the number of all EC points in \(\mathbb {E}\)).

References

  1. CertVerifyCertificateChainPolicy function (wincrypt.h) (2021). https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certverifycertificatechainpolicy

  2. Certificate key matcher (unknown). https://www.sslshopper.com/certificate-key-matcher.html

  3. Administration, C.E.: SM2 elliptic curve public key algorithms (2010)

  4. BlackBerry: Certicom device certification authority for zigbee smart energy (nd). https://blackberry.certicom.com/en/products/managed-certificate-service/smart-energy-device-certificate-service

  5. Brown, D.R.: SEC 2: Recommended elliptic curve domain parameters. In: Standards for Efficient Cryptography (2010)

  6. Brown, D.R., Campagna, M.J., Vanstone, S.A.: Security of ECQV-certified ECDSA against passive adversaries. Cryptology ePrint Archive (2009)

  7. Brown, D.R.L., Gallant, R., Vanstone, S.A.: Provably secure implicit certificate schemes. In: Syverson, P. (ed.) FC 2001. LNCS, vol. 2339, pp. 156–165. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46088-8_15

  8. Brubaker, C., Jana, S., Ray, B., Khurshid, S., Shmatikov, V.: Using frankencerts for automated adversarial testing of certificate validation in SSL/TLS implementations. In: 2014 IEEE Symposium on Security and Privacy, pp. 114–129. IEEE (2014)

  9. Campagna, M.: SEC 4: Elliptic curve Qu-Vanstone implicit certificates, version 1.0. Tech. rep., Standards for Efficient Cryptography (2013)

  10. ETSI, T.: ETSI TS 103 097 v1.1.1 - intelligent transport systems (ITS); security; security header and certificate formats. Standard, TC ITS (2013)

  11. Ford, W., Poeluev, Y.: The machine-to-machine (M2M) public key certificate format. Internet-Draft draft-ford-m2mcertificate-00, IETF Secretariat (2015)

  12. Forum, N.: Signature record type definition, technical specification, v2.0 (2014)

  13. Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., Shmatikov, V.: The most dangerous code in the world: validating SSL certificates in non-browser software. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 38–49 (2012)

  14. IEEE 1609 Working Group and others: IEEE standard for wireless access in vehicular environments - security services for applications and management messages. IEEE STD 1609(2) (2016)

  15. Johnson, D., Menezes, A., Vanstone, S.: The elliptic curve digital signature algorithm (ECDSA). Int. J. Inf. Secur. 1(1), 36–63 (2001)

  16. Labs, M.: What CVE-2020-0601 teaches us about Microsoft's TLS certificate verification process (2020). https://www.mcafee.com/blogs/other-blogs/mcafee-labs/what-cve-2020-0601-teaches-us-about-microsofts-tls-certificate-verification-process/

  17. Mavrogiannopoulos, N., Vercauteren, F., Velichkov, V., Preneel, B.: A cross-protocol attack on the TLS protocol. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 62–72 (2012)

  18. Msahli, Cam-Winget, W.: Internet X.509 public key infrastructure certificate. Tech. rep., RFC 8902 (2020)

  19. National Security Agency: Patch critical cryptographic vulnerability in Microsoft Windows clients and servers (2020). https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

  20. Paganini, P.: Two PoC exploits for CVE-2020-0601 nsacrypto flaw released (2020). https://securityaffairs.co/wordpress/96486/uncategorized/cve-2020-0601-nsacrypto-exploits.html

  21. Poeluev, Y., Ford, W.: Transport layer security (TLS) and datagram transport layer security (DTLS) authentication using M2M certificate. IETF Secretariat (2015)

  22. Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_33

  23. Polk, T., Housley, R., Bassham, L.: Algorithms and identifiers for the internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. Tech. rep., RFC 3279 (2002)

  24. Pollicino, F., Stabili, D., Ferretti, L., Marchetti, M.: An experimental analysis of ECQV implicit certificates performance in VANETs. In: 2020 IEEE 92nd Vehicular Technology Conference (VTC2020-Fall), pp. 1–6. IEEE (2020)

  25. Qi'an Xin Codesafe: Detailed analysis of CVE-2020-0601 vulnerability (in Chinese) (2020). https://blog.csdn.net/smellycat000/article/details/104057852

  26. Romailer, Y.: CVE-2020-0601: The Chainoffools/Curveball attack explained with POC (2020). https://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc/

  27. Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22

  28. Simpson, J.: A technical analysis of Curveball (CVE-2020-0601) (2020). https://www.trendmicro.com/en_us/research/20/b/an-in-depth-technical-analysis-of-curveball-cve-2020-0601.html

  29. Wagner, D., Schneier, B., et al.: Analysis of the SSL 3.0 protocol. In: The Second USENIX Workshop on Electronic Commerce Proceedings, vol. 1, pp. 29–40 (1996)

  30. Whyte, W., Weimerskirch, A., Kumar, V., Hehn, T.: A security credential management system for V2V communications. In: 2013 IEEE Vehicular Networking Conference, pp. 1–8. IEEE (2013)

Corresponding author: Wei Wang.

Appendices

Appendix 1 Proofs of the Q2P Problem

The format \([m,P]\) represents the certificate \(\textsf{ICert}[P,\mathbb {E}(G)]\) in the security model, where \(m\) stands for all information in \(\textsf{ICert}\) other than the EC point \(P\) and is referred to as the message. The rigorous definition of Q2P is as follows.

Definition 1

Given an elliptic curve \(\mathbb {E}\), a hash function \(\textrm{Hash}\) and an EC point \(Q\), the Q2P problem asks for a message \(m\) and another EC point \(P\) such that \(Q = \textrm{Hash}(m,P) \cdot P\).

In the random oracle model, we define the game in which an adversary \(\mathcal {A}\) tries to solve the Q2P problem as \(\textrm{Game}_{\mathcal {A}}^{{{\,\textrm{Q2P}\,}}}\big (\lambda ,\mathbb {E}\big )\) (Note 4), with a hash oracle \(\mathcal {O}_\mathcal {A}^{\textrm{Hash}}\). Note that a real attacker is constrained in the \((x,y)\)-coordinates of \(G'\) inside the output \(m\) (Sect. 4), which is more restrictive than Definition 1, where \(m\) is arbitrary.

Lemma 1

In the random oracle model, the EC-Schnorr family of signature schemes in \(\mathbb {E}(G)\) is secure if the ECDLP problem in \(\mathbb {E}(G)\) is intractable.

The variant of the Schnorr signature for a message \(m\) with the private key \(b\) can be expressed as \(\sigma :=(R,s)\) where the EC Point \(R := k \cdot G\) with random secret \(k\), and the integer \(s := b + k \cdot \textrm{Hash}(m, R)\). To verify the signature, one checks that \(s \cdot G = \textrm{Hash}(m, R) \cdot R + B\) with the public key \(B\).

Pointcheval and Stern [22] proved Lemma 1 by constructing a reduction from ECDLP to this variant of EC-Schnorr signatures using the "forking lemma".

Theorem 1

In the random oracle model, the Q2P problem in \(\mathbb {E}\) is hard if the Schnorr signature scheme in \(\mathbb {E}(G)\) is secure.

Proof

We give the following reduction: assuming that there exists a successful adversary \(\mathcal {A}\) solving the Q2P problem, we construct a polynomial-time algorithm \(\mathcal {B}\) that uses \(\mathcal {A}\) as a subroutine to forge an EC-Schnorr signature with non-negligible probability. The game \(\textrm{Game}_{\mathcal {B}}^{{{\,\textrm{Schnorr}\,}}}\) runs as follows:

  1. After receiving the public key \(B\), randomly select an integer \(s\in \left[ 1,n\right) \) as one part of the output signature and calculate the final public key \(Q := s \cdot G-B\);

  2. To obtain the message and the other part of the signature, run \(\textrm{Game}_{\mathcal {A}}^{{{\,\textrm{Q2P}\,}}}\big (\lambda ,\mathbb {E}\big )\) with \(\mathcal {O}_{\mathcal {B}}^{\textrm{Hash}}\);

  3. If \(\mathcal {A}\) wins with output \((m', P')\), construct and output the message with the forged signature \(\big (m',\sigma ' := (P', s)\big )\); otherwise, terminate with \(\perp \).

The following two facts show that \(\mathcal {B}\) wins the game, which proves correctness.

  1. New message: \(m'\) is admissible since \(\mathcal {B}\) did not make any signature query.

  2. Signature verification: the verification with signature \(\sigma '\) passes because \(\textrm{Hash}(m',P') \cdot P' + B = Q + B = (s\cdot G - B) + B = s \cdot G\).

If \(\mathcal {A}\) runs in polynomial time and succeeds with nonnegligible probability, so will \(\mathcal {B}\). But by hypothesis, no such \(\mathcal {B}\) can make a forged variant EC-Schnorr signature in \(\mathbb {E}(G)\). Therefore, no adversary \(\mathcal {A}\) exists in the random oracle model, and the proof of this theorem is complete.

Combining Lemma 1 and Theorem 1, we conclude that the hardness of the Q2P problem rests on the ECDLP problem.

Appendix 2 Rationality of the Hybrid Verifier \(\mathcal {V}_{N,P}\)

The rationality of a hybrid verifier \(\mathcal {V}_{N,P}\) means that no certificate holder, other than a self-signed holder, can change the certificate type in a way the verifier will accept; that is, neither transforming an explicit certificate into an implicit one (E2I) nor transforming an implicit certificate into an explicit one (I2E). The rationality of \(\mathcal {V}_{N,P}\) rests on the ECDLP assumption with two additional oracles: an ECDSA signature oracle \(\mathcal {O}^{\textrm{Sign}}\) and an ECQV certificate oracle \(\mathcal {O}^{{{\,\textrm{ECQV}\,}}}\). Both the ECDSA and the ECQV algorithm are themselves based on the ECDLP assumption [7, 15], so our ECDLP attacker is allowed to query \(\mathcal {O}^{\textrm{Sign}}\) and \(\mathcal {O}^{{{\,\textrm{ECQV}\,}}}\). To simplify our proofs, we use the explicit certificate as an example.

Transform Explicit Certificates. Assume that a trusted certificate chain \(\{{\textsf{ECert}}_1,\) \({\textsf{ECert}}^{{{\,\textrm{R}\,}}}_0\}\) is stored in the verifier \(\mathcal {V}_{N,P}\). We define \(\textrm{Game}^{E2I}_{\mathcal {A}, \mathcal {V}_{N,P}}(\textsf{ECert}, n)\) as follows: After receiving a certificate chain \(\big \{{\textsf{ECert}}_{1}[Q_1, \mathbb {E}(G_1); \sigma _0],{\textsf{ECert}}^{{{\,\textrm{R}\,}}}_{0}[Q_0,\) \(\mathbb {E}(G_0); \sigma ]\big \}\) with a private key \(d_1\) where \(Q_1=d_1\cdot G_1\), output a forged nonroot implicit certificate with a private key \((d', {\textsf{ICert}}_{\mathcal {A}}[P', \mathbb {E}(G_1)])\) so that the final public key satisfies \(Q' := \textrm{Hash}({\textsf{ICert}}_{\mathcal {A}}) \cdot P' + Q_0 = d' \cdot G_1\) and \(P' = Q_1\).
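As an added example (not code from the paper or its repository), the ECQV reconstruction \(Q = \textrm{Hash}(m,P) \cdot P + Q_{\textrm{CA}}\) used above and in Appendix 1, implemented over a tiny constructed curve, beside two trust-list comparisons: the Curveball-prone one that compares only the key point, and the hardened one that also compares the domain parameters, generator included. The curve \(y^2 = x^3 + 2x + 3\) over \(\mathbb {F}_{97}\), the secrets, the certificate content and the hash (SHA-256 reduced mod \(n\)) are all constructed for illustration and far too small for real use.

```python
import hashlib

INF = None  # point at infinity

def ec_add(P, Q, p, a):
    """Affine point addition on y^2 = x^3 + a*x + b over F_p."""
    if P is INF or Q is INF:
        return Q if P is INF else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF
    num, den = (3 * x1 * x1 + a, 2 * y1) if P == Q else (y2 - y1, x2 - x1)
    lam = num * pow(den % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P, p, a):  # double-and-add scalar multiplication
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, P, p, a)
        P, k = ec_add(P, P, p, a), k >> 1
    return R

# Constructed toy domain parameters: G = (3, 6) has order n = 5 on this curve.
TOY = {"p": 97, "a": 2, "b": 3, "G": (3, 6), "n": 5}

def ecqv_e(info, P, n):
    """e = Hash(m, P) mod n; m is the certificate content other than the point P."""
    h = hashlib.sha256(f"{info}|{P[0]},{P[1]}".encode()).digest()
    return int.from_bytes(h, "big") % n

def ecqv_issue(info, dom, d_ca, k_req, k_ca):
    """CA side of ECQV: P = k_req*G + k_ca*G, r = e*k_ca + d_ca (mod n)."""
    p, a, G, n = dom["p"], dom["a"], dom["G"], dom["n"]
    P = ec_add(ec_mul(k_req, G, p, a), ec_mul(k_ca, G, p, a), p, a)
    return (info, P), (ecqv_e(info, P, n) * k_ca + d_ca) % n

def ecqv_reconstruct(cert, dom, Q_ca):
    """Verifier side: final public key Q = e*P + Q_ca."""
    info, P = cert
    eP = ec_mul(ecqv_e(info, P, dom["n"]), P, dom["p"], dom["a"])
    return ec_add(eP, Q_ca, dom["p"], dom["a"])

def naive_match(entry, presented):  # Curveball-prone: compares the key point only
    return entry["key"] == presented["key"]

def strict_match(entry, presented):  # key plus every domain parameter, G included
    return entry == presented

def demo():
    p, a, G, n = TOY["p"], TOY["a"], TOY["G"], TOY["n"]
    d_ca, k_req, k_ca = 2, 3, 4                      # constructed secrets
    Q_ca = ec_mul(d_ca, G, p, a)
    cert, r = ecqv_issue("device-42", TOY, d_ca, k_req, k_ca)
    d_u = (ecqv_e(cert[0], cert[1], n) * k_req + r) % n   # holder's private key
    consistent = ecqv_reconstruct(cert, TOY, Q_ca) == ec_mul(d_u, G, p, a)
    trusted = {"key": Q_ca, "curve": (p, a, TOY["b"]), "G": G}
    other_g = dict(trusted, G=(80, 10))              # same key point, different generator
    return consistent, naive_match(trusted, other_g), strict_match(trusted, other_g)
```

`demo()` returns `(True, True, False)`: the reconstructed key matches the holder's private key, the naive comparison accepts an entry whose only difference is the generator, and the strict comparison rejects it.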

Theorem 2

In the random oracle model, E2I does not exist in a normal \(\mathcal {V}_{N,P}\) if the ECDLP problem is hard to solve.

Proof

We design \(\textrm{Game}^{{{\,\textrm{ECDLP}\,}}}_{\mathcal {B}}(n, \mathbb {E}(G))\) using \(\textrm{Game}^{E2I}_{\mathcal {A}, \mathcal {V}_{N,P}}\) \((\textsf{ECert}, n)\) as follows:

  1. After receiving the public key \(B\), randomly select \(d_1\in [1,n)\) and generate the two certificates \({\textsf{ECert}}^{{{\,\textrm{R}\,}}}_0[B,\mathbb {E}(G);\sigma ]\), \({\textsf{ECert}}_1[Q_1,\mathbb {E}(G);\sigma _0]\) where \(\sigma \) and \(\sigma _0\) are obtained by asking the signature oracle \(\mathcal {O}_{\mathcal {B}}^{\textrm{Sign}}\) and \(Q_1 := d_1 \cdot G\). Send \(\big (\{{\textsf{ECert}}_1,{\textsf{ECert}}^{{{\,\textrm{R}\,}}}_0\}, d_1\big )\) to \(\mathcal {A}\).

  2. Judge \(\mathcal {A}\)'s answer when \(\mathcal {A}\) outputs \((d', {\textsf{ICert}}_{\mathcal {A}})\).

  3. If \(\mathcal {A}\) wins, calculate \(d_0 = d' - \textrm{Hash}({\textsf{ICert}}_{\mathcal {A}}) \cdot d_1\), and output \(b:=d_0\).

We claim that \(B=b \cdot G\), which shows correctness, under the premise of \(Q_1=P'\) in \(\mathcal {V}_{N,P}\). We have \( B = Q' - \textrm{Hash}({\textsf{ICert}}_{\mathcal {A}}) \cdot P' = \big (\textrm{Hash}({\textsf{ICert}}_{\mathcal {A}}) \cdot d_1 + b\big ) \cdot G - \textrm{Hash}({\textsf{ICert}}_{\mathcal {A}}) \cdot P' = b \cdot G \). If \(\mathcal {A}\) successfully constructs the eligible nonroot implicit certificate, \(\mathcal {B}\) also succeeds in solving the ECDLP problem, proving the theorem.

Transform Implicit Certificates. Assume that a trusted certificate chain \(\big \{{\textsf{ICert}}_{1}\) \([P_1, \mathbb {E}(G)],{\textsf{ECert}}^{{{\,\textrm{R}\,}}}_{0}\) \([B, \mathbb {E}(G); \sigma ]\big \}\) is stored in the verifier \(\mathcal {V}_{N,P}\). We define \(\textrm{Game}^{I2E}_{\mathcal {A}, \mathcal {V}_{N,P}}\) \((\textsf{ICert}, n)\) as follows: After receiving \(\{{\textsf{ICert}}_1,\) \({\textsf{ECert}}^{{{\,\textrm{R}\,}}}_0\}\) and \((d_1, k')\) where \(Q_1:=\textrm{Hash}({\textsf{ICert}}_1) \cdot P_1 + Q_0 = d_1 \cdot G\text {,}\) (\(k'\) is defined in the ECQV procedure for \({\textsf{ICert}}_1\)), output a forged nonroot certificate with a private key \(\bigl (d', {\textsf{ECert}}_{\mathcal {A}}[Q', \mathbb {E}(G);\sigma _0]\bigr )\) so that \(Q' := d' \cdot G = P_1\).

Theorem 3

In the random oracle model, I2E does not exist in a normal \(\mathcal {V}_{N,P}\) if the ECDLP in \(\mathbb {E}(G)\) is hard to solve.

Proof

We design \(\textrm{Game}^{{{\,\textrm{ECDLP}\,}}}_{\mathcal {B}}(n, \mathbb {E}(G))\) using \(\textrm{Game}^{I2E}_{\mathcal {A}, \mathcal {V}_{N,P}}\) \((\textsf{ICert}, n)\) as follows:

  1. After receiving the public key \(B\), generate \({\textsf{ECert}}^{{{\,\textrm{R}\,}}}_0\) \([B,\mathbb {E}(G);\sigma ]\), asking an ECDSA signature oracle \(\mathcal {O}^{\textrm{Sign}}_{\mathcal {B}}\) for \(\sigma \).

  2. Call the ECQV procedure to generate \({\textsf{ICert}}_1[R,\mathbb {E}(G)]\) whose CA is \({\textsf{ECert}}^{{{\,\textrm{R}\,}}}_0\), with an intermediate value \(k_1\) and the private key \(d_1\). Note that the public and private key reconstruction values \((R,s)\) are obtained by a query to the Schnorr signature oracle \(\mathcal {O}^{\textrm{Sign}}_{\mathcal {B}}\), where \(m\) is defined as in Appendix 1.

  3. Send \(\big (\{{\textsf{ICert}}_1,{\textsf{ECert}}^{{{\,\textrm{R}\,}}}_0\}, d_1\big )\) to \(\mathcal {A}\).

  4. Judge \(\mathcal {A}\)'s answer when \(\mathcal {A}\) outputs \((d', {\textsf{ECert}}_{\mathcal {A}})\).

  5. If \(\mathcal {A}\) wins, calculate \({\textsf{ECert}}^{{{\,\textrm{R}\,}}}_0\)'s private key \(d_0 := d_1 - \textrm{Hash}({\textsf{ICert}}_{1}) \cdot d'\), and output \(b:=d_0\).

We claim that \(B=b \cdot G\), which shows correctness, under the premise of \(P_1=Q'\) in \(\mathcal {V}_{N,P}\). We have \( B = Q_1 - \textrm{Hash}({\textsf{ICert}}_1) \cdot P_1 = \big (\textrm{Hash}({\textsf{ICert}}_1) \cdot d' + b\big ) \cdot G - \textrm{Hash}({\textsf{ICert}}_1) \cdot P_1 = b \cdot G \). If \(\mathcal {A}\) successfully constructs the eligible nonroot explicit certificate, \(\mathcal {B}\) also succeeds in solving the ECDLP problem with the same probability.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Teng, Y. et al. (2024). Curveball+: Exploring Curveball-Like Vulnerabilities of Implicit Certificate Validation. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14345. Springer, Cham. https://doi.org/10.1007/978-3-031-51476-0_11

  • DOI: https://doi.org/10.1007/978-3-031-51476-0_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-51475-3

  • Online ISBN: 978-3-031-51476-0