Interactive proof-of-concept of the Dual_EC_DRBG backdoor

dmhacker/dual-ec-drbg

dual-ec-drbg

This is an interactive proof-of-concept of the Dual_EC_DRBG backdoor. It uses an implementation of the 2006 Dual_EC_DRBG algorithm without any additional input. Please see this redacted NIST paper for algorithmic details. Project Bullrun also has a good overview of the subject.

This demonstration shows how a Shumow-Ferguson attack could be executed to recover the internal state of the pseudorandom number generator after the attacker sees as little as 32 bytes of output. It attempts to adhere as closely as possible to the actual NIST specification of the algorithm. However, because recovering the backdoor for the P and Q used in the standard is computationally hard and would require solving the ECDLP, the demonstration uses its own point Q and lets you choose the backdoor d such that dQ = P.

In order to run the demonstration, clone the repository and run `cargo run`. You can choose which curve, backdoor, and seed to use by passing them as additional arguments. By default, the program uses the P-256 curve with randomly generated seed and backdoor values. All numbers in the program are displayed in hexadecimal. Use `cargo run -- --help` for additional help.
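To make the state-recovery mechanism concrete at hand-checkable size, here is an added toy version of the attack in Python (example code, not the repository's Rust implementation): the textbook curve over GF(17), the constructed Q = (5, 1), the backdoor d = 3 and a 3-bit output mask stand in for P-256, the real Q and the 16-bit truncation of the specification. The shape is the same: one truncated output yields a handful of candidate states, the next output filters them, and the survivor reproduces every later output.

```python
# Added toy model of the Dual_EC_DRBG backdoor (not the repository's code). The textbook
# curve y^2 = x^3 + 2x + 2 over GF(17), whose group has prime order 19, stands in for P-256.
P_MOD, A, B = 17, 2, 2
MASK = 0b111  # each output keeps 3 low bits of x: stand-in for the 16 bits the spec discards

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

Q = (5, 1)        # constructed Q: a generator of the 19-element group
D = 3             # the backdoor d, known only to whoever chose the points
P = ec_mul(D, Q)  # P = d*Q = (10, 6); users see P and Q but never d

def dual_ec_outputs(seed, n):
    """Dual_EC_DRBG (2006, no additional input): s <- x(s*P); r <- x(s*Q) & MASK."""
    s, outs = seed, []
    for _ in range(n):
        s = ec_mul(s, P)[0]  # a state of 0 mod 19 would be infinity; seed 1 never reaches one
        outs.append(ec_mul(s, Q)[0] & MASK)
    return outs

def recover_state(r1, r2):
    """Shumow-Ferguson: fill r1's discarded bits every way, lift each x to R = s1*Q, take
    d*R = s1*P (its x is s2), keep the s2 whose next output is r2; then dual_ec_outputs(s2, n)."""
    survivors = set()
    for x in range(r1, P_MOD, MASK + 1):  # candidate full x coordinates: r1, r1 + 8, ...
        pts = [(x, y) for y in range(P_MOD) if y * y % P_MOD == (x ** 3 + A * x + B) % P_MOD]
        for R in pts:                     # R and -R share x(d*R), so the sign does not matter
            S = ec_mul(D, R)
            nxt = ec_mul(S[0], Q) if S else None
            if nxt and (nxt[0] & MASK) == r2:
                survivors.add(S[0])
    return survivors
```

With seed 1 the generator emits 7, 0, 1, 2, 0, 0, ...; `recover_state(7, 0)` returns the single state 13, and `dual_ec_outputs(13, 4)` reproduces the following 1, 2, 0, 0 without ever having seen the seed.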
