Flawed implemented cryptographic algorithm in the Microsoft ecosystem

Pocarovsky, Stefan; Koppl, Martin; Orgon, Milos

doi:10.2478/jee-2022-0025

Abstract

With the continuous development in the electronic chip field, the requirements for the security of IT infrastructures are also increasing. The need for ever-increasing key lengths in cryptography to maintain security cannot grow indefinitely. One of the solutions in the field of cryptography for using shorter keys while maintaining security is cryptography based on the principle of elliptic curves. Asymmetric elliptic curve cryptosystems lies in solving the discrete logarithm problem on an elliptic curve. However, not only secure algorithm but also its correct implementation is important. In this paper, we discuss an incorrect implementation of the ECC algorithm in the crypt32.dll library (Microsoft Windows) and the possibilities of its misuse.

References

[1] R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and Public-Key Cryptosystems”, Communication of the ACM, vol. 21, No. 2, 1978.10.1145/359340.359342
Search in Google Scholar Back to article
[2] W. Diffie and M. E. Hellman, “New direction in cryptography”, IEEE Trans. Info. Theory, 1976.10.1109/TIT.1976.1055638
Search in Google Scholar Back to article
[3] E. Gilbert, F. MacWilliams, and N. Sloane, “Codes, which detect deception”, The Bell System technical Journal, vol. 53, no. 3, pp. 405-424, 1974.10.1002/j.1538-7305.1974.tb02751.x
Search in Google Scholar Back to article
[4] J. Jonsson and B. Kalisky, “Public-Key Cryptography Standards (PKCS), Fremont”, Internet Engineering Task Force, Internet Engineering Task Force.
Search in Google Scholar Back to article
[5] Understanding PKI: Concepts, Standards, and Deployment Considerations, Addison-Wesley Professional; 2nd edition (November 6), 2002.
Search in Google Scholar Back to article
[6] L. C. Washington, Elliptic Curves Number Theory and Cryptography, Boca Raton: CRC Press, 2000.
Search in Google Scholar Back to article
[7] V. G. Martinez, L. H. Encinas, and C. S. Avila, “A Survey of the Elliptic Curve Integrated Encryption Scheme”, Journal of computer science and engineering, vol 2, ISSUE 2, 2010.
Search in Google Scholar Back to article
[8] M. Dubyk and R. R. Varuni, Examining CVE-2020-0601 Crypt 32.dll Elliptic Curve Cryptography (ECC) Certificate Validation Vulnerability, The SANS institute, 01.03. 2022.
Search in Google Scholar Back to article
[9] G. FailOverFlow, “Console Hacking - PS3 Epic fails”, 2010.
Search in Google Scholar Back to article
[10] K. Burda, Aplikovan kryptografie, Brno, VUTIUM, (in Czech), 2013.
Search in Google Scholar Back to article
[11] SEC1: Elliptic Curve Cryptography, Mnonoauga: Certicom Research, 2000.
Search in Google Scholar Back to article
[12] NSA, Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers, 14. January, 2020.
Search in Google Scholar Back to article
[13] J. Simpson, A technical analysis of CurveBall, (CVE–0601), February, 2020.
Search in Google Scholar Back to article
[14] O. Lyak, POC for CVE–0601 Windows CryptoAPI, (Crypt32. dll), https://github.com/ly4k/CurveBall, January, 2020.
Search in Google Scholar Back to article

Flawed implemented cryptographic algorithm in the Microsoft ecosystem

Abstract

Paradigm

My account