CryptoDB
Open Source Is Not Enough. Attacking the EC-package of Bouncycastle version 1.x_132
| Authors: | Daniel Mall, Qing Zhong |
|---|---|
| Download: | http://eprint.iacr.org/2008/113 |
| Abstract: | BouncyCastle is an open source crypto provider written in Java which supplies classes for Elliptic Curve Cryptography (ECC). We have found a flaw in the class ECPoint resulting from an unhappy interaction of elementary algorithms. We show how to exploit this flaw in a real-world attack, e.g., on the encryption scheme ECIES. BouncyCastle has since fixed this flaw (version 1.x_133 and higher), but all older versions remain highly vulnerable to an active attacker, and the attack shows a certain vulnerability of the involved validation algorithms. |
BibTeX

```bibtex
@misc{eprint-2008-17790,
  title     = {Open Source Is Not Enough. Attacking the EC-package of Bouncycastle version 1.x_132},
  booktitle = {IACR Eprint archive},
  keywords  = {implementation / elliptic curve cryptography},
  url       = {http://eprint.iacr.org/2008/113},
  note      = {daniel.mall@fhnw.ch 13951 received 13 Mar 2008},
  author    = {Daniel Mall and Qing Zhong},
  year      = 2008
}
```