Invalid Curve in ECDH
Consequences
Compromise of session key and/or private Diffie-Hellman key
Access required for attack
Ability to modify public key parameters for an ECDH exchange
Explanation
An attacker may attempt to break Elliptic Curve Diffie-Hellman by sending weak or invalid public keys: for example, public keys that contain points not on the curve, curves that have been deliberately chosen so that discrete logs are easy to compute, or orders or cofactors that are wrong. A robust implementation should validate all the inputs of a key agreement and ensure that information about the private key is never leaked.
References
- Google Wycheproof Bugs List
- CVE-2015-7940: Bouncy Castle before v1.51 does not validate that a point is on the curve. Bouncy Castle v1.52 checks that the public key point is on the public key curve but does not check whether the public key and private key use the same curve.
- Ingrid Biehl, Bernd Meyer, Volker Müller, “Differential Fault Attacks on Elliptic Curve Cryptosystems”, Crypto ’00, pp. 131-164
- Adrian Antipa, Daniel Brown, Alfred Menezes, Rene Struik, and Scott Vanstone, “Validation of Elliptic Curve Public Keys”, PKC 2003,