| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | README.md | 519 |
| -rw-r--r-- | docs/FORMAT.md | 64 |
| -rw-r--r-- | docs/LIBS.md | 31 |
| -rw-r--r-- | docs/card.png | bin (0 -> 653 bytes) |
| -rw-r--r-- | docs/leaky_msb.png | bin (0 -> 135626 bytes) |
| -rw-r--r-- | docs/nonleaky_msb.png | bin (0 -> 187445 bytes) |
| -rw-r--r-- | requirements.txt | 4 |
7 files changed, 374 insertions, 244 deletions
@@ -1,154 +1,101 @@ -# ECTester +#  ECTester [](https://travis-ci.org/crocs-muni/ECTester) [](https://ci.appveyor.com/project/J08nY/ectester-cm6ng) [](https://github.com/crocs-muni/ECTester/releases) [](https://github.com/crocs-muni/ECTester/blob/master/LICENSE) [](https://crocs-muni.github.io/ECTester/) -Tests support and behavior of elliptic curve cryptography implementations on JavaCards (`TYPE_EC_FP` and `TYPE_EC_F2M`) and on selected software libraries. +ECTester is a tool for testing and analysis of elliptic curve cryptography implementations on JavaCards and in cryptographic libraries. It consists of four separate parts: + + - The ECTester applet, a JavaCard applet that provides the testing interface + - The ECTesterReader app, a reader app that works with the applet + - The ECTesterStandalone app, which works with software libraries + - Jupyter notebooks for analysis and visualization of data from the apps + For more information on ECC support on JavaCards see the [github page](https://crocs-muni.github.io/ECTester/), with results, tables and docs. +This project is developed by the [Centre for Research On Cryptography and Security](https://crocs.fi.muni.cz) at Faculty of Informatics, Masaryk University. + +## Contents + + - [Setup](#setup) + - [JavaCard testing](#javacard-testing): [Examples](#examples) + - [Standalone library testing](#standalone-library-testing): [Examples](#examples-1) + - [Analysis](#analysis): [Examples](#examples-2) + +## Other documentation + + - [TESTS](docs/TESTS.md): Description of card test suites. + - [CURVES](docs/CURVES.md): Description of curve and test data contained in ECTester. + - [FORMAT](docs/FORMAT.md): Description of input and output formats used by ECTester. + - [LIBS](docs/LIBS.md): List of cryptographic libraries supported by ECTester and their characteristics. + - [VULNS](docs/VULNS.md): List of vulnerabilities discovered using ECTester. + ## Setup -ECTester uses ant. 
There are three parts of ECTester, the JavaCard applet used for testing, the reader app which controls it and the standalone app which tests software libraries. +ECTester uses Java 8 and ant. There are three parts of ECTester, the JavaCard applet used for testing, the reader app which controls it and the standalone app which tests software libraries. The target platform for ECTester is Linux, but things should work on Windows as well, although testing of standalone libraries will be limited to Java libraries and Microsoft CNG library. + +To build ECTester simply do: ```bash -git submodule update --init --recursive # To initialize submodules. +git submodule update --init --recursive # To initialize submodules (JavaCard SDKs, Microsoft CNG, BoringSSL, ...) ant -f build-reader.xml package # To build the reader tool (jar) -> "dist/ECTesterReader.jar" ant -f build-standalone.xml package # To build the standalone tool (jar) -> "dist/ECTesterStandalone.jar" ant -f build-applet.xml build # To build the applet (cap) -> "applet/ectester.cap". ``` Build produces both a lightweight version of the JARs and a full version of the JARs with dependencies included, the latter has the `*-dist.jar` suffix. -The standalone build tries building test binaries for all the supported libraries, and silently fails if the library is not properly supported. -The applet comes in two flavors, targeting JavaCard 2.2.1 and 2.2.2. The 2.2.2 version supports extended length APDUs which are necessary for some commands -to work properly. Use the `cap` ant property to specify which CAP file to build, either `ectester221.cap` or `ectester222.cap`. +The applet comes in two flavors, targeting JavaCard 2.2.1 and 2.2.2. The 2.2.2 version supports extended length APDUs which are necessary for some commands to work properly. Use the `cap` ant property to specify which CAP file to build, either `ectester221.cap` or `ectester222.cap`. 
To build the 221 version do: ```bash ant -f build-applet.xml build -Dcap=ectester221.cap ``` +The `build-standalone.xml` ant build file invokes a Makefile (or a Makefile.bat on Windows) in `src/cz/crcs/ectester/standalone/libs/jni`, which tries to build the C/C++ shim libraries required for ECTester to test the actual native cryptographic libraries from Java. The Makefile uses pkg-config to locate the libraries installed, thus if non-standard location of the tested libraries is used, the Makefile or your pkg-config needs some changes to work. + +See the section on [setup](#setup-1) of standalone library testing for more details. + ## JavaCard testing -1. Upload `applet/ectester.cap` using your favorite tool (e.g., [GlobalPlatformPro tool](https://github.com/martinpaljak/GlobalPlatform)) or the `build-applet.xml` ant file. -2. Run `java -jar dist/ECTesterReader.jar -t`. +The JavaCard part of ECTester targets testing elliptic curve cryptography implementations in programmable smart cards of the JavaCard platform, version 2.2.1 and up. The reader app supports many actions, the main one being [testing](#test): the running of predetermined test suites that test the JavaCard for support, performance and vulnerabilities. The other actions focus on data collection, [generating keys](#generate), [signing data](#ecdsa), [performing key agreement](#ecdh) or [exporting the preset curves](#export), output of the mentioned actions can then be analyzed using the Jupyter notebooks, see [analysis](#analysis). + +1. Upload `applet/ectester.cap` using your favorite tool (e.g., [GlobalPlatformPro tool](https://github.com/martinpaljak/GlobalPlatform)) or the `build-applet.xml` ant file (target `upload` or `upload-emv`). +2. Run `java -jar dist/ECTesterReader.jar -t` or other data collection commands. 3. Inspect output log with annotated results. 
-Following operations are tested in the default test suite: +Following operations are tested in the default test suite, which is just a basic support test suite: + - Allocation of new KeyPair class for specified parameters - Generation of KeyPair with default curve - Setting of custom curve and KeyPair generation - Generation of shared secret via ECDH - Signature via ECDSA -See `java -jar ECTesterReader.jar -h`, `java -jar ECTesterReader.jar -ls` and [DOCS](docs/TESTS.md) for more. - -### Options - -``` - -V,--version Print version info. - -h,--help Print help. - -ln,--list-named <what> Print the list of supported named - curves and keys. - -ls,--list-suites List supported test suites. - -e,--export Export the defaut curve parameters - of the card(if any). - -g,--generate <amount> Generate <amount> of EC keys. - -t,--test <test_suite[:from[:to]]> Test ECC support. Optionally specify - a test number to run only a part of - a test suite. <test_suite>: - - default - - compression - - invalid - - twist - - degenerate - - cofactor - - wrong - - signature - - composite - - test-vectors - - edge-cases - - miscellaneous - -dh,--ecdh <count> Do EC KeyAgreement (ECDH...), - [count] times. - -dsa,--ecdsa <count> Sign data with ECDSA, [count] times. - -nf,--info Get applet info. - -b,--bit-size <bits> Set curve size. - -fp,--prime-field Use a prime field. - -f2m,--binary-field Use a binary field. - -nc,--named-curve <cat/id> Use a named curve, from CurveDB: - <cat/id> - -c,--curve <curve_file> Use curve from file <curve_file> - (field,a,b,gx,gy,r,k). - -u,--custom Use a custom curve (applet-side - embedded, SECG curves). - -npub,--named-public <cat/id> Use public key from KeyDB: <cat/id> - -pub,--public <pubkey_file> Use public key from file - <pubkey_file> (wx,wy). - -npriv,--named-private <cat/id> Use private key from KeyDB: <cat/id> - -priv,--private <privkey_file> Use private key from file - <privkey_file> (s). 
- -nk,--named-key <cat/id> Use keyPair from KeyDB: <cat/id> - -k,--key <key_file> Use keyPair from file <key_file> - (wx,wy,s). - -i,--input <input_file> Input from file <input_file>, for - ECDSA signing. - -o,--output <output_file> Output into file <output_file>. The - file can be prefixed by the format - (one of text,yml,xml), such as: - xml:<output_file>. - -l,--log <log_file> Log output into file [log_file]. - -v,--verbose Turn on verbose logging. - --format <format> Output format to use. One of: - text,yml,xml. - --fixed Generate key(s) only once, keep them - for later operations. - --fixed-private Generate private key only once, keep - it for later ECDH. - --fixed-public Generate public key only once, keep - it for later ECDH. - -kb,--key-builder Allocate KeyPair using KeyBuilder. - -f,--fresh Generate fresh keys (set domain - parameters before every generation). - --time Output better timing values, by - running command in dry run mode and - normal mode, and subtracting the - two. - --time-unit <unit> Use given time unit in measurement, - one of: milli, micro, nano. - --cleanup Send the cleanup command trigerring - JCSystem.requestObjectDeletion() - after some operations. - -s,--simulate Simulate a card with jcardsim - instead of using a terminal. - -y,--yes Accept all warnings and prompts. - -to,--test-options <options> Test options to use: - - preset: Use preset semi-random - private keys (derived from curve) - instead of generating keypairs on - the cards when the test needs one. - - random: Use fully random private - keys instead of generating keypairs. - -ka,--ka-type <type> Set KeyAgreement object [type], - corresponds to JC.KeyAgreement - constants. - -sig,--sig-type <type> Set Signature object [type], - corresponds to JC.Signature - constants. - -C,--color Print stuff with color, requires - ANSI terminal. -``` +See `java -jar ECTesterReader.jar -h`, `java -jar ECTesterReader.jar -ls` and [TESTS](docs/TESTS.md) for more. 
### Actions -#### Export -`-e / --export` - -Exports the default curves (if any) that are preset on the card. -Use with `-o / --output [out_file]` to output the curve parameters to a file. -For format of this file see [FORMAT](docs/FORMAT.md). +Actions for the reader app, exactly one of which is required for every run. #### Test `-t / --test [test_suite]` Perform support, performance and vulnerability tests of ECC. +Currently supported test suites include: + + - `default` + - `test-vectors` + - `compression` + - `miscellaneous` + - `signature` + - `wrong`* + - `invalid`* + - `twist`* + - `degenerate`* + - `composite`* + - `cofactor`* + - `edge-cases`* + +**\*NOTE: The `wrong`, `composite`, `invalid`,`twist`, `cofactor`, `edge-cases` and `degenerate` test suites caused temporary/permanent DoS of some cards. These test suites prompt you for +confirmation before running, be cautious.** + To select which tests will be performed, it is possible to enter the test suite name with a suffix which specifies the number of the first test to be run, and optionally the number of the last test to be run as `-t <test_suite>[:start_index[:stop_index]]`. @@ -156,6 +103,13 @@ Use with `-o / --output [out_type:]<out_file>` to output the test results to a f For possible formats of this file see [FORMAT](docs/FORMAT.md). For more info about the test suites see [TESTS](docs/TESTS.md). +#### Export +`-e / --export` + +Exports the default curves (if any) that are preset on the card. +Use with `-o / --output [out_file]` to output the curve parameters to a file. +For format of this file see [FORMAT](docs/FORMAT.md). + #### Generate `-g / --generate [amount]` 
@@ -187,7 +141,7 @@ For format of these files see [FORMAT](docs/FORMAT.md). Respects the Signature type specified in `-sig / --sig-type [type]`. #### List named curves -`-ln / --list-named []` +`-ln / --list-named [category/name]` Lists categories of curves, keys and keypairs embedded in ECTester's jar, along with some information about them. These can be used as arguments to the `-n[c|k|pub|priv] / --named-[curve|key|public|private]` parameters, using the format: `category/name`. @@ -208,6 +162,7 @@ Lists the implemented test suites and gives their short description. Get and print ECTester applet info from an applet installed on a card. Outputs: + - Card ATR - Negotiated protocol (T=0/T=1) - ECTester applet version @@ -216,7 +171,7 @@ Outputs: - JavaCard cleanup support - ECTester internal array sizes and APDU buffer size -### Example +### Examples Snippet below shows running the default test suite while simulating(`-s`), so using JCardSim. This shows that JCardsim simulates 112b Fp support with default curve present and supports ECDH, ECDHC and ECDSA. 
@@ -281,11 +236,56 @@ This shows that JCardsim simulates 112b Fp support with default curve present an If you are interested in testing support for other JavaCard algorithms, please visit JCAlgTester project: https://github.com/crocs-muni/JCAlgTest +Snippet below shows collection of 1000 of ECDSA signatures (`--ecdsa`) over a prime field (`-fp`) 160 bit (`-b`) curve, which will be the `secp160r1` curve, because of the `-u` switch, which selects one of the SECG curves for the bit-length. The applet signes randomly generated but static data using a fixed key (`--fixed`). Timing data is collected and output in nanoseconds (`--time-unit`) and output into `out.csv`. +``` +> java -jar ECTesterReader.jar --ecdsa 1000 -fp -b 160 -u --fixed --time-unit nano -o out.csv +Allocate Signature(ALG_ECDSA_SHA) object ┃ 10 ms ┃ OK (0x9000) +Allocate local keypair 160b ALG_EC_FP ┃ 57 ms ┃ OK (0x9000) +Set secp160r1 curve parameters on local keypair ┃ 0 ms ┃ OK (0x9000) +Generate local keypair ┃ 49 ms ┃ OK (0x9000) +Export keypair params from both keys of local keypair ┃ 0 ms ┃ OK (0x9000) +ALG_ECDSA_SHA signature with local keypair(provided data) ┃ 31 ms ┃ OK (0x9000) +ALG_ECDSA_SHA verification with local keypair(provided data) ┃ 40 ms ┃ OK (0x9000) +ALG_ECDSA_SHA signature with local keypair(provided data) ┃ 12 ms ┃ OK (0x9000) +ALG_ECDSA_SHA verification with local keypair(provided data) ┃ 19 ms ┃ OK (0x9000) +ALG_ECDSA_SHA signature with local keypair(provided data) ┃ 14 ms ┃ OK (0x9000) +ALG_ECDSA_SHA verification with local keypair(provided data) ┃ 19 ms ┃ OK (0x9000) +ALG_ECDSA_SHA signature with local keypair(provided data) ┃ 14 ms ┃ OK (0x9000) +... 
+``` + +The output of the above command, `out.csv` looks something like this: +``` +index;signTime[nano];verifyTime[nano];data;pubW;privS;signature[SHA1];nonce;valid +0;26255357;28391390;a82187036e952ef2facb119b283883473944a0705f6e5979bf941789006b1b66;0463456917124646414c737ab5b2f83cf14d87139d047eac35b3e045a3e779ba345150d02e334454a8;3ebe95d4fda4988e000cba9b0cce25992da0f11d;302c02144be3feb924778b4ef4dff059935a53ca38b5016c02144161ca9cce5afbe2d06fd37379200eec0ad9c9d3;00c79485ede7e464b8c37312008fc54fea69d75463;1 +1;14306042;20846855;a82187036e952ef2facb119b283883473944a0705f6e5979bf941789006b1b66;0463456917124646414c737ab5b2f83cf14d87139d047eac35b3e045a3e779ba345150d02e334454a8;3ebe95d4fda4988e000cba9b0cce25992da0f11d;302d021500a3684c699aded3af7b6e9c2d5bd033974443588c02143ee89959bb25c524da19b90f852e0dfcdb4ed6f6;00d9e1ad90d83dd3fc23b91061de6abf094e23e15a;1 +2;16327883;18140346;a82187036e952ef2facb119b283883473944a0705f6e5979bf941789006b1b66;0463456917124646414c737ab5b2f83cf14d87139d047eac35b3e045a3e779ba345150d02e334454a8;3ebe95d4fda4988e000cba9b0cce25992da0f11d;302d0214429d54da93314437c5e1dd8a5244050f6b810dd3021500b989c5f990e702f319fb862d74172f5cc704e968;6206c53cabfc51fdcce5b5c551f091ddc5064dc2;1 +3;19589990;37379094;a82187036e952ef2facb119b283883473944a0705f6e5979bf941789006b1b66;0463456917124646414c737ab5b2f83cf14d87139d047eac35b3e045a3e779ba345150d02e334454a8;3ebe95d4fda4988e000cba9b0cce25992da0f11d;302c02142017caabf802f18c5ac26d7b9c4679d34fcbd335021442a6dd6d63e136a27cda25e0e6197db4a30a9609;00ecdd91d35735d084dfb912d4aeca7e3f68cf2cd5;1 +4;15369903;22086733;a82187036e952ef2facb119b283883473944a0705f6e5979bf941789006b1b66;0463456917124646414c737ab5b2f83cf14d87139d047eac35b3e045a3e779ba345150d02e334454a8;3ebe95d4fda4988e000cba9b0cce25992da0f11d;302e021500c82cb5d17aa2c1e13659c3ee0be8896f8e416731021500a1bdbfb48c46490c82af88f590c79d5770916c79;0094f752027314501b3586295c660576c184d9c9ee;1 +``` +This output can be then analysed using Jupyter notebooks in the `util` directory, 
see [analysis](#analysis) for more. + +Snippet below shows output of the info command: +``` +> java -jar ECTesterReader.jar -nf +Card ATR: 3bdb960080b1fe451f830031c064c308010001900095 +Card protocol: T=1 +ECTester applet version: v0.3.3 +ECTester applet APDU support: extended length +JavaCard API version: 2.2 +JavaCard supports system cleanup: true +Array sizes (apduBuf,ram,ram2,apduArr): 635 256 256 512 +``` + + ## Standalone library testing +The standalone part of ECTester targets testing elliptic curve cryptography implementations in Java and native cryptographic libraries. + Currently supported libraries include: - - [BouncyCastle](https://bouncycastle.org/java.html) - - [Sun EC](https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunEC) + + - [BouncyCastle](https://bouncycastle.org/java.html) (Java) + - [Sun EC](https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunEC) (Java) - [OpenSSL](https://www.openssl.org/) - [BoringSSL](https://boringssl.googlesource.com/boringssl) - [wolfSSL](https://www.wolfssl.com/) 
@@ -297,13 +297,54 @@ Currently supported libraries include: - [Intel Performance Primitives Crypto](https://github.com/intel/ipp-crypto) - [MatrixSSL](https://github.com/matrixssl/matrixssl) - [MbedTLS](https://github.com/ARMmbed/mbedtls) - + For more information on ECC libraries see [LIBS](docs/LIBS.md). ### Setup +Simply doing `ant -f build-standalone.xml package` should build everything necessary to teste libraries via the standalone app, the sections below describe the details of how that works and what needs to be done if it doesn't. + +To see whether your build was sucessful, go to the `dist` directory, run: +`java -jar ECTesterStandalone.jar list-libs` and observe if your target libraries are included in the output. If they are not, and they are native libraries, it means that either the shim library was not built successfully or that the actual native library couldn't be found and loaded on runtime. To solve the former, look for build errors during the ant run in the `libs-try` step, for the latter, if the library is in an non-standard location specifying `LD_LIBRARY_PATH` will help load it. Consulting the next sections should help solve both. + +#### Native + +ECTester interfaces with native libraries by using custom shim libraries that expose the functionality via the [Java Native Interface](https://en.wikipedia.org/wiki/Java_Native_Interface), these can be found in the [src/cz/crcs/ectester/standalone/libs/jni](src/cz/crcs/ectester/standalone/libs/jni) directory along with a Makefile (Makefile.bat for Windows). The shim library will depend on the native library, and have a name like `boringssl_provider.so`, `botan_provider.so`, `cryptopp_provider.so` and `openssl_provider.so`. The Makefile has a target for every library that it supports that builds its shim, see the `help` target for more info. 
The Makefile is automatically ran when the `build-standalone.xml` ant build is triggered, so if all is setup correctly, you do not need to deal with the Makefile while building. + +There are two important environmental variables that should be set in your environment. First, you should set `JAVA_HOME` which should point to your JDK. The tooling uses `JAVA_HOME` to locate native Java library headers, like `jni.h`. Second, ECTester uses pkg-config to locate the native libraries, if your pkg-config files are in an unusual place the pkg-config command would not find them by default, you should set `PKG_CONFIG_PATH` to the directory containing the `*.pc` files. If pkg-config files are unavailable for the library you are trying to test, you will need to change the Makefile manually to apply the correct options to the commands (CFLAGS, include options, linker options...). + +Below you can see how a full build with all the libraries currently supported on Linux looks +``` +> cd src/cz/crcs/ectester/standalone/libs/jni +> make +cc -DLTM_DESC -I/usr/local/include -fPIC -I"/usr/lib/jvm/java-8-openjdk/include" -I"/usr/lib/jvm/java-8-openjdk/include/linux" -I. -O2 -c tomcrypt.c +cc -fPIC -I"/usr/lib/jvm/java-8-openjdk/include" -I"/usr/lib/jvm/java-8-openjdk/include/linux" -I. -O2 -c c_utils.c +cc -o lib_timing.so -shared -fPIC -I"/usr/lib/jvm/java-8-openjdk/include" -I"/usr/lib/jvm/java-8-openjdk/include/linux" -I. -O2 -Wl,-soname,lib_timing.so c_timing.c +g++ -I/usr/include/botan-2 -fPIC -I"/usr/lib/jvm/java-8-openjdk/include" -I"/usr/lib/jvm/java-8-openjdk/include/linux" -I. -O2 -c botan.cpp +g++ -fPIC -I"/usr/lib/jvm/java-8-openjdk/include" -I"/usr/lib/jvm/java-8-openjdk/include/linux" -I. -O2 -c cpp_utils.cpp +g++ -I/usr/local/include -fPIC -I"/usr/lib/jvm/java-8-openjdk/include" -I"/usr/lib/jvm/java-8-openjdk/include/linux" -I. -O2 -c cryptopp.cpp +cc -fPIC -I"/usr/lib/jvm/java-8-openjdk/include" -I"/usr/lib/jvm/java-8-openjdk/include/linux" -I. 
-O2 -c openssl.c +cc -I../../../../../../../ext/boringssl/include/ -fPIC -I"/usr/lib/jvm/java-8-openjdk/include" -I"/usr/lib/jvm/java-8-openjdk/include/linux" -I. -O2 -c boringssl.c +cp ../../../../../../../ext/boringssl/build/crypto/libcrypto.so lib_boringssl.so +cc -fPIC -I"/usr/lib/jvm/java-8-openjdk/include" -I"/usr/lib/jvm/java-8-openjdk/include/linux" -I. -O2 -c gcrypt.c +cc -fPIC -I"/usr/lib/jvm/java-8-openjdk/include" -I"/usr/lib/jvm/java-8-openjdk/include/linux" -I. -O2 -c mbedtls.c +cc -fPIC -I"/usr/lib/jvm/java-8-openjdk/include" -I"/usr/lib/jvm/java-8-openjdk/include/linux" -I. -O2 -c ippcp.c +cc -fPIC -I"/usr/lib/jvm/java-8-openjdk/include" -I"/usr/lib/jvm/java-8-openjdk/include/linux" -I. -O2 -Imatrixssl/ -c matrixssl.c +cc -fPIC -shared -O2 -o tomcrypt_provider.so -Wl,-rpath,'$ORIGIN/lib' tomcrypt.o c_utils.o -L. -ltommath -L/usr/local/lib -ltomcrypt -l:lib_timing.so +cc -fPIC -shared -O2 -o openssl_provider.so -Wl,-rpath,'$ORIGIN/lib' openssl.o c_utils.o -L. -lssl -lcrypto -l:lib_timing.so +cc -fPIC -shared -O2 -o boringssl_provider.so -Wl,-rpath,'$ORIGIN/lib' boringssl.o c_utils.o -L. lib_boringssl.so -l:lib_timing.so +cc -fPIC -shared -O2 -o gcrypt_provider.so -Wl,-rpath,'$ORIGIN/lib' gcrypt.o c_utils.o -L. -lgcrypt -lgpg-error -l:lib_timing.so +cc -fPIC -shared -O2 -o mbedtls_provider.so -Wl,-rpath,'$ORIGIN/lib' mbedtls.o c_utils.o -L. -lmbedcrypto -l:lib_timing.so +cc -fPIC -shared -O2 -o ippcp_provider.so -Wl,-rpath,'$ORIGIN/lib' ippcp.o c_utils.o -L. -lippcp -l:lib_timing.so +cc -fPIC -shared -O2 -o matrixssl_provider.so -Wl,-rpath,'$ORIGIN/lib' -L. matrixssl.o c_utils.o libcrypt_s.a libcore_s.a -l:lib_timing.so +g++ -fPIC -shared -O2 -o botan_provider.so -Wl,-rpath,'$ORIGIN/lib' botan.o cpp_utils.o -L. -lbotan-2 -fstack-protector -m64 -pthread -l:lib_timing.so +g++ -fPIC -shared -O2 -o cryptopp_provider.so -Wl,-rpath,'$ORIGIN/lib' cryptopp.o cpp_utils.o -L. 
-L/usr/local/lib -lcryptopp -l:lib_timing.so +``` + +#### Java + OpenJDK JRE is required to test ECDH on Windows properly, as Oracle JRE requires the Java Cryptography Providers -for certain classes (such as a [KeyAgreement](https://docs.oracle.com/javase/8/docs/api/javax/crypto/KeyAgreement.html)) +for certain classes (such as a [KeyAgreement](https://docs.oracle.com/javase/8/docs/api/javax/crypto/KeyAgreement.html)) to be signed by keys that are signed by their JCA Code Signing Authority. ECTester internally uses Java Cryptography Provider API to expose and test native libraries. OpenJDK for Windows can be obtained from [ojdkbuild/ojdkbuild](https://github.com/ojdkbuild/ojdkbuild). 
@@ -316,100 +357,174 @@ with quite a lot of practical key sizes, they are available for download: To install, place them in `${java.home}/jre/lib/security/`. -### Options +### Examples +Snippet below shows how the `list-libs` command for well, listing currently supported libraries, behaves if all supported libraries are present (on Linux). ``` -usage: ECTesterStandalone.jar [-V] [-h <command>] [-C] [ - (ecdh [-b <n>] [-nc <cat/id>] [-cn <name>] [-o <output_file>] [-t <type>] [--key-type <algorithm>] [-n <amount>] [-npub <cat/id> | -pub <pubkey>] [--fixed-private] [-npriv <cat/id> | -priv <privkey>] [--fixed-public]) | - (ecdsa [-b <n>] [-nc <cat/id>] [-cn <name>] [-o <output_file>] [-npriv <cat/id> | -priv <privkey>] [-npub <cat/id> | -pub <pubkey>] [-t <type>] [-n <amount>] [-f <file>]) | - (export [-b <n>] [-o <output_file>] [-t <type>]) | - (generate [-b <n>] [-nc <cat/id>] [-cn <name>] [-o <output_file>] [-n <amount>] [-t <type>]) | - (list-data [what]) | - (list-libs) | - (list-suites) | - (list-types) | - (test [-b <n>] [-nc <cat/id>] [-cn <name>] [-gt <type>] [-kt <type>] [-st <type>] [-f <format>] [--key-type <algorithm>] <test-suite>) -] [lib] +> java -jar ECTesterStandalone.jar list-libs + - Sun Elliptic Curve provider (EC, ECDSA, ECDH) + - Version: 1.800000 + - Supports native timing: [] + - KeyPairGenerators: EC + - KeyAgreements: ECDH + - Signatures: NONEwithECDSA, ECDSA, SHA384withECDSA, SHA224withECDSA, SHA512withECDSA, SHA256withECDSA + - Curves: X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP160r1, brainpoolP192r1, brainpoolP224r1, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, secp256r1, secp384r1, 
secp521r1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1 + + - BouncyCastle Security Provider v1.58 + - Version: 1.580000 + - Supports native timing: [] + - KeyPairGenerators: ECMQV, ECDSA, EC, ECDH, ECDHC + - KeyAgreements: ECCDHwithSHA384KDF, ECDHwithSHA256KDF, ECDHwithSHA384KDF, ECDHwithSHA1KDF, ECDHwithSHA224KDF, ECDH, ECDHC, ECDHwithSHA512KDF, ECCDHwithSHA1KDF, ECCDHwithSHA512KDF, ECCDHwithSHA224KDF, ECCDHwithSHA256KDF + - Signatures: SHA1withCVC-ECDSA, NONEwithECDSA, ECGOST3410, SHA256withECNR, ECGOST3410-2012-512, SHA512withECDDSA, GOST3411-2012-512withECGOST3410-2012-512, SHA3-512withECDSA, SHA384withPLAIN-ECDSA, SHA256withECDSA, SHA224withECDDSA, SHA256withECDDSA, ECDSA, SHA3-256withECDSA, SHA256withPLAIN-ECDSA, SHA224withECNR, SHA384withECDDSA, SHA512withECNR, SHA256withCVC-ECDSA, SHA1withECNR, ECDDSA, SHA1withPLAIN-ECDSA, GOST3411-2012-256withECGOST3410-2012-256, SHA384withCVC-ECDSA, SHA512withPLAIN-ECDSA, SHA224withCVC-ECDSA, SHA3-224withECDSA, SHA3-224withECDDSA, SHA224withPLAIN-ECDSA, SHA3-384withECDDSA, SHA384withECDSA, SHA3-384withECDSA, SHA3-512withECDDSA, SM3withSM2, GOST3411withECGOST3410, SHA224withECDSA, SHA512withECDSA, RIPEMD160withECDSA, ECGOST3410-2012-256, SHA512withCVC-ECDSA, RIPEMD160withPLAIN-ECDSA, SHA3-256withECDDSA + - Curves: B-163, B-233, B-283, B-409, B-571, FRP256v1, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521, brainpoolp160r1, brainpoolp160t1, brainpoolp192r1, brainpoolp192t1, brainpoolp224r1, brainpoolp224t1, brainpoolp256r1, brainpoolp256t1, brainpoolp320r1, brainpoolp320t1, brainpoolp384r1, brainpoolp384t1, brainpoolp512r1, brainpoolp512t1, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176w1, c2pnb208w1, c2pnb272w1, c2pnb304w1, c2pnb368w1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v1, prime192v2, 
prime192v3, prime239v1, prime239v2, prime239v3, prime256v1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, secp256r1, secp384r1, secp521r1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, sm2p256v1, wapip192v1 + + - libtomcrypt 1.18.1 + - Version: 1.180000 + - Supports native timing: [cputime-processor, cputime-thread, monotonic, monotonic-raw, rdtsc] + - KeyPairGenerators: EC + - KeyAgreements: ECDH + - Signatures: NONEwithECDSA + - Curves: ECC-192, ECC-224, ECC-256, ECC-384, ECC-521, SECP112R1, SECP128R1, SECP160R1 - -V,--version Print version info. - -h,--help <command> Print help(about <command>). - -C,--color Print stuff with color, requires ANSI terminal. - [lib] What library to use. + - Botan 2.11.0 (release, dated 20190701, revision git:16a726c3ad10316bd8d37b6118a5cc52894e8e8f, distribution unspecified) + - Version: 2.110000 + - Supports native timing: [cputime-processor, cputime-thread, monotonic, monotonic-raw, rdtsc] + - KeyPairGenerators: ECGDSA, ECDSA, ECKCDSA, ECDH + - KeyAgreements: ECDHwithSHA256KDF, ECDHwithSHA384KDF, ECDHwithSHA1KDF, ECDHwithSHA224KDF, ECDH, ECDHwithSHA512KDF + - Signatures: NONEwithECDSA, NONEwithECKCDSA, SHA256withECKCDSA, SHA512withECGDSA, SHA256withECDSA, NONEwithECGDSA, ECKCDSA, ECDSA, SHA224withECKCDSA, SHA384withECKCDSA, SHA224withECGDSA, SHA384withECDSA, ECGDSA, SHA384withECGDSA, SHA224withECDSA, SHA512withECDSA, SHA512withECKCDSA + - Curves: brainpool160r1, brainpool192r1, brainpool224r1, brainpool256r1, brainpool320r1, brainpool384r1, brainpool512r1, frp256v1, gost_256A, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, secp256r1, secp384r1, secp521r1, sm2p256v1, x962_p192v2, x962_p192v3, x962_p239v1, x962_p239v2, x962_p239v3 - ecdh: | Perform EC based 
KeyAgreement. | - -b,--bits <n> What size of curve to use. - -nc,--named-curve <cat/id> Use a named curve, from CurveDB: - <cat/id> - -cn,--curve-name <name> Use a named curve, search from curves - supported by the library: <name> - -o,--output <output_file> Output into file <output_file>. - -t,--type <type> Set KeyAgreement object [type]. - --key-type <algorithm> Set the key [algorithm] for which the - key should be derived in - KeyAgreements with KDF. Default is "AES". - -n,--amount <amount> Do ECDH [amount] times. - -npub,--named-public <cat/id> Use a named public key, from CurveDB: - <cat/id> - -pub,--public <pubkey> Use a given public key from file. - --fixed-private Perform ECDH with fixed private key. - -npriv,--named-private <cat/id> Use a named private key, from - CurveDB: <cat/id> - -priv,--private <privkey> Use a given private key from file. - --fixed-public Perform ECDH with fixed public key. + - Crypto++ 8.3.0 + - Version: 8.000000 + - Supports native timing: [cputime-processor, cputime-thread, monotonic, monotonic-raw, rdtsc] + - KeyPairGenerators: ECDSA, ECDH + - KeyAgreements: ECDH + - Signatures: ECDSA, SHA384withECDSA, SHA224withECDSA, SHA512withECDSA, SHA256withECDSA + - Curves: 1.2.156.10197.1.301, 1.2.156.10197.1.301.3.1, 1.2.840.10045.3.1.1, 1.2.840.10045.3.1.7, 1.3.132.0.1, 1.3.132.0.10, 1.3.132.0.15, 1.3.132.0.16, 1.3.132.0.17, 1.3.132.0.2, 1.3.132.0.22, 1.3.132.0.23, 1.3.132.0.24, 1.3.132.0.25, 1.3.132.0.26, 1.3.132.0.27, 1.3.132.0.28, 1.3.132.0.29, 1.3.132.0.3, 1.3.132.0.30, 1.3.132.0.31, 1.3.132.0.32, 1.3.132.0.33, 1.3.132.0.34, 1.3.132.0.35, 1.3.132.0.36, 1.3.132.0.37, 1.3.132.0.38, 1.3.132.0.39, 1.3.132.0.4, 1.3.132.0.5, 1.3.132.0.6, 1.3.132.0.7, 1.3.132.0.8, 1.3.132.0.9, 1.3.36.3.3.2.8.1.1.1, 1.3.36.3.3.2.8.1.1.11, 1.3.36.3.3.2.8.1.1.13, 1.3.36.3.3.2.8.1.1.3, 1.3.36.3.3.2.8.1.1.5, 1.3.36.3.3.2.8.1.1.7, 1.3.36.3.3.2.8.1.1.9 - ecdsa: | Perform EC based Signature. | - -b,--bits <n> What size of curve to use. 
- -nc,--named-curve <cat/id> Use a named curve, from CurveDB: - <cat/id> - -cn,--curve-name <name> Use a named curve, search from curves - supported by the library: <name> - -o,--output <output_file> Output into file <output_file>. - -npriv,--named-private <cat/id> Use a named private key, from - CurveDB: <cat/id> - -priv,--private <privkey> Use a given private key from file. - -npub,--named-public <cat/id> Use a named public key, from CurveDB: - <cat/id> - -pub,--public <pubkey> Use a given public key from file. - -t,--type <type> Set Signature object [type]. - -n,--amount <amount> Do ECDSA [amount] times. - -f,--file <file> Input [file] to sign. + - OpenSSL 1.1.1c 28 May 2019 + - Version: 1.110000 + - Supports native timing: [cputime-processor, cputime-thread, monotonic, monotonic-raw, rdtsc] + - KeyPairGenerators: EC + - KeyAgreements: ECDH + - Signatures: NONEwithECDSA + - Curves: Oakley-EC2N-3, Oakley-EC2N-4, SM2, brainpoolP160r1, brainpoolP160t1, brainpoolP192r1, brainpoolP192t1, brainpoolP224r1, brainpoolP224t1, brainpoolP256r1, brainpoolP256t1, brainpoolP320r1, brainpoolP320t1, brainpoolP384r1, brainpoolP384t1, brainpoolP512r1, brainpoolP512t1, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, c2pnb208w1, c2pnb272w1, c2pnb304w1, c2pnb368w1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, prime256v1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, secp384r1, secp521r1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, wap-wsg-idm-ecid-wtls1, wap-wsg-idm-ecid-wtls10, wap-wsg-idm-ecid-wtls11, wap-wsg-idm-ecid-wtls12, wap-wsg-idm-ecid-wtls3, wap-wsg-idm-ecid-wtls4, wap-wsg-idm-ecid-wtls5, wap-wsg-idm-ecid-wtls6, 
wap-wsg-idm-ecid-wtls7, wap-wsg-idm-ecid-wtls8, wap-wsg-idm-ecid-wtls9 - export: | Export default curve parameters. | - -b,--bits <n> What size of curve to use. - -o,--output <output_file> Output into file <output_file>. - -t,--type <type> Set KeyPair object [type]. + - OpenSSL 1.1.0 (compatible; BoringSSL) + - Version: 1.100000 + - Supports native timing: [cputime-processor, cputime-thread, monotonic, monotonic-raw, rdtsc] + - KeyPairGenerators: EC + - KeyAgreements: ECDH + - Signatures: NONEwithECDSA + - Curves: prime256v1, secp224r1, secp384r1, secp521r1 - generate: | Generate EC keypairs. | - -b,--bits <n> What size of curve to use. - -nc,--named-curve <cat/id> Use a named curve, from CurveDB: <cat/id> - -cn,--curve-name <name> Use a named curve, search from curves - supported by the library: <name> - -o,--output <output_file> Output into file <output_file>. - -n,--amount <amount> Generate [amount] of EC keys. - -t,--type <type> Set KeyPairGenerator object [type]. + - libgcrypt 1.8.4 + - Version: 1.800000 + - Supports native timing: [cputime-processor, cputime-thread, monotonic, monotonic-raw, rdtsc] + - KeyPairGenerators: EC + - KeyAgreements: ECDH + - Signatures: SHA224withECDDSA, SHA256withECDDSA, NONEwithECDSA, ECDSA, ECDDSA, SHA384withECDSA, SHA512withECDDSA, SHA224withECDSA, SHA512withECDSA, SHA384withECDDSA, SHA256withECDSA + - Curves: Curve25519, Ed25519, GOST2001-CryptoPro-A, GOST2001-CryptoPro-B, GOST2001-CryptoPro-C, GOST2001-test, GOST2012-tc26-A, GOST2012-tc26-B, GOST2012-test, NIST P-192, NIST P-224, NIST P-256, NIST P-384, NIST P-521, brainpoolP160r1, brainpoolP192r1, brainpoolP224r1, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1, secp256k1 - list-data: | List/show contained EC domain parameters/keys. | - [what] what to list. 
+ - wolfCrypt JCE Provider + - Version: 1.000000 + - Supports native timing: [] + - KeyPairGenerators: EC + - KeyAgreements: ECDH + - Signatures: ECDSA, SHA384withECDSA, SHA512withECDSA, SHA256withECDSA - list-libs: | List supported libraries. | + - mbed TLS 2.16.0 + - Version: 3.000000 + - Supports native timing: [cputime-processor, cputime-thread, monotonic, monotonic-raw, rdtsc] + - KeyPairGenerators: EC + - KeyAgreements: ECDH + - Signatures: NONEwithECDSA + - Curves: brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, secp256r1, secp384r1, secp521r1 - list-suites: | List supported test suites. | + - 2020.0.0 (-) + - Version: 2020.000000 + - Supports native timing: [cputime-processor, cputime-thread, monotonic, monotonic-raw, rdtsc] + - KeyPairGenerators: EC + - KeyAgreements: ECDH + - Signatures: NONEwithECDSA + - Curves: secp112r1, secp112r2, secp128r1, secp128r2, secp160r1, secp160r2, secp192r1, secp224r1, secp256r1, secp384r1, secp521r1 - list-types: | List KeyPairGenerator, KeyAgreement and Signature types. | + - MatrixSSL + - Version: 4.100000 + - Supports native timing: [cputime-processor, cputime-thread, monotonic, monotonic-raw, rdtsc] + - KeyPairGenerators: EC + - KeyAgreements: ECDH + - Signatures: NONEwithECDSA + - Curves: brainpoolP224r1, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp192r1, secp224r1, secp256r1, secp384r1, secp521r1 +``` + +Snippet below demonstrates generation of 1000 (`-n`) keys on the named curve `secp256r1` (`-nc`) using the BouncyCastle library. 
+``` +> java -jar ECTesterStandalone.jar gen -n 1000 -nc secg/secp256r1 Bouncy +index;time[nano];pubW;privS +0;18459241;04886c2d253490d6a80906628aea65dc6763fe53690241d54de1f479f44d120e6349528644b3736eda0a8a0326563c3a846a415e1ff029a22404718c91770349d4;532e9b01e439df0ae63f7ed0a9c5f57f91175fd21d80a1d048c93fda7b704522 +1;1672835;049de329ce6d7d031a693143890ea7a277c0cb400b534b3a075614a1ec7d0b1e1680bd6791bb5027007ea286aa86a3af451e6772440be0adb3b19d249a47f8581e;00d69151b165880f93d18b4870b613e012ff00883192cd405d1fccd23e9001f9cc +2;1433582;04cdf57599adb2096259ce55cc7bb8f4278ea50e8eb40eece42b73f532ac92da1702da16dcfbc378170828dfab29e202aefcce98573d94b37a911ab6d69f4de690;7fb22f96166c90436caa3be55023750333c9b4101761dd5e5257d0909a377435 +3;1388344;043f031b1efe0946c4cb4bf154c1ebefd63c3759aff2b021ae3338c99572fee66eb93dbd2f54907c55005df47618365f2f25238e8956cf27a132bc22ee1a014b5a;17c5e6164fced4ea35def7b6889797e10ac1c122044d139b56fd77bd6db973bd +4;1190134;043495f79ae0d6ef885ea4229da46b07aedd10bf7646f91fc7ccdce1f24839e7323e101cdd4acd90e8deb023faf324c1d8cb37421df38f268d28bc83a39297ee0b;6effde3b884f22ecd6e8dbe01e90c80587be9fa7fe39a0293e34c9254efb1210 +5;858219;0472197b8c6622a1715e7a3cbb4e2fcdb58448880b35f65295c68992a2646904619d85f87896aeefdd1704d04a9f0956f5bd4c6147f01b1fdc0dbd1d82d9554c4a;73c2d2f87f83d8f568d4173b98eab8e9ded2e17a9561cd194adcbb3d139242d0 +6;873804;04829646ac5dbf5324c217a0d24239e33bfd4680634ae70fc27a9884f38b4eac04416c5127eec915993fc4d89076e7540bc973644c0ba2b5a509386734693daf9b;7dd1eccbe8919fe3dd7612fb22fa5fd060f6cb40e0abdc0f9f977e1f949f9ca6 +... +``` + +Snippet below demonstrates performing 10 ECDSA signatures, without hashing the message (`-t NONEwithECDSA`) on the `secp256r1` curve, with a fixed keypair throught the process (`--fixed`), utilizing the rdtsc instruction to measure duration (`--time-source`) and using the MatrixSSL library. 
+``` +> java -jar ECTesterStandalone.jar ecdsa -n 10 -t NONEwithECDSA -nc secg/secp256r1 --fixed --time-source rdtsc Matrix +index;signTime[instr];verifyTime[instr];data;pubW;privS;signature[NONE];nonce;verified +0;6785333;18200703;24b064ff5a4d08df6f982d0e139677fb4e66602bea01e381e16d4d3614fd09d5;0429ef9b52fc5c9b8711c938820f4d15d6aab1dcd8aa5a80e754233f23c622a5a174cca795068aff9c979bff7e6f1345b529612a4d16df6adf56b8ac250a1fafc3;54d06d1a79b2b43dc072b96ca7b9f045fda84ac13f74ef81fab0d561a47d11d1;3045022070ca3dfe2017892d23a2301b2465ab387af7999c79de7dae53ec04d1600a25800221009fc9a6fe20c7930b9d8be40424ab4b08fa641f339efa81e6ccf5497cd71180f0;57ebf83913734ff0a78fa952da12996c48da17fbcf5967e74eb3e2c6b5e726b1;1 +1;8582180;16170010;24b064ff5a4d08df6f982d0e139677fb4e66602bea01e381e16d4d3614fd09d5;0429ef9b52fc5c9b8711c938820f4d15d6aab1dcd8aa5a80e754233f23c622a5a174cca795068aff9c979bff7e6f1345b529612a4d16df6adf56b8ac250a1fafc3;54d06d1a79b2b43dc072b96ca7b9f045fda84ac13f74ef81fab0d561a47d11d1;3045022100efd3efc1bb2ed243eec9bea4bc331966e869c02df1fc8686a7649708c106595a022050e9a2548bac56bb3287f27c1761136947eefaa8a92f31978ed9485a03cb8f3d;0f5d3cc25d3eb69177b7917631f5639a088773873e91c1adb0a2b753987cace8;1 +2;14906610;28661375;24b064ff5a4d08df6f982d0e139677fb4e66602bea01e381e16d4d3614fd09d5;0429ef9b52fc5c9b8711c938820f4d15d6aab1dcd8aa5a80e754233f23c622a5a174cca795068aff9c979bff7e6f1345b529612a4d16df6adf56b8ac250a1fafc3;54d06d1a79b2b43dc072b96ca7b9f045fda84ac13f74ef81fab0d561a47d11d1;3044022012ff4f949d1957c160ffdf5e53e6d3925c464954a79df2a613360e9513f647f5022001c337de39c78d16db21ee061a7f85cdd52a249570b59ef3f6c43f94a494a3a7;01525f491f4173281eb2f23877d816aa20f77f25ef87c9241dc130c2b862f923;1 
+3;14364756;17223863;24b064ff5a4d08df6f982d0e139677fb4e66602bea01e381e16d4d3614fd09d5;0429ef9b52fc5c9b8711c938820f4d15d6aab1dcd8aa5a80e754233f23c622a5a174cca795068aff9c979bff7e6f1345b529612a4d16df6adf56b8ac250a1fafc3;54d06d1a79b2b43dc072b96ca7b9f045fda84ac13f74ef81fab0d561a47d11d1;3046022100ddad3254d04df6914b886275b1d01939ea64481fba8bea2c4b3eac611ef3ce4a022100ca7702d7d1bea15bf7c8e77da9421e053e6b2235e3390fdcc0b60a69dc5cbc16;00810fe33ddc3dcee687f6310394c2f326d6024103e0b5dca97ddd157bb9d82721;1 +4;8211882;14507032;24b064ff5a4d08df6f982d0e139677fb4e66602bea01e381e16d4d3614fd09d5;0429ef9b52fc5c9b8711c938820f4d15d6aab1dcd8aa5a80e754233f23c622a5a174cca795068aff9c979bff7e6f1345b529612a4d16df6adf56b8ac250a1fafc3;54d06d1a79b2b43dc072b96ca7b9f045fda84ac13f74ef81fab0d561a47d11d1;3046022100ae041e36e82c8f5d96f93beabb7bdfd070f88426b2b19ce53dea42f19a493500022100b20e409621effb91c92f79e3a125c02c16bdea3bbc6b690c47af8d87ff9994cf;54396537f7426576a6a0ba71bef63c5a1400b6baec9684807180696cb619ae5a;1 +... +``` - test: | Test a library. | - -b,--bits <n> What size of curve to use. - -nc,--named-curve <cat/id> Use a named curve, from CurveDB: <cat/id> - -cn,--curve-name <name> Use a named curve, search from curves - supported by the library: <name> - -gt,--kpg-type <type> Set the KeyPairGenerator object [type]. - -kt,--ka-type <type> Set the KeyAgreement object [type]. - -st,--sig-type <type> Set the Signature object [type]. - -f,--format <format> Set the output format, one of - text,yaml,xml. - --key-type <algorithm> Set the key [algorithm] for which the key - should be derived in KeyAgreements with - KDF. Default is "AES". - <test-suite> The test suite to run. 
+Snippet below demonstrates performing 10000 ECDH key agreements, using the curve name `secp256r1` (`-cn`, the difference between the `-cn` option and the `-nc` option is that the latter looks up the curve in ECTester's database and passes the parameters to the library explicitly, while the former passes the name to the library) using the MbedTLS library. +``` +> java -jar ECTesterStandalone.jar ecdh -n 10000 -cn secp256r1 mbed +index;time[nano];pubW;privS;secret[NONE] +0;5952101;04367ef86b5fbf1b4716bf7822342ebb19a9b6bcfbdb4f4950bf090ba2d1263579dac3e8447c21202432c76f89a0b48a1c16970e4fde67853c8d389da3f02fcdfc;00ecc7b46513149ab19fbeb1c49c1706712dc7da3899add30eb935e18fe5851d79;a94524fa98e0e5b3e139afdb89b73b843e48d5491b19585a5dcae02f20f13088 +1;6099022;0439803db68efddbfc3fba1feae41118b02e35d009670fbb4c5dfe6a56fe20829b42e101d0c55bf905276ac71af7e215714cf41742c1f8a2d102761b9eb307d209;6f43118f50ddfef724288ad4f116354bec4735370cb221547b76b18832daaea9;d1b90ed000ca9542ac2101383397a7180cdcd6896b1ccfb5b719da734ad96bf1 +2;6479870;0479a06bef6ad14e54f043c04a1747e9c4199a648651066274fef6a1e291ef01364968fe087c6d2bdbfc99118e3fa3c122362a9e84bd4e2d955fa1234d4d7b5fcf;3e3e7fb34c248c059a90cff03126fbb8bf72e27608c2a1aa6351ec393c560bb3;a455a16a834c73823ab44dd6124a50640b4bb5256beddb9cd6f4b1e98377e4b5 +3;6071236;04e57a603e491c9139a61b56dce7cbef3f3c7bdae375a6ee7e99631c5d9318e4e88a5edbe7290f73e5d925b10ce5c6b20dcd00fb7bb24aa4b2a3305ac444838906;3b1464a35c007ed437265ad292ff56a67666456eff7de97ff3a87594b3827c9e;2daa2d01d04b677df66ca4293aa14d492239cb066b1a87915d92915c723ffb3b +4;6545463;04031c6fd3510a3381a0c8b3479a482b38bc5820a48c7bae4a2460805daf90d064441990bd1651a646c38d416ad8d4be39d4a4d58a19ed4532142148f80127412c;5dc92b7b09b91a2249d94b42083e7ad77a30b86a88d03db262d562477b3a7fc7;5520240090f83e506d915e43133fa0fe48338b29ee42279406ad63a7c10e57a1 
+5;7244349;0461f7ece97faeb52c367a550eb275b103b60f3beb8f07021f4e8c3991a95a454baca85b893fda2600ec56130de1117f0fbcc55bd9045abd1b26e7fc74cc701069;704f250ad24b94a1cdf3543954e9c5bfeb865a742c603a15cb7d7238807f113b;c74fca9cf311ea456ac0a0e8888f26de32716977f9ead6c15e0e3b066d7faa4c +6;6318854;042e99f9808b2b4c4fbf23a6d00a619e7f9d12035ab4c0a731d6eb8396e5caec5842ad551081fe2270eb8036dec88234d15b0f8a261cbc53eb9bc6c5d61704d1ec;4d3d375f5d6b27e1a6de8a154915fa7eec3871eac55da1e2a501e73f31a26c3c;407db9be0a58bc3c159fbb6b960dd9cd5bc90ebf79724660bb3e6d350ff07ed0 +7;6730228;040b235b6b894351305d0c43625cf8eb4640627a506980e9e51d15be8fc3fb677165e95b4e235f3d6909a676b433d996d932840a731d13e0172858ba5e83ce0cc3;008bb99df5b2d1dc91e08eb03f9b5b1f599e00249ac1c0ca17c821e62e2a18d140;c0767fa0cbacee16d0058b5c1c1f7e42e3fcf663c43c76e67d5d2b443d454131 +8;5522559;04acdec418cfa1ae61a3f969602480e362784e45f6c2d05e06ce30e363e616b6dcb00373d266fb9a5f731b88bb265b23683de5d5bbe35d709cafd3f57742fc6abf;00fe4f270444b99adaeae0bc525a857cb57d3075767183a15e5db9bc71aff8cbb2;e1fa8558593e56dd3108493d5171beb41922bbe23a6924525d2e0469c9de0cdb +... ``` +It is recommended to disably [CPU frequency scaling](https://wiki.archlinux.org/index.php/CPU_frequency_scaling) of your processor before performing collection of timing data, as it adds significant noise to the data as it kicks in. Also, running the collection on very high priority and locked to a single core (`taskset -c 0`) helps as well. + +## Analysis + +ECTester contains a few Jupyter notebooks that perform timing analysis on data generated by either the ECTester reader app or the standalone app. These notebooks currently operate on data from the ECDSA, ECDH or key generation commands. 
+ +[](https://mybinder.org/v2/gh/crocs-muni/ECTester/master?filepath=util%2Fplot_dsa.ipynb) [](https://mybinder.org/v2/gh/crocs-muni/ECTester/master?filepath=util%2Fplot_dh.ipynb) [](https://mybinder.org/v2/gh/crocs-muni/ECTester/master?filepath=util%2Fplot_gen.ipynb) + + +### Requirements + + - matplotlib + - numpy + - scipy + - Jupyter + - asn1crypto + +### Examples + +#### ECDSA timing analysis + +To analyze ECDSA data, use the `plot_dsa.ipynb` notebook. Enter the options in the second cell, including filename, curve, desired time units and then simply run the following cells to obtain heatmaps of the timing data of ECDSA like those displayed below. + + +This heatmap above is a heatmap of the most significant byte of ECDSA random nonces and the signature time, one can see that there is a clear dependency between certain most significant bits of the nonce and signature time. This is due to the scalar multiplication leaking via timing and was the issue behind [CVE-2019-14318](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14318) in Crypto++. + + +This heatmap shows a non leaking implementation that is constant time and does not leak any information (via timing) about the secret scalar in scalar multiplication. diff --git a/docs/FORMAT.md b/docs/FORMAT.md index 16af130..5c29d58 100644 --- a/docs/FORMAT.md +++ b/docs/FORMAT.md 
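Review bot: the ECDSA snippet run with `--time-source rdtsc` prints `signTime[instr];verifyTime[instr]`, but `rdtsc` reads the time-stamp counter, so the measured value is TSC ticks rather than an instruction count; either the unit label emitted for this time source or the example needs correcting, otherwise readers will feed tick counts into the notebooks believing they are instructions. Two typos in the new prose: "with a fixed keypair throught the process" should read "throughout", and "It is recommended to disably" should read "disable". The pasted `list-libs` output also deserves a second look before it ships in the README: one entry is printed as `- 2020.0.0 (-)` with no library name at all, and `mbed TLS 2.16.0` reports `Version: 3.000000`, which does not match the version in its name, so it is worth checking how the `Version:` field is derived; the wolfCrypt entry has an empty native-timing list and no `Curves` line, which is fine if intended but merits a sentence. Finally, the `-cn`/`-nc` distinction is buried in a long parenthesis inside the ECDH snippet's lead-in; stating it once in its own sentence (`-nc` looks the curve up in ECTester's database and passes explicit parameters, `-cn` passes the name to the library) would make all three snippets easier to read.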
@@ -1,14 +1,34 @@ # Format -ECTester mostly reads/outputs data in either human-readable format or using CSV. +ECTester mostly reads/outputs data in either human-readable format or using CSV, YAML or XML, depending on the data. ## Test runs By default test runs are output in a human readable format, however YAML and XML is also supported and can be selected -by using the `--format` option. Also, prefixing the output file name when using the `-o/--output` option allows to output +by using the `--format` option. Also, prefixing the output file name when using the `-o/--output` option allows to output the same test run in different formats to different files. For example: `--format yaml -o default_output.yaml -o xml:output_file.xml -o text:readable_text_file.txt ` +The YAML output of the test runs is used to generate the static pages of the tests at <https://crocs-muni.github.io/ECTester/>. + +## Notation +In the rest of this documentation the following notation is used + + - `p` - prime F_p + - `m` - binary field exponent F_2^m + - `e1` - largest exponent of the field polynomial + - `e2` - middle exponenet of the field polynomial, or `0000` if field poly is a trinomial + - `e3` - smallest exponent (except zero) of the field polynomial, or `0000` if field poly is a trinomial + - `a` - a parameter in short Weierstrass curve equation + - `b` - b parameter in short Weierstrass curve equation + - `gx` - x coordinate of the curve base-point g + - `gy` - y coordinate of the curve base-point g + - `n` - the base-point order + - `h` - the base-point cofactor + - `wx` - the x coordinate of the public key + - `wy` - the y coordinate of th public key + - `s` - the private key value + ## Curves Input files for the `-c/--curve` option should be in CSV, little-endian hexadecimal format. Output of the `-e/--export` option will also be in this format. 
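Review bot: the Notation list moved up in this hunk still carries two typos from its old location, `middle exponenet` and `y coordinate of th public key`; since the lines are being re-added anyway, fix them here rather than in a later commit. In the Test runs paragraph, `YAML and XML is also supported` should be `are also supported`. The new sentence about the YAML output feeding the static pages at crocs-muni.github.io is a useful addition; pairing it with the exact `--format yaml` invocation that produces the published runs would let readers reproduce the tables.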
@@ -31,56 +51,46 @@ Input files for the `-k/--key`, `-pub/--public` and `-priv/--private` options sh ### Private key `s` -### Notation - - `p` - prime F_p - - `m` - binary field exponent F_2^m - - `e1` - largest exponent of the field polynomial - - `e2` - middle exponenet of the field polynomial, or `0000` if field poly is a trinomial - - `e3` - smallest exponent (except zero) of the field polynomial, or `0000` if field poly is a trinomial - - `a` - a parameter in short Weierstrass curve equation - - `b` - b parameter in short Weierstrass curve equation - - `gx` - x coordinate of the curve base-point g - - `gy` - y coordinate of the curve base-point g - - `n` - the base-point order - - `h` - the base-point cofactor - - `wx` - the x coordinate of the public key - - `wy` - the y coordinate of th public key - - `s` - the private key value - ## Key generation output(CSV) Output of the `-g/--generate` option. For ECTesterReader this has the format: `index;genTime[milli];exportTime[milli];pubW;privS` where `pubW` is the public key used in ANSI X9.62 format, -`privS` is the private key, `genTime` is the time required to generate the keypair and `exportTime` is the time required to export it (send it to the reader). +`privS` is the private key, `genTime` is the time required to generate the keypair and `exportTime` is the time required to export it (recover it from the JavaCard API and send it to the reader). -For ECTesterStandalone: +For ECTesterStandalone this has the format: `index;time[nano];pubW;privS` +The string in the brackets denotes the measurement unit used, can be one of `milli`, `micro`, `nano` and also `instr` for ECTesterStandalone, if the measured duration is instructions. + ## KeyAgreement output(CSV) Output of the `-dh/--ecdh` option. For ECTesterReader this has the format: -`index;time[milli];pubW;privS;secret` where `pubW` is the public key used in ANSI X9.62 format, `privS` is the private key -and `secret` is the KeyAgreement result. 
+`index;time[milli];pubW;privS;secret[SHA1]` where `pubW` is the public key used in ANSI X9.62 format, `privS` is the private key +and `secret` is the KeyAgreement result. The value in brackets denotes what hash algorithm was used, can be `NONE`. + +For ECTesterStandalone this has the format: -For ECTesterStandalone this has the format: and the same meaning as for ECTesterReader. +`index;time[nano];pubW;privS;secret[SHA1]` and the same meaning as for ECTesterReader. -`index;time[nano];pubW;privS;secret` and the same meaning as for ECTesterReader. +The string in the brackets denotes the measurement unit used, can be one of `milli`, `micro`, `nano` and also `instr` for ECTesterStandalone, if the measured duration is instructions. ## Signature output(CSV) Output of the `-dsa/--ecdsa` option. For ECTesterReader this has the format: -`index;signTime[milli];verifyTime[milli];data;pubW;privS;signature;nonce;valid` where `pubW` is the public key used +`index;signTime[milli];verifyTime[milli];data;pubW;privS;signature[SHA1];nonce;valid` where `pubW` is the public key used in ANSI X9.62 format, `privS` is the private key, `signTime` and `verifyTime` are the durations of the sign and verify operations, `data` is the signed data (if available), `signature` is the produced signature, `nonce` is the `k` (nonce) value recovered from the signature -abd the private key (if possible), `valid` denotes the verification result. +abd the private key (if possible), `valid` denotes the verification result. The value in brackets after `signature` denotes what hash algorithm was used, can be `NONE`. For ECTesterStandalone this has the format: - `index;signTime[nano];verifyTime[nano];data;pubW;privS;signature;nonce;verified` and the same meaning as for ECTesterReader.
\ No newline at end of file + `index;signTime[nano];verifyTime[nano];data;pubW;privS;signature[SHA1];nonce;verified` and the same meaning as for ECTesterReader. + +The string in the brackets denotes the measurement unit used, can be one of `milli`, `micro`, `nano` and also `instr` for ECTesterStandalone, if the measured duration is instructions.
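Review bot: the sentence `The string in the brackets denotes the measurement unit used, can be one of milli, micro, nano and also instr for ECTesterStandalone, if the measured duration is instructions` is pasted verbatim under Key generation, KeyAgreement and Signature output; define the unit suffix once (the Notation section added above is the natural place) and refer to it, and while doing so state which `--time-source` produces `instr`, because the README example that uses `rdtsc` prints `[instr]` although rdtsc returns time-stamp counter ticks, not an instruction count. The modified line `abd the private key (if possible)` keeps the `abd` typo from the old text; make it `and`. The Signature section says the ECTesterStandalone columns have `the same meaning as for ECTesterReader`, but the last column is `verified` for Standalone and `valid` for Reader; either unify the header or say explicitly that they are the same flag. The `secret[SHA1]` and `signature[SHA1]` examples imply SHA1 is the default hash for the reader app; if so, say that the bracket shows the default unless `NONE` or another algorithm was selected. FORMAT.md also still ends without a trailing newline, as the `\ No newline at end of file` marker shows.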
\ No newline at end of file diff --git a/docs/LIBS.md b/docs/LIBS.md index 0987656..9c90abf 100644 --- a/docs/LIBS.md +++ b/docs/LIBS.md @@ -1,16 +1,3 @@ -# Libraries with ECC support - -Popular libraries with at least some ECC support, that ECTester does not yet support: - - - [NSS](https://hg.mozilla.org/projects/nss) - - [LibreSSL](https://www.libressl.org/) - - [Nettle](http://www.lysator.liu.se/~nisse/nettle/) - - [BearSSL](https://bearssl.org/) - - [cryptlib](https://www.cryptlib.com/) - - [OpenSSL (FIPS mode)](https://www.openssl.org/docs/fipsnotes.html) - - [Microsoft .NET crypto](https://docs.microsoft.com/en-us/dotnet/standard/security/cryptography-model) - - [Linux kernel](https://kernel.org), test via [libkcapi](http://chronox.de/libkcapi.html) - # Supported libraries Libraries that ECTester can test. @@ -125,10 +112,24 @@ ninja - C - Only supports prime field curves. - Uses 4 bit sliding window. - - Uses projective coordinates. + - Uses projective coordinates. - [Intel Performance Primitives](https://software.intel.com/en-us/ipp-crypto-reference-2019) - C - Only supports prime field curves. - Uses 5-bit window NAF. - Uses Jacobian coordinates. - - <https://github.com/intel/ipp-crypto>
\ No newline at end of file + - <https://github.com/intel/ipp-crypto> + + +# Libraries with ECC support + +Popular libraries with at least some ECC support, that ECTester does not yet support: + + - [NSS](https://hg.mozilla.org/projects/nss) + - [LibreSSL](https://www.libressl.org/) + - [Nettle](http://www.lysator.liu.se/~nisse/nettle/) + - [BearSSL](https://bearssl.org/) + - [cryptlib](https://www.cryptlib.com/) + - [OpenSSL (FIPS mode)](https://www.openssl.org/docs/fipsnotes.html) + - [Microsoft .NET crypto](https://docs.microsoft.com/en-us/dotnet/standard/security/cryptography-model) + - [Linux kernel](https://kernel.org), test via [libkcapi](http://chronox.de/libkcapi.html)
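Review bot: the second hunk re-adds `# Libraries with ECC support` as a second top-level heading at the bottom of the file, after `# Supported libraries` at the top; now that it sits inside the same document it should be `## Libraries with ECC support` so the file has one title. The `- Uses projective coordinates.` line before the Intel Performance Primitives entry is removed and re-added with identical visible text, so this is a whitespace-only change; harmless, but it makes the diff noisier than the move warrants. The relocated list of unsupported libraries is unchanged apart from position, and none of NSS, LibreSSL, Nettle, BearSSL, cryptlib, OpenSSL FIPS mode, .NET crypto or the Linux kernel appear in the README's new `list-libs` output, so the list is still consistent with what the tool supports; the file still lacks a trailing newline both before and after the change.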
\ No newline at end of file diff --git a/docs/card.png b/docs/card.png Binary files differnew file mode 100644 index 0000000..d8a67af --- /dev/null +++ b/docs/card.png diff --git a/docs/leaky_msb.png b/docs/leaky_msb.png Binary files differnew file mode 100644 index 0000000..38b5e5e --- /dev/null +++ b/docs/leaky_msb.png diff --git a/docs/nonleaky_msb.png b/docs/nonleaky_msb.png Binary files differnew file mode 100644 index 0000000..f722cf2 --- /dev/null +++ b/docs/nonleaky_msb.png diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..918d2c6 --- /dev/null +++ b/requirements.txt @@ -0,0 +1,4 @@ +numpy +scipy +matplotlib +asn1crypto
\ No newline at end of file |
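Review bot: `requirements.txt` lists numpy, scipy, matplotlib and asn1crypto, but the README's Analysis Requirements section also lists Jupyter, and the mybinder badges added in the same commit depend on the notebooks being launchable, so `jupyter` (or at least `notebook`) belongs in this file too. None of the four packages is pinned; for an analysis environment whose output (the timing heatmaps) is meant to be reproducible, and to stop a routine `pip install -r requirements.txt` from silently pulling a newer release with different numerics, pin versions or give lower bounds, ideally with hashes so `pip install --require-hashes` can be used. The new file also has no trailing newline.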
