1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
|
# Test suites
- `default`
- `test-vectors`
- `compression`
- `wrong`*
- `composite`*
- `invalid`*
- `twist`*
- `degenerate`*
- `cofactor`*
- `edge-cases`*
**\*NOTE: The `wrong`, `composite`, `invalid`,`twist`, `cofactor`, `edge-cases` and `degenerate` test suites caused temporary/permanent DoS of some cards. These test suites prompt you for
confirmation before running, be cautious.**
## Default
Tests the default curves present on the card. These might not be present or the card might not even support ECC.
Tests keypair allocation, generation, ECDH and ECDSA. ECDH is first tested with two valid generated keypairs, then
with a compressed public key to test support for compressed points.
This test suite is run if no argument is provided to `-t / --test`.
For example:
```bash
java -jar ECTester.jar -t
```
tests prime field and binary field curves, using the default test suite.
## Test-Vectors
Tests using known test vectors provided by NIST/SECG/Brainpool:
[SECG - GEC2](http://read.pudn.com/downloads168/doc/772358/TestVectorsforSEC%201-gec2.pdf)
[NIST - ECCDH](http://csrc.nist.gov/groups/STM/cavp/component-testing.html#ECCCDH)
[Brainpool - RFC6931](https://tools.ietf.org/html/rfc6932#appendix-A.1)
[Brainpool - RFC7027](https://tools.ietf.org/html/rfc7027#appendix-A)
For example:
```bash
java -jar ECTester.jar -t test-vectors
```
tests all curves for which test-vectors are provided.
## Compression
Tests support for compression of public points in ECDH as specified in ANSI X9.62. Tests ECDH with points in compressed
and hybrid form. Also tests card response to a hybrid point with wrong `y` coordinate and to the point at infinity(as public key in ECDH).
For example:
```bash
java -jar ECTester.jar -t compression
```
## Wrong
Tests on a category of wrong curves. These curves are not really curves as they have:
- non-prime field in the prime-field case
- reducible polynomial as the field polynomial in the binary case
This test suite also does some additional tests with corrupting the field parameter:
- Fp:
- p = 0
- p = 1
- p = q^2; q prime
- p = q * s; q and s prime
- F2m:
- e1 = e2 = e3 = 0
- m < e1 < e2 < e3
These tests should fail generally.
For example:
```bash
java -jar ECTester.jar -t wrong
```
does all wrong curve tests.
## Composite
Tests using curves that don't have a prime order/nearly prime order.
These tests should generally fail, a success here implies the card will use a non-secure curve if such curve is set
by the applet. Operations over such curves are susceptible to small-subgroup attacks.
For example:
```bash
java -jar ECTester.jar -t composite
```
## Invalid
Tests using known named curves from several categories(SECG/NIST/Brainpool) against pre-generated *invalid* public keys.
ECDH should definitely fail, a success here implies the card is susceptible to invalid curve attacks.
See [Practical Invalid Curve Attacks on TLS-ECDH](https://www.nds.rub.de/media/nds/veroeffentlichungen/2015/09/14/main-full.pdf) for more information.
For example:
```bash
java -jar ECTester.jar -t invalid
```
tests using all curves with pregenerated *invalid* public keys for these curves.
## Twist
Tests using known named curves froms several categories(SECG/NIST) against pre-generated points on twists of said curves.
ECDH should fail, a success here implies the card is not twist secure, if a curve with an unsecure twist is used,
the card might compute on the twist, if a point on the twist is supplied.
See [SafeCurves on twist security](https://safecurves.cr.yp.to/twist.html) for more information.
For example:
```bash
java -jar ECTester.jar -t twist
```
## Degenerate
Tests using known named curves froms several categories(SECG/NIST) against pre-generated points on the degenerate line
`Y: x = 0`. ECDH should fail, a success here might mean the card does not check that the point lies on the correct curve
and uses a curve model vulnerable to such degenerate points.
See [Degenerate Curve Attacks - Extending Invalid Curve Attacks to Edwards Curves and Other Models](https://eprint.iacr.org/2015/1233.pdf) for more information.
For example:
```bash
java -jar ECTester.jar -t degenerate
```
## Cofactor
Tests whether the card correctly rejects points that lie on the curve but not on the subgroup generated by the specified generator
during ECDH.
For example:
```bash
java -jar ECTester.jar -t cofactor
```
## Edge-Cases
Tests various inputs to ECDH which may cause an implementation to achieve a certain edge-case state during ECDH.
Some of the data is from the google/Wycheproof project. Tests include [CVE-2017-10176](https://nvd.nist.gov/vuln/detail/CVE-2017-10176) and [CVE-2017-8932](https://nvd.nist.gov/vuln/detail/CVE-2017-8932).
CVE-2017-10176 was in implementation issue in the SunEC Java library that caused the implementation to reach the point at infinity during ECDH computation.
CVE-2017-8932 was an implementation issue in the Go standard library, in particular its scalar multiplication algorithm on the
P-256 curve which leaked information about the private key.
For example:
```bash
java -jar ECTester.jar -t edge-cases
```
|
