Date: 7 June 2023 at 16:15, 15 min.
This submission explores the potential for introducing backdoors into cryptographic protocols by manipulating OpenSSL engines, which are commonly used to augment OpenSSL features. From a security perspective, these engines are a target of choice because they provide a simple, portable and legitimate way to modify OpenSSL behavior.
A comprehensive tutorial on OpenSSL implementation and architecture, including engines and providers, is given first. It demonstrates how these components can be exploited to compromise cryptographic security. Two examples are then described: a proof-of-concept attack that recovers the secret key of a certificate authority through nonce reuse in ECDSA signatures, and an example of hooking OpenSSL functions via the SSL_write function.
This work highlights the need for increased caution and scrutiny when introducing new cryptographic implementations such as PQC using OpenSSL engines.
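The nonce reuse mentioned above leaves a visible trace: two signatures made with the same key over different data share the same `r` value. The following audit check is an added example, not code from the talk. It assumes the signatures have already been extracted as DER blobs and tagged with a signer key identifier; the names `find_reused_r`, `ca-key-1`, `cert-001` and the sample values are hypothetical and constructed.

```python
from collections import defaultdict

def _read_tlv(buf, pos, tag):
    """Read one DER TLV with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def parse_ecdsa_sig(der):
    """Decode ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }."""
    body, end = _read_tlv(der, 0, 0x30)
    r, pos = _read_tlv(body, 0, 0x02)
    s, pos = _read_tlv(body, pos, 0x02)
    if end != len(der) or pos != len(body):
        raise ValueError("trailing bytes in signature")
    return int.from_bytes(r, "big"), int.from_bytes(s, "big")

def find_reused_r(signatures):
    """signatures: iterable of (key_id, label, der_sig).
    Returns {(key_id, r): [labels]} where one key produced the same r with
    different s values. Identical (r, s) pairs are not flagged: they are the
    same signature seen twice, or deterministic signing of the same data."""
    seen = defaultdict(dict)  # (key_id, r) -> {s: first label seen}
    for key_id, label, der in signatures:
        r, s = parse_ecdsa_sig(der)
        seen[(key_id, r)].setdefault(s, label)
    return {k: sorted(v.values()) for k, v in seen.items() if len(v) > 1}

# Helpers to build constructed sample data (not real signatures).
def _der_int(n):
    b = n.to_bytes(n.bit_length() // 8 + 1, "big")  # leading 0x00 when top bit is set
    return b"\x02" + bytes([len(b)]) + b

def _der_sig(r, s):
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body

R_A, R_B = (0xA1 << 248) | 7, (0x5C << 248) | 9  # constructed r values
SAMPLE = [
    ("ca-key-1", "cert-001", _der_sig(R_A, 0x1111)),
    ("ca-key-1", "cert-002", _der_sig(R_B, 0x2222)),
    ("ca-key-1", "cert-003", _der_sig(R_A, 0x3333)),       # same r, new s: flagged
    ("ca-key-1", "cert-002-copy", _der_sig(R_B, 0x2222)),  # exact duplicate: ignored
    ("ca-key-2", "cert-004", _der_sig(R_A, 0x4444)),       # other key: separate group
]
```

A non-empty result from `find_reused_r` for a CA key means that key should be treated as compromised and the signing stack, including any loaded engine, reviewed.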