Security BSides London 2015

Elliptic Curve Cryptography (ECC) is hot. Far better scalable than traditional encryption, more and more data and networks are being protected using ECC. Not many people know the gory details of ECC though, which given its increasing prevalence is a very bad thing. In this presentation I will turn all members of the audience into ECC experts who will be able to implement the relevant algorithms and also audit existing implementations to find weaknesses or backdoors.

Actually, I won't.

To fully understand ECC to a point where you could use it in practice, you would need to spend years inside university lecture rooms to study number theory, geometry and software engineering. And then you can probably still be fooled by a backdoored implementation.

What I will do, however, is explain the basics of ECC. I'll skip over the gory maths (it will help if you can add up, but that's about the extent of it) and explain how this funny thing referred to as "point addition on curves" can be used to exchange a secret code between two entities over a public connection.

I will also explain how the infamous backdoor in Dual_EC_DRGB (a random number generator that uses the same kind of maths) worked.

At the end of the presentation, you'll still not be able to find such backdoors yourselves and you probably realise you never will. But you will be able to understand articles about ECC a little better. And, hopefully, you will be convinced it is important that we educate more people to become ECC-experts.