ECDSA timing leaks


Jeffrey Walton

Jul 26, 2019, 12:56:48 AM
to Crypto++ Users
Hi Everyone,

We received a private email concerning an ECDSA timing attack by Ján Jančár.

We are tracking the report at https://github.com/weidai11/cryptopp/issues/869 .

Jeff

Andrew Marlow

Jul 26, 2019, 6:42:39 AM
to Crypto++ Users
This references the article "Remote Timing Attacks are Still Practical", which mentions that the vulnerability was found in OpenSSL. So this makes me wonder, is there a CVE number for this yet?


Jeffrey Walton

Jul 26, 2019, 11:48:58 AM
to Crypto++ Users
At the moment there are no CVEs. We have not identified the scope of the issue (yet). We know Add() and Multiply() are leaking some information. We are less sure about how much info is being leaked.

We gave the distros a heads up, and told them we probably had something CVE-worthy coming down the pike.

Jeff

Jeffrey Walton

Jul 28, 2019, 3:41:14 AM
to Crypto++ Users
The issue was assigned CVE-2019-14318 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14318).

Jeffrey Walton

Jul 28, 2019, 9:36:13 PM
to Crypto++ Users

A quick update... We are still trying to reproduce the results from ECTester. We still don't have a baseline yet.

Jančár offered a patch for the leak in nonce length. But the gorilla in the room is the leaks in Add(), Double() and Multiply().

Jeff

Jeffrey Walton

Jul 29, 2019, 12:10:15 PM
to Crypto++ Users

The leak on the length of the nonce was cleared at https://github.com/weidai11/cryptopp/pull/870/commits/80c59bcdb251 .

Next on the hit list are the leaks on Add(), Double() and Multiply().

Jeff
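
The nonce-length leak that the commit above closes, shown as an added example (this is not Crypto++ code and not the text of the patch): a toy curve over F_17 with a textbook double-and-add whose loop count equals the bit length of the scalar, beside the standard fixed-length-scalar countermeasure of adding the group order so that every scalar has bitlen(n)+1 bits. The curve parameters, the point and function names, and the iteration counter are constructed for illustration; that the Crypto++ fix takes exactly this form is an assumption.

```cpp
// Added example (not Crypto++ code): why the bit length of an ECDSA nonce k leaks
// through a textbook double-and-add, and the fixed-length scalar countermeasure.
#include <cstdint>
#include <cstdio>

// Toy curve y^2 = x^3 + 2x + 2 over F_17, base point G = (5,1) of prime order 19.
// Constructed textbook parameters; nothing here is secure or constant time.
static const int64_t P = 17, A = 2;
static const uint64_t N = 19;

struct Point { int64_t x, y; bool inf; };
static const Point O{0, 0, true};
static const Point G{5, 1, false};

static int64_t md(int64_t v) { v %= P; return v < 0 ? v + P : v; }

// Modular inverse by Fermat's little theorem (P is prime).
static int64_t inv(int64_t v) {
    int64_t r = 1, b = md(v);
    for (int64_t e = P - 2; e > 0; e >>= 1) {
        if (e & 1) r = r * b % P;
        b = b * b % P;
    }
    return r;
}

static bool eq(Point a, Point b) {
    return a.inf == b.inf && (a.inf || (a.x == b.x && a.y == b.y));
}

static Point dbl(Point q) {
    if (q.inf || q.y == 0) return O;
    int64_t l = md((3 * q.x * q.x + A) * inv(2 * q.y));
    int64_t x = md(l * l - 2 * q.x);
    return {x, md(l * (q.x - x) - q.y), false};
}

static Point add(Point q, Point r) {
    if (q.inf) return r;
    if (r.inf) return q;
    if (q.x == r.x) return (md(q.y + r.y) == 0) ? O : dbl(q);
    int64_t l = md((r.y - q.y) * inv(r.x - q.x));
    int64_t x = md(l * l - q.x - r.x);
    return {x, md(l * (q.x - x) - q.y), false};
}

static int bitlen(uint64_t k) { int n = 0; while (k) { ++n; k >>= 1; } return n; }

struct MulResult { Point pt; int iterations; };

// Leaky version: the loop starts at the top set bit of k, so the iteration count
// (and the running time) equals bitlen(k). For an ECDSA nonce that is the side
// channel: a nonce with leading zero bits produces a measurably faster signature.
static MulResult mul_leaky(uint64_t k, Point base) {
    MulResult res{O, 0};
    for (int i = bitlen(k) - 1; i >= 0; --i) {
        res.pt = dbl(res.pt);
        if ((k >> i) & 1) res.pt = add(res.pt, base);
        ++res.iterations;
    }
    return res;
}

// Hardened version: add the group order N once or twice so the scalar always has
// exactly bitlen(N)+1 bits, then walk that fixed number of bits. N*base = O, so the
// result is unchanged, but the iteration count no longer depends on k.
// (Standard countermeasure; that the Crypto++ fix has this exact shape is an
// assumption.) The per-bit branch is still data dependent: closing that is the
// Add()/Double() work discussed in the thread and is not shown here.
static MulResult mul_fixed_length(uint64_t k, Point base) {
    const int fixed_bits = bitlen(N) + 1;
    uint64_t kp = k + N;
    if (bitlen(kp) <= bitlen(N)) kp += N;
    MulResult res{O, 0};
    for (int i = fixed_bits - 1; i >= 0; --i) {
        res.pt = dbl(res.pt);
        if ((kp >> i) & 1) res.pt = add(res.pt, base);
        ++res.iterations;
    }
    return res;
}

// Both routines compute the same point for every scalar in [1, N).
static bool fixed_matches_leaky() {
    for (uint64_t k = 1; k < N; ++k)
        if (!eq(mul_leaky(k, G).pt, mul_fixed_length(k, G).pt)) return false;
    return true;
}

int main() {
    for (uint64_t k = 1; k < N; ++k) {
        MulResult a = mul_leaky(k, G), b = mul_fixed_length(k, G);
        std::printf("k=%2llu leaky iters=%d fixed iters=%d same point=%s\n",
                    (unsigned long long)k, a.iterations, b.iterations,
                    eq(a.pt, b.pt) ? "yes" : "no");
    }
    return 0;
}
```

Running it prints one line per scalar: the leaky loop count walks from 1 up to 5 as k grows, while the fixed-length loop always runs 6 times, and the two points agree throughout. The example only closes the length leak; the remaining data-dependent branch on each bit, and the timing of the field operations inside dbl() and add(), are the kind of thing the thread's later messages about Add() and Double() are about.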

Jeffrey Walton

Aug 5, 2019, 2:28:33 AM
to Crypto++ Users

On Friday, July 26, 2019 at 12:56:48 AM UTC-4, Jeffrey Walton wrote:
> We received a private email concerning an ECDSA timing attack by Ján Jančár.
>
> We are tracking the report at https://github.com/weidai11/cryptopp/issues/869 .

The leaks on ECP functions Add() and Double() were cleared tonight. They are on my testing branch at the moment, but available at https://github.com/weidai11/cryptopp/pull/871 .

According to Jančár, Multiply() and Exponentiate() are testing good. Wei already used a Montgomery implementation for the speed benefits so the functions are already mostly hardened.

The last item on the hit list is EC2N. Binary fields will be trickier because they do not get the attention of prime fields. I need to perform some more research.

Jeff

Jeffrey Walton

Aug 10, 2019, 3:02:28 AM
to Crypto++ Users

A partial patch is available. The patch was created against the Crypto++ 8.2 release. The patch fixes (1) leak in ECDSA nonce length; and (2) leak in prime fields (ECP class).

The fix is incomplete because it is missing the fix for (3) leak in binary fields (EC2N class). The fix for (3) should be ready in a couple of weeks.


Jeff