oss-sec mailing list archives
Minerva: ECDSA key recovery from bit-length leakage
From: Ján Jančár <445358 () mail muni cz>
Date: Wed, 2 Oct 2019 23:00:22 +0200
*Webpage*
=========
https://minerva.crocs.fi.muni.cz/

*Vulnerability*
===============
Minerva is a group of vulnerabilities in ECDSA/EdDSA implementations that allows for practical recovery of the long-term private key. We have found implementations which leak the bit-length of the scalar during scalar multiplication on an elliptic curve. This leakage might seem minuscule, as the bit-length presents a very small amount of information present in the scalar. However, in the case of ECDSA/EdDSA signature generation, the leaked bit-length of the random nonce is enough for full recovery of the private key used after observing a few hundred to a few thousand signatures on known messages, due to the application of lattice techniques.

https://minerva.crocs.fi.muni.cz/

*Affected*
==========
* Cards
  - Athena IDProtect
* Libraries
  - libgcrypt up to 1.8.4, fixed in 1.8.5
  - wolfSSL/wolfCrypt up to 4.0.0, fixed in 4.1.0
  - MatrixSSL up to 4.2.1
  - SunEC/OpenJDK/OracleJDK up to JDK 12
  - Crypto++ up to 8.2.0
* Other
  - https://github.com/indutny/elliptic/ 875 stars, 2670640 uses
  - https://github.com/kjur/jsrsasign 2015 stars, 7406 uses

*CVEs*
======
* CVE-2019-15809 - Athena IDProtect cards
* CVE-2019-13627 - libgcrypt
* CVE-2019-13628 - wolfSSL/wolfCrypt
* CVE-2019-13629 - MatrixSSL
* CVE-2019-2894 - SunEC/OpenJDK/OracleJDK
* CVE-2019-14318 - Crypto++
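The bit-length leak and the usual countermeasure, shown on NIST P-256 as an added example that is not part of the advisory or of any affected library: a naive double-and-add loop runs exactly `k.bit_length()` iterations, so its timing reveals the nonce's bit-length; padding the nonce with the group order (`k + n` or `k + 2n`, which leaves `k*G` unchanged) makes every scalar the same length. The point arithmetic and function names are this example's own.

```python
# Added example: naive (leaky) scalar multiplication on NIST P-256 and the
# fixed-length nonce padding countermeasure. Not code from any affected library.

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def _add(p1, p2):
    """Affine point addition/doubling on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point=G):
    """Leaky left-to-right double-and-add. Returns (k*point, iterations).
    The iteration count equals k.bit_length(): this is the side channel
    Minerva exploits when k is an ECDSA nonce."""
    result, iterations = None, 0
    for bit in bin(k)[2:]:
        result = _add(result, result)
        if bit == "1":
            result = _add(result, point)
        iterations += 1
    return result, iterations


def fixed_length_scalar(k, n=N):
    """Countermeasure: add n or 2n so the scalar always has
    n.bit_length() + 1 bits. Since k + n == k (mod n), k*G is unchanged."""
    padded = k + n
    if padded.bit_length() == n.bit_length():
        padded += n
    return padded
```

Padding removes only the bit-length dependence of the loop; the field arithmetic in `_add` is still not constant-time, so a production fix also needs a constant-time ladder.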