oss-sec mailing list archives
CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL)
From: Cesar Pereida Garcia <cesar.pereidagarcia () tut fi>
Date: Tue, 10 Jan 2017 15:50:28 +0000
Attack Vector: Local Vendor: OpenSSL, LibreSSL, BoringSSL Versions Affected: OpenSSL 1.0.1u and previous versions LibreSSL (pre 6.0 errata 16, pre 5.9 errata 33) BoringSSL pre November 2015 Description: The signing function in crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL versions and forks is vulnerable to timing attacks when signing with the standardized elliptic curve P-256 despite featuring constant-time curve operations and modular inversion. A software defect omits setting the BN_FLG_CONSTTIME flag for nonces, failing to take a secure code path in the BN_mod_inverse method and therefore resulting in a cache-timing attack vulnerability. A malicious user with local access can recover ECDSA P-256 private keys. Mitigation: Users of OpenSSL with the affected versions should apply the patch available in the manuscript at [1]. Users of LibreSSL should apply the official patch from OpenBSD [2,3]. Users of BoringSSL should upgrade to a more recent version. Credit: This issue was reported by Cesar Pereida GarcĂa and Billy Brumley (Tampere University of Technology). Timeline: 19 Dec 2016 Disclosure to OpenSSL, LibreSSL, BoringSSL security teams 29 Dec 2016 Embargo lifted References: [1] http://ia.cr/2016/1195 [2] https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/033_libcrypto.patch.sig [3] https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/016_libcrypto.patch.sig - Cesar
Current thread:
- CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL) Cesar Pereida Garcia (Jan 10)
- Re: CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL) Dan McDonald (Jan 10)
- Re: CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL) Huzaifa Sidhpurwala (Jan 11)
- Re: CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL) Casper Thomsen (Jan 12)
- Re: CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL) Dan McDonald (Jan 10)