Date: Tue, 2 Feb 2016 10:56:22 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Miscomputations of elliptic curve scalar multiplications in Nettle

https://blog.fuzzing-project.org/38-Miscomputations-of-elliptic-curve-scalar-multiplications-in-Nettle.html

The Nettle library is a library for basic cryptographic functions. Its
most prominent user is GnuTLS.

Through fuzzing of elliptic curve scalar multiplications (multiplying a
point on an elliptic curve with a scalar number) I discovered two carry
propagation bugs that would lead the calculations to produce wrong
results. They affect the NIST P-256 and P-384 curves. The P-256 bug is
in the C code and affects multiple architectures. The P-384 bug is in
the assembly code and only affects 64 bit x86.

While analyzing these bugs Nettle developer Niels Möller discovered
another carry propagation bug in P-256 that was fixed in the same
commit. Nettle 3.2 fixes all three bugs.

The impact is currently unclear, but miscalculations in cryptographic
functions should generally be considered security issues. I'd like to
encourage cryptographers to try to analyze whether these bugs can lead
to cryptographic breaks.

https://github.com/hannob/bignum-fuzz/blob/master/point-fuzz.c
I have published a code example on how to fuzz elliptic curve
multiplications. It can compare the output of OpenSSL with either
Nettle or NSS. It currently works only with prime field curves, but it
can probably be adapted to other curves.

P-256 bug:
https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003028.html
Mailing list post with code sample
https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d
Commit / fix for P-256 bug

P-384 bug:
https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003024.html
Mailing list post with code sample
https://git.lysator.liu.se/nettle/nettle/commit/fa269b6ad06dd13c901dbd84a12e52b918a09cd7
Commit / fix for P-384 bug

https://lists.gnu.org/archive/html/info-gnu/2016-01/msg00006.html
Nettle 3.2 release notes

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
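The post describes two things that a reader may want to see side by side: a carry propagation bug in multi-limb field arithmetic, and the differential fuzzing approach (compare two independent implementations on random scalars) that found it. The following is an added example, not Hanno's point-fuzz.c and not Nettle code. It implements affine P-256 scalar multiplication in pure Python where every field addition and subtraction is routed through a pluggable adder: `add_ref` uses Python big integers, `add_limbs` does the same on four 64-bit limbs, and `add_buggy` is a constructed, hypothetical defect that loses the carry out of the top limb before reduction (it is not the actual Nettle bug, whose details are in the linked commits). A differential loop then searches for a scalar on which the two adders disagree. All function names are this example's own; the P-256 constants are the public NIST values; `pow(x, -1, P)` needs Python 3.8 or later.

```python
"""Differential fuzzing of P-256 scalar multiplication (added example)."""
import secrets

# NIST P-256 domain parameters (public constants).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (GX, GY)
MASK64 = (1 << 64) - 1


def add_ref(x, y):
    """Reference field addition: Python big ints, no limbs, no carries."""
    return (x + y) % P


def add_limbs(x, y, drop_top_carry=False):
    """Field addition on four 64-bit limbs, as a C or assembly implementation
    would do it.  With drop_top_carry=True it models a constructed carry
    propagation bug (hypothetical, not Nettle's actual defect): the carry out
    of the most significant limb is lost before the conditional reduction."""
    carry, out = 0, 0
    for i in range(4):
        s = ((x >> (64 * i)) & MASK64) + ((y >> (64 * i)) & MASK64) + carry
        out |= (s & MASK64) << (64 * i)
        carry = s >> 64
    if not drop_top_carry:
        out |= carry << 256          # keep bit 256 of the sum
    return out - P if out >= P else out   # x, y < P, so one subtraction suffices


def add_buggy(x, y):
    return add_limbs(x, y, drop_top_carry=True)


def sub(x, y, add):
    """x - y mod P, expressed through the adder under test."""
    return add(x, (P - y) % P)


def inv(x):
    return pow(x, -1, P)


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2, add):
    """Affine addition/doubling on y^2 = x^3 + Ax + B; None is the point at
    infinity.  Every field addition and subtraction goes through `add`, so a
    defective adder corrupts the result as it would inside a real library."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if add(y1, y2) == 0:         # p1 == -p2
            return None
        x1_sq = x1 * x1 % P
        lam = add(add(add(x1_sq, x1_sq), x1_sq), A) * inv(add(y1, y1)) % P
    else:
        lam = sub(y2, y1, add) * inv(sub(x2, x1, add)) % P
    x3 = sub(sub(lam * lam % P, x1, add), x2, add)
    y3 = sub(lam * sub(x1, x3, add) % P, y1, add)
    return (x3, y3)


def scalar_mult(k, pt, add=add_ref):
    """Right-to-left double-and-add (clarity over constant time)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend, add)
        addend = ec_add(addend, addend, add)
        k >>= 1
    return result


def differential_fuzz(add_under_test, iterations, rng=secrets.randbelow):
    """Compare the adder under test against the reference on random scalars.
    Returns the first scalar on which the two results differ, or None."""
    for _ in range(iterations):
        k = 1 + rng(N - 1)
        if scalar_mult(k, G, add_ref) != scalar_mult(k, G, add_under_test):
            return k
    return None


if __name__ == "__main__":
    print("correct limb adder diverges on:", differential_fuzz(add_limbs, 5))
    print("buggy limb adder diverges on  :", hex(differential_fuzz(add_buggy, 20) or 0))
```

The constructed bug fires whenever an operand sum crosses 2^256, which happens for roughly half of random operand pairs, so the first scalar usually exposes it; the real Nettle bugs depended on much rarer intermediate values, which is why a long-running fuzz loop comparing independent implementations (OpenSSL against Nettle or NSS in the post's harness) was needed to surface them.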

