Date: Tue, 10 Jan 2017 15:50:28 +0000 From: Cesar Pereida Garcia <cesar.pereidagarcia@....fi> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL) Attack Vector: Local Vendor: OpenSSL, LibreSSL, BoringSSL Versions Affected: OpenSSL 1.0.1u and previous versions LibreSSL (pre 6.0 errata 16, pre 5.9 errata 33) BoringSSL pre November 2015 Description: The signing function in crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL versions and forks is vulnerable to timing attacks when signing with the standardized elliptic curve P-256 despite featuring constant-time curve operations and modular inversion. A software defect omits setting the BN_FLG_CONSTTIME flag for nonces, failing to take a secure code path in the BN_mod_inverse method and therefore resulting in a cache-timing attack vulnerability. A malicious user with local access can recover ECDSA P-256 private keys. Mitigation: Users of OpenSSL with the affected versions should apply the patch available in the manuscript at . Users of LibreSSL should apply the official patch from OpenBSD [2,3]. Users of BoringSSL should upgrade to a more recent version. Credit: This issue was reported by Cesar Pereida García and Billy Brumley (Tampere University of Technology). Timeline: 19 Dec 2016 Disclosure to OpenSSL, LibreSSL, BoringSSL security teams 29 Dec 2016 Embargo lifted References:  http://ia.cr/2016/1195  https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/033_libcrypto.patch.sig  https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/016_libcrypto.patch.sig - Cesar
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ