Date: Tue, 10 Jan 2017 15:50:28 +0000 From: Cesar Pereida Garcia <cesar.pereidagarcia@....fi> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL) Attack Vector: Local Vendor: OpenSSL, LibreSSL, BoringSSL Versions Affected: OpenSSL 1.0.1u and previous versions LibreSSL (pre 6.0 errata 16, pre 5.9 errata 33) BoringSSL pre November 2015 Description: The signing function in crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL versions and forks is vulnerable to timing attacks when signing with the standardized elliptic curve P-256 despite featuring constant-time curve operations and modular inversion. A software defect omits setting the BN_FLG_CONSTTIME flag for nonces, failing to take a secure code path in the BN_mod_inverse method and therefore resulting in a cache-timing attack vulnerability. A malicious user with local access can recover ECDSA P-256 private keys. Mitigation: Users of OpenSSL with the affected versions should apply the patch available in the manuscript at . Users of LibreSSL should apply the official patch from OpenBSD [2,3]. Users of BoringSSL should upgrade to a more recent version. Credit: This issue was reported by Cesar Pereida García and Billy Brumley (Tampere University of Technology). Timeline: 19 Dec 2016 Disclosure to OpenSSL, LibreSSL, BoringSSL security teams 29 Dec 2016 Embargo lifted References:  http://ia.cr/2016/1195  https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/033_libcrypto.patch.sig  https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/016_libcrypto.patch.sig - Cesar
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.