Date: Wed, 2 Oct 2019 23:00:22 +0200
From: Ján Jančár <445358@...l.muni.cz>
To: oss-security@...ts.openwall.com
Subject: Minerva: ECDSA key recovery from bit-length leakage

*Webpage*
=========

https://minerva.crocs.fi.muni.cz/

*Vulnerability*
===============

Minerva is a group of vulnerabilities in ECDSA/EdDSA implementations that allows for practical recovery of the long-term private key. We have found implementations which leak the bit-length of the scalar during scalar multiplication on an elliptic curve. This leakage might seem minuscule, as the bit-length presents a very small amount of information present in the scalar. However, in the case of ECDSA/EdDSA signature generation, the leaked bit-length of the random nonce is enough for full recovery of the private key used after observing a few hundred to a few thousand signatures on known messages, due to the application of lattice techniques.

https://minerva.crocs.fi.muni.cz/

*Affected*
==========

* Cards
  - Athena IDProtect
* Libraries
  - libgcrypt up to 1.8.4, fixed in 1.8.5
  - wolfSSL/wolfCrypt up to 4.0.0, fixed in 4.1.0
  - MatrixSSL up to 4.2.1
  - SunEC/OpenJDK/OracleJDK up to JDK 12
  - Crypto++ up to 8.2.0
* Other
  - https://github.com/indutny/elliptic/ (875 stars, 2670640 uses)
  - https://github.com/kjur/jsrsasign (2015 stars, 7406 uses)

*CVEs*
======

* CVE-2019-15809 - Athena IDProtect cards
* CVE-2019-13627 - libgcrypt
* CVE-2019-13628 - wolfSSL/wolfCrypt
* CVE-2019-13629 - MatrixSSL
* CVE-2019-2894 - SunEC/OpenJDK/OracleJDK
* CVE-2019-14318 - Crypto++
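The following is an added example, not code from the Minerva authors or from any of the affected libraries, showing concretely how a scalar-multiplication loop that runs for exactly bit_length(k) iterations leaks the nonce length, and how that leak is rewritten into the hidden-number-problem relations that the lattice step in the advisory consumes. It assumes secp256k1, a textbook left-to-right double-and-add, a constructed private key and constructed messages, and uses the loop count as a stand-in for the timing measurement an attacker would really take. The lattice reduction itself is not included; `fixed_mul` shows the minimal change that removes this particular leak (it is not a complete constant-time implementation, since the conditional add still branches on key bits).

```python
import hashlib
import random

# secp256k1 domain parameters (standard, public values)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)


def leaky_mul(k, pt):
    """Double-and-add over exactly k.bit_length() bits.  The iteration
    count (and so the running time) equals the bit-length of k: this is
    the Minerva-style leak."""
    r, iterations = None, 0
    for i in range(k.bit_length() - 1, -1, -1):
        r = _add(r, r)
        if (k >> i) & 1:
            r = _add(r, pt)
        iterations += 1
    return r, iterations


def fixed_mul(k, pt, bits=256):
    """Same ladder, but always walks a fixed number of bits (leading zeros
    included), so the iteration count no longer depends on k."""
    r, iterations = None, 0
    for i in range(bits - 1, -1, -1):
        r = _add(r, r)
        if (k >> i) & 1:
            r = _add(r, pt)
        iterations += 1
    return r, iterations


def sign(d, msg, k):
    """Textbook ECDSA using the leaky scalar multiplication.  Returns the
    signature, the message hash, and the leaked iteration count."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    R, iterations = leaky_mul(k, G)
    r = R[0] % N
    s = pow(k, -1, N) * (h + r * d) % N
    return (r, s), h, iterations


def hnp_instances(observations, max_bits=252):
    """Rewrite s = k^-1 (h + r d) as k = t*d + u (mod N) with t = r/s and
    u = h/s.  Keep only signatures whose leaked bit-length is at most
    max_bits (an assumed threshold): for those the attacker knows
    0 <= k < 2**bit_length, which is a hidden-number-problem instance."""
    out = []
    for (r, s), h, iterations in observations:
        if iterations <= max_bits:
            s_inv = pow(s, -1, N)
            out.append((r * s_inv % N, h * s_inv % N, 1 << iterations))
    return out


def demo(seed=1, count=256, max_bits=252):
    """Sign `count` constructed messages under a constructed key, keep the
    signatures whose leaked nonce length is short, and confirm with the real
    key that every kept instance satisfies k = t*d + u (mod N), k < bound."""
    rng = random.Random(seed)          # deterministic so the run is reproducible
    d = rng.randrange(1, N)            # constructed long-term private key
    observations, nonces = [], []
    for i in range(count):
        k = rng.randrange(1, N)        # random per-signature nonce
        sig, h, iterations = sign(d, b"minerva-%d" % i, k)
        observations.append((sig, h, iterations))
        nonces.append(k)
    # The attacker sees only `observations`: signature, hash and timing.
    instances = hnp_instances(observations, max_bits)
    kept = [k for (_, _, it), k in zip(observations, nonces) if it <= max_bits]
    hnp_ok = all((t * d + u) % N == k and k < bound
                 for (t, u, bound), k in zip(instances, kept))
    return {"signatures": count, "usable": len(instances), "hnp_ok": hnp_ok}
```

With the default threshold, roughly one signature in sixteen has a nonce of 252 bits or fewer and so contributes a known top nibble of zeros to the lattice; that is why the advisory speaks of a few hundred to a few thousand observed signatures rather than a handful. The fix is not to skip leading zero bits: the ladder must run for the full group-order length regardless of the scalar's actual bit-length.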