| author | Matt Caswell <matt@openssl.org> | 2018-05-25 12:10:13 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2018-06-13 16:19:22 +0100 |
| commit | a3e9d5aa980f238805970f420adf5e903d35bf09 (patch) | |
| tree | 97b9528d8f40343f204acb6f16c0f38289fb202d /CHANGES | |
| parent | d3273ef6c549d1bf74d18c9056218c1d8b98a2b9 (diff) | |
Add blinding to an ECDSA signature
Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
ECDSA signature operation. During signing the signer calculates:
s := k^-1 * (m + r * priv_key) mod order
The addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.
As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:
s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
Since this attack is a localhost side channel only, no CVE is assigned.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 4 |
1 files changed, 4 insertions, 0 deletions
@@ -8,6 +8,10 @@ release branch. Changes between 1.1.0h and 1.1.1 [xx XXX xxxx] + *) Add blinding to an ECDSA signature to protect against side channel attacks + discovered by Keegan Ryan (NCC Group). + [Matt Caswell] + *) Enforce checking in the pkeyutl command line app to ensure that the input length does not exceed the maximum supported digest length when performing a sign, verify or verifyrecover operation. |
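Review bot: the new CHANGES entry (`+ *) Add blinding to an ECDSA signature to protect against side channel attacks` / `+ discovered by Keegan Ryan (NCC Group).`) drops the scoping the commit message gives, namely that this is a local flush+reload side channel on the `s := k^-1 * (m + r * priv_key)` computation and that no CVE was assigned; adding a short clause such as "(local flush+reload side channel, no CVE assigned)" would let readers of CHANGES judge severity without looking up the commit. Note also that this diffstat is limited to CHANGES, so the blinding code the entry describes is not visible in this hunk and has to be reviewed in the full commit.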