Executive Summary

Summary
Title: OpenSSL leaks ECDSA private key through a remote timing attack
Information
Name: VU#536044
Vendor: VU-CERT
First vendor Publication: 2011-05-17
Last vendor Modification: 2011-06-01
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:H/Au:N/C:P/I:N/A:N)
Cvss Base Score: 2.6       Attack Range: Network
Cvss Impact Score: 2.9     Attack Complexity: High
Cvss Exploit Score: 4.9    Authentication: None Required

Detail

Vulnerability Note VU#536044

OpenSSL leaks ECDSA private key through a remote timing attack

Overview

The OpenSSL ladder implementation for scalar multiplication of points on elliptic curves over binary fields is susceptible to a timing attack vulnerability. This vulnerability can be used to steal the private key of a TLS server that authenticates with ECDSA signatures and binary curves.

I. Description

Billy Bob Brumley and Nicola Tuveri's paper "Remote Timing Attacks are Still Practical" states:

"For over two decades, timing attacks have been an active area of research within applied cryptography. These attacks exploit cryptosystem or protocol implementations that do not run in constant time. When implementing an elliptic curve cryptosystem that provides side-channel resistance, the scalar multiplication routine is a critical component. In such instances, one attractive method often suggested in the literature is Montgomery’s ladder that performs a fixed sequence of curve and field operations.

This paper describes a timing attack vulnerability in OpenSSL's ladder implementation for curves over binary fields. We use this vulnerability to steal the private key of a TLS server where the server authenticates with ECDSA signatures. Using the timing of the exchanged messages, the messages themselves, and the signatures, we mount a lattice attack that recovers the private key."
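The ladder property the quoted paper refers to, shown with added example code (not from the advisory, the paper or OpenSSL): a Montgomery ladder whose iteration count tracks the scalar's bit length beside one that always runs a fixed number of iterations. The curve and the 24-bit scalar size are constructed placeholders, and starting the loop at the scalar's top set bit is one assumed way a ladder's timing can depend on the scalar; the advisory itself does not state the mechanism.

```python
"""Toy illustration of what a side-channel-resistant ladder needs: a fixed
operation sequence whose length does not depend on the scalar. Added for
this advisory; not OpenSSL code and not the paper's. The curve is a
constructed prime-field placeholder, not a binary curve."""

P = 1000003          # constructed prime modulus (assumption)
A, B = 2, 3          # curve y^2 = x^3 + A*x + B over GF(P)
G = (3, 6)           # 6^2 == 3^3 + 2*3 + 3, so G lies on the curve

def add(p, q):
    """Affine point addition (doubling when p == q); None is infinity."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                  # p == -q
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P        # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ladder(k, nbits):
    """Montgomery ladder: one add and one double per iteration regardless
    of the bit value. Returns (k*G, number of iterations run)."""
    r0, r1 = None, G
    for i in range(nbits - 1, -1, -1):
        if (k >> i) & 1:
            r0, r1 = add(r0, r1), add(r1, r1)
        else:
            r1, r0 = add(r0, r1), add(r0, r0)
    return r0, nbits


def variable_length_ladder(k):
    """Leaky variant: starts at the top set bit, so the iteration count
    (and running time) reveals k.bit_length()."""
    return ladder(k, k.bit_length())


def fixed_length_ladder(k, nbits=24):
    """Hardened variant: always nbits iterations, so every scalar below
    2**nbits costs the same (24-bit toy scalar size is an assumption)."""
    return ladder(k, nbits)
```

Both variants return the same point; only the second gives an observer of the running time nothing about the scalar's length.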

II. Impact

A remote attacker can retrieve the private key of a TLS server that authenticates with ECDSA signatures and binary curves.

III. Solution

We are currently unaware of a practical solution to this problem.

Do not use ECDSA signatures and binary curves for authentication.

Vendor Information

Vendor                  Status     Date Notified   Date Updated
Apache-SSL              Unknown    2011-04-21      2011-04-21
Apple Inc.              Unknown    2011-05-10      2011-05-10
CentOS                  Unknown    2011-05-10      2011-05-10
Debian GNU/Linux        Unknown    2011-05-10      2011-05-10
FreeBSD Project         Unknown    2011-05-10      2011-05-10
Gentoo Linux            Unknown    2011-05-10      2011-05-10
Mandriva S. A.          Unknown    2011-05-10      2011-05-10
NetBSD                  Unknown    2011-05-10      2011-05-10
OpenSSL                 Affected   2011-03-29      2011-05-11
Red Hat, Inc.           Unknown    2011-05-10      2011-05-10
Slackware Linux Inc.    Unknown    2011-05-10      2011-05-10
SUSE Linux              Unknown    2011-05-10      2011-05-10
Ubuntu                  Unknown    2011-05-10      2011-05-10

References

http://www.openssl.org/docs/crypto/ecdsa.html
http://eprint.iacr.org/2011/232

Credit

Thanks to Billy Brumley for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

Date Public: 2011-05-17
Date First Published: 2011-05-17
Date Last Updated: 2011-06-01
CERT Advisory:
CVE-ID(s): CVE-2011-1945
NVD-ID(s): CVE-2011-1945
US-CERT Technical Alerts:
Severity Metric: 0.13
Document Revision: 13

Original Source

Url : http://www.kb.cert.org/vuls/id/536044

CWE : Common Weakness Enumeration

id         Name
CWE-310    Cryptographic Issues

CPE : Common Platform Enumeration

Type           Description    Count
Application                   78

Open Source Vulnerability Database (OSVDB)

id       Description
74632    OpenSSL ECDHE_ECDSA Cipher Suite ECDSA Timing Attack Weakness