Executive Summary

Summary
Title OpenSSL leaks ECDSA private key through a remote timing attack
Informations
NameVU#536044First vendor Publication2011-05-17
VendorVU-CERTLast vendor Modification2011-06-01
Severity (Vendor) N/ARevisionM

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:H/Au:N/C:P/I:N/A:N)
Cvss Base Score2.6Attack RangeNetwork
Cvss Impact Score2.9Attack ComplexityHigh
Cvss Expoit Score4.9AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#536044

OpenSSL leaks ECDSA private key through a remote timing attack

Overview

The OpenSSL ladder implementation for scalar multiplication of points on elliptic curves over binary fields is susceptible to a timing attack vulnerability. This vulnerability can be used to steal the private key of a TLS server that authenticates with ECDSA signatures and binary curves.

I. Description

Billy Bob Brumley's and Nicola Tuveri's paper "Remote Timing Attacks are Still Practical" states:

"For over two decades, timing attacks have been an active area of research within applied cryptography. These attacks exploit cryptosystem or protocol implementations that do not run in constant time. When implementing an elliptic curve cryptosystem that provides side-channel resistance, the scalar multiplication routine is a critical component. In such instances, one attractive method often suggested in the literature is Montgomery’s ladder that performs a fixed sequence of curve and field operations.

This paper describes a timing attack vulnerability in OpenSSL's ladder implementation for curves over binary fields. We use this vulnerability to steal the private key of a TLS server where the server authenticates with ECDSA signatures. Using the timing of the exchanged messages, the messages themselves, and the signatures, we mount a lattice attack that recovers the private key."

II. Impact

A remote attacker can retrieve the private key of a TLS server that authenticates with ECDSA signatures and binary curves.

III. Solution

We are currently unaware of a practical solution to this problem.

Do not use ECDSA signatures and binary curves for authentication.

Vendor Information

VendorStatusDate NotifiedDate Updated
Apache-SSLUnknown2011-04-212011-04-21
Apple Inc.Unknown2011-05-102011-05-10
CentOSUnknown2011-05-102011-05-10
Debian GNU/LinuxUnknown2011-05-102011-05-10
FreeBSD ProjectUnknown2011-05-102011-05-10
Gentoo LinuxUnknown2011-05-102011-05-10
Mandriva S. A.Unknown2011-05-102011-05-10
NetBSDUnknown2011-05-102011-05-10
OpenSSLAffected2011-03-292011-05-11
Red Hat, Inc.Unknown2011-05-102011-05-10
Slackware Linux Inc.Unknown2011-05-102011-05-10
SUSE LinuxUnknown2011-05-102011-05-10
UbuntuUnknown2011-05-102011-05-10

References

http://www.openssl.org/docs/crypto/ecdsa.html
http://eprint.iacr.org/2011/232

Credit

Thanks to Billy Brumley for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

Date Public:2011-05-17
Date First Published:2011-05-17
Date Last Updated:2011-06-01
CERT Advisory:
CVE-ID(s):CVE-2011-1945
NVD-ID(s):CVE-2011-1945
US-CERT Technical Alerts:
Severity Metric:0.13
Document Revision:13

Original Source

Url : http://www.kb.cert.org/vuls/id/536044

CWE : Common Weakness Enumeration

idName
CWE-310Cryptographic Issues

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:14723
 
Oval ID: oval:org.mitre.oval:def:14723
Title: DSA-2309-1 openssl -- compromised certificate authority
Description: Several fraudulent SSL certificates have been found in the wild issued by the DigiNotar Certificate Authority, obtained through a security compromise of said company. After further updates on this incident, it has been determined that all of DigiNotar's signing certificates can no longer be trusted. Debian, like other software distributors and vendors, has decided to distrust all of DigiNotar's CAs. In this update, this is done in the crypto library by marking such certificates as revoked. Any application that uses said component should now reject certificates signed by DigiNotar. Individual applications may allow users to overrride the validation failure. However, making exceptions is highly discouraged and should be carefully verified. Additionally, a vulnerability has been found in the ECDHE_ECDS cipher where timing attacks make it easier to determine private keys. The Common Vulnerabilities and Exposures project identifies it as CVE-2011-1945.
Family: unix Class: patch
Reference(s): DSA-2309-1
CVE-2011-1945
Version: 5
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24733
 
Oval ID: oval:org.mitre.oval:def:24733
Title: Vulnerability in OpenSSL 1.0.0d and earlier, makes easier for context-dependent attackers to determine private keys
Description: The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.
Family: windows Class: vulnerability
Reference(s): CVE-2011-1945
Version: 3
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Product(s): OpenSSL
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application78

OpenVAS Exploits

DateDescription
2012-02-13Name : Ubuntu Update for openssl USN-1357-1
File : nvt/gb_ubuntu_USN_1357_1.nasl
2011-09-30Name : Mandriva Update for openssl MDVSA-2011:136 (openssl)
File : nvt/gb_mandriva_MDVSA_2011_136.nasl
2011-09-30Name : Mandriva Update for openssl MDVSA-2011:137 (openssl)
File : nvt/gb_mandriva_MDVSA_2011_137.nasl
2011-09-21Name : Debian Security Advisory DSA 2309-1 (openssl)
File : nvt/deb_2309_1.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
74632OpenSSL ECDHE_ECDSA Cipher Suite ECDSA Timing Attack Weakness

Nessus® Vulnerability Scanner

DateDescription
2014-06-13Name : The remote openSUSE host is missing a security update.
File : suse_11_3_libopenssl-devel-110606.nasl - Type : ACT_GATHER_INFO
2014-06-13Name : The remote openSUSE host is missing a security update.
File : suse_11_4_libopenssl-devel-110607.nasl - Type : ACT_GATHER_INFO
2013-12-03Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201312-03.nasl - Type : ACT_GATHER_INFO
2013-06-05Name : The remote host is missing a Mac OS X update that fixes several security issues.
File : macosx_10_8_4.nasl - Type : ACT_GATHER_INFO
2013-06-05Name : The remote host is missing a Mac OS X update that fixes several security issues.
File : macosx_SecUpd2013-002.nasl - Type : ACT_GATHER_INFO
2012-04-20Name : The remote web server is affected by multiple vulnerabilities.
File : hpsmh_7_0_0_24.nasl - Type : ACT_GATHER_INFO
2012-02-10Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1357-1.nasl - Type : ACT_GATHER_INFO
2012-01-09Name : The remote web server has multiple SSL-related vulnerabilities.
File : openssl_0_9_8s.nasl - Type : ACT_GATHER_INFO
2011-12-13Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_openssl-7550.nasl - Type : ACT_GATHER_INFO
2011-09-29Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2011-136.nasl - Type : ACT_GATHER_INFO
2011-09-29Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2011-137.nasl - Type : ACT_GATHER_INFO
2011-09-14Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2309.nasl - Type : ACT_GATHER_INFO
2011-09-12Name : The remote web server is affected by multiple SSL-related vulnerabilities.
File : openssl_1_0_0e.nasl - Type : ACT_GATHER_INFO
2011-06-15Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_libopenssl-devel-110606.nasl - Type : ACT_GATHER_INFO
2011-06-15Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_openssl-7552.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
DateInformations
2014-02-17 12:07:56
  • Multiple Updates