|Title||OpenSSL leaks ECDSA private key through a remote timing attack|
|Name||VU#536044||First vendor Publication||2011-05-17|
|Vendor||VU-CERT||Last vendor Modification||2011-06-01|
Security-Database Scoring CVSS v2
|Cvss vector : (AV:N/AC:H/Au:N/C:P/I:N/A:N)|
|Cvss Base Score||2.6||Attack Range||Network|
|Cvss Impact Score||2.9||Attack Complexity||High|
|Cvss Expoit Score||4.9||Authentification||None Required|
|Calculate full CVSS 2.0 Vectors scores|
Vulnerability Note VU#536044
OpenSSL leaks ECDSA private key through a remote timing attack
OverviewThe OpenSSL ladder implementation for scalar multiplication of points on elliptic curves over binary fields is susceptible to a timing attack vulnerability. This vulnerability can be used to steal the private key of a TLS server that authenticates with ECDSA signatures and binary curves.
I. DescriptionBilly Bob Brumley's and Nicola Tuveri's paper "Remote Timing Attacks are Still Practical" states:
"For over two decades, timing attacks have been an active area of research within applied cryptography. These attacks exploit cryptosystem or protocol implementations that do not run in constant time. When implementing an elliptic curve cryptosystem that provides side-channel resistance, the scalar multiplication routine is a critical component. In such instances, one attractive method often suggested in the literature is Montgomery’s ladder that performs a fixed sequence of curve and field operations.
II. ImpactA remote attacker can retrieve the private key of a TLS server that authenticates with ECDSA signatures and binary curves.
III. SolutionWe are currently unaware of a practical solution to this problem.
Do not use ECDSA signatures and binary curves for authentication.
Thanks to Billy Brumley for reporting this vulnerability.
This document was written by Jared Allar.
|Url : http://www.kb.cert.org/vuls/id/536044|
CWE : Common Weakness Enumeration
CPE : Common Platform Enumeration
Open Source Vulnerability Database (OSVDB)
|74632||OpenSSL ECDHE_ECDSA Cipher Suite ECDSA Timing Attack Weakness|