Executive Summary

Summary
Title: OpenSSL leaks ECDSA private key through a remote timing attack

Informations
Name: VU#536044
First vendor Publication: 2011-05-17
Vendor: VU-CERT
Last vendor Modification: 2011-06-01
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:H/Au:N/C:P/I:N/A:N)
Cvss Base Score: 2.6 | Attack Range: Network
Cvss Impact Score: 2.9 | Attack Complexity: High
Cvss Exploit Score: 4.9 | Authentication: None Required

Detail

Vulnerability Note VU#536044

OpenSSL leaks ECDSA private key through a remote timing attack

Overview

The OpenSSL ladder implementation for scalar multiplication of points on elliptic curves over binary fields is susceptible to a timing attack vulnerability. This vulnerability can be used to steal the private key of a TLS server that authenticates with ECDSA signatures and binary curves.

I. Description

Billy Bob Brumley and Nicola Tuveri's paper "Remote Timing Attacks are Still Practical" states:

"For over two decades, timing attacks have been an active area of research within applied cryptography. These attacks exploit cryptosystem or protocol implementations that do not run in constant time. When implementing an elliptic curve cryptosystem that provides side-channel resistance, the scalar multiplication routine is a critical component. In such instances, one attractive method often suggested in the literature is Montgomery’s ladder that performs a fixed sequence of curve and field operations.

This paper describes a timing attack vulnerability in OpenSSL's ladder implementation for curves over binary fields. We use this vulnerability to steal the private key of a TLS server where the server authenticates with ECDSA signatures. Using the timing of the exchanged messages, the messages themselves, and the signatures, we mount a lattice attack that recovers the private key."
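The defect the note describes is a ladder whose number of iterations depends on the scalar: the loop starts at the scalar's most significant set bit, so a shorter scalar (for ECDSA, a per-signature nonce with more leading zero bits) finishes sooner. The following added example, which is not OpenSSL's code nor the paper's, models this with a stand-in group (multiplication modulo a constructed prime instead of binary-curve point arithmetic) and counts group operations instead of timing anything, since Python integers are not constant-time in the first place. It places the variable-length loop beside the usual mitigation, a ladder that always runs a fixed number of steps (the bit length of the group order) and selects registers without a data-dependent branch. All constants are constructed for the illustration.

```python
"""Toy model of the variable-length Montgomery ladder behind VU#536044.

Added example, not OpenSSL's code.  The group is multiplication modulo a
prime (a stand-in for binary-curve point arithmetic).  Group operations are
counted instead of measuring time; every ladder step costs exactly one
'add' and one 'double', so the only thing that can vary is the step count.
"""

P = 2**61 - 1  # constructed toy modulus (a prime); stands in for the curve
G = 3          # constructed generator of the toy group


class OpCounter:
    """Counts group operations; stands in for a stopwatch."""

    def __init__(self):
        self.ops = 0

    def mul(self, a, b):
        self.ops += 1
        return (a * b) % P


def ladder_variable_length(k, g=G):
    """Ladder that starts at k's most significant set bit.

    Runs k.bit_length() steps, so the operation count (and, in real code,
    the running time) reveals how many leading zero bits k has.
    """
    c = OpCounter()
    r0, r1 = 1, g
    for i in range(k.bit_length() - 1, -1, -1):
        if (k >> i) & 1:
            r0, r1 = c.mul(r0, r1), c.mul(r1, r1)
        else:
            r0, r1 = c.mul(r0, r0), c.mul(r0, r1)
    return r0, c.ops


def cswap(bit, a, b):
    """Swap a and b when bit == 1 using arithmetic, not a branch."""
    d = (a ^ b) * bit
    return a ^ d, b ^ d


def ladder_fixed_length(k, nbits, g=G):
    """Ladder that always runs nbits steps (nbits = bit length of the group
    order), so the operation count is identical for every k < 2**nbits.
    Leading zero bits cost a step each but leave (r0, r1) unchanged."""
    c = OpCounter()
    r0, r1 = 1, g
    for i in range(nbits - 1, -1, -1):
        bit = (k >> i) & 1
        r0, r1 = cswap(bit, r0, r1)
        r0, r1 = c.mul(r0, r0), c.mul(r0, r1)
        r0, r1 = cswap(bit, r0, r1)
    return r0, c.ops


def leaked_bit_length(ops):
    """What an observer of the variable-length ladder learns from its cost."""
    return ops // 2


if __name__ == "__main__":
    NBITS = 16  # constructed 'order bit length' for the toy group
    for k in (1, 45, 1000, 2**15 + 7):
        r_var, ops_var = ladder_variable_length(k)
        r_fix, ops_fix = ladder_fixed_length(k, NBITS)
        assert r_var == r_fix == pow(G, k, P)
        print(f"k={k:6d} bits={k.bit_length():2d} "
              f"variable ops={ops_var:3d} (leaks {leaked_bit_length(ops_var)} bits) "
              f"fixed ops={ops_fix:3d}")
```

Running the block prints one line per scalar: the variable-length ladder's cost grows with the scalar's bit length, while the fixed-length ladder costs 2 * NBITS for every scalar. The same principle applies to the real implementation: the loop bound must come from the group order, never from the secret scalar.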

II. Impact

A remote attacker can retrieve the private key of a TLS server that authenticates with ECDSA signatures and binary curves.

III. Solution

We are currently unaware of a practical solution to this problem.

Do not use ECDSA signatures and binary curves for authentication.

Vendor Information

Vendor | Status | Date Notified | Date Updated
Apache-SSL | Unknown | 2011-04-21 | 2011-04-21
Apple Inc. | Unknown | 2011-05-10 | 2011-05-10
CentOS | Unknown | 2011-05-10 | 2011-05-10
Debian GNU/Linux | Unknown | 2011-05-10 | 2011-05-10
FreeBSD Project | Unknown | 2011-05-10 | 2011-05-10
Gentoo Linux | Unknown | 2011-05-10 | 2011-05-10
Mandriva S. A. | Unknown | 2011-05-10 | 2011-05-10
NetBSD | Unknown | 2011-05-10 | 2011-05-10
OpenSSL | Affected | 2011-03-29 | 2011-05-11
Red Hat, Inc. | Unknown | 2011-05-10 | 2011-05-10
Slackware Linux Inc. | Unknown | 2011-05-10 | 2011-05-10
SUSE Linux | Unknown | 2011-05-10 | 2011-05-10
Ubuntu | Unknown | 2011-05-10 | 2011-05-10

References

http://www.openssl.org/docs/crypto/ecdsa.html
http://eprint.iacr.org/2011/232

Credit

Thanks to Billy Brumley for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

Date Public: 2011-05-17
Date First Published: 2011-05-17
Date Last Updated: 2011-06-01
CERT Advisory:
CVE-ID(s): CVE-2011-1945
NVD-ID(s): CVE-2011-1945
US-CERT Technical Alerts:
Severity Metric: 0.13
Document Revision: 13

Original Source

Url : http://www.kb.cert.org/vuls/id/536044

CWE : Common Weakness Enumeration

id | Name
CWE-310 | Cryptographic Issues

CPE : Common Platform Enumeration

Type | Description | Count
Application | | 78

OpenVAS Exploits

Date | Description
2012-02-13 | Name : Ubuntu Update for openssl USN-1357-1
File : nvt/gb_ubuntu_USN_1357_1.nasl
2011-09-30 | Name : Mandriva Update for openssl MDVSA-2011:136 (openssl)
File : nvt/gb_mandriva_MDVSA_2011_136.nasl
2011-09-30 | Name : Mandriva Update for openssl MDVSA-2011:137 (openssl)
File : nvt/gb_mandriva_MDVSA_2011_137.nasl
2011-09-21 | Name : Debian Security Advisory DSA 2309-1 (openssl)
File : nvt/deb_2309_1.nasl

Open Source Vulnerability Database (OSVDB)

id | Description
74632 | OpenSSL ECDHE_ECDSA Cipher Suite ECDSA Timing Attack Weakness

Nessus® Vulnerability Scanner

Date | Description
2013-12-03 | Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201312-03.nasl - Type : ACT_GATHER_INFO
2013-06-05 | Name : The remote host is missing a Mac OS X update that fixes several security issues.
File : macosx_10_8_4.nasl - Type : ACT_GATHER_INFO
2013-06-05 | Name : The remote host is missing a Mac OS X update that fixes several security issues.
File : macosx_SecUpd2013-002.nasl - Type : ACT_GATHER_INFO
2012-04-20 | Name : The remote web server is affected by multiple vulnerabilities.
File : hpsmh_7_0_0_24.nasl - Type : ACT_GATHER_INFO
2012-02-10 | Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1357-1.nasl - Type : ACT_GATHER_INFO
2012-01-09 | Name : The remote web server has multiple SSL-related vulnerabilities.
File : openssl_0_9_8s.nasl - Type : ACT_GATHER_INFO
2011-12-13 | Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_openssl-7550.nasl - Type : ACT_GATHER_INFO
2011-09-29 | Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2011-136.nasl - Type : ACT_GATHER_INFO
2011-09-29 | Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2011-137.nasl - Type : ACT_GATHER_INFO
2011-09-14 | Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2309.nasl - Type : ACT_GATHER_INFO
2011-09-12 | Name : The remote web server is affected by multiple SSL-related vulnerabilities.
File : openssl_1_0_0e.nasl - Type : ACT_GATHER_INFO
2011-06-15 | Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_libopenssl-devel-110606.nasl - Type : ACT_GATHER_INFO
2011-06-15 | Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_openssl-7552.nasl - Type : ACT_GATHER_INFO

Alert History

Date | Informations
2014-02-17 12:07:56 | Multiple Updates