From 82debf83328da2d669529f29a4e08fbfbd26fb7b Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 17 Oct 2019 10:18:51 +0100 Subject: [PATCH 1/2] ECDSA: Fix side channel vulnerability The blinding applied to the scalar before modular inversion is inadequate. Bignum is not constant time/constant trace, side channel attacks can retrieve the blinded value, factor it (it is smaller than RSA keys and not guaranteed to have only large prime factors). Then the key can be recovered by brute force. Reducing the blinded value makes factoring useless because the adversary can only recover pk*t+z*N instead of pk*t. --- library/ecdsa.c | 1 + 1 file changed, 1 insertion(+) diff --git a/library/ecdsa.c b/library/ecdsa.c index c635a507e..24bf73473 100644 --- a/library/ecdsa.c +++ b/library/ecdsa.c @@ -153,6 +153,7 @@ static int ecdsa_sign_internal( mbedtls_ecp_group *grp, mbedtls_mpi *r, MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &k, &k, &t ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &k, &k, &grp->N ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, &k, &grp->N ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) ); From 5cf41f80a4cc7ce35ff64deb65a85d05ff275e02 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 25 Oct 2019 08:53:01 +0100 Subject: [PATCH 2/2] Add ChangeLog entry --- ChangeLog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index 16982a0e0..d84a364f8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,13 @@ mbed TLS ChangeLog (Sorted per branch, date) = mbed TLS 2.7.x branch released xxxx-xx-xx +Security + * Fix side channel vulnerability in ECDSA. Our bignum implementation is not + constant time/constant trace, so side channel attacks can retrieve the + blinded value, factor it (as it is smaller than RSA keys and not guaranteed + to have only large prime factors), and then, by brute force, recover the + key. Reported by Alejandro Cabrera Aldaya and Billy Brumley. + Changes * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx() from the cipher abstraction layer. Fixes #2198.