Fix leakage of projective coordinates in ECC
See the comments in the code for how an attack would go, and the ChangeLog entry for an impact assessment. (For ECDSA, leaking a few bits of the scalar over several signatures translates to full private key recovery using a lattice attack.) Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
Manuel Pégourié-Gonnard
parent
d414c32a16
commit
a4aa89b16e
2 changed files with 35 additions and 0 deletions
|
|
@ -6,6 +6,13 @@ New deprecations
|
|||
* Deprecate MBEDTLS_SSL_HW_RECORD_ACCEL that enables function hooks in the
|
||||
SSL module for hardware acceleration of individual records.
|
||||
|
||||
Security
|
||||
* Fix side channel in ECC code that allowed an adversary with access to
|
||||
precise enough timing and memory access information (typically an
|
||||
untrusted operating system attacking a secure enclave) to fully recover
|
||||
an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya,
|
||||
Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
|
||||
|
||||
Bugfix
|
||||
* Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and
|
||||
MBEDTLS_SSL_HW_RECORD_ACCEL are enabled.
|
||||
|
|
|
|||
|
|
@ -2016,6 +2016,20 @@ static int ecp_mul_comb_after_precomp( const mbedtls_ecp_group *grp,
|
|||
|
||||
final_norm:
|
||||
#endif
|
||||
/*
|
||||
* Knowledge of the jacobian coordinates may leak the last few bits of the
|
||||
* scalar [1], and since our MPI implementation isn't constant-flow,
|
||||
* inversion (used for coordinate normalization) may leak the full value
|
||||
* of its input via side-channels [2].
|
||||
*
|
||||
* [1] https://eprint.iacr.org/2003/191
|
||||
* [2] https://eprint.iacr.org/2020/055
|
||||
*
|
||||
* Avoid the leak by randomizing coordinates before we normalize them.
|
||||
*/
|
||||
if( f_rng != 0 )
|
||||
MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, RR, f_rng, p_rng ) );
|
||||
|
||||
MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
|
||||
MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, RR ) );
|
||||
|
||||
|
|
@ -2388,6 +2402,20 @@ static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
|
|||
MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->Z, &RP.Z, b ) );
|
||||
}
|
||||
|
||||
/*
|
||||
* Knowledge of the projective coordinates may leak the last few bits of the
|
||||
* scalar [1], and since our MPI implementation isn't constant-flow,
|
||||
* inversion (used for coordinate normalization) may leak the full value
|
||||
* of its input via side-channels [2].
|
||||
*
|
||||
* [1] https://eprint.iacr.org/2003/191
|
||||
* [2] https://eprint.iacr.org/2020/055
|
||||
*
|
||||
* Avoid the leak by randomizing coordinates before we normalize them.
|
||||
*/
|
||||
if( f_rng != NULL )
|
||||
MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, R, f_rng, p_rng ) );
|
||||
|
||||
MBEDTLS_MPI_CHK( ecp_normalize_mxz( grp, R ) );
|
||||
|
||||
cleanup:
|
||||
|
|
|
|||
Loading…
Reference in a new issue