5b0589e9ab
Calling mbedtls_mpi_cmp_int reveals the number of leading zero limbs to an adversary who is capable of very fine-grained timing measurements. This is very little information, but could be practical with secp521r1 (1/512 chance of the leading limb being 0) if the adversary can measure the precise timing of a large number of signature operations. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
7 lines
401 B
Text
7 lines
401 B
Text
Security
|
|
* Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
|
|
An adversary who is capable of very precise timing measurements could
|
|
learn partial information about the leading bits of the nonce used for the
|
|
signature, allowing the recovery of the private key after observing a
|
|
large number of signature operations. This completes a partial fix in
|
|
Mbed TLS 2.20.0.
|