
deps: float 0c27d793 from openssl (ECDSA blinding) #21345

Closed

Conversation

@rvagg (Member) commented Jun 15, 2018

This came up during #21282, another security patch on upstream OpenSSL pending 1.1.0i release that's probably worth patching. Not critical and looks pretty academic but there's potential for a proper hole here and a POC is being released in a couple of weeks that might prove useful to an attacker.

Note that even though OpenSSL says this:

Since this attack is a localhost side channel only no CVE is assigned.

The original reporter expands with this:

The most common scenario is when the attacker and victim are both running in a cloud computing environment and their virtual machines are assigned to share the same physical host. In this hypothetical, an attacker could use a cross-VM side-channel attack to, for example, steal SSH server keys or TLS private keys.

If that's true for OpenSSL specifically then I don't think I'd call this a "localhost" side channel. But whatever.

There's a 1.0.2 variant patch for this too, I'll open PRs for 8 and 6.

Ref: https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
Upstream: openssl/openssl@0c27d793

Original commit message:

Add blinding to an ECDSA signature

Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
ECDSA signature operation. During signing the signer calculates:

s := k^-1 * (m + r * priv_key) mod order

The addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.

As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:

s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order

Since this attack is a localhost side channel only no CVE is assigned.

Reviewed-by: Rich Salz <[email protected]>
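To make the arithmetic in the commit message concrete, here is an added example (not code from this PR, from Node.js, or from OpenSSL) that implements textbook ECDSA over secp256k1 in pure Python and computes `s` both the pre-patch way and with a per-signature blinding factor. It assumes nothing beyond the public secp256k1 domain parameters; `sign_unblinded`, `sign_blinded`, `verify` and `demo` are names chosen here. With the same nonce `k`, both paths produce the identical signature, which is the point of the mitigation: the output is unchanged, but the secret-dependent sum `m + r * priv_key` is never formed on unblinded values.

```python
# Added example, not part of the Node.js PR or OpenSSL: ECDSA signing with
# and without the blinding factor described in the upstream commit message.
import hashlib
import secrets

# secp256k1 domain parameters (public constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def inv(a, m):
    """Modular inverse of a mod m (m prime)."""
    return pow(a, -1, m)


def point_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # p1 == -p2
        lam = (3 * x1 * x1) * inv(2 * y1, P) % P  # doubling
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; for illustration)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign_unblinded(d, msg, k):
    """Pre-patch formula: s := k^-1 * (m + r * priv_key) mod order."""
    m = hash_to_int(msg)
    r = scalar_mul(k, G)[0] % N
    # The addition m + r*d on unblinded values is the leaky step.
    s = inv(k, N) * ((m + r * d) % N) % N
    return r, s


def sign_blinded(d, msg, k, blind):
    """Patched formula: s := k^-1 * blind^-1 * (blind*m + blind*r*priv_key) mod order."""
    m = hash_to_int(msg)
    r = scalar_mul(k, G)[0] % N
    blind_m = blind * m % N
    blind_r = blind * r % N
    # The addition now happens on blinded terms; the blinding is removed afterwards.
    s = inv(k, N) * inv(blind, N) % N * ((blind_m + blind_r * d) % N) % N
    return r, s


def verify(pub, msg, sig):
    """Standard ECDSA verification."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    m = hash_to_int(msg)
    w = inv(s, N)
    pt = point_add(scalar_mul(m * w % N, G), scalar_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def demo():
    """Random key, nonce and blinding factor: both paths yield the same valid signature."""
    d = secrets.randbelow(N - 1) + 1
    pub = scalar_mul(d, G)
    msg = b"constructed sample message"  # constructed input
    k = secrets.randbelow(N - 1) + 1
    blind = secrets.randbelow(N - 1) + 1
    sig_plain = sign_unblinded(d, msg, k)
    sig_blind = sign_blinded(d, msg, k, blind)
    return sig_plain == sig_blind and verify(pub, msg, sig_blind)


if __name__ == "__main__":
    print("blinded signature matches and verifies:", demo())
```

The scalar multiplication here is deliberately simple and not constant-time; the example is about the modular arithmetic around `s`, not about a hardened implementation. A real library additionally retries when `r` or `s` is zero and derives `k` in a way that cannot be predicted or reused.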

Pending OpenSSL 1.1.0i release.

Ref: https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
Upstream: openssl/openssl@0c27d793

@rvagg rvagg added openssl Issues and PRs related to the OpenSSL dependency. security Issues and PRs related to security. labels Jun 15, 2018
@rvagg rvagg requested review from bnoordhuis, shigeki and addaleax June 15, 2018 06:49
@nodejs-github-bot nodejs-github-bot added the openssl Issues and PRs related to the OpenSSL dependency. label Jun 15, 2018
rvagg added a commit to rvagg/io.js that referenced this pull request Jun 15, 2018
Pending OpenSSL 1.0.2p release.

Ref: https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
Ref: nodejs#21345
Upstream: openssl/openssl@949ff366

rvagg added a commit to rvagg/io.js that referenced this pull request Jun 15, 2018
Pending OpenSSL 1.0.2p release.

Ref: https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
Ref: nodejs#21345
Upstream: openssl/openssl@949ff366

rvagg added a commit that referenced this pull request Jun 18, 2018
Pending OpenSSL 1.0.2p release.

Ref: https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
Ref: #21345
Upstream: openssl/openssl@949ff366
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>

rvagg added a commit that referenced this pull request Jun 18, 2018
Pending OpenSSL 1.0.2p release.

Ref: https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
Ref: #21345
Upstream: openssl/openssl@949ff366
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>

@BridgeAR BridgeAR added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Jun 18, 2018
@targos (Member) commented Jun 24, 2018

@apapirovski (Member) commented:

Landed in 831821b

apapirovski pushed a commit that referenced this pull request Jun 25, 2018
Pending OpenSSL 1.1.0i release.

Refs: https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
PR-URL: #21345
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Upstream: openssl/openssl@0c27d793

targos pushed a commit that referenced this pull request Jun 25, 2018
Pending OpenSSL 1.1.0i release.

Refs: https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
PR-URL: #21345
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Upstream: openssl/openssl@0c27d793

@targos targos mentioned this pull request Jul 3, 2018
@MylesBorins (Contributor) commented:

Should this be backported to v8.x-staging? If yes please follow the guide and raise a backport PR, if not let me know or add the dont-land-on label.
