31 October 2019
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Maintained by Hanno Böck.
Researchers from Masaryk University have presented a timing side-channel attack called Minerva. The attack exploits timing leaks in implementations of elliptic curve signature schemes, primarily ECDSA. The main targets were cryptographic chips, but several open-source libraries turned out to be affected as well.
The attack relies on a timing side channel that reveals the bit length of the nonce used during signature generation: when the scalar multiplication walks the nonce bit by bit starting from its highest set bit, a nonce with leading zero bits takes measurably less time. It is a well-known property of ECDSA-style signatures that an attacker who learns the nonce of a single signature can compute the private key. Even partial knowledge of the nonce, here the fact that its top bits are zero, is enough: combining many such signatures in a lattice (hidden number problem) attack recovers the key, and this is what Minerva does.
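The following is an added illustration written for this newsletter issue, not code from the Minerva authors or from any affected library. It models the leak described above on secp256k1 (real curve parameters): a left-to-right double-and-add whose loop runs once per bit of the nonce, so the iteration count (standing in for measured time) equals the nonce's bit length. It then shows both recovery paths, one fully known nonce giving the key directly, and several signatures with short nonces giving the key through the hidden-number-problem lattice. Assumptions for the demo: the short nonces are planted with 96 leading zero bits so that five signatures and a 7-row lattice suffice (Minerva worked with far fewer leaked bits per signature and many more signatures, and had to cope with noisy timings), and the LLL reduction is a textbook pure-Python implementation, so the lattice step takes a few seconds.

```python
# Editor's illustration of the Minerva nonce-length leak on secp256k1; not code from the paper or any affected library.
import hashlib, random
from fractions import Fraction

p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F   # secp256k1: y^2 = x^3 + 7 over F_p
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # prime order of the generator G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, p) if x1 == x2 else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def scalar_mult_leaky(k, P):
    """Left-to-right double-and-add that starts at the highest set bit of k.  One loop pass
    per bit, so the running time (modelled by the returned step count) reveals k.bit_length()."""
    R, steps = None, 0
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == "1":
            R = ec_add(R, P)
        steps += 1
    return R, steps

def sign(d, h, k):
    """ECDSA with caller-supplied nonce k; returns (r, s) plus the leaked step count."""
    R, steps = scalar_mult_leaky(k, G)
    r = R[0] % n
    return (r, pow(k, -1, n) * (h + r * d) % n), steps

def key_from_known_nonce(sig, h, k):
    """s = k^-1 (h + r d)  =>  d = (s k - h) / r (mod n): one fully known nonce breaks the key."""
    r, s = sig
    return (s * k - h) * pow(r, -1, n) % n

def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL with exact rational Gram-Schmidt; adequate for the 7-row lattice used here."""
    B, m = [list(row) for row in basis], len(basis)
    def gso():  # mu[i][j] and r[i][i] = |b*_i|^2, computed from the integer Gram matrix
        gram = [[Fraction(sum(a * b for a, b in zip(B[i], B[j]))) for j in range(m)] for i in range(m)]
        mu, r = ([[Fraction(0)] * m for _ in range(m)] for _ in range(2))
        for i in range(m):
            for j in range(i + 1):
                r[i][j] = gram[i][j] - sum(mu[j][l] * r[i][l] for l in range(j))
                if j < i:
                    mu[i][j] = r[i][j] / r[j][j]
        return mu, r
    mu, r = gso()
    k = 1
    while k < m:
        for j in range(k - 1, -1, -1):                  # size-reduce b_k by b_j
            q = round(mu[k][j])
            if q:
                B[k] = [a - q * b for a, b in zip(B[k], B[j])]
                for l in range(j):
                    mu[k][l] -= q * mu[j][l]
                mu[k][j] -= q
        if r[k][k] >= (delta - mu[k][k - 1] ** 2) * r[k - 1][k - 1]:   # Lovasz condition
            k += 1
        else:
            B[k - 1], B[k] = B[k], B[k - 1]
            mu, r = gso()
            k = max(k - 1, 1)
    return B

def recover_key_from_short_nonces(sigs, hashes, zero_bits, Q):
    """Hidden-number-problem lattice: each signature gives k_i = t_i*d + u_i (mod n) with k_i < n / 2^zero_bits.
    Weighting the first m columns by W = 2^zero_bits makes (W*k_1, ..., W*k_m, d, n) a short vector LLL finds."""
    m, W = len(sigs), 1 << zero_bits
    t = [pow(s, -1, n) * r % n for r, s in sigs]
    u = [pow(s, -1, n) * h % n for (_, s), h in zip(sigs, hashes)]
    rows = [[n * W if j == i else 0 for j in range(m)] + [0, 0] for i in range(m)]
    rows += [[x * W for x in t] + [1, 0], [x * W for x in u] + [0, n]]
    for row in lll(rows):
        for cand in (row[m] % n, -row[m] % n):          # the d coordinate, up to sign and multiples of n
            if cand and scalar_mult_leaky(cand, G)[0] == Q:
                return cand
    return None

def run_demo(seed=2019, zero_bits=96):
    """Constructed scenario: the attacker sees (hash, signature, step count) for ten signatures, keeps the
    five whose leaked nonce length is short, and recovers d.  The short nonces are planted, not harvested."""
    rng = random.Random(seed)
    d = rng.randrange(1, n)
    Q = scalar_mult_leaky(d, G)[0]
    nonces = [rng.randrange(1, n) for _ in range(5)] + [rng.randrange(1, 1 << (256 - zero_bits)) for _ in range(5)]
    rng.shuffle(nonces)
    hashes = [int.from_bytes(hashlib.sha256(b"message %d" % i).digest(), "big") % n for i in range(len(nonces))]
    observed = [(h,) + sign(d, h, k) for h, k in zip(hashes, nonces)]
    kept = [(h, sig) for h, sig, steps in observed if steps <= 256 - zero_bits]
    recovered = recover_key_from_short_nonces([sig for _, sig in kept], [h for h, _ in kept], zero_bits, Q)
    return d, recovered, len(kept)
```

Calling `run_demo()` returns the planted private key, the key recovered purely from the leaked step counts plus the public signatures, and the number of signatures the length filter kept (five). The filter is the whole point of the leak: nothing about the nonces themselves is observed, only which signatures took fewer loop passes, and that is enough to feed the lattice. `key_from_known_nonce` is the one-signature case the paragraph mentions. Real implementations avoid this by making the scalar multiplication's work independent of the nonce's bit length, for example by always processing a fixed number of bits.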
Minerva affected several chips certified under FIPS 140-2 and Common Criteria. The Minerva authors explain how that could happen as follows: “The FIPS 140-2 certification scheme specifically does not require side-channel resistance to be tested by the lab performing the assessment. So even though the FIPS security targets of the aforementioned cards specify resistance against side-channel attacks, no such testing had to be performed.”
Furthermore, commenting on the case of Common Criteria: “The original Common Criteria certificate DCSSI-CC-2009/11 that introduced the vulnerable functionality did so by stating the functionality is explicitly not protected against SPA/DPA attacks and should not be used on secure data.”
Following the publication of Minerva, Daniel J. Bernstein commented on whether the attack applies to EdDSA. The Minerva authors had originally listed the EdDSA implementation in Libgcrypt as vulnerable as well; a timing leak is present there, but it is not exploitable, which the authors now note on their web page. Bernstein describes in detail how the design of EdDSA prevents such attacks.
The affected open-source libraries are Libgcrypt, WolfSSL, MatrixSSL and Crypto++, along with the Oracle Java JDK. Libgcrypt fixed the issue in version 1.8.5 and WolfSSL in version 4.1.0.