Bulletproof TLS Newsletter #58
Elliptic curve implementations vulnerable to Minerva timing attack
31 October 2019
Author: Hanno Böck

This issue was distributed to 52,242 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. Elliptic curve implementations vulnerable to Minerva timing attack
  2. Short news

Elliptic curve implementations vulnerable to Minerva timing attack

Researchers from Masaryk University have presented a timing attack called Minerva. The attack exploits side-channel vulnerabilities in implementations of elliptic curve signatures, primarily ECDSA. The primary targets of the attack were cryptographic chips, but several open-source libraries were also affected.

The attack works by detecting the bit length of the nonce used during signature generation through a timing side channel. It is a well-known property of elliptic curve signatures that an attacker who learns the nonce can recover the private key. However, even partial knowledge of the nonce, collected over many signatures, can be turned into a key recovery attack, and this is what Minerva does.
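The leak described above, and the standard mitigation of padding the nonce with the group order so that every scalar multiplication runs for the same number of iterations, as an added illustration that is not code from the Minerva paper or from any of the affected libraries. It uses a tiny textbook curve (y^2 = x^3 + 2x + 2 over GF(17), generator of order 19) chosen here only so the loop counts are easy to inspect; the iteration count stands in for execution time.

```python
# Toy curve parameters (constructed for illustration, not a real-world curve):
# y^2 = x^3 + A*x + B over GF(P), generator G of prime order N.
P, A, B = 17, 2, 2
G = (5, 1)
N = 19
INF = None  # point at infinity (group identity)

def inv(x):
    """Modular inverse in GF(P) via Fermat's little theorem."""
    return pow(x, P - 2, P)

def add(p1, p2):
    """Affine point addition (handles doubling and the identity)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # vertical line: p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul_leaky(k, pt):
    """Left-to-right double-and-add. Returns (k*pt, iterations).
    The loop runs once per bit of k, so the iteration count (our timing
    proxy) reveals the bit length of the secret scalar: the Minerva leak."""
    acc, iters = INF, 0
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
        iters += 1
    return acc, iters

def mul_padded(k, pt, order=N):
    """Mitigation: add the group order so every scalar has the same bit length.
    k + order yields the same point because order*pt is the identity. If the
    sum still has the bit length of the order, add the order once more."""
    kp = k + order
    if kp.bit_length() == order.bit_length():
        kp += order
    return mul_leaky(kp, pt)

def iteration_counts(mul):
    """Distinct iteration counts observed over all valid nonces 1..N-1."""
    return {mul(k, G)[1] for k in range(1, N)}
```

With the leaky routine the nonce bit length shows up directly in the iteration count; with the padded scalar every nonce takes the same number of iterations while still producing the same point.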

Minerva affected several chips with certifications from FIPS and Common Criteria. The Minerva authors try to explain how that happened as follows: “The FIPS 140-2 certification scheme specifically does not require side-channel resistance to be tested by the lab performing the assessment. So even though the FIPS security targets of the aforementioned cards specify resistance against side-channel attacks, no such testing had to be performed.”

Furthermore, commenting on the case of Common Criteria: “The original Common Criteria certificate DCSSI-CC-2009/11 that introduced the vulnerable functionality did so by stating the functionality is explicitly not protected against SPA/DPA attacks and should not be used on secure data.”

Following the publication of Minerva, Dan Bernstein commented on the applicability of the attack to EdDSA. Originally, the authors of Minerva had claimed that the EdDSA implementation in Libgcrypt was vulnerable to Minerva as well, but although a timing leak is present there, it is not exploitable, which the authors now note on their web page. Bernstein describes in detail how the design of EdDSA prevented such attacks.

The libraries affected by Minerva are Libgcrypt, WolfSSL, MatrixSSL, and Crypto++, along with the Oracle Java JDK. Libgcrypt has released a fix in version 1.8.5 and WolfSSL in version 4.1.0.

Short news