Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.
In this issue:
- Elliptic curve implementations vulnerable to Minerva timing attack
- Short news
Elliptic curve implementations vulnerable to Minerva timing attack
Researchers from Masaryk University have presented a timing attack called Minerva. The attack exploits side-channel vulnerabilities in implementations of elliptic curve signatures, primarily ECDSA. The primary targets of the attack were cryptographic chips, but several open-source libraries were also affected.
The attack works by using a timing side channel to detect the length of the nonce value used for signature generation. It’s a well-known property of elliptic curve signatures that an attacker who knows the nonce can recover the private key. However, even partial knowledge of the nonce is enough for a key recovery attack, and that is what Minerva relies on.
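The nonce-length leak described above, as an added example (not code from the Minerva authors or from any affected library): a textbook double-and-add loop on P-256 runs one iteration per nonce bit, and a commonly used countermeasure adds a multiple of the group order so that every scalar has the same length. The function names and the sample nonces are constructed for illustration.

```python
# Added illustration. P-256 public domain parameters (FIPS 186-4).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p1, p2):
    """Affine addition on y^2 = x^3 - 3x + b; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, point=G):
    """Textbook double-and-add; returns (k*point, number of loop iterations)."""
    acc, steps = None, 0
    for bit in bin(k)[2:]:      # one iteration per bit of k: this is the leak
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, point)
        steps += 1
    return acc, steps

def fixed_length(k):
    """Pad nonce k (1 <= k < N) to k+N or k+2N, always one bit longer than N.
    Removes the length leak only; real code also needs a constant-time ladder."""
    padded = k + N
    if padded.bit_length() == N.bit_length():
        padded += N
    return padded

# Constructed sample nonces: one with 15 leading zero bits, one full length.
K_SHORT = 2**240 + 12345
K_FULL = N - 2

if __name__ == "__main__":
    for k in (K_SHORT, K_FULL):
        print(scalar_mult(k)[1], scalar_mult(fixed_length(k))[1])
```

Because N·G is the point at infinity, the padded scalar produces the same point as the original nonce, so the signature is unchanged while the iteration count no longer depends on the nonce.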
Minerva affected several chips with certifications from FIPS and Common Criteria. The Minerva authors try to explain how that happened as follows: “The FIPS 140-2 certification scheme specifically does not require side-channel resistance to be tested by the lab performing the assessment. So even though the FIPS security targets of the aforementioned cards specify resistance against side-channel attacks, no such testing had to be performed.”
Furthermore, commenting on the case of Common Criteria: “The original Common Criteria certificate DCSSI-CC-2009/11 that introduced the vulnerable functionality did so by stating the functionality is explicitly not protected against SPA/DPA attacks and should not be used on secure data.”
Following the publication of Minerva, Dan Bernstein commented on the applicability of the attack to EdDSA. Originally, the authors of Minerva had claimed that the EdDSA implementation in Libgcrypt was vulnerable to Minerva as well. Although a timing leak is present, it’s not exploitable, which the authors now mention on their web page. Bernstein describes in detail how the design of EdDSA prevented such attacks.
The Libgcrypt, WolfSSL, MatrixSSL, and Crypto++ libraries and the Oracle Java JDK are affected by Minerva. Libgcrypt has released a fix in version 1.8.5, and WolfSSL in 4.1.0.
Short news
- The Chrome developers published information about UI changes in regard to the deprecation of TLS 1.0 and 1.1.
- Kaspersky reported on a malware family that compromises TLS implementations and injects malware traffic into connections, involving compromise of the random number generator.
- Microsoft introduced a feature in the IIS server that allows enforcing TLS versions per certificate.
- The Chrome developers announced plans to block mixed content on HTTPS web pages.
- Several VPN providers, including NordVPN, VikingVPN, and Torguard, were compromised in 2018, and keys for web page certificates were published as part of the compromise. The details were posted in a public forum in 2018, but the incident didn’t attract any attention at the time. NordVPN and Torguard have published statements on the incident.
- WolfSSL has published version 4.2.0, including fixes for a DSA vulnerability and some memory safety bugs.
- Filippo Valsorda has published an early version of AGE, a simple encryption tool.
- Researchers have published PDFex, an active attack on the encryption of PDF files. PDFs use unauthenticated CBC encryption and thus are vulnerable to malleability attacks.