
Bulletproof TLS Newsletter

58

Elliptic curve implementations vulnerable to Minerva timing attack

31 October 2019

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Maintained by Hanno Böck.

Researchers from Masaryk University have presented a timing attack called Minerva. The attack exploits side-channel vulnerabilities in implementations of elliptic curve signatures, primarily ECDSA. The primary targets of the attack were cryptographic chips, but several open-source libraries were also affected.

The attack works by using a timing side channel to detect the bit length of the nonce used during signature generation. It is a well-known property of elliptic curve signatures that an attacker who learns the nonce can recover the private key. However, even partial knowledge of the nonce can be used for a key recovery attack, which is what Minerva does.
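To make the leak concrete, here is an added example (not code from the newsletter, the Minerva authors, or any affected library) that models it on a deliberately tiny curve. The curve y^2 = x^3 + 2x + 2 over GF(17) with generator (5, 1) of order 19 is an assumption chosen for readability. Rather than timing anything, the code counts the iterations of a double-and-add loop, which is the quantity a timing side channel ultimately observes: a loop that starts at the scalar's top set bit runs a number of rounds equal to the nonce's bit length. The second multiplication applies the standard countermeasure of adding the group order to the nonce before the multiplication, so every scalar has the same bit length and the round count no longer depends on the secret.

```python
"""Toy model of a nonce bit-length timing leak and its countermeasure.

Curve parameters are a constructed toy example (not a real-world curve):
y^2 = x^3 + 2x + 2 over GF(17), generator G = (5, 1), order N = 19.
"""

P = 17          # field prime
A = 2           # curve coefficient a in y^2 = x^3 + a*x + b
G = (5, 1)      # generator point
N = 19          # order of G
INF = None      # point at infinity


def _inv(x):
    """Modular inverse via Fermat (P is prime)."""
    return pow(x % P, P - 2, P)


def add(p, q):
    """Affine point addition (handles doubling and the point at infinity)."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                      # p == -q
    if p == q:
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % P
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult_leaky(k, point=G):
    """Left-to-right double-and-add starting at the scalar's highest set bit.

    Returns (k*point, rounds). The loop runs bit_length(k) times, so the
    number of rounds (and therefore the running time) leaks the bit length
    of k. When k is an ECDSA nonce, that is exactly the Minerva leak.
    """
    result = INF
    rounds = 0
    for i in range(k.bit_length() - 1, -1, -1):
        result = add(result, result)
        if (k >> i) & 1:
            result = add(result, point)
        rounds += 1
    return result, rounds


def pad_nonce(k):
    """Countermeasure: add the group order so every scalar in [1, N-1]
    ends up with bit length bit_length(N) + 1. Since k + N and k + 2N are
    congruent to k modulo N, the resulting point is unchanged."""
    kp = k + N
    if kp.bit_length() == N.bit_length():
        kp += N
    return kp


def scalar_mult_fixed(k, point=G):
    """Same loop, but fed the padded scalar: constant round count."""
    return scalar_mult_leaky(pad_nonce(k), point)


def leak_profile(mult):
    """Set of distinct round counts over all valid nonces 1..N-1.

    A set with one element means the round count cannot distinguish nonces.
    """
    return {mult(k)[1] for k in range(1, N)}


if __name__ == "__main__":
    print("leaky round counts:", sorted(leak_profile(scalar_mult_leaky)))   # 1..5
    print("fixed round counts:", sorted(leak_profile(scalar_mult_fixed)))   # [6]
```

On the toy curve the unprotected loop produces round counts from 1 to 5 depending on the nonce, while the padded version always runs 6 rounds and yields the same points. Real libraries use the same idea with a fixed-length, constant-time ladder; the padding step shown here is the part that removes the bit-length dependency.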

Minerva affected several chips with certifications from FIPS and Common Criteria. The Minerva authors try to explain how that happened as follows: “The FIPS 140-2 certification scheme specifically does not require side-channel resistance to be tested by the lab performing the assessment. So even though the FIPS security targets of the aforementioned cards specify resistance against side-channel attacks, no such testing had to be performed.”

Furthermore, commenting on the case of Common Criteria: “The original Common Criteria certificate DCSSI-CC-2009/11 that introduced the vulnerable functionality did so by stating the functionality is explicitly not protected against SPA/DPA attacks and should not be used on secure data.”

Following the publication of Minerva, Dan Bernstein commented on the applicability of the attack to EdDSA. Originally, the authors of Minerva had claimed that the EdDSA implementation in Libgcrypt was vulnerable to Minerva as well, but though a timing leak is present, it’s not exploitable, which the authors now mention on their web page. Bernstein describes in detail how the design of EdDSA prevented such attacks.

Affected by Minerva are the Libgcrypt, WolfSSL, MatrixSSL, and Crypto++ libraries and the Oracle Java JDK. Libgcrypt has released a fix in version 1.8.5, WolfSSL in 4.1.0.


Short news

  • The Chrome developers published information about UI changes in regard to the deprecation of TLS 1.0 and 1.1.
  • Kaspersky reported on a malware family that compromises TLS implementations and injects malware traffic into connections, involving compromise of the random number generator.
  • Microsoft introduced a feature in the IIS server that allows enforcing TLS versions per certificate.
  • The Chrome developers announced plans to block mixed content on HTTPS web pages.
  • Several VPN providers, including NordVPN, VikingVPN, and Torguard, were compromised in 2018, which included the publication of keys for web page certificates. The details were posted in 2018 in a public forum, but the incident didn’t generate any attention back then. NordVPN and Torguard have published statements on the incident.
  • WolfSSL has published version 4.2.0, including fixes for a DSA vulnerability and some memory safety bugs.
  • Filippo Valsorda has published an early version of AGE, a simple encryption tool.
  • Researchers have published PDFex, an active attack on the encryption of PDF files. PDFs use unauthenticated CBC encryption and thus are vulnerable to malleability attacks.
