Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Maintained by Hanno Böck.

A new type of side-channel vulnerability called Hertzbleed was published recently. The attack relies on dynamic frequency scaling, a power-saving and performance feature on modern CPUs.

What the authors discovered is that certain CPU operations can lead to frequency changes depending on the processed data. This makes common constant-time programming methods insufficient to mitigate this type of attack.

The Hertzbleed authors were able to demonstrate their attack against SIKE, a post-quantum algorithm based on supersingular isogenies. But it should be noted that the attack is more generic, and it’s expected that variations of it may impact other cryptographic algorithms.

According to the authors, a possible mitigation to Hertzbleed is to disable frequency boosting features on CPUs. On Intel CPUs, this feature is called Turbo Boost; on AMD, it’s called Turbo Core or Precision Boost. It's possible to disable these features via BIOS settings or via the operating system, but it will cause a slowdown of the system.

In response to the attack Daniel Bernstein has created a webpage with links to research and resources about timing attacks.

A mitigation for the specific attack on SIKE is also available. A previous research paper, published in January, has already identified a power side-channel that works similarly to the attack the Hertzbleed authors demonstrated, and the mitigation proposed in that paper works here as well. However, it adds a significant overhead of between 5 and 11 percent to the already slow SIKE algorithm.

Short news

Here are some things that caught our attention since the previous newsletter:

• OpenSSL released updated versions 3.0.4 and 1.1.1p, fixing an injection vulnerability in the c_rehash script.
• Researchers from ETH Zürich have identified flaws in the cryptography used by the MEGA file-hosting service. Thomas Ptacek wrote a blog post analyzing the attack.
• A research project by the Open Technology Fund has analyzed censorship of the QUIC protocol and identified some countries where the protocol is blocked.
• An issue in several libraries implementing the Ed25519 signature scheme may lead to key compromise if the API takes an attacker-controlled public key.
• Michael Driscoll created a web page illustrating the internals of the QUIC protocol.
• The ECC root certificates from Trustwave, included in Mozilla’s root certificate store, contain a malformed bitstring, which was pointed out on Mozilla’s security policy mailing list. These certificates were issued in 2017, and the issue can be detected with the x509lint tool.
• The Security. Cryptography. Whatever. podcast has published several episodes that may be of interest for our readers. They discussed the Tink library with Sophie Schmieg, Zero Trust architecture within the US government with Eric Mill, and the Hertzbleed attack.
• GnuTLS has released version 3.7.6, fixing a bug that can cause heap corruption.
• Sophos has published a blog post that gives a detailed explanation of CVE-2022-0778, a denial-of-service vulnerability in OpenSSL’s square root function. We mentioned this vulnerability in our March newsletter.
• Nettle has released version 3.8, which adds optimized assembly implementations of several cryptographic algorithms for ARM64 and S390X.
• DigiCert, primarily known for its certificate authority business, has announced that it has acquired the DNS Made Easy company.
• Carl Tashian posted an image titled “If OpenSSL Were a GUI.” The image illustrates the complexity of X.509 certificates and the OpenSSL command line in an ironic way.
• NCC has published an audit of a Threshold ECDSA implementation.
• NSS released version 3.80, with three new root certificates and a couple of bug fixes.
• A memory corruption bug in the Montgomery exponentiation in OpenSSL was found. It affects version 3.0.4; older version branches aren’t affected.
• The website at elligator.org explains the Elligator key exchange, a method to use an elliptic curve key exchange that can be hidden in random noise. This method is based on a paper from 2013 by Bernstein et al.
• AWS announced that it will stop supporting TLS versions older than 1.2 on its API endpoints.
• Cossack Labs published several cryptographic flaws found in RF devices.
• SIDN, the organization managing the .nl top level domain, has published a detailed DNS tutorial, also including explanations of DNS-over-HTTPS, DNS-over-TLS and DNSSEC.

Interesting jobs

Here are some interesting jobs we've come across in the last month:

• Embedded Systems Software Engineer - wolfSSL, via wolfssl.com
• Software Engineer, Security Server Applications - Apple, via Careers at Apple
• Software Engineer - Crypto Services, Apple, via Careers at Apple
• Senior Software Development Engineer, AWS Crypto - Amazon, via Amazon Jobs
• Software Development Engineer, Private Certificate Authority - Amazon, via Amazon Jobs
• Senior Software Developer - Oracle, via Oracle Jobs

If you know of similar jobs that our readers might be interested in, for example cryptography, TLS, or PKI, let us know and we may add them to future newsletters.