{officially on vacation till Labor Day, but weighing in briefly}
Hi Filippo:
I had a brief look at the CVEs you referenced and at your Blackhat 2018
presentation.
Some observations on your Blackhat 2018 presentation: (a) the attack
seems to be a reincarnation of the so-called Goubin attack presented 19
years earlier (in 1999); (b) the attack requires many (100s) of reuses
of the same private key string. Both the 1999 attack and your Blackhat
2018 version can be easily prevented if one uses blinded private keys.
A closer look at your referenced CVEs suggests these can be classified
as (i) lack of checking for improperly generated DH groups; (ii)
exploiting overflow/underflow/carry bugs. To me, nothing seems to be new
here and more likely a failure of implementers to heed results and
advice predating the CVEs by years (and sometimes decades) or in QA
processes. E.g., with respect to (i), one would not have gotten oneself
into trouble if one had actually bothered to implement domain parameter
checks. In the literature of implementation attacks, OpenSSL has proven
to be an excellent "implementation security flaw paper generator".
I have yet to see evidence that ephemeral-static ECDH would be
inherently insecure.
Rene
On 2021-08-27 9:34 a.m., Filippo Valsorda wrote:
[snip]
This is empirically disproved by a number of vulnerabilities that are
exploitable (or near-misses for other reasons) only in
ephemeral-static mode, such as CVE-2016-0701, CVE-2016-7055,
CVE-2017-3732, CVE-2017-3736, CVE-2017-3738, CVE-2019-1551 just in the
past 5 years in OpenSSL, and CVE-2017-8932 and CVE-2021-3114 in Go.
https://eprint.iacr.org/2011/633
gives a good explanation of how these attacks work, and you might find
https://i.blackhat.com/us-18/Wed-August-8/us-18-Valsorda-Squeezing-A-Key-Through-A-Carry-Bit-wp.pdf
interesting as well.
OpenSSL:
CVE-2016-0701: improper generation of Diffie-Hellman group
The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2
before 1.0.2f does not ensure that prime numbers are appropriate for
Diffie-Hellman (DH) key exchange, which makes it easier for remote
attackers to discover a private DH exponent by making multiple
handshakes with a peer that chose an inappropriate number, as
demonstrated by a number in an X9.42 file.
CVE-2016-7055: carry-propagation bug
There is a carry propagating bug in the Broadwell-specific Montgomery
multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that
handles input lengths divisible by, but longer than 256 bits. Analysis
suggests that attacks against RSA, DSA and DH private keys are
impossible. This is because the subroutine in question is not used in
operations with the private key itself and an input of the attacker's
direct choice. Otherwise the bug can manifest itself as transient
authentication and key negotiation failures or reproducible erroneous
outcome of public-key operations with specially crafted input. Among
EC algorithms only Brainpool P-512 curves are affected and one
presumably can attack ECDH key negotiation. Impact was not analyzed in
detail, because pre-requisites for attack are considered unlikely.
Namely multiple clients have to choose the curve in question and the
server has to share the private key among them, neither of which is
default behaviour. Even then only clients that chose the curve will be
affected.
CVE-2017-3732: carry-propagation bug
There is a carry propagating bug in the x86_64 Montgomery squaring
procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No
EC algorithms are affected. Analysis suggests that attacks against RSA
and DSA as a result of this defect would be very difficult to perform
and are not believed likely. Attacks against DH are considered just
feasible (although very difficult) because most of the work necessary
to deduce information about a private key may be performed offline.
The amount of resources required for such an attack would be very
significant and likely only accessible to a limited number of
attackers. An attacker would additionally need online access to an
unpatched system using the target private key in a scenario with
persistent DH parameters and a private key that is shared between
multiple clients. For example this can occur by default in OpenSSL DHE
based SSL/TLS ciphersuites. Note: This issue is very similar to
CVE-2015-3193 but must be treated as a separate problem.
CVE-2017-3736: carry-propagation bug
There is a carry propagating bug in the x86_64 Montgomery squaring
procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC
algorithms are affected. Analysis suggests that attacks against RSA
and DSA as a result of this defect would be very difficult to perform
and are not believed likely. Attacks against DH are considered just
feasible (although very difficult) because most of the work necessary
to deduce information about a private key may be performed offline.
The amount of resources required for such an attack would be very
significant and likely only accessible to a limited number of
attackers. An attacker would additionally need online access to an
unpatched system using the target private key in a scenario with
persistent DH parameters and a private key that is shared between
multiple clients. This only affects processors that support the BMI1,
BMI2 and ADX extensions like Intel Broadwell (5th generation) and
later or AMD Ryzen.
CVE-2017-3738: overflow bug
There is an overflow bug in the AVX2 Montgomery multiplication
procedure used in exponentiation with 1024-bit moduli. No EC
algorithms are affected. Analysis suggests that attacks against RSA
and DSA as a result of this defect would be very difficult to perform
and are not believed likely. Attacks against DH1024 are considered
just feasible, because most of the work necessary to deduce
information about a private key may be performed offline. The amount
of resources required for such an attack would be significant.
However, for an attack on TLS to be meaningful, the server would have
to share the DH1024 private key among multiple clients, which is no
longer an option since CVE-2016-0701. This only affects processors
that support the AVX2 but not ADX extensions like Intel Haswell (4th
generation). Note: The impact from this issue is similar to
CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version
1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n.
Due to the low severity of this issue we are not issuing a new release
of OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL
1.1.0h when it becomes available. The fix is also available in commit
e502cc86d in the OpenSSL git repository.
CVE-2019-1551: overflow bug
There is an overflow bug in the x86_64 Montgomery squaring procedure
used in exponentiation with 512-bit moduli. No EC algorithms are
affected. Analysis suggests that attacks against 2-prime RSA1024,
3-prime RSA1536, and DSA1024 as a result of this defect would be very
difficult to perform and are not believed likely. Attacks against
DH512 are considered just feasible. However, for an attack the target
would have to re-use the DH512 private key, which is not recommended
anyway. Also applications directly using the low level API BN_mod_exp
may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e
(Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).
Go:
CVE-2017-8932: arithmetic bug
A bug in the standard library ScalarMult implementation of curve P-256
for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2
causes incorrect results to be generated for specific input points. An
adaptive attack can be mounted to progressively extract the scalar
input to ScalarMult by submitting crafted points and observing
failures to derive the correct output. This leads to a full key
recovery attack against static ECDH, as used in popular JWT libraries.
CVE-2021-3114: underflow bug
In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go
can generate incorrect outputs, related to an underflow of the lowest
limb during the final complete reduction in the P-224 field.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
--
email: rstruik....@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
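A worked version of the case both sides of the thread refer to: the small-subgroup confinement attack that CVE-2016-0701 describes (a reused DH exponent, a modulus p whose p-1 has small factors, and no check that the peer's public key lies in the prime-order subgroup), followed by the peer-key check that Rene's point (i) calls for. This is an added example, not code from the thread or from OpenSSL. Everything in it is a constructed stand-in: the toy-sized (p, q, g), the Victim class playing a TLS server that keeps one DH exponent across handshakes, and the handshake() oracle, which answers "did the client derive the same shared secret" in place of a Finished-MAC check.

```python
"""Small-subgroup confinement against a reused ("static") DH exponent, the
pattern behind CVE-2016-0701, next to the peer-key check that stops it.
All parameters are constructed toy sizes (a real p is >= 2048 bits)."""
import math
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13]   # constructed: small factors of (p-1)/q

def is_prime(n):
    """Deterministic Miller-Rabin for n < 3.3e24 (bases 2..37)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

def make_weak_group(q, small_primes):
    """p = k*q*M + 1 with M = prod(small_primes); g has prime order q.
    (p, q, g) pass a parameter check, yet Z_p^* has many small subgroups."""
    m = math.prod(small_primes)
    k = 1
    while not is_prime(k * q * m + 1):
        k += 1
    p = k * q * m + 1
    z = 2
    while pow(z, (p - 1) // q, p) == 1:   # z^((p-1)/q) != 1 has order exactly q
        z += 1
    return p, pow(z, (p - 1) // q, p)

def peer_public_key_is_valid(y, p, q):
    """Subgroup membership check: 2 <= y <= p-2 and y^q == 1 (mod p)."""
    return 2 <= y <= p - 2 and pow(y, q, p) == 1

class Victim:
    """Constructed server that reuses one DH exponent x across all handshakes."""
    def __init__(self, p, q, g, check_peer):
        self.p, self.q, self.check_peer = p, q, check_peer
        self._x = secrets.randbelow(q - 1) + 1    # 1 <= x <= q-1
        self.public = pow(g, self._x, p)
        self.queries = 0

    def handshake(self, peer_public, client_secret_guess):
        """Stand-in for the Finished-MAC check: True iff the secrets agree."""
        self.queries += 1
        if self.check_peer and not peer_public_key_is_valid(peer_public, self.p, self.q):
            return False                           # real code: abort the handshake
        return pow(peer_public, self._x, self.p) == client_secret_guess

def element_of_order(r, p):
    """Random element of prime order r, for r dividing p-1."""
    while True:
        h = pow(secrets.randbelow(p - 3) + 2, (p - 1) // r, p)
        if h != 1:
            return h

def crt(residues, moduli):
    """Solve x = r_i (mod m_i) for pairwise coprime m_i; returns (x, prod m_i)."""
    x, m = 0, 1
    for r, mi in zip(residues, moduli):
        x += m * ((r - x) * pow(m, -1, mi) % mi)
        m *= mi
    return x, m

def recover_private_key(victim, p, q, g, small_primes):
    """Online: <= r handshakes per small prime r learn x mod r, since the victim
    computes h^x = h^(x mod r) for h of order r.  Offline: CRT, then the rest."""
    residues = []
    for r in small_primes:
        h = element_of_order(r, p)
        for j in range(r):
            if victim.handshake(h, pow(h, j, p)):
                residues.append(j)
                break
        else:
            raise RuntimeError(f"no guess accepted for r={r}: peer key validated?")
    x0, m = crt(residues, small_primes)
    for cand in range(x0, q, m):               # candidates below q matching x mod m
        if pow(g, cand, p) == victim.public:
            return cand
    raise RuntimeError("no candidate matched the public key")
```

Driving it: q = next_prime(10**6); p, g = make_weak_group(q, SMALL_PRIMES); v = Victim(p, q, g, check_peer=False); recover_private_key(v, p, q, g, SMALL_PRIMES) returns v._x after at most 2+3+5+7+11+13 = 41 handshakes, and the remaining work (CRT plus at most q/30030 modular exponentiations against the published key) is offline, which is the point the OpenSSL advisories make about "most of the work ... performed offline". With check_peer=True the same loop never gets an accepting answer: the order-2 element is p-1 and fails 2 <= y <= p-2, and every other order-r element fails y^q == 1 because r does not divide q. The second half of the 1.0.2f fix, a fresh exponent per handshake (SSL_OP_SINGLE_DH_USE), also defeats it, since residues of different exponents cannot be combined.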