
ecc: Add input validation for X25519.

Description

ecc: Add input validation for X25519.

* cipher/ecc.c (ecc_decrypt_raw): Add input validation.
* mpi/ec.c (ec_p_init): Use scratch buffer for bad points.
(_gcry_mpi_ec_bad_point): New.

The following is the paper describing the attack:

May the Fourth Be With You: A Microarchitectural Side Channel Attack
on Real-World Applications of Curve25519
by Daniel Genkin, Luke Valenta, and Yuval Yarom

In the current implementation, we do output checking and it results in an
error for those bad points. However, when attacked, the computation
will be done with a leak of the private key, even though it will result in errors. To
mitigate the leak, we added input validation.

Note that we only list bad points with MSB=0. In X25519, the MSB is
always cleared.

In the future, we should implement constant-time field computation. Then
this input validation could be removed, if performance is important
and we are sure there is no leak.

CVE-id: CVE-2017-0379

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
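As an added illustration of the check this commit introduces (example code, not libgcrypt's): a from-scratch X25519 in Python that rejects a low-order peer point before the private scalar touches it. Instead of the fixed table of bad u values the commit adds, it decides membership in the small subgroup by computing whether 8*Q is the identity, which covers the curve and its twist alike; the function names are this example's own, and the key pair used for checking is the RFC 7748 section 6.1 test vector.

```python
P = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4, the ladder constant for Curve25519

def ladder(k, u):
    """Montgomery ladder (RFC 7748): u-coordinate of k*Q for the point Q with
    u-coordinate u. The identity has z == 0, which the final inversion maps to 0."""
    x1 = u % P
    x2, z2, x3, z3 = 1, 0, x1, 1
    for t in range(k.bit_length() - 1, -1, -1):
        bit = (k >> t) & 1
        if bit:  # conditional swap (not constant time: illustration only)
            x2, x3, z2, z3 = x3, x2, z3, z2
        a, b = x2 + z2, x2 - z2
        aa, bb = a * a % P, b * b % P
        e = aa - bb
        da, cb = (x3 - z3) * a, (x3 + z3) * b
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
        if bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P

def is_low_order(u):
    """Q is in the small subgroup of the curve or its twist iff 8*Q is the
    identity, which the x-only ladder reports as 0. The commit gets the same
    answer from a fixed table of bad u values; this computes it instead."""
    return ladder(8, u) == 0

def decode_scalar(k_bytes):
    k = bytearray(k_bytes)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64  # RFC 7748 clamping
    return int.from_bytes(k, "little")

def decode_u(u_bytes):
    u = bytearray(u_bytes)
    u[31] &= 127  # X25519 clears the MSB, hence only MSB=0 points need listing
    return int.from_bytes(u, "little")

def x25519_checked(k_bytes, u_bytes):
    """X25519 that rejects a low-order peer point before the secret scalar is used."""
    u = decode_u(u_bytes)
    if is_low_order(u):
        raise ValueError("low-order point rejected")
    return ladder(decode_scalar(k_bytes), u).to_bytes(32, "little")

# RFC 7748 section 6.1 test vector: Alice's private key and the public key it yields.
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BASEPOINT = (9).to_bytes(32, "little")
```

With the check removed, `ladder(decode_scalar(ALICE_PRIV), 0)` still returns 0, which is the all-zero output the current output check relies on; the point of the commit is that by then the scalar has already been used.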

Details

Provenance
gniibe authored on Aug 25 2017, 11:13 AM
werner committed on Aug 27 2017, 9:08 AM
Parents
rC5417a2933642: indent: Typo fix.