


Category:   Application (VPN)  >   OpenSSL Vendors:
OpenSSL ecdsa_sign_setup() Timing Flaw Lets Local Users Recover Private Keys
SecurityTracker Alert ID:  1037575
SecurityTracker URL:
CVE Reference:   CVE-2016-7056
Date:  Jan 10 2017
Impact:   Disclosure of authentication information
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.0.1u and prior
Description:   A vulnerability was reported in OpenSSL. A local user can recover ECDSA P-256 private keys.

The ecdsa_sign_setup() function in 'crypto/ec/ecdsa_ossl.c' does not properly set the BN_FLG_CONSTTIME for nonces when signing with the P-256 elliptic curve. As a result, a local user can conduct a cache-timing attack to exploit this side channel timing flaw in the signing function and recover ECDSA P-256 private keys.
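A small check that turns the advisory's affected range ("1.0.1u and prior") into code, as an added example that is not part of the original entry or of OpenSSL itself: it parses the banner printed by `openssl version` (letter-suffixed release numbers such as 1.0.1u) and reports whether the build falls inside that stated range. The `LAST_AFFECTED` constant and the sample banners are constructed from the entry; the check deliberately says nothing about later release lines, which the entry does not classify.

```python
import re

# Upper bound of the affected range as stated in the advisory: 1.0.1u and prior.
# (Constructed from the entry; later release lines are not classified here.)
LAST_AFFECTED = (1, 0, 1, "u")

# Matches "OpenSSL 1.0.1u", "OpenSSL 1.0.1e-fips", "OpenSSL 1.1.0c", ...
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str):
    """Parse an `openssl version` banner into (major, minor, patch, letter).

    Pre-1.1.1 OpenSSL numbers patch releases with a trailing letter
    (1.0.1t, 1.0.1u); a missing letter is the base release and sorts
    before "a", so plain tuple comparison orders releases correctly.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_affected(banner: str) -> bool:
    """True if the banner reports a release at or below 1.0.1u."""
    return parse_openssl_version(banner) <= LAST_AFFECTED


def classify(banner: str) -> str:
    """Return 'affected', 'outside stated range', or 'unknown'.

    LibreSSL and BoringSSL are also named in the advisory, but their
    affected state is given by errata/commit date rather than a version
    string, so non-OpenSSL banners are reported as 'unknown'.
    """
    try:
        return "affected" if is_affected(banner) else "outside stated range"
    except ValueError:
        return "unknown"


if __name__ == "__main__":
    # Constructed sample banners in the format `openssl version` prints.
    for sample in ("OpenSSL 1.0.1u  22 Sep 2016",
                   "OpenSSL 1.0.1e-fips 11 Feb 2013",
                   "OpenSSL 1.0.2k  26 Jan 2017",
                   "LibreSSL 2.4.4"):
        print(f"{sample!r}: {classify(sample)}")
```

Distribution builds often backport a fix without changing the reported version (the Ubuntu update listed in the message history below is one such case), so on packaged OpenSSL the package changelog, not the banner, is authoritative.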

The original advisory is available at:

Cesar Pereida Garcia and Billy Bob Brumley (Tampere University of Technology) reported this vulnerability.

Impact:   A local user can recover ECDSA P-256 private keys.
Solution:   No solution was available at the time of this entry.

A proposed patch is available in the original advisory at:

[Editor's note: The decoded proposed patch from the original advisory is provided below.]

Subject: [PATCH] ECDSA vulnerable to cache-timing attack. BN_mod_inverse fails
to take constant-time path, thus leaking nonce's information.

crypto/ecdsa/ecs_ossl.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c
index 4c5fa6b..72e7c05 100644
--- a/crypto/ecdsa/ecs_ossl.c
+++ b/crypto/ecdsa/ecs_ossl.c
@@ -147,6 +147,8 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
if (!BN_add(k, k, order))
goto err;

+ BN_set_flags(k, BN_FLG_CONSTTIME);
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
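Review bot: the stat line reports 2 insertions but the hunk shows only one `+` line (`BN_set_flags(k, BN_FLG_CONSTTIME);`), so the second inserted line was lost in transit; please re-send the patch intact, and consider making that second line a comment stating why the flag is set at this point (so that the later `BN_mod_inverse` on the nonce takes its constant-time path, as the subject line says), because a bare `BN_set_flags` call with no explanation is easy to drop as apparent dead code in a future cleanup. Also worth checking in the surrounding code: `BN_FLG_CONSTTIME` is a per-BIGNUM flag that `BN_copy` does not carry over, so the inverse must be computed on `k` itself rather than on a copy made after this point.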

Vendor URL:
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 31 2017 (Ubuntu Issues Fix) OpenSSL ecdsa_sign_setup() Timing Flaw Lets Local Users Recover Private Keys
Ubuntu has issued a fix for Ubuntu Linux 12.04 LTS, 14.04 LTS, 16.04 LTS, and 16.10.

 Source Message Contents

Subject:  [oss-security] CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL)

Attack Vector: Local

Vendor: OpenSSL, LibreSSL, BoringSSL

Versions Affected:
OpenSSL 1.0.1u and previous versions
LibreSSL (pre 6.0 errata 16, pre 5.9 errata 33)
BoringSSL pre November 2015

The signing function in crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL versions and forks
is vulnerable to timing attacks when signing with the standardized elliptic
curve P-256 despite featuring constant-time curve operations and modular inversion.
A software defect omits setting the BN_FLG_CONSTTIME flag for nonces, failing
to take a secure code path in the BN_mod_inverse method and therefore resulting
in a cache-timing attack vulnerability.
A malicious user with local access can recover ECDSA P-256 private keys.

Users of OpenSSL with the affected versions should apply
the patch available in the manuscript at [1].

Users of LibreSSL should apply the official patch from OpenBSD [2,3].

Users of BoringSSL should upgrade to a more recent version.

This issue was reported by Cesar Pereida García and Billy Brumley
(Tampere University of Technology).

19 Dec 2016 Disclosure to OpenSSL, LibreSSL, BoringSSL security teams
29 Dec 2016 Embargo lifted


- Cesar
