Headline
CVE-2019-18222: Side channel attack on ECDSA — Mbed TLS documentation
The ECDSA signature implementation in ecdsa.c in Arm Mbed Crypto 2.1 and Mbed TLS through 2.19.1 does not reduce the blinded scalar before computing the inverse, which allows a local attacker to recover the private key via side-channel attacks.
Mbed TLS
Title
Side channel attack on ECDSA
CVE
CVE-2019-18222
Date
15th January 2020 ( Updated on 27th January 2020 )
Affects
All versions of Mbed TLS and Mbed Crypto
Impact
The private key is recoverable through side channels.
Severity
High
Credit
Alejandro Cabrera Aldaya and Billy Brumley
Vulnerability
Our bignum implementation is not constant time/constant trace, so side channel attacks can retrieve the blinded value, factor it (as it is smaller than RSA keys and not guaranteed to have only large prime factors), and then, by brute force, recover the key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
Impact
If the adversary is in the position to launch a cache attack, then they may be able to recover the private key.
Resolution
Affected users should upgrade to one of the most recent versions of Mbed TLS, including 2.20.0, 2.16.4 or 2.7.13 or later. Similarly, affected users should upgrade to the most recent version of Mbed Crypto, including 3.0.1 or later.
edit: Earlier, this document falsely stated that Mbed Crypto 3.0.0 fixes this issue. This is not true, Mbed Crypto 3.0.1 is the earliest version with the fix. Users should upgrade to Mbed Crypto 3.0.1 or later.
Workaround
There are no known workarounds.