Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-10932: Side channel attack on ECDSA — Mbed TLS documentation

An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before 2.7.15. An attacker that can get precise enough side-channel measurements can recover the long-term ECDSA private key by (1) reconstructing the projective coordinate of the result of scalar multiplication by exploiting side channels in the conversion to affine coordinates; (2) using an attack described by Naccache, Smart, and Stern in 2003 to recover a few bits of the ephemeral scalar from those projective coordinates via several measurements; and (3) using a lattice attack to get from there to the long-term ECDSA private key used for the signatures. Typically an attacker would have sufficient access when attacking an SGX enclave and controlling the untrusted OS.

CVE
#vulnerability#ssl

Mbed TLS

Title

Side channel attack on ECDSA

CVE

CVE-2020-10932

Date

14th of April, 2020 ( Updated on 16th of April, 2020 )

Affects

All versions of Mbed TLS and Mbed Crypto

Impact

A local attacker can extract the private key

Severity

High

Credit

Alejandro Cabrera Aldaya, Billy Brumley and Cesar Pereida Garcia

Vulnerability

The modular inverse operation as implemented in Mbed TLS is vulnerable to a single-trace side channel attack discovered by Alejandro Cabrera Aldaya and Billy Brumley which may allow a local adversary to recover the full value of the operand. (Some consequences of this attack on RSA and ECDSA were fixed in previous releases.)

Mbed TLS, like most libraries implementing ECC, uses projective coordinates to represent points internally. It is known that leaking the coordinates allows an attacker to recover a few bits of the private value. The conversion back from projective coordinates involves a modular inverse operation and is therefore vulnerable to the above new attack. An attacker who is able to obtain the coordinates from several ECDSA signature operations with the same key can eventually recover the private key through a lattice attack.

A complete description of the attack is available in this paper.

Impact

An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) can fully recover an ECDSA private key after observing a number of signature operations.

Resolution

Affected users will want to upgrade to Mbed TLS 2.22.0, 2.16.6 or 2.7.15 depending on the branch they’re currently using.

Work-around

There is no known work-around. Affected users need to upgrade.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907