Security of OpenSSL ECDSA signatures

Aris Adamantiadis aris at 0xbadc0de.be
Mon May 23 18:00:09 EST 2011


Dear OpenSSH devs,

I came accross this paper yesterday. http://eprint.iacr.org/2011/232
It states that they were able to recover ECDSA keys from TLS servers by
using timing attacks agains OpenSSL's ECDSA implementation.
Is that known to be exploitable by OpenSSH ? (In my understanding, it's
easy to get a payload signed by ECDSA during the key exchange so my
opinion is that it is). There's a patch for openssl in the paper, that
remove the detectable optimization away. Would you consider blacklisting
openssl versions that do not implement that workaround ?

Abstract follows.

Kr,

Aris

Abstract: For over two decades, timing attacks have been an active area
of research within applied cryptography. These attacks exploit
cryptosystem or protocol implementations that do not run in constant
time. When implementing an elliptic curve cryptosystem that provides
side-channel resistance, the scalar multiplication routine is a critical
component. In such instances, one attractive method often suggested in
the literature is Montgomery's ladder that performs a fixed sequence of
curve and field operations. This paper describes a timing attack
vulnerability in OpenSSL's ladder implementation for curves over binary
fields. We use this vulnerability to steal the private key of a TLS
server where the server authenticates with ECDSA signatures. Using the
timing of the exchanged messages, the messages themselves, and the
signatures, we mount a lattice attack that recovers the private key.
Finally, we describe and implement an effective countermeasure.


More information about the openssh-unix-dev mailing list