Security of OpenSSL ECDSA signatures
Damien Miller
djm at mindrot.org
Mon May 23 22:31:49 EST 2011
On Mon, 23 May 2011, Aris Adamantiadis wrote:
> Dear OpenSSH devs,
>
> I came across this paper yesterday. http://eprint.iacr.org/2011/232
> It states that they were able to recover ECDSA keys from TLS servers by
> using timing attacks against OpenSSL's ECDSA implementation.
> Is that known to be exploitable by OpenSSH? (In my understanding, it's
> easy to get a payload signed by ECDSA during the key exchange so my
> opinion is that it is). There's a patch for openssl in the paper, that
> removes the detectable optimization away. Would you consider blacklisting
> openssl versions that do not implement that workaround?
This result concerns binary/GF(2m) fields only and not the prime fields
that OpenSSH uses in recent versions.
Unless a similar timing oracle is found for GF(p) fields then no
OpenSSH-side workaround is required.
-d
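The leak discussed in the thread is that the binary-field scalar multiplication in OpenSSL ran its Montgomery ladder for as many iterations as the signing nonce had bits, so the time taken revealed the nonce's bit length. The added example below is not code from the thread, from OpenSSL or from the paper; it uses a toy additive group (integers modulo a small prime order n, with a generator g) in place of the curve group, since the ladder's control flow is identical and that is what leaks. It contrasts the length-dependent ladder with a version that first pads the scalar by adding the group order (the approach the paper's workaround takes; the helper names `pad_scalar`, `montgomery_ladder` and `iteration_counts` and the sample values n=97, g=3 are this example's own).

```python
# Toy model of the ECDSA scalar-multiplication timing leak and its fix.
# The "curve group" is the additive group of integers mod n, generated by g;
# point addition is (a + b) % n and point doubling is (2 * a) % n.  Only the
# number of ladder iterations matters here, and that depends solely on the
# scalar's bit length, exactly as in the binary-field ladder discussed above.

def pad_scalar(k: int, n: int) -> int:
    """Return k' = k + n or k + 2n so that k' has exactly bits(n)+1 bits.

    Because n*g is the identity, k'*g == k*g, but every padded scalar now
    has the same bit length, so the ladder runs a constant number of times.
    """
    assert 0 <= k < n
    k_padded = k + n
    if k_padded.bit_length() <= n.bit_length():
        k_padded += n
    assert k_padded.bit_length() == n.bit_length() + 1
    return k_padded


def montgomery_ladder(k: int, g: int, n: int, fixed_length: bool = False):
    """Compute k*g in the toy group with a Montgomery ladder.

    Returns (result, iterations).  With fixed_length=False the loop count is
    k.bit_length(), which is what a remote timing measurement can observe.
    With fixed_length=True the scalar is padded first and the count is the
    same for every nonce.
    """
    if fixed_length:
        k = pad_scalar(k, n)
    r0, r1 = 0, g % n          # invariant: r1 == r0 + g throughout
    iterations = 0
    for i in range(k.bit_length() - 1, -1, -1):
        if (k >> i) & 1:
            r0 = (r0 + r1) % n
            r1 = (2 * r1) % n
        else:
            r1 = (r0 + r1) % n
            r0 = (2 * r0) % n
        iterations += 1
    return r0, iterations


def iteration_counts(g: int, n: int, fixed_length: bool) -> set:
    """Set of distinct iteration counts seen over every possible nonce k.

    A defender checking an implementation wants this to be a single value:
    more than one distinct count means the run time partitions the nonces
    by bit length, which is the side channel the paper exploits.
    """
    return {montgomery_ladder(k, g, n, fixed_length)[1] for k in range(1, n)}


if __name__ == "__main__":
    # Constructed sample parameters: order n = 97 (7 bits), generator g = 3.
    n, g = 97, 3
    for k in (5, 90):
        print("k=%3d variable-length -> %s" % (k, montgomery_ladder(k, g, n)))
        print("k=%3d fixed-length    -> %s" % (k, montgomery_ladder(k, g, n, True)))
    print("distinct counts, variable:", sorted(iteration_counts(g, n, False)))
    print("distinct counts, fixed:   ", sorted(iteration_counts(g, n, True)))
```

With the constructed parameters, a 3-bit nonce (k=5) and a 7-bit nonce (k=90) take 3 and 7 iterations in the length-dependent ladder but both take 8 once padded, and both variants return the same group element. The same check applies to a real implementation: if the per-signature cost clusters by nonce bit length rather than being constant, the scalar is not being padded.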