Security of OpenSSL ECDSA signatures

Damien Miller djm at
Mon May 23 22:31:49 EST 2011

On Mon, 23 May 2011, Aris Adamantiadis wrote:

> Dear OpenSSH devs,
> I came across this paper yesterday.
> It states that they were able to recover ECDSA keys from TLS servers by
> using timing attacks against OpenSSL's ECDSA implementation.
> Is that known to be exploitable by OpenSSH? (In my understanding, it's
> easy to get a payload signed by ECDSA during the key exchange so my
> opinion is that it is). There's a patch for openssl in the paper that
> removes the detectable optimization. Would you consider blacklisting
> openssl versions that do not implement that workaround?

This result concerns binary/GF(2m) fields only and not the prime fields
that OpenSSH uses in recent versions.

Unless a similar timing oracle is found for GF(p) fields, no
OpenSSH-side workaround is required.
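The class of leak the thread is about, as an added illustration that is not part of this mailing-list exchange and is not OpenSSL's code: a scalar-multiplication ladder that starts at the scalar's most significant set bit does a number of loop iterations equal to the bit length of the scalar, so when the scalar is an ECDSA nonce, the time taken to sign leaks how short the nonce is. The padding countermeasure shown here (adding the group order once or twice so every nonce is processed at a fixed length, which does not change the resulting point) is the general shape of the fix the paper's patch is described as applying; the toy curve over GF(97), the generator (3, 6), and the function names are constructed for this example and are not the field, curve or code the thread refers to.

```python
# Added example: variable-length vs fixed-length Montgomery ladder on a
# constructed toy curve y^2 = x^3 + 2x + 3 over GF(97).  Nothing here is
# OpenSSL's implementation; it only reproduces the loop-count leak and the
# order-padding countermeasure in miniature.

P = 97          # toy prime field (constructed)
A = 2
B = 3
G = (3, 6)      # 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97), so G is on the curve
INF = None      # point at infinity


def ec_add(p1, p2):
    """Affine point addition/doubling on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                               # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def naive_mul(k, g=G):
    """Reference k*g by repeated addition (used only to check the ladders)."""
    r = INF
    for _ in range(k):
        r = ec_add(r, g)
    return r


def point_order(g):
    """Smallest n > 0 with n*g = INF, found by repeated addition."""
    n, q = 1, g
    while q is not INF:
        q = ec_add(q, g)
        n += 1
    return n


N = point_order(G)   # order of the generator; the "group order" for padding


def ladder(k, g, nbits):
    """Montgomery ladder over bits nbits-1 .. 0 of k.

    Returns (k*g, number of loop iterations).  The iteration count is what an
    attacker observes as elapsed time.
    """
    r0, r1 = INF, g                 # invariant: r1 == r0 + g
    iterations = 0
    for i in range(nbits - 1, -1, -1):
        if (k >> i) & 1:
            r0, r1 = ec_add(r0, r1), ec_add(r1, r1)
        else:
            r1, r0 = ec_add(r0, r1), ec_add(r0, r0)
        iterations += 1
    return r0, iterations


def mul_variable_time(k, g=G):
    """Leaky variant: starts at the top set bit, so work == k.bit_length()."""
    return ladder(k, g, k.bit_length())


def mul_fixed_time(k, g=G, n=N):
    """Padded variant: k + n or k + 2n always has bit length n.bit_length()+1,
    and since n*g == INF the result is still k*g.  Loop count is now constant
    for every scalar in 1 .. n-1."""
    kk = k + n
    if kk.bit_length() == n.bit_length():
        kk += n
    return ladder(kk, g, n.bit_length() + 1)


if __name__ == "__main__":
    for k in (1, 2, 5, N - 1):
        _, leaky = mul_variable_time(k)
        _, fixed = mul_fixed_time(k)
        print(f"k={k:3d}  leaky ladder: {leaky} iterations  "
              f"padded ladder: {fixed} iterations")
```

Run the block and the leaky variant's iteration count tracks the scalar's bit length while the padded variant's count is the same for every scalar. Padding the loop length is only the first step a real implementation needs: the per-iteration branch in `ladder` still chooses different operations per bit, which is why constant-time code uses conditional swaps rather than an `if`, but the loop-count leak is the one the thread is about.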


More information about the openssh-unix-dev mailing list