search menu icon-carat-right cmu-wordmark

CERT Coordination Center

OpenSSL leaks ECDSA private key through a remote timing attack

Vulnerability Note VU#536044

Original Release Date: 2011-05-17 | Last Revised: 2011-06-01

Overview

The OpenSSL ladder implementation for scalar multiplication of points on elliptic curves over binary fields is susceptible to a timing attack vulnerability. This vulnerability can be used to steal the private key of a TLS server that authenticates with ECDSA signatures and binary curves.

Description

Billy Bob Brumley's and Nicola Tuveri's paper "Remote Timing Attacks are Still Practical" states:

"For over two decades, timing attacks have been an active area of research within applied cryptography. These attacks exploit cryptosystem or protocol implementations that do not run in constant time. When implementing an elliptic curve cryptosystem that provides side-channel resistance, the scalar multiplication routine is a critical component. In such instances, one attractive method often suggested in the literature is Montgomery’s ladder that performs a fixed sequence of curve and field operations.

This paper describes a timing attack vulnerability in OpenSSL's ladder implementation for curves over binary fields. We use this vulnerability to steal the private key of a TLS server where the server authenticates with ECDSA signatures. Using the timing of the exchanged messages, the messages themselves, and the signatures, we mount a lattice attack that recovers the private key."

Impact

A remote attacker can retrieve the private key of a TLS server that authenticates with ECDSA signatures and binary curves.

Solution

We are currently unaware of a practical solution to this problem.

Do not use ECDSA signatures and binary curves for authentication.

Vendor Information

536044
 

OpenSSL Affected

Notified:  March 29, 2011 Updated: May 11, 2011

Status

Affected

Vendor Statement

"The OpenSSL team have reviewed the paper, and although the result is significant, we believe that the affected code (ECDSA used with binary curves) is very rarely used at present. We therefore do not plan on issuing a security release but expect to patch this in the future."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apache-SSL Unknown

Notified:  April 21, 2011 Updated: April 21, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple Inc. Unknown

Notified:  May 10, 2011 Updated: May 10, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CentOS Unknown

Notified:  May 10, 2011 Updated: May 10, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux Unknown

Notified:  May 10, 2011 Updated: May 10, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD Project Unknown

Notified:  May 10, 2011 Updated: May 10, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux Unknown

Notified:  May 10, 2011 Updated: May 10, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva S. A. Unknown

Notified:  May 10, 2011 Updated: May 10, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD Unknown

Notified:  May 10, 2011 Updated: May 10, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc. Unknown

Notified:  May 10, 2011 Updated: May 10, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux Unknown

Notified:  May 10, 2011 Updated: May 10, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc. Unknown

Notified:  May 10, 2011 Updated: May 10, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu Unknown

Notified:  May 10, 2011 Updated: May 10, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 13 vendors View less vendors


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Billy Brumley for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2011-1945
Severity Metric: 0.13
Date Public: 2011-05-17
Date First Published: 2011-05-17
Date Last Updated: 2011-06-01 15:39 UTC
Document Revision: 14

Sponsored by CISA.