Skip to content
  1. Aug 01, 2018
  2. Jul 26, 2018
  3. Jul 25, 2018
  4. Jul 23, 2018
  5. Jul 22, 2018
  6. Jul 13, 2018
  7. Jul 03, 2018
  8. Jun 28, 2018
  9. Jun 25, 2018
  10. Jun 24, 2018
  11. Jun 21, 2018
  12. Jun 19, 2018
  13. Jun 18, 2018
  14. Jun 13, 2018
    • Matt Caswell's avatar
      Add blinding to an ECDSA signature · 949ff366
      Matt Caswell authored
      
      
      Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
      ECDSA signature operation. During signing the signer calculates:
      
      s:= k^-1 * (m + r * priv_key) mod order
      
      The addition operation above provides a sufficient signal for a
      flush+reload attack to derive the private key given sufficient signature
      operations.
      
      As a mitigation (based on a suggestion from Keegan) we add blinding to
      the operation so that:
      
      s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
      
      Since this attack is a localhost side channel only no CVE is assigned.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      949ff366
  15. Jun 12, 2018
  16. Jun 09, 2018
  17. Jun 02, 2018
  18. May 31, 2018
  19. May 29, 2018
  20. May 23, 2018
  21. May 21, 2018
  22. May 18, 2018
  23. May 17, 2018
    • Matt Caswell's avatar
      Make BN_GF2m_mod_arr more constant time · 7e5292ba
      Matt Caswell authored
      
      
      Experiments have shown that the lookup table used by BN_GF2m_mod_arr
      introduces sufficient timing signal to recover the private key for an
      attacker with access to cache timing information on the victim's host.
      This only affects binary curves (which are less frequently used).
      
      No CVE is considered necessary for this issue.
      
      The fix is to replace the lookup table with an on-the-fly calculation of
      the value from the table instead, which can be performed in constant time.
      
      Thanks to Youngjoo Shin for reporting this issue.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/6270)
      
      (cherry picked from commit b336ce57)
      7e5292ba
  24. May 14, 2018
  25. May 12, 2018
  26. May 11, 2018