Mailinglist Archive: opensuse-bugs (6588 mails)

[Bug 1143532] New: VUL-0: CVE-2019-14318: libcryptopp: timing side channel in ECDSA signature generation
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Wed, 31 Jul 2019 06:54:22 +0000
  • Message-id: <bug-1143532-21960@http.bugzilla.opensuse.org/>
http://bugzilla.opensuse.org/show_bug.cgi?id=1143532


Bug ID: 1143532
Summary: VUL-0: CVE-2019-14318: libcryptopp: timing side channel in ECDSA signature generation
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.0
Hardware: Other
URL: https://smash.suse.de/issue/238345/
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: pascal.bleser@xxxxxxxxxxxx
Reporter: atoptsoglou@xxxxxxxx
QA Contact: security-team@xxxxxxx
Found By: Security Response Team
Blocker: ---

CVE-2019-14318

Crypto++ 8.3.0 and earlier contains a timing side channel in ECDSA signature
generation. This allows a local or remote attacker, able to measure the
duration of hundreds to thousands of signing operations, to compute the
private key used. The issue occurs because scalar multiplication in ecp.cpp
(prime field curves, small leakage) and algebra.cpp (binary field curves,
large leakage) is not constant time and leaks the bit length of the scalar
among other information.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14318
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14318
https://tches.iacr.org/index.php/TCHES/article/view/7337
https://eprint.iacr.org/2011/232.pdf
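
The bit-length leak described in the report, shown as an added example that is not Crypto++ code and not part of the original message: a double-and-add loop whose operation count follows the scalar, next to a fixed-schedule Montgomery ladder whose count does not. The toy additive group, the modulus `M`, `ORDER_BITS`, the sample scalars and the function names `mul_leaky` and `mul_ladder` are all assumptions, and the code counts group operations rather than measuring time.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed model: integers mod M under addition stand in for curve points,
// so "doubling" is 2*R mod M and "addition" is R+P mod M. M is an assumption.
static const uint64_t M = 1000003;
static const int ORDER_BITS = 20;  // bit length of M, used as fixed loop bound
struct Trace { uint64_t result; int doubles; int adds; };
static uint64_t gadd(uint64_t a, uint64_t b) { return (a + b) % M; }

// Leaky double-and-add: starts at the scalar's top set bit, so the number of
// doublings equals bitlen(k) and the number of additions equals popcount(k).
Trace mul_leaky(uint64_t k, uint64_t P) {
    Trace t{0, 0, 0};
    int top = 63;
    while (top >= 0 && !((k >> top) & 1)) --top;  // skip leading zero bits
    for (int i = top; i >= 0; --i) {
        t.result = gadd(t.result, t.result); ++t.doubles;
        if ((k >> i) & 1) { t.result = gadd(t.result, P); ++t.adds; }
    }
    return t;
}

// Fixed-schedule Montgomery ladder: always ORDER_BITS iterations with one
// addition and one doubling each; the scalar bit only drives a masked swap.
Trace mul_ladder(uint64_t k, uint64_t P) {
    Trace t{0, 0, 0};
    uint64_t R0 = 0, R1 = P % M;  // invariant: R1 - R0 == P (mod M)
    for (int i = ORDER_BITS - 1; i >= 0; --i) {
        uint64_t mask = 0 - ((k >> i) & 1);   // all ones when the bit is set
        uint64_t x = (R0 ^ R1) & mask;
        R0 ^= x; R1 ^= x;                      // conditional swap, no branch
        R1 = gadd(R0, R1); ++t.adds;
        R0 = gadd(R0, R0); ++t.doubles;
        x = (R0 ^ R1) & mask;
        R0 ^= x; R1 ^= x;                      // swap back
    }
    t.result = R0;
    return t;
}

int main() {
    const uint64_t P = 12345, ks[] = {0x3, 0xF0F0F};  // constructed scalars
    for (uint64_t k : ks) {
        Trace a = mul_leaky(k, P), b = mul_ladder(k, P);
        std::printf("k=%#llx leaky: %d dbl %d add | ladder: %d dbl %d add\n",
            (unsigned long long)k, a.doubles, a.adds, b.doubles, b.adds);
    }
}
```

The `%` reduction in `gadd` is itself not timing-hardened; the model only isolates the loop-schedule difference between the two routines.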
