tech-security archive


ECDSA and key leaks due to RNG problems.



With respect to NetBSD-SA2013-003.

Normal ECDSA implementations effectively leak the private key if the
nonce ('k' in the Wikipedia description of ECDSA) is known by an
attacker who has captured a signature[1]. Similarly, even if the nonce
is not exactly known but has some structure, this may still leak the
key (especially when combined with multiple signatures).

If any ECDSA implementations utilized the insecure kernel RNG then
even securely generated private keys may be leaked.

Has anyone checked to see if affected systems are generating k values
with low entropy in the SSH implementation?  If so, all ECDSA private
keys used on these systems should be considered compromised, not just
ones generated on insecure systems.

[1] http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/
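The algebra behind the leak described above, as an added worked example (it is not code from the post, from NetBSD or from any SSH implementation): textbook ECDSA over secp256k1 in pure Python, with three recovery routines that turn nonce knowledge into the private key. The curve choice, the private key `DEMO_D`, the messages and every nonce value are constructed for the demonstration; the recovery formulas do not depend on the curve. `key_from_known_nonce` covers the case where k is known outright; `key_from_reused_nonce` covers one "structured" case, the same k used for two signatures, which an attacker spots because both signatures carry the same r; `key_from_small_nonce` covers a low-entropy k by walking candidate nonces. Partial knowledge of k (a few known bits per signature) is also fatal but needs a lattice attack, which this example does not implement.

```python
"""Textbook ECDSA (secp256k1) and private-key recovery from weak nonces.

Added example; not the code of any real implementation. The curve, the
key DEMO_D, the messages and the nonces below are all constructed here.
"""
import hashlib

# secp256k1 domain parameters: y^2 = x^3 + 7 over GF(P), base point G of order N.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Constructed private key for the demonstration (any 1 <= d < N works).
DEMO_D = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD


def point_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P   # tangent (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point):
    """Double-and-add. Not constant time; fine for an offline demonstration."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def hash_to_int(msg):
    """z = SHA-256(msg) reduced mod N (N is 256 bits, so this is the usual z)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k):
    """ECDSA signing with the nonce k chosen by the caller (that is the whole point)."""
    z = hash_to_int(msg)
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, pick another k")
    return r, s


def verify(Q, msg, sig):
    """Standard ECDSA verification against public key Q = d*G."""
    r, s = sig
    z = hash_to_int(msg)
    w = pow(s, -1, N)
    X = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, Q))
    return X is not None and X[0] % N == r


def key_from_known_nonce(sig, msg, k):
    """s = k^-1 (z + r d)  =>  d = (s k - z) r^-1  (mod N)."""
    r, s = sig
    z = hash_to_int(msg)
    return (s * k - z) * pow(r, -1, N) % N


def key_from_reused_nonce(sig1, msg1, sig2, msg2):
    """Same k in two signatures (visible as equal r): s1 - s2 = k^-1 (z1 - z2)."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("r differs, the nonce was not reused")
    if (s1 - s2) % N == 0:
        raise ValueError("identical signatures, two distinct messages are needed")
    z1, z2 = hash_to_int(msg1), hash_to_int(msg2)
    k = (z1 - z2) * pow(s1 - s2, -1, N) % N
    return key_from_known_nonce(sig1, msg1, k)


def key_from_small_nonce(sig, msg, bound):
    """Low-entropy k: walk k = 1, 2, ... with one point addition per step
    until (k*G).x mod N equals r, then recover d as for a known nonce."""
    r, _ = sig
    point = None
    for k in range(1, bound):
        point = point_add(point, G)
        if point[0] % N == r:
            return key_from_known_nonce(sig, msg, k)
    return None


if __name__ == "__main__":
    Q = scalar_mult(DEMO_D, G)
    sig = sign(DEMO_D, b"constructed message", 1337)     # 1337 is a weak nonce
    print(verify(Q, b"constructed message", sig))
    print(key_from_small_nonce(sig, b"constructed message", 2048) == DEMO_D)
```

Run it stand-alone and the final line prints `True`: a signature that verifies perfectly still gives away the key once k is found, which is why a key that merely signed on a host with a bad RNG is as compromised as one generated there.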

