ECDSA and key leaks due to RNG problems.

To: tech-security%NetBSD.org@localhost
Subject: ECDSA and key leaks due to RNG problems.
From: Gregory Maxwell <gmaxwell%gmail.com@localhost>
Date: Mon, 25 Mar 2013 15:50:26 -0700

With respect to NetBSD-SA2013-003.

Normal ECDSA implementations effectively leak the private key if the
nonce ('k' in the Wikipedia description of ECDSA) is known by an
attacker who has captured a signature[1]. Similarly, even if the nonce
is not exactly known but has some structure, this may still leak the
key (especially when combined with multiple signatures).

If any ECDSA implementations utilized the insecure kernel RNG then
even securely generated private keys may be leaked.

Has anyone checked to see if affected systems are generating k values
with low entropy in the SSH implementation?  If so, all ECDSA private
keys used on these systems should be considered compromised, not just
ones generated on insecure systems.

[1] http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/

Prev by Date: Ѷ‌Ῐ‌ἅ‌Ģ‌ℜ‌ἅ
Next by Date: NetBSD Security Advisory 2013-003: RNG Bug May Result in Weak Cryptographic Keys (REVISED)
Previous by Thread: Ѷ‌Ῐ‌ἅ‌Ģ‌ℜ‌ἅ
Next by Thread: NetBSD Security Advisory 2013-003: RNG Bug May Result in Weak Cryptographic Keys (REVISED)
Indexes:

Home | Main Index | Thread Index | Old Index