git.librecmc.org Git - oweals/openssl.git/commit

author	Matt Caswell <matt@openssl.org>
	Tue, 19 Jun 2018 14:07:02 +0000 (15:07 +0100)
committer	Matt Caswell <matt@openssl.org>
	Thu, 21 Jun 2018 09:28:20 +0000 (10:28 +0100)
commit	41d23d435221411b4d70c08b6c5424d0afcf4c19
tree	88886e5b8b3298a8d37dccd554936f7f263e1514	tree \| snapshot
parent	8fbbbdd5fcfeca62d339d1db11887da2a298ee8e	commit \| diff

Add blinding to a DSA signature

This extends the recently added ECDSA signature blinding to blind DSA too.

This is based on side channel attacks demonstrated by Keegan Ryan (NCC
Group) for ECDSA which are likely to be able to be applied to DSA.

Normally, as in ECDSA, during signing the signer calculates:

s:= k^-1 * (m + r * priv_key) mod order

In ECDSA, the addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.

As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:

s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order

Since this attack is a localhost side channel only no CVE is assigned.

This commit also tweaks the previous ECDSA blinding so that blinding is
only removed at the last possible step.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6524)

CHANGES		diff \| blob \| history
crypto/dsa/dsa_ossl.c		diff \| blob \| history
crypto/ecdsa/ecs_ossl.c		diff \| blob \| history