git.librecmc.org Git - oweals/openssl.git/commit

author	Matt Caswell <matt@openssl.org>
	Tue, 19 Jun 2018 14:07:02 +0000 (15:07 +0100)
committer	Matt Caswell <matt@openssl.org>
	Thu, 21 Jun 2018 09:24:31 +0000 (10:24 +0100)
commit	77b6b171a3b0a0f19ffcc8d4e682090fb88f0d10
tree	2096da53c4c9a19c37a015e43b85888d9359af1f	tree \| snapshot
parent	56c91e6dda3252b40396fcecd4005a823a8c7bf5	commit \| diff

Add blinding to a DSA signature

This extends the recently added ECDSA signature blinding to blind DSA too.

This is based on side channel attacks demonstrated by Keegan Ryan (NCC
Group) for ECDSA which are likely to be able to be applied to DSA.

Normally, as in ECDSA, during signing the signer calculates:

s:= k^-1 * (m + r * priv_key) mod order

In ECDSA, the addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.

As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:

s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order

Since this attack is a localhost side channel only no CVE is assigned.

This commit also tweaks the previous ECDSA blinding so that blinding is
only removed at the last possible step.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6523)

CHANGES		diff \| blob \| history
crypto/dsa/dsa_ossl.c		diff \| blob \| history
crypto/ec/ecdsa_ossl.c		diff \| blob \| history