Vulnerability Disclosure: ECDSA signing operations and nonce size leaks

Settings that mitigate this vulnerability in affected versions (secp256r1 only, all other curves are affected):

  • –enable-sp
  • –enable-sp-asm
  • –enable-fpecc

Affected Users:

Users with long-term private ECC ECDSA keys performing ECDSA sign operations with the USE_FAST_MATH setting (–enable-fastmath).

Users who have disabled the default enabled timing resistance while also using fastmath (–disable-harden) or using normal math (–disable-fastmath) will continue to be susceptible to timing attacks including this vulnerability.

Summary:

There is a potential leak of nonce sizes when performing ECDSA signing operations. The leak is considered to be difficult to exploit but it could potentially be used to recover private ECC keys in wolfSSL versions prior to release 4.1.0.

Recommendation:

Users with long-term private ECC ECDSA keys, performing ECDSA signing operations with the fastmath library should:

  1.  update to wolfSSL version 4.1.0
  2. replace any long-term private ECC ECDSA keys.
  3. Not disable timing resistance

Research:

The research for this vulnerability is not yet publicly available, a public disclosure containing more details is currently scheduled for September 2nd 2019. CVE-2019-13628 has been reserved for when the public disclosure is made available.

Additional details:

More available upon public disclosure of research. The patch fixing this issue can be viewed at this link: https://github.com/wolfSSL/wolfssl/pull/2353/files

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Related Items:
https://www.wolfssl.com/everything-wanted-know-wolfssl-support-handles-vulnerability-reports-afraid-ask/
https://www.wolfssl.com/docs/security-vulnerabilities/
https://github.com/wolfSSL/wolfssl/pull/2353