ECDSA: Fix side channel vulnerability The blinding applied to the scalar before modular inversion is inadequate. Bignum is not constant time/constant trace, side channel attacks can retrieve the blinded value, factor it (it is smaller than RSA keys and not guaranteed to have only large prime factors). Then the key can be recovered by brute force. Reducing the blinded value makes factoring useless because the adversary can only recover pk*t+z*N instead of pk*t.

commit: d65df1fa67ca80a5142909036d1b75d8c370f89d [log] [tgz]
author: Janos Follath <janos.follath@arm.com> Thu Oct 17 10:18:51 2019 +0100
committer: Janos Follath <janos.follath@arm.com> Fri Oct 25 09:11:21 2019 +0100
tree: 272428777fceed24f75b061762e83bcc337be570
parent: 069fb0e09a01b1a45004093f29923d0554f87c12 [diff] [blame]
diff --git a/library/ecdsa.c b/library/ecdsa.c
index 2b48006..3cf3d7c 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c

@@ -363,6 +363,7 @@
         MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pk, pk, &t ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pk, pk, &grp->N ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, pk, &grp->N ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );
commit	d65df1fa67ca80a5142909036d1b75d8c370f89d	[log] [tgz]
author	Janos Follath <janos.follath@arm.com>	Thu Oct 17 10:18:51 2019 +0100
committer	Janos Follath <janos.follath@arm.com>	Fri Oct 25 09:11:21 2019 +0100
tree	272428777fceed24f75b061762e83bcc337be570
parent	069fb0e09a01b1a45004093f29923d0554f87c12 [diff] [blame]