Researchers from Masaryk University
The best-known projects affected by the proposed attack are OpenJDK/OracleJDK (CVE-2019-2894) and the library
The problem has already been fixed in the libgcrypt 1.8.5 and wolfCrypt 4.1.0 releases; the other affected projects have not released updates yet. The status of the libgcrypt fix in the distribution packages can be tracked on these pages:
libkcapi (the user-space library for the Linux kernel crypto API), Sodium (libsodium) and GnuTLS.
The problem is a timing side channel in the scalar multiplication used by the elliptic-curve operations: the affected implementations leak information about individual bits of the secret scalar, notably how many of the nonce's leading bits are zero, and the attacker recovers that information indirectly, by measuring how long the computation takes. The attack requires unprivileged access to the host on which the digital signature is generated (not
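To make the mechanism concrete, the following is an added example (not code from the article or from any of the affected projects) on a toy curve constructed for the purpose: a left-to-right double-and-add that starts at the scalar's highest set bit runs one loop iteration per bit of the nonce, so its running time reveals the nonce's bit length, while a loop that always walks a fixed number of bits does not. The curve parameters, the scalar bound `SCALAR_BITS` and the function names are assumptions made for the example.

```python
"""Where a Minerva-style timing leak comes from. A double-and-add scalar
multiplication that starts at the scalar's top set bit does fewer loop
iterations for nonces with leading zero bits, so its running time reveals
the nonce's bit length. Toy curve constructed for this example."""

P = 97            # toy prime field, constructed for the example (not a real curve)
A, B = 2, 3       # curve y^2 = x^3 + 2x + 3 over F_97
G = (3, 6)        # a point on that curve (6^2 = 36 = 27 + 6 + 3 mod 97)
SCALAR_BITS = 7   # assumed upper bound on the bit length of any valid scalar
INF = None        # point at infinity


def add(p1, p2):
    """Affine point addition/doubling on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                          # p1 == -p2 (also covers doubling a point with y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def leaky_mul(k, pt=G):
    """Left-to-right double-and-add that starts at k's highest set bit.
    Returns (k*pt, iterations): the iteration count equals k.bit_length(),
    so a timing observer learns how many leading bits of k are zero."""
    acc, steps = INF, 0
    for i in range(k.bit_length() - 1, -1, -1):
        acc = add(acc, acc)
        if (k >> i) & 1:
            acc = add(acc, pt)
        steps += 1
    return acc, steps


def fixed_length_mul(k, pt=G, bits=SCALAR_BITS):
    """Same algorithm, but it always walks a fixed number of bits, so the
    iteration count no longer depends on k. (It still branches on each bit;
    a real constant-time implementation also removes that branch and the
    INF special cases, e.g. with a Montgomery ladder or complete formulas.)"""
    acc, steps = INF, 0
    for i in range(bits - 1, -1, -1):
        acc = add(acc, acc)
        if (k >> i) & 1:
            acc = add(acc, pt)
        steps += 1
    return acc, steps


def flag_short_nonces(nonces, max_steps):
    """What the attacker does with the timing signal: keep only the signatures
    whose scalar multiplication ran for at most max_steps iterations, i.e.
    whose nonce has at most max_steps bits."""
    return [k for k in nonces if leaky_mul(k)[1] <= max_steps]


if __name__ == "__main__":
    for k in (5, 9, 64, 100):
        print(k, leaky_mul(k), fixed_length_mul(k))
    print("short nonces:", flag_short_nonces([5, 100, 9, 64], 4))
```

The check a practitioner wants is the one `flag_short_nonces` performs from the attacker's side: if the iteration count (and hence the time) of your scalar multiplication varies with the scalar's bit length, the nonce is leaking. Fixing the loop length is the first step; the usual complete mitigation is a scalar multiplication whose whole control flow and memory access pattern are independent of the scalar.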
Despite the small size of the leak, even a few bits of information about the per-signature secret nonce (k) are enough in ECDSA to recover the entire private key step by step: each signature with a partially known nonce yields a linear relation involving the private key, and a collection of such relations forms a hidden-number-problem instance that lattice reduction solves. According to the authors of the method, analyzing from several hundred to several thousand digital signatures over messages known to the attacker is sufficient to recover the key. For example, 90 digital signatures on the secp256r1 elliptic curve were analyzed to determine the private key used on an Athena IDProtect smart card based on the Inside Secure AT11SC chip; the total attack time was 30 minutes.
Source: opennet.ru