New side-channel attack technique to recover ECDSA keys

Researchers from Masaryk University have disclosed vulnerabilities in various implementations of the ECDSA/EdDSA digital signature algorithms that allow a private key to be recovered by analysing leaks of individual bits obtained through side-channel analysis. The vulnerabilities were codenamed Minerva.

The best-known projects affected by the proposed attack method are OpenJDK/OracleJDK (CVE-2019-2894) and the libgcrypt library (CVE-2019-13627) used by GnuPG. Also affected are MatrixSSL, Crypto++, wolfCrypt, elliptic, jsrsasign, python-ecdsa, ruby_ecdsa, fastecdsa, easy-ecc and Athena IDProtect smart cards. Valid S/A IDflex V, SafeNet eToken 4300 and TecSec Armored Card cards, which use the same generic ECDSA module, have also been reported as potentially vulnerable.

The problem has already been fixed in the libgcrypt 1.8.5 and wolfCrypt 4.1.0 releases; the remaining projects have not yet released updates. You can track the status of the fix for the libgcrypt package in distributions on these pages: Debian, Ubuntu, RHEL, Fedora, openSUSE / SUSE, FreeBSD, Arch.

OpenSSL, Botan, mbedTLS and BoringSSL are not affected. Not yet tested: Mozilla NSS, LibreSSL, Nettle, BearSSL, cryptlib, OpenSSL in FIPS mode, Microsoft .NET crypto, libkcapi from the Linux kernel, Sodium and GnuTLS.

The problem stems from the ability to determine the values of individual bits during scalar multiplication in elliptic-curve operations. The bits are extracted indirectly, for example by measuring the time taken to perform the computation. The attack requires unprivileged access to the host on which the digital signature is generated (a remote attack is not ruled out, but it is highly complicated and requires a large amount of data for analysis, so it can be considered unlikely). The tools used for the attack are available for download.

Despite the small size of the leak, for ECDSA even a few bits of information about the nonce (initialization vector) are enough to mount an attack that progressively recovers the entire private key. According to the authors of the method, successful key recovery requires analysing from several hundred to several thousand digital signatures generated over messages known to the attacker. For example, 90 signatures made with the secp256r1 elliptic curve were enough to determine the private key used on an Athena IDProtect smart card based on the Inside Secure AT11SC chip; the total attack time was 30 minutes.
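As an added illustration (not part of the original report or of any of the affected projects), the following toy Python shows the class of leak described above from the implementer's side: a double-and-add loop that runs over exactly `bit_length(k)` bits performs an amount of work that reveals the bit length of the nonce, while a Montgomery ladder run over a fixed number of bits performs the same number of group operations for every scalar. The curve parameters, the point `G` and all function names are constructed for this example.

```python
# Toy short-Weierstrass curve y^2 = x^3 + A*x + B over GF(P_MOD).
# Constructed for illustration only; the parameters are tiny and not a real curve.
P_MOD = 97
A, B = 2, 3
G = (3, 6)          # 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97), so G lies on the curve
INF = None          # point at infinity

def ec_add(P, Q):
    """Affine point addition (handles doubling and the point at infinity)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                      # P == -Q
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def scalar_mult_leaky(k, P):
    """Left-to-right double-and-add over exactly k.bit_length() bits.
    Returns (k*P, number of group operations). The operation count, and thus
    the running time, depends on the bit length (and weight) of k: a nonce
    with leading zero bits finishes measurably faster."""
    R, ops = INF, 0
    for i in range(k.bit_length() - 1, -1, -1):
        R = ec_add(R, R)
        ops += 1
        if (k >> i) & 1:
            R = ec_add(R, P)
            ops += 1
    return R, ops

def scalar_mult_ladder(k, P, nbits):
    """Montgomery ladder over a fixed number of bits: one doubling and one
    addition per iteration whatever the bit value, so the operation count is
    independent of k. (A production implementation would also replace the
    Python branch below with a branchless conditional swap.)"""
    R0, R1, ops = INF, P, 0
    for i in range(nbits - 1, -1, -1):
        if (k >> i) & 1:
            R0, R1 = ec_add(R0, R1), ec_add(R1, R1)
        else:
            R0, R1 = ec_add(R0, R0), ec_add(R0, R1)
        ops += 2
    return R0, ops
```

Running both routines over a range of scalars shows identical results but a scalar-dependent operation count only for the leaky variant, which is exactly the signal Minerva exploits.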

Source: opennet.ru
