New Side-Channel Attack Technique for Recovering ECDSA Keys

Researchers from Masaryk University have disclosed information about vulnerabilities in various implementations of the ECDSA/EdDSA digital signature generation algorithm. The vulnerabilities make it possible to recover the value of a private key by analysing leaks of information about individual bits, which surface when side-channel analysis methods are applied. The vulnerability has been codenamed Minerva.

The best-known projects affected by the proposed attack method are OpenJDK/OracleJDK (CVE-2019-2894) and the libgcrypt library (CVE-2019-13627), which is used in GnuPG. MatrixSSL, Crypto++, wolfCrypt, elliptic, jsrsasign, python-ecdsa, ruby_ecdsa, fastecdsa, easy-ecc and Athena IDProtect smart cards are also susceptible to the problem. The Valid S/A IDflex V, SafeNet eToken 4300 and TecSec Armored Card cards have not been tested, but because they use a standard ECDSA module they are also declared potentially vulnerable.

The problem has already been fixed in the libgcrypt 1.8.5 and wolfCrypt 4.1.0 releases; the other projects have not yet published updates. The fix for the vulnerability in the libgcrypt package can be tracked in distributions on these pages: Debian, Ubuntu, RHEL, Fedora, openSUSE / SUSE, FreeBSD, Arch.

OpenSSL, Botan, mbedTLS and BoringSSL are not susceptible to the vulnerability. Mozilla NSS, LibreSSL, Nettle, BearSSL, cryptlib, OpenSSL in FIPS mode, Microsoft .NET crypto, libkcapi from the Linux kernel, Sodium and GnuTLS have not been tested yet.

The problem is caused by the ability to determine the values of individual bits during scalar multiplication in elliptic curve operations. Indirect methods, such as measuring the delay of a computation, are used to extract the bit information. The attack requires access to the host on which the digital signature is generated (a remote attack is not ruled out either, but it is very complicated and requires a large amount of data for analysis, so it can be considered unlikely). The tools used for the attack are available for download.

Despite the small size of the leak, for ECDSA determining even a few bits of information about the initialization vector (nonce) is enough to carry out an attack that recovers the entire private key step by step. According to the authors of the method, analysing from several up to several thousand digital signatures generated for messages known to the attacker is enough to recover a key successfully. For example, 90 thousand digital signatures made with the secp256r1 elliptic curve were analysed to determine the private key used on an Athena IDProtect smart card based on the Inside Secure AT11SC chip. The total attack time was 30 minutes.

Source: opennet.ru