git.openssl.org Git - openssl.git/commit

author	Matt Caswell <matt@openssl.org>
	Tue, 19 Jun 2018 14:07:02 +0000 (15:07 +0100)
committer	Matt Caswell <matt@openssl.org>
	Thu, 21 Jun 2018 09:15:57 +0000 (10:15 +0100)
commit	7f9822a48213dd2feca845dbbb6bcb8beb9550de
tree	36b9afd40719605332a498a4ea37aa627d14f04e	tree \| snapshot
parent	95aec8641fb6f596f170f97852e1e2839f4ec2fc	commit \| diff

Add blinding to a DSA signature

This extends the recently added ECDSA signature blinding to blind DSA too.

This is based on side channel attacks demonstrated by Keegan Ryan (NCC
Group) for ECDSA which are likely to be able to be applied to DSA.

Normally, as in ECDSA, during signing the signer calculates:

s:= k^-1 * (m + r * priv_key) mod order

In ECDSA, the addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.

As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:

s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order

Since this attack is a localhost side channel only no CVE is assigned.

This commit also tweaks the previous ECDSA blinding so that blinding is
only removed at the last possible step.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6522)

CHANGES		diff \| blob \| history
crypto/dsa/dsa_ossl.c		diff \| blob \| history
crypto/ec/ecdsa_ossl.c		diff \| blob \| history