[Pkg-openssl-devel] openssl 1.0.0e vulnerability

Julian Gilbey jdg at debian.org
Thu Oct 6 16:15:51 UTC 2011


On Thu, Oct 06, 2011 at 02:23:31PM +0200, Florian Weimer wrote:
> * Julian Gilbey:
> 
> > In the file crypto/rsa/rsa_eay.c, at line 850, if the CRT-based
> > modular exponentiation has failed, a second attempt is tried using
> > bn_mod_exp (line 862 or 866).  However, the results of this attempt
> > are NOT then verified.  The paper then describes how this weakness can
> > be exploited.
> 
> IIRC, this requires faulty hardware, on a very thin line where the
> system still mostly works, but the modular exponentiation fails
> nevertheless.  This seems rather unlikely.  In addition, such an
> attack wouldn't work against TLS servers because they do not perform
> RSA signing.
> 
> I always thought that this paper was a great compliment to the OpenSSL
> authors---usually, you don't have to resort to faulty hardware to
> uncover security issues. 8-)

:-)

A careful reading of the paper shows that the hardware was perfectly
functional but forced to fail in a very specific way due to carefully
changing the input power voltage.  The only reason that this attack
was capable of being successful was because the openssl code took care
to protect against the possibility of the CRT approach being
compromised but not the fallback method.  It seems fairly
straightforward to fix this potential hole, especially as this exploit
is now available for all to read.

   Julian
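As an added illustration of the point discussed in this thread (this is example code, not part of the thread and not OpenSSL's code): a toy RSA-CRT signer with an injectable fault, the classic single-faulty-signature factor recovery (the gcd trick of Boneh, DeMillo and Lipton), a signer that mirrors the weakness described above (CRT result verified, fallback result not), and a hardened signer that verifies whichever path produced the signature. The key is a constructed small one so the script runs instantly; the fault model (one corrupted half-exponentiation, or one flipped bit in the fallback result) is a simplification assumed for the example and is not the voltage-glitch technique of the paper, whose attack on the fallback exponentiation is not reproduced here.

```python
# Added example (not from the mailing-list thread or from OpenSSL): toy RSA-CRT
# signing with an injectable fault, the gcd factor recovery from one faulty CRT
# signature, and the difference between verifying only the CRT result and
# verifying every result before it is released.
from math import gcd

# Constructed toy key: small primes so the script runs instantly.
# Real keys are 2048 bits or more; the arithmetic below is identical.
P = 1000003
Q = 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)        # private exponent (Python 3.8+ modular inverse)
DP = D % (P - 1)           # CRT exponent mod p
DQ = D % (Q - 1)           # CRT exponent mod q
QINV = pow(Q, -1, P)       # q^-1 mod p, used for Garner recombination


def crt_sign(m, faulty=False):
    """RSA-CRT signature of 0 < m < N.

    faulty=True corrupts the mod-q half, standing in for a hardware fault
    that hits one of the two half-exponentiations (assumed fault model)."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if faulty:
        sq = (sq + 1) % Q  # any wrong value in one half is enough
    h = (QINV * (sp - sq)) % P
    return (sq + Q * h) % N  # correct mod p regardless of sq, wrong mod q if faulty


def plain_sign(m, faulty=False):
    """Fallback path: straight modular exponentiation (think bn_mod_exp).

    faulty=True flips one bit of the result, standing in for a fault that
    hits the fallback computation instead (assumed fault model)."""
    s = pow(m, D, N)
    return s ^ 1 if faulty else s


def verify(m, s):
    """Public-key check that s is a valid signature of m."""
    return pow(s, E, N) == m


def recover_factor(m, s_bad):
    """Factor N from one faulty CRT signature.

    s_bad is correct mod p but wrong mod q, so s_bad^e - m is 0 mod p and
    nonzero mod q (the e-th root mod q is unique); gcd with N yields p."""
    return gcd((pow(s_bad, E, N) - m) % N, N)


def sign_fallback_unchecked(m, crt_faulty=False, fallback_faulty=False):
    """Mirrors the weakness discussed in the thread: the CRT result is
    verified, but whatever the fallback produces is released unchecked."""
    s = crt_sign(m, crt_faulty)
    if verify(m, s):
        return s
    return plain_sign(m, fallback_faulty)  # never verified


def sign_checked(m, crt_faulty=False, fallback_faulty=False):
    """Hardened variant: no signature leaves this function unverified."""
    s = crt_sign(m, crt_faulty)
    if verify(m, s):
        return s
    s = plain_sign(m, fallback_faulty)
    if not verify(m, s):
        raise RuntimeError("signature failed self-check; refusing to release it")
    return s


if __name__ == "__main__":
    m = 123456789  # constructed message representative
    s_bad = crt_sign(m, faulty=True)
    print("faulty CRT signature verifies:", verify(m, s_bad))
    print("factor recovered from it:", recover_factor(m, s_bad), "== P:",
          recover_factor(m, s_bad) == P)
    print("unchecked fallback releases a bad signature:",
          not verify(m, sign_fallback_unchecked(m, True, True)))
```

The factor-recovery function only applies to a faulty CRT result; a corrupted fallback signature does not in general share the correct-mod-p structure, which is why the fallback needs a different attack and why the simple defence is the same for both paths: verify the signature with the public exponent before returning it, on every path, and refuse to output anything that fails the check.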
