Bug 1488723 - No constant-time implementation of P384
Status: Closed (opened 7 years ago, closed 7 years ago)
Categories: Cloud Services :: Security, defect
Tracking: Not tracked
Resolution: RESOLVED WONTFIX
People: Reporter u621419, Unassigned
Keywords: sec-low
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180808222917
Steps to reproduce:
The content signature code in Autograph makes use of the ECDSA module from Golang's default cryptography library for implementing P256-, P384- and P521-ECDSA signatures.
The implementation of big number arithmetic and elliptic curve DSA in Golang's cryptography library for P384 and P521 is not constant-time, i.e. the time a signature computation takes depends on bits of the secret key. Normandy (and Firefox) is hard-coded to only use P384-ECDSA, which is affected.
An Autograph user with correct credentials to sign data could mount an attack to extract information about the protected secret key from Autograph by requesting signatures and measuring the time until the requests are answered. To deduce the complete secret key, a great number of requests would be necessary.
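The measurement the report describes (sign repeatedly, time each request, look for key-dependent differences), written up as an added example that is not Autograph's code and not part of the bug: a Go harness that times ecdsa.SignASN1 with one fixed key against fresh random keys and compares the two latency distributions with Welch's t statistic, the fixed-vs-random test that constant-time checkers such as dudect use (dudect treats |t| > 10 as a failed test). The curves, the sample count and the constructed message are assumptions for illustration. It measures in-process, so it is an upper bound on what a remote Autograph client would see through network jitter, which is why the report expects a great number of requests. Go 1.19 replaced the P-384 and P-521 arithmetic with constant-time code generated from fiat-crypto, so on a current toolchain the statistic should stay small on all three curves; the harness is still the check to run before trusting that claim for a given build.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"log"
	"math"
	"time"
)

// Sample is a list of signing latencies in nanoseconds for one measurement class.
type Sample []float64

// MeanVar returns the mean and the unbiased sample variance of s.
func MeanVar(s Sample) (mean, variance float64) {
	if len(s) == 0 {
		return 0, 0
	}
	for _, v := range s {
		mean += v
	}
	mean /= float64(len(s))
	if len(s) < 2 {
		return mean, 0
	}
	for _, v := range s {
		d := v - mean
		variance += d * d
	}
	variance /= float64(len(s) - 1)
	return mean, variance
}

// WelchT returns Welch's t statistic for samples a and b (unequal variances
// allowed). A large |t| means the two latency distributions differ, i.e. the
// signing time depends on which class of key was used.
func WelchT(a, b Sample) float64 {
	if len(a) == 0 || len(b) == 0 {
		return 0
	}
	ma, va := MeanVar(a)
	mb, vb := MeanVar(b)
	denom := math.Sqrt(va/float64(len(a)) + vb/float64(len(b)))
	if denom == 0 {
		// No spread in either sample: equal means are indistinguishable,
		// different means are separated with certainty.
		if ma == mb {
			return 0
		}
		return math.Copysign(math.Inf(1), ma-mb)
	}
	return (ma - mb) / denom
}

// timeSign measures a single ecdsa.SignASN1 call with an already generated key.
func timeSign(priv *ecdsa.PrivateKey, digest []byte) (float64, error) {
	start := time.Now()
	_, err := ecdsa.SignASN1(rand.Reader, priv, digest)
	return float64(time.Since(start).Nanoseconds()), err
}

// FixedVsRandomKey is the fixed-vs-random leakage test applied to the private
// key on curve c: the "fixed" class signs n times with one key, the "random"
// class signs n times with a fresh key each time. The two classes are
// interleaved so clock drift and scheduling noise hit both equally, and key
// generation is kept outside the timed window.
func FixedVsRandomKey(c elliptic.Curve, n int) (Sample, Sample, error) {
	fixedKey, err := ecdsa.GenerateKey(c, rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Constructed message; any fixed digest works for the timing comparison.
	digest := sha256.Sum256([]byte("constructed test message"))
	var fixed, random Sample
	for i := 0; i < n; i++ {
		randomKey, err := ecdsa.GenerateKey(c, rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		t, err := timeSign(fixedKey, digest[:])
		if err != nil {
			return nil, nil, err
		}
		fixed = append(fixed, t)
		t, err = timeSign(randomKey, digest[:])
		if err != nil {
			return nil, nil, err
		}
		random = append(random, t)
	}
	return fixed, random, nil
}

func main() {
	const n = 2000 // assumed sample size; raise it to sharpen the statistic
	for _, c := range []elliptic.Curve{elliptic.P256(), elliptic.P384(), elliptic.P521()} {
		fixed, random, err := FixedVsRandomKey(c, n)
		if err != nil {
			log.Fatal(err)
		}
		mf, _ := MeanVar(fixed)
		mr, _ := MeanVar(random)
		fmt.Printf("%-5s fixed-key mean %8.0f ns  random-key mean %8.0f ns  Welch t %6.2f\n",
			c.Params().Name, mf, mr, WelchT(fixed, random))
	}
}
```

Run it pinned to one core with the machine otherwise idle; a |t| that grows as n grows is the signal, a |t| that hovers near zero regardless of n is what a constant-time implementation looks like. The fixed-vs-random design only detects that the key influences timing, not which bits; recovering the key from that leak is the separate, much more expensive step the report alludes to.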
Updated • 7 years ago
Group: firefox-core-security → cloud-services-security
Component: Untriaged → Security
Product: Firefox → Cloud Services
QA Contact: jvehent
Comment 1 • 7 years ago
Wontfix, for two reasons:
1. requires valid autograph credentials that would let an attacker sign arbitrary stuff, so the constant time issue is secondary.
2. the plan is to move crypto operations to an HSM in Q4, so we will move away from Golang's ecdsa crypto in the near future.
Group: cloud-services-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Keywords: sec-low
Resolution: --- → WONTFIX