320582 - ECDSA_SignDigestWithSeed should doublecheck the generated signature.

Status: RESOLVED FIXED

(NSS :: Libraries, enhancement, P3)

Description

[Wan-Teh Chang]

ANSI X9.62, Section 5.3.4 says:

  As an optional security check (to guard against
  malicious or non-malicious errors in the signature
  generation process), the signer may verify that
  (r, s) is indeed a valid signature for message M
  using the signature verification process described
  in Section 5.4 [Signagture Verification].

We may want to implement this optional security check
in ECDSA_SignDigestWithSeed.

For RSA, we have two versions of the private key operation
function: RSA_PrivateKeyOp and RSA_PrivateKeyOpDoubleChecked.
I'm wondering if we should do the same with
ECDSA_SignDigestWithSeed.

Comment 1

[Nelson Bolyard (seldom reads bugmail)]

Yes, I agree NSS should do this.  I'm surprised it's not a FIPS requirement.
But maybe ECDSA isn't vulnerable in the same way RSA is to this issue. ?

Comment 2

[Douglas Stebila]

(In reply to comment #1)
> Yes, I agree NSS should do this.  I'm surprised it's not a FIPS requirement.
> But maybe ECDSA isn't vulnerable in the same way RSA is to this issue. ?

In our conference call we noted that this would be quite detrimental to performance (more than doubling the time of an ECDSA_SignDigest call, since an ECDSA verification is more expensive than an ECDSA signing.  I recommend we close this bug.

Comment 3

[Nelson Bolyard (seldom reads bugmail)]

I'd be satisfied even if this test occurred only in Debug builds.

Comment 4

[Anna Weine]

Attachment: Bug 320582 - Implementation of the double-signing of the message for ECDSA.

Comment 5

[John Schanck [:jschanck]]

https://hg.mozilla.org/projects/nss/rev/9478ce57b905ac6a4242d6ac4def39f7cd54adf6