Bug 834116
Opened 11 years ago
Closed 11 years ago
RSA PKCS#1 v1.5 decryption is not constant time
Categories: NSS :: Libraries, defect
Tracking: Not tracked
Status: RESOLVED DUPLICATE of bug 577498
People
(Reporter: ryan.sleevi, Assigned: ryan.sleevi)
Details
The decryption of PKCS#1 v1.5 formatted blocks in softoken is not performed in constant time. This allows an attacker to distinguish the various error conditions involved and mount a variant of Bleichenbacher's attack.

From RFC 3447, 7.2.2 (RSAES-PKCS1-V1_5-DECRYPT (K, C)):

"Note. Care shall be taken to ensure that an opponent cannot distinguish the different error conditions in Step 3, whether by error message or timing. Otherwise an opponent may be able to obtain useful information about the decryption of the ciphertext C, leading to a strengthened version of Bleichenbacher's attack [6]; compare to Manger's attack [36]."
Comment 1•11 years ago
The decode also does not correctly validate that the padding string is at least 8 octets.
Comment 2•11 years ago
Is there enough timing difference to mount this attack remotely? How bad a problem is it for a browser in practice?
Comment 3•11 years ago
I've not investigated how significant the timing distinction is, but it is a clear point that the NSS PKCS#1 v1.5 operation is non-constant-time, so it means it is possible to mount a Bleichenbacher attack. The existing implementation has the following issues:

1) Non-constant comparison of the first two bytes
2) Short-circuits (goto done) if the first two bytes are not correct
3) Non-constant search for the end of the padding string
4) Short-circuits if the padding string terminator is not found
5) Non-constant time copy into the caller's buffer

These are all enough to provide enough distinguishers for a Bleichenbacher attack. Whether the difference is enough to observe remotely, I don't know, but when considering other consumers of NSS (including potential Web Crypto), it's enough to be 'an issue'.

This is further exacerbated by the fact that libssl doesn't pre-generate the random key used to defend against TLS-layer Bleichenbacher attacks, which means there are even more distinguishing differences between valid and invalid PKCS#1v1.5 messages. See http://mxr.mozilla.org/security/source/security/nss/lib/ssl/ssl3con.c?mark=7935-7936,7943-7948#7929

Note that this results in the acquisition of several mutexes and non-constant-time operations, which may make it even more practical to mount an attack against NSS servers.
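The five defects listed in comment 3 all come from a padding check that branches or indexes on secret data. As an added illustration (not NSS code and not taken from this bug), the following C routine performs RSAES-PKCS1-v1_5 unpadding in constant time: it compares both header bytes without short-circuiting, scans the whole buffer for the terminator, enforces the 8-octet minimum padding string that comment 1 notes is missing, and copies the message with a mask-select loop rather than a secret-dependent offset. The test vectors are constructed, with a 16-byte block length chosen only for brevity.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mask helpers: all-ones when the relation holds, else 0, computed without branches. */
static uint32_t ct_eq(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;
    return ((x | (0u - x)) >> 31) - 1u;        /* x == 0  ->  0 - 1 = 0xFFFFFFFF */
}
static uint32_t ct_lt(uint32_t a, uint32_t b) { /* a < b, for a, b < 2^31 */
    return 0u - ((a - b) >> 31);
}

/* Constant-time RSAES-PKCS1-v1_5 unpadding of EM = 00 || 02 || PS || 00 || M.
   Returns all-ones on success, 0 on failure. Every byte of em is examined and the
   copy into out (at least em_len bytes) does identical work on every path, so none
   of the failure modes is distinguishable by timing. Added example, not NSS code. */
static uint32_t pkcs1_v15_unpad_ct(const uint8_t *em, size_t em_len,
                                   uint8_t *out, size_t *out_len) {
    uint32_t good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02); /* both bytes, no short-circuit */
    uint32_t found = 0, zero_idx = 0;
    for (uint32_t i = 2; i < em_len; i++) {     /* scan the whole buffer for the first 00 */
        uint32_t is_zero = ct_eq(em[i], 0x00);
        zero_idx |= i & is_zero & ~found;
        found |= is_zero;
    }
    good &= found;                 /* terminator must exist ... */
    good &= ct_lt(9, zero_idx);    /* ... and PS = em[2..zero_idx-1] must be >= 8 octets */
    uint32_t msg_start = zero_idx + 1;
    *out_len = ((uint32_t)em_len - msg_start) & good;
    for (uint32_t j = 0; j < em_len; j++) {     /* oblivious copy: select by mask, never index by secret */
        uint8_t v = 0;
        for (uint32_t i = 0; i < em_len; i++)
            v |= em[i] & (uint8_t)ct_eq(i, msg_start + j);
        out[j] = v;
    }
    return good;
}
/* Constructed vectors (k = 16 for brevity; real RSA keys give k >= 128). */
static const uint8_t kGoodEm[16]    = {0x00,0x02,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,'a','b','c','d','e'};
static const uint8_t kShortPsEm[16] = {0x00,0x02,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x00,'a','b','c','d','e','f'};
static const uint8_t kBadTypeEm[16] = {0x00,0x01,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,'a','b','c','d','e'};
static const uint8_t kNoTermEm[16]  = {0x00,0x02,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,'a','b','c','d','e'};
/* 1 = accepted and M equals want; 0 = rejected; -1 = accepted with the wrong M. */
static int check_case(const uint8_t *em, size_t em_len, const char *want) {
    uint8_t out[64]; size_t n;
    if (pkcs1_v15_unpad_ct(em, em_len, out, &n) == 0) return 0;
    return (want && n == strlen(want) && memcmp(out, want, n) == 0) ? 1 : -1;
}
```

The caller must still treat a zero mask the same way on every path (for TLS, by substituting a pre-generated random premaster secret) so that the decision itself does not reintroduce the distinguisher.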
Updated•11 years ago
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Updated•9 years ago
Group: core-security → core-security-release
Updated•2 years ago
Group: core-security-release