ECDSA: Fix side channel vulnerability The blinding applied to the scalar before modular inversion is inadequate. Bignum is not constant time/constant trace, side channel attacks can retrieve the blinded value, factor it (it is smaller than RSA keys and not guaranteed to have only large prime factors). Then the key can be recovered by brute force. Reducing the blinded value makes factoring useless because the adversary can only recover pk*t+z*N instead of pk*t.

commit: 6bd8c0ae2ac418b0c157998dac42da53634c36ef [log] [tgz]
author: Janos Follath <janos.follath@arm.com> Thu Oct 17 10:18:51 2019 +0100
committer: Simon Butcher <simon.butcher@arm.com> Fri Mar 13 15:25:39 2020 +0000
tree: 6b49660711043fb76feaa7a9dfc3a343e7d79339
parent: bb3d55665e111eb85202a13d90dae8268b468f0d [diff] [blame]
diff --git a/library/ecdsa.c b/library/ecdsa.c
index a9734f6..6577785 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c

@@ -363,6 +363,7 @@
         MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pk, pk, &t ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pk, pk, &grp->N ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, pk, &grp->N ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );
commit	6bd8c0ae2ac418b0c157998dac42da53634c36ef	[log] [tgz]
author	Janos Follath <janos.follath@arm.com>	Thu Oct 17 10:18:51 2019 +0100
committer	Simon Butcher <simon.butcher@arm.com>	Fri Mar 13 15:25:39 2020 +0000
tree	6b49660711043fb76feaa7a9dfc3a343e7d79339
parent	bb3d55665e111eb85202a13d90dae8268b468f0d [diff] [blame]