Vigil@nce - OpenSSL: obtain the ECC secret key via BN_nist_mod_384
December 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use an error in the BN_nist_mod_384() function, in
order to progressively guess the secret key of a TLS server using
elliptic curves.
Severity: 2/4
Creation date: 01/12/2011
IMPACTED PRODUCTS
– OpenSSL
DESCRIPTION OF THE VULNERABILITY
OpenSSL can be used to create an encrypted session using elliptic
curves:
– ECDH: elliptic curves and Diffie-Hellman
– ECDHE: elliptic curves and Ephemeral Diffie-Hellman
The elliptic curves are defined by NIST: P-256 and P-384.
The BN_nist_mod_384() function of OpenSSL computes a modulo
operation, for P-256 and P-384. However, due to an optimization,
some values generate invalid results on a 32-bit processor.
An attacker can use these special values, in order to
progressively guess the secret key. Note: with ECDHE and
SSL_OP_SINGLE_ECDH_USE, this secret key is only used once.
An attacker can therefore use an error in the BN_nist_mod_384()
function, in order to guess the secret key of a TLS server using
elliptic curves.
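An arithmetic error of this kind in an optimized reduction is what a differential test is meant to catch. The following is an added example, not OpenSSL's code and not part of the bulletin: it implements the word-based fast reduction that NIST published for the P-384 prime and compares it with plain `%` on constructed edge cases and random inputs. All function names are hypothetical.

```python
import random

P384 = 2**384 - 2**128 - 2**96 + 2**32 - 1   # NIST P-384 prime
MASK32 = 0xFFFFFFFF
Z = None                                     # marks a zero word
# Published fast-reduction terms: (weight, 12 input-word indices, most significant first)
TERMS = [
    (+1, (11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0)),
    (+2, (Z, Z, Z, Z, Z, 23, 22, 21, Z, Z, Z, Z)),
    (+1, (23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12)),
    (+1, (20, 19, 18, 17, 16, 15, 14, 13, 12, 23, 22, 21)),
    (+1, (19, 18, 17, 16, 15, 14, 13, 12, 20, Z, 23, Z)),
    (+1, (Z, Z, Z, Z, 23, 22, 21, 20, Z, Z, Z, Z)),
    (+1, (Z, Z, Z, Z, Z, Z, 23, 22, 21, Z, Z, 20)),
    (-1, (22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 23)),
    (-1, (Z, Z, Z, Z, Z, Z, Z, 23, 22, 21, 20, Z)),
    (-1, (Z, Z, Z, Z, Z, Z, Z, 23, 23, Z, Z, Z)),
]

def fast_reduce_p384(c):
    """Reduce a 768-bit value modulo P-384 using 32-bit word shuffles."""
    if not 0 <= c < 2**768:
        raise ValueError("input must fit in 24 words of 32 bits")
    w = [(c >> (32 * i)) & MASK32 for i in range(24)]
    acc = 0
    for weight, idx in TERMS:
        term = 0
        for i in idx:                        # rebuild the 384-bit term word by word
            term = (term << 32) | (0 if i is Z else w[i])
        acc += weight * term
    while acc < 0:                           # final correction: a few multiples of p
        acc += P384
    while acc >= P384:
        acc -= P384
    return acc

def edge_cases():
    """Constructed inputs that stress carry and borrow handling."""
    full = 2**768 - 1
    yield from (0, 1, P384 - 1, P384, P384 + 1, (P384 - 1) ** 2, full)
    for i in range(24):                      # one all-ones, then one all-zero, word
        yield MASK32 << (32 * i)
        yield full ^ (MASK32 << (32 * i))

def differential_test(rounds=2000, seed=1):
    """Return every input where the fast path disagrees with c % p."""
    rng = random.Random(seed)
    cases = list(edge_cases()) + [rng.getrandbits(768) for _ in range(rounds)]
    return [c for c in cases if fast_reduce_p384(c) != c % P384]
```

An empty list from `differential_test()` means the fast path agreed with the reference on every input tried; the same harness can wrap a native 32-bit implementation under test in place of `fast_reduce_p384`.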
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OpenSSL-obtain-the-ECC-secret-key-via-BN-nist-mod-384-11186