Vigil@nce - Libgcrypt: information disclosure via ECDH
March 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker, who is located near the computer, can capture
electromagnetic data during an ECDH encryption on Libgcrypt, in
order to obtain information about the private key.
Impacted products: Debian, GnuPG, openSUSE, Slackware, Ubuntu,
Unix (platform) not comprehensive.
Severity: 1/4.
Creation date: 15/02/2016.
DESCRIPTION OF THE VULNERABILITY
The Libgcrypt library implements an encryption algorithm based on
ECDH (Elliptic Curve Diffie Hellman).
However, during the encryption of a known chosen ciphertext, an
attacker can capture electromagnetic emanations from the computer,
to obtain information about interruptions, and compute the ECDH
key.
An attacker, who is located near the computer, can therefore
capture electromagnetic data during an ECDH encryption on
Libgcrypt, in order to obtain information about the private key.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Libgcrypt-information-disclosure-via-ECDH-18938