Date: Wed, 8 Jun 2016 11:54:31 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-2178: OpenSSL DSA follows a non-constant time codepath for certain operations

Hi,

Just off Twitter:

<mjos_crypto> Out today: This is the OpenSSL side-channel vulnerability I mentioned last week; now on ePrint. Also CVE-2016-2178. http://eprint.iacr.org/2016/594
<@...s_crypto> @mjos_crypto Currently unfixed in essentially all distros.
<mjos_crypto> Note that CVE-2016-2178 / http://eprint.iacr.org/2016/594.pdf most severely actually impacts OpenSSH, which uses the OpenSSL library.
<mjos_crypto> Cesar's CVE-2016-2178 patch for the OpenSSL library from Monday. https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2

http://eprint.iacr.org/2016/594

| "Make Sure DSA Signing Exponentiations Really are Constant-Time"
|
| Cesar Pereida García and Billy Bob Brumley and Yuval Yarom
|
| Abstract: TLS and SSH are two of the most commonly used protocols for securing Internet traffic. Many of the implementations of these protocols rely on the cryptographic primitives provided in the OpenSSL library. In this work we disclose a vulnerability in OpenSSL, affecting all versions and forks (e.g. LibreSSL and BoringSSL) since roughly October 2005, which renders the implementation of the DSA signature scheme vulnerable to cache-based side-channel attacks. Exploiting the software defect, we demonstrate the first published cache-based key-recovery attack on these protocols: 260 SSH-2 handshakes to extract a 1024/160-bit DSA host key from an OpenSSH server, and 580 TLS 1.2 handshakes to extract a 2048/256-bit DSA key from an stunnel server.
|
| Category / Keywords: applied cryptography; digital signatures; side-channel analysis; timing attacks; cache-timing attacks; DSA; OpenSSL; CVE-2016-2178
|
| Date:
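As an added illustration (not OpenSSL's code and not from the paper or this post), the property the subject line refers to: the DSA signing exponentiation g^k mod p uses the per-signature secret k, so its control flow and memory accesses must not depend on k's bits. `modexp_branchy` is the non-constant-time square-and-multiply pattern, `modexp_ladder` a branch-free Montgomery ladder; both are hypothetical names on a toy 64-bit modulus, and the multiply counter makes the data dependence visible.

```c
#include <stdint.h>
#include <stdio.h>

typedef unsigned __int128 u128;

/* (a * b) mod m without 64-bit overflow; toy modulus, not a DSA-sized one */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (uint64_t)(((u128)a * b) % m);
}

/* Non-constant-time square-and-multiply: the multiply runs only for 1 bits
 * of the secret exponent k, so timing and cache traces depend on k. */
uint64_t modexp_branchy(uint64_t g, uint64_t k, uint64_t p, unsigned *mults) {
    uint64_t r = 1;
    *mults = 0;
    for (int i = 63; i >= 0; i--) {
        r = mulmod(r, r, p);
        if ((k >> i) & 1) {            /* secret-dependent branch */
            r = mulmod(r, g % p, p);
            (*mults)++;
        }
    }
    return r;
}

/* Montgomery ladder: one square and one multiply for every bit; the bit
 * only drives a branch-free conditional swap, so the work is fixed. */
uint64_t modexp_ladder(uint64_t g, uint64_t k, uint64_t p, unsigned *mults) {
    uint64_t r0 = 1, r1 = g % p;       /* invariant: r1 == r0 * g (mod p) */
    *mults = 0;
    for (int i = 63; i >= 0; i--) {
        uint64_t mask = 0 - ((k >> i) & 1);   /* all ones iff bit is 1 */
        uint64_t t = (r0 ^ r1) & mask;         /* swap when bit is 1 */
        r0 ^= t; r1 ^= t;
        r1 = mulmod(r0, r1, p);
        r0 = mulmod(r0, r0, p);
        t = (r0 ^ r1) & mask;                  /* swap back */
        r0 ^= t; r1 ^= t;
        *mults += 2;
    }
    return r0;
}

int main(void) {
    unsigned mb, ml;
    uint64_t p = 1000000007ULL, g = 12345, k = 0xDEADBEEFCAFEBABEULL;
    uint64_t a = modexp_branchy(g, k, p, &mb), b = modexp_ladder(g, k, p, &ml);
    printf("equal=%d branchy mults=%u (popcount of k) ladder mults=%u\n",
           a == b, mb, ml);
    return 0;
}
```

The branchy count equals the Hamming weight of k while the ladder always does 128 multiplies, which is the difference the OpenSSL fix restores by forcing the constant-time path for DSA's k.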