Avoid using unblinded Montgomery ladder during ECC key generation - botan.git - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Jack Lloyd <[email protected]>	2018-12-16 20:33:49 -0500
committer	Jack Lloyd <[email protected]>	2018-12-18 10:20:35 -0500
commit	70aa7303acfff9eefc24598c289a84db3579ebd1 (patch)
tree	56506633ac75588c95c7b9277e61e13d932aa85e /src/lib/x509/x509_ca.cpp
parent	c36f2885b896de0db5713b1bda0a294fc4060909 (diff)

Avoid using unblinded Montgomery ladder during ECC key generation

As doing so means that information about the high bits of the scalar can leak via timing since the loop bound depends on the length of the scalar. An attacker who has such information can perform a more efficient brute force attack (using Pollard's rho) than would be possible otherwise. Found by Ján Jančár (@J08nY) using ECTester (https://github.com/crocs-muni/ECTester) CVE-2018-20187

Diffstat (limited to 'src/lib/x509/x509_ca.cpp')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: