A DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU.
These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.
This issue is CVE-2019-6486. It was found and reported by the Wycheproof project.
Change https://golang.org/cl/159218 mentions this issue: crypto/elliptic: reduce subtraction term to prevent long busy loop
Can you elaborate on this, thank you:
"if an ECDH private key is reused more than once, the attack can also lead to key recovery."
If ECDH is used in an Ephemeral-Static protocol, the attacker can use multiple tries to recover the static private key. crypto/tls does not reuse ECDH private keys, so is unaffected, but certain JWT encryption modes are based on ECDH-ES, so would be affected if the private key is a P-384 or P-521 key.
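As an added illustration of the ECDH-ES case described in the reply above (not code from this thread or from the Go project): a small triage helper that reads the protected header of a compact JWE and reports whether it requests ECDH-ES key agreement on P-384 or P-521. The names `UsesAffectedCurve` and `constructedJWE` are hypothetical, the `alg`, `epk` and `crv` fields are the JOSE header parameters from RFC 7518, and the sample tokens are constructed with placeholder segments.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// jweHeader holds the JOSE header fields relevant to ECDH-ES key agreement.
type jweHeader struct {
	Alg string `json:"alg"`
	Epk struct {
		Crv string `json:"crv"`
	} `json:"epk"`
}

// UsesAffectedCurve reports whether a compact JWE asks the recipient to run
// ECDH-ES with an ephemeral public key on P-384 or P-521.
func UsesAffectedCurve(compactJWE string) (bool, error) {
	parts := strings.Split(compactJWE, ".")
	if len(parts) != 5 {
		return false, fmt.Errorf("not a compact JWE: %d segments", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return false, fmt.Errorf("protected header: %w", err)
	}
	var h jweHeader
	if err := json.Unmarshal(raw, &h); err != nil {
		return false, fmt.Errorf("protected header: %w", err)
	}
	// Covers "ECDH-ES" and the "ECDH-ES+A*KW" key-wrap variants.
	if !strings.HasPrefix(h.Alg, "ECDH-ES") {
		return false, nil
	}
	return h.Epk.Crv == "P-384" || h.Epk.Crv == "P-521", nil
}

// constructedJWE builds a sample token; every segment after the header is a placeholder.
func constructedJWE(alg, crv string) string {
	hdr := fmt.Sprintf(`{"alg":%q,"enc":"A256GCM","epk":{"kty":"EC","crv":%q,"x":"AA","y":"AA"}}`, alg, crv)
	return base64.RawURLEncoding.EncodeToString([]byte(hdr)) + ".AA.AA.AA.AA"
}

func main() {
	for _, crv := range []string{"P-256", "P-384", "P-521"} {
		hit, err := UsesAffectedCurve(constructedJWE("ECDH-ES", crv))
		fmt.Println(crv, hit, err)
	}
}
```

A hit only means the token exercises the code path discussed here; whether the service is exposed still depends on the Go version it was built with and on whether the recipient key is static.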
Was this issue introduced with go v1.10? Should we be updating projects using versions below v1.10?
No, this was introduced earlier, but we only support the last two Go releases.
Out of curiosity, why didn't we remove this "Add(P)" altogether? Mod(P) is always called afterwards and the specification of big.Int.Mod says it will never return a negative number if P > 0.
@remyoudompheng Security patches aim to be as minimal as possible. A follow-up change will indeed significantly simplify that function.
This was not mentioned in the announcement by my mistake, but this issue was found by running Wycheproof test vectors, and reported by the Wycheproof team.