Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Non-conforming ECDSA signature generation #833

Closed
emil-wire opened this issue Jul 26, 2024 · 2 comments
Closed

Non-conforming ECDSA signature generation #833

emil-wire opened this issue Jul 26, 2024 · 2 comments

Comments

@emil-wire
Copy link

Hello 👋
I'm Emil, Security Engineer at Wire (github.com/wireapp) an E2EE secure messenger. We recently conducted a security audit of our core-crypto library which implements the MLS standard and the external researchers found an issue in the P256 + RFC6979 implementation leading to non conforming signatures.

private key = 1888cb732fea4353451b856e4f2c0715163bcf4bb7788ab44f70ef9ff9727167
message = 049a27b521c74e81

Expected signature:

9ac51396b0c8d0a5a082b5d88b45760504c1e7c8ba1a49e8b40f4098ac74c757563050ecbfc45165503f9ef57b3039baae0000d6eebcecd922bb280b35d2db79

Actual signature using p256 version 0.13.2

5dcd6baac9e02e2351763333d40d73157d4fee343954c7a380c7fb688f9ef9609f473dcdbc0fbc2bcf020ac3cf5eeed9d88634c0014419a0bdc4c0f88341ca57

This seems to have been fixed in p256 0.14.0-pre.0 which produces the correct signature.

Since this doesn't have security implications for Wire but might have implications for other users, I'd suggest investigating the implementation.

Cheers & thank you for your work <3

PS: A more detailed writeup is available to @tarcieri
@tarcieri
Copy link
Member

tarcieri commented Jul 26, 2024
edited
Loading

This was likely fixed in #777, which was an oversight. I could potentially backport it to older versions of ecdsa.

While it's a bug, it's one I don't believe to be security-critical in that the miscomputed k values are still uniformly random HMAC-DRBG output, and in that regard if someone were to use our buggy implementation as well as a correct one which produce two different k values for the same message, that's no different from signing the same message twice with two different (uniformly) randomly generated k values.

Security critical impacts would either involve reuse of k or producing a k which is not uniformly random, neither of which is happening here.

@tarcieri
Copy link
Member

Hmm, I tried cherry-picking #777 onto ecdsa v0.16.9, but that didn't seem to address the issue, so I'm not sure there's a quick fix here.

There was some significant work on the rfc6979 crate to improve it and bring it more in line with the RFC, which also included API changes (#773, #781, #775).

I'm going to close this as "fixed on master" as I can't figure out an easy way to backport the fixes to v0.16.x.

@tarcieri tarcieri mentioned this issue Nov 12, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tarcieri @emil-wire