Bug 944835 - VUL-0: RSA-CRT key leaks overall tracker bug
VUL-0: RSA-CRT key leaks overall tracker bug
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/156271/
:
Depends on: 944836 CVE-2015-5738
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-08 13:16 UTC by Marcus Meissner
Modified: 2015-09-22 09:11 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2015-09-08 13:16:59 UTC
+++ This bug was initially created as a clone of Bug #944456 +++

This is the overall tracker bug. Make clones for specific packages.

Back in 1996, Arjen Lenstra described an attack against an optimization (called the Chinese Remainder Theorem optimization, or RSA-CRT for short). If a fault happened during the computation of a signature (using the RSA-CRT optimization), an attacker might be able to recover the private key from the signature (an “RSA-CRT key leak”). At the time, use of cryptography on the Internet was uncommon, and even ten years later, most TLS (or HTTPS) connections were immune to this problem by design because they did not use RSA signatures. This changed gradually, when forward secrecy for TLS was recommended and introduced by many web sites.

An observer of the private key leak can use this information to cryptographically impersonate the server, after redirecting network traffic, conducting a man-in-the-middle attack. Either the client making the TLS handshake can see this leak, or a passive observer capturing network traffic. The key leak also enables decryption of connections which do not use forward secrecy, without the need for a man-in-the-middle attack. However, forward secrecy must be enabled in the server for this kind of key leak to happen in the first place, and with such a server configuration, most clients will use forward secrecy, so an active attack will be required for configurations which can theoretically lead to RSA-CRT key leaks.


References:
https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
Comment 1 Sebastian Krahmer 2015-09-08 13:24:32 UTC
Some background that this can also happen due to mistakes in BN
implementations, not just on HW faults:

http://comsecuris.com/research/slides-bignum-bhus2015.pdf
Comment 2 Swamp Workflow Management 2015-09-08 22:00:30 UTC
bugbot adjusting priority
Comment 3 Swamp Workflow Management 2015-09-22 09:11:22 UTC
openSUSE-SU-2015:1596-1: An update that contains security fixes can now be installed.

Category: security (low)
Bug References: 944835
CVE References: 
Sources used:
openSUSE 13.2 (src):    libgcrypt-1.6.1-8.10.1
openSUSE 13.1 (src):    libgcrypt-1.5.4-2.12.1