lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4276CC31.9000307@securescience.net>
Date: Mon, 02 May 2005 17:56:17 -0700
From: SSC Advisory Notice <bugtraq@...urescience.net>
To: Secure Science Corporation Advisory Notice <bugtraq@...urityfocus.com>
Subject: Secure Science Corporation Advisory CSA-056


Secure Science Corporation Advisory CSA-056
http://www.securescience.net
e-response@...urescience.net
877-570-0455

---------------------------------------------------------

LibTomCrypt version <=1.02 contained weak signature scheme used
with ECC keys, allowing trivial signature forgeries.

---------------------------------------------------------

Vulnerability Classification: Cryptography - arbitrary message signing

Discovery Date: May 1, 2005
Vendor Reported Advisory
Discovery Published: May 2, 2005

Abstract:
---------
LibTomCrypt is a fairly comprehensive, modular and portable 
cryptographic toolkit that provides developers with a vast array of well 
known published block ciphers, one-way hash functions, chaining modes, 
pseudo-random number generators, public key cryptography and a plethora 
of other routines. A vulnerability was found by the author within the 
signature scheme used with the Elliptic Curve Cryptosystem routines that 
will allow arbitrary signatures to be created by an attacker.

Description:
------------
During recent cryptographic review by the author, a mathematical flaw 
was found within the implementation of the El Gamal signature algorithm 
used in LibTomCrypt versions <=1.02 An attacker can create a valid 
random signature by selecting a random value for a, and then computing 
(a^-1)C (where the inverse is modulo the order of the curve), 
essentially allowing an attacker to sign arbitrary messages without the 
private key.


Affected Vendors:
---------------
All vendors using LTC <=1.02 that apply ECC with signatures.

Vendor and Patch Information:
-----------------------------
Secure Science Corporation is distributing this advisory on behalf of 
the author. The author has stated that LibTomCrypt 1.03 will be released 
May 7, 2005 with X9.62 ECDSA implemented, a FIPS 180-2 standard.

Solution:
---------
X9.62 ECDSA implementation.


Credits:
--------
Secure Science Corporation - Tom St Denis

Disclaimer:
-----------
Secure Science Corporation is not responsible for the misuse of any of 
the information we provide on this website and/or through our security 
advisories. Our advisories are a service to our customers intended to 
promote secure installation and use of Secure Science Corporation products.




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ