[Cryptography] Montgomery multiplication bug in OpenSSL?

Hanno Böck hanno at hboeck.de
Sun Dec 6 18:16:02 EST 2015

On Sun, 6 Dec 2015 18:07:09 -0500
"Perry E. Metzger" <perry at piermont.com> wrote:

> The latest OpenSSL security announcement alluded to a bug in carries
> in the Montgomery multiplication code. This is a sufficiently
> unusual security bug in cryptographic code that it piqued my
> interest. Does anyone know details that they're willing to share with
> the list, both about the bug itself and what the likely implications
> are?

I'm the one who discovered this bug. Here's a writeup:

It is still an open question whether this is really exploitable. The DH
case seems to be the most plausible exploit scenario.

Also I have reason to believe this is not that unusual. We already had
a bug in BN_sqr earlier this year. I think testing bignum libraries is
something that needs to be done more thoroughly.

Hanno Böck

mail/jabber: hanno at hboeck.de
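
Added example, not part of the original message and not OpenSSL's code: a differential test of the kind the message asks for, checking a limb-by-limb Montgomery multiplication (the textbook CIOS method) against Python's arbitrary-precision integers on carry-heavy operands. The 32-bit limb width, all function names, and the `drop_top_carry` flag (a constructed carry bug, not the OpenSSL defect) are assumptions made for illustration.

```python
import random

W = 32                     # limb width in bits (assumed for this sketch)
MASK = (1 << W) - 1

def mont_mul(a, b, m, n, drop_top_carry=False):
    """CIOS Montgomery product a*b*R^-1 mod m with R = 2^(W*n), on explicit limbs.
    drop_top_carry=True plants a constructed carry bug for the harness to find."""
    A, B, M = ([(x >> (W * i)) & MASK for i in range(n)] for x in (a, b, m))
    m0inv = (-pow(M[0], -1, 1 << W)) & MASK          # -m^-1 mod 2^W, m must be odd
    t = [0] * (n + 2)
    for i in range(n):
        carry = 0
        for j in range(n):                           # t += A * B[i]
            s = t[j] + A[j] * B[i] + carry
            t[j], carry = s & MASK, s >> W
        s = t[n] + carry
        t[n], t[n + 1] = s & MASK, s >> W
        q = (t[0] * m0inv) & MASK                    # makes t + q*m divisible by 2^W
        carry = (t[0] + q * M[0]) >> W
        for j in range(1, n):                        # t = (t + q*m) >> W
            s = t[j] + q * M[j] + carry
            t[j - 1], carry = s & MASK, s >> W
        s = t[n] + carry
        t[n - 1], carry = s & MASK, s >> W
        t[n] = t[n + 1] + (0 if drop_top_carry else carry)
    r = sum(v << (W * i) for i, v in enumerate(t[:n + 1]))
    return r - m if r >= m else r                    # single conditional subtraction

def reference(a, b, m, n):
    """Same value computed with Python's arbitrary-precision integers."""
    return (a * b * pow(1 << (W * n), -1, m)) % m

def operands(m, n, rng):
    """Carry-heavy edge values plus random ones, all below m."""
    R = 1 << (W * n)
    edge = [0, 1, m - 1, m - 2, (R - 1) % m, (R >> 1) % m]
    return edge + [rng.randrange(m) for _ in range(6)]

def differential_test(impl=mont_mul, rounds=40, seed=1):
    """Return every (a, b, m, n) where impl disagrees with the reference."""
    rng, bad = random.Random(seed), []
    for k in range(rounds):
        n = 1 + k % 6                                # 1 to 6 limbs
        R = 1 << (W * n)
        # every fourth modulus is all-ones; the rest are random, odd, full-width
        m = R - 1 if k % 4 == 0 else rng.getrandbits(W * n) | 1 | (R >> 1)
        ops = operands(m, n, rng)
        bad += [(a, b, m, n) for a in ops for b in ops
                if impl(a, b, m, n) != reference(a, b, m, n)]
    return bad
```

The planted bug only shows up when the reduced value reaches R before the final subtraction, which is why the harness includes the all-ones modulus and operands just below it rather than relying on uniformly random inputs alone.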