Adding a nonce before hashing as covert channel
andrewg
andrewg at andrewg.com
Fri Dec 13 18:28:08 CET 2024
On 2024-12-13 17:07, James Bottomley wrote:
> On Fri, 2024-12-13 at 12:59 +0000, andrewg via Gnupg-devel wrote:
>>
>> Fault attacks require the generation of multiple signatures over the
>> same message digest. With an unsalted signature, it is sufficient to
>> induce a victim to sign the same message twice with the same
>> timestamp. With a salted signature, it is vanishingly improbable that
>> the same digest will ever be produced.
>
> Hey, that's a bit misleading.
Sorry, I did gloss over a lot of detail...
> For Elliptic Curves a distinct nonce is
> a required part of the signature scheme and the weakness is that if two
> different messages are ever signed by the same key using the *same*
> nonce then the private key can be mathematically recovered.
Sure, but in deterministic ECC signature schemes the nonce is calculated
from the message. In OpenPGP, the ECC "message" is the OpenPGP digest,
so adding a salt to the digest ensures that both the nonce and the
message are unique for every signature.
> However, while the faulted message attack sounds more
> plausible the same signature faulted second message is only achievable
> in a limited timeframe, the timespan for pulling off a faulted rng
> attack is the key lifetime, giving a determined attacker much more
> leeway to produce an identical nonce.
In OpenPGP all signatures contain a timestamp, so even if a determined
attacker was able to generate a large number of signatures using a
faulty RNG, the timestamp field would keep incrementing. The attacker
would need to either force a duplicate salt within ~1s, or find a hash
collision.
A
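The nonce-uniqueness argument above, as an added illustration that is not part of the thread or of GnuPG's code: a toy deterministic nonce derivation (RFC 6979 style HMAC of the digest, keyed by the private key) over a digest of message, timestamp and optional salt, showing when two signing events yield the same nonce. The 4-byte timestamp layout, the salt-first hashing order and the plain modular reduction are assumptions, not OpenPGP's real packet format.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Sequence, Tuple

# Toy model (assumed, not OpenPGP's real layout or GnuPG's real derivation):
# the signing input is message || 4-byte timestamp, optionally prefixed by a
# salt, and the ECC nonce k is derived deterministically as HMAC(private key,
# digest) reduced mod the group order (no RFC 6979 retry loop).
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def signature_digest(message: bytes, timestamp: int, salt: Optional[bytes]) -> bytes:
    """Hash what the signer commits to: optional salt, then message, then timestamp."""
    h = hashlib.sha256()
    if salt is not None:
        h.update(salt)  # a salted signature feeds the salt into the digest first
    h.update(message)
    h.update(timestamp.to_bytes(4, "big"))
    return h.digest()


def deterministic_nonce(private_key: bytes, digest: bytes) -> int:
    """Derive k from the digest alone: identical digests always give identical k."""
    mac = hmac.new(private_key, digest, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % P256_ORDER


def nonces_for(private_key: bytes, message: bytes,
               events: Sequence[Tuple[int, Optional[bytes]]]) -> List[int]:
    """One nonce per signing event (timestamp, salt); salt None means unsalted."""
    return [deterministic_nonce(private_key, signature_digest(message, t, s))
            for t, s in events]


def has_repeated_nonce(nonces: Sequence[int]) -> bool:
    """True if any two signing events derived the same nonce (the dangerous case)."""
    return len(set(nonces)) != len(nonces)


if __name__ == "__main__":
    key = os.urandom(32)                 # constructed sample private key
    msg = b"constructed sample message"  # constructed sample message
    t = 1734110888
    # Unsalted: the same message signed twice with the same timestamp repeats k.
    print(has_repeated_nonce(nonces_for(key, msg, [(t, None), (t, None)])))
    # Salted: fresh salts make every digest, and hence every nonce, distinct.
    print(has_repeated_nonce(nonces_for(key, msg, [(t, os.urandom(32)), (t, os.urandom(32))])))
    # Faulty RNG that repeats the salt: the incrementing timestamp still separates k.
    stuck = b"\x00" * 32
    print(has_repeated_nonce(nonces_for(key, msg, [(t, stuck), (t + 1, stuck)])))
```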