Verification Bugs (VRF) Examples
CVE20011585
BF Taxonomy
Cause: Missing Verification Step (challengeresponse) in public key authentication
Attributes:
Verified Data: Any Secret/Public
Data State: Transferred (over network)
Algorithm: Digital Signature (not using such allows private key not to be verified by public key)
Security Service: Identity Authentication
BF Description
Missing verification step (challengeresponse) in public key authentication allows private key for digital signature not to be verified by public key, which leads to identity authentication failure and may be exploited for IEX. [1]
CVE Description
"SSH protocol 2 (aka SSH2) public key authentication in the development snapshot of OpenSSH 2.3.1, available from 20010118 through 20010208, does not perform a challengeresponse step to ensure that the client has the proper private key, which allows remote attackers to bypass authentication as other users by supplying a public key from that user's authorized_keys file." [2]
Analysis
The following analysis is based on information in [3, 4]:
Source Code
Code With Bug 
Code With Fix 
Source Code Not Available


Source Code Not Available


CVE20152141
BF Taxonomy
Cause: Modification of Verification Algorithm by adding a step (blinding)
Attributes:
Verified Data: Any Secret/Public
Data State: Transferred (over network)
Algorithm: Digital Signature (RabinWilliams) (that allows obtaining the private key in cases of incorrect unblinding)
Security Service: Identity Authentication
BF Description
Modification of verification algorithm (digital signature, RabinWilliams) by adding a step (blinding before signing) allows obtaining the private key in cases of incorrect unblinding, which leads to identity authentication failure and may be exploited for IEX. [1]
CVE Description
"The InvertibleRWFunction::CalculateInverse function in rw.cpp in libcrypt++ 5.6.2 does not properly blind private key operations for the RabinWilliams digital signature algorithm, which allows remote attackers to obtain private keys via a timing attack." [5]
Analysis
The following analysis is based on information in [6, 7]: Having the private key allows an attacker to be authenticated as the owner of that key.
The software intends to use blinding to defend against a timing attack, as follows: Instead of signing the data directly, the data is first transformed using a secret random value (blinding) and then is digitally signed using a private key. At the end, the effect is removed (unblinding), so that there is signed data as if no transformation took place. See [6, 7] for blinding used for RSA.
The flaw in this CVE is in doing blinding/ unblinding incorrectly, so that in some cases the effect of the transformation is not removed from the data. This enables the attacker to use the transformed data to recover the private key using a mathematical calculation as described in [6]. In [6] it is observed that if the secret random integer used to transform the message is a quadratic residue modulo an appropriate integer, then the unblinding step correctly undoes the transformation. The fix in [20] assures that the integer is such a quadratic residue.
Source Code
Code With Bug 
1
2
3
4
5
6
7
8
9
10
11
 DoQuickSanityCheck();
ModularArithmetic modn(m_n);
Integer r, rInv;
do {// do this in a loop for people using small numbers for testing
r.Randomize(rng, Integer::One(), m_n  Integer::One());
rInv = modn.MultiplicativeInverse(r);
} while (rInv.IsZero());
Integer re = modn.Square(r);
re = modn.Multiply(re, x); // blind


Code With Fix 
1
2
3
4
5
6
7
8
9
10
11
 DoQuickSanityCheck();
ModularArithmetic modn(m_n);
Integer r, rInv;
do {// do this in a loop for people using small numbers for testing
r.Randomize(rng, Integer::One(), m_n  Integer::One());
// Squaring to satisfy Jacobi requirements suggested by JPM.
r = modn.Square(r);
rInv = modn.MultiplicativeInverse(r);
} while (rInv.IsZero());
Integer re = modn.Square(r);
re = modn.Multiply(re, x); // blind


References
[1] Bojanova, I., Black, P. E., Yesha, Y., Wu, Yan, Evans, Z., Poster: The Bugs Framework (BF) – First Classes: Buffer Overflow (BOF), Injection (INJ), Control of Interaction Frequency (CIF), STC 2017, NIST, Gaithersburg, MD, USA.
[2] The MITRE Corporation, CVE Common Vulnerabilities and Exposures, CVE20011585.