Verification Bugs (VRF) Examples
CVE-2001-1585
BF Taxonomy
Cause:
Missing Verification Step (challenge-response) in public key authentication
Attributes:
Verified Data: Any Secret/Public
Data State: Transferred (over network)
Algorithm: Digital Signature (not using one allows the private key not to be verified against the public key)
Security Service: Identity Authentication
BF Description
Missing verification step (challenge-response) in public key authentication allows the private key for a digital signature not to be verified by the public key, which leads to identity authentication failure and may be exploited for IEX. [1]
CVE Description
"SSH protocol 2 (aka SSH-2) public key authentication in the development snapshot of OpenSSH 2.3.1, available
from 2001-01-18 through 2001-02-08, does not perform a challenge-response step to ensure that the client has the
proper private key, which allows remote attackers to bypass authentication as other users by supplying a public
key from that user's authorized_keys file." [2]
Analysis
The following analysis is based on information in [3, 4]:
Source Code
Code With Bug: Source Code Not Available
Code With Fix: Source Code Not Available
CVE-2015-2141
BF Taxonomy
Cause:
Modification of Verification Algorithm by adding a step (blinding)
Attributes:
Verified Data: Any Secret/Public
Data State: Transferred (over network)
Algorithm: Digital Signature (Rabin-Williams) (allows obtaining the private key in cases of incorrect unblinding)
Security Service: Identity Authentication
BF Description
Modification of verification algorithm (digital signature, Rabin-Williams) by adding a step (blinding before signing) allows obtaining the private key in cases of incorrect unblinding, which leads to identity authentication failure and may be exploited for IEX. [1]
CVE Description
"The InvertibleRWFunction::CalculateInverse function in rw.cpp in libcrypt++ 5.6.2 does not properly blind
private key operations for the Rabin-Williams digital signature algorithm, which allows remote attackers to
obtain private keys via a timing attack." [5]
Analysis
The following analysis is based on information in [6, 7]. Having the private key allows an attacker to be authenticated as the owner of that key.
The software intends to use blinding to defend against a timing attack, as follows: instead of signing the data directly, the data is first transformed using a secret random value (blinding) and then is digitally signed using the private key. At the end, the effect of the transformation is removed (unblinding), so that the result is the signed data as if no transformation had taken place. See [6, 7] for blinding as used for RSA.
The flaw in this CVE is that blinding/unblinding is done incorrectly, so that in some cases the effect of the transformation is not removed from the data. This enables the attacker to use the transformed data to recover the private key by a mathematical calculation, as described in [6]. In [6] it is observed that if the secret random integer used to transform the message is a quadratic residue modulo an appropriate integer, then the unblinding step correctly undoes the transformation. The fix in [20] assures that the integer is such a quadratic residue.
Source Code
Code With Bug (from InvertibleRWFunction::CalculateInverse in rw.cpp, Crypto++ 5.6.2; x is the value being signed, m_n the modulus n = pq, rng the random number generator):

DoQuickSanityCheck();
ModularArithmetic modn(m_n);
Integer r, rInv;
do { // do this in a loop for people using small numbers for testing
    // r is uniform in [1, n-1]: nothing guarantees it is a quadratic residue modulo p and q
    r.Randomize(rng, Integer::One(), m_n - Integer::One());
    rInv = modn.MultiplicativeInverse(r);   // rInv is later used to unblind
} while (rInv.IsZero());
Integer re = modn.Square(r);
re = modn.Multiply(re, x); // blind
Code With Fix (same function, with the additional squaring step):

DoQuickSanityCheck();
ModularArithmetic modn(m_n);
Integer r, rInv;
do { // do this in a loop for people using small numbers for testing
    r.Randomize(rng, Integer::One(), m_n - Integer::One());
    // Squaring to satisfy Jacobi requirements suggested by JPM.
    // r = r^2 mod n is a quadratic residue modulo both p and q, so unblinding yields the same root as unblinded signing
    r = modn.Square(r);
    rInv = modn.MultiplicativeInverse(r);
} while (rInv.IsZero());
Integer re = modn.Square(r);
re = modn.Multiply(re, x); // blind
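The blinding failure described in the analysis above and the effect of the squaring step in the fixed code, as an added example that is not part of this page or of Crypto++: a toy Rabin-style signer in Python that computes the blinded root the way rw.cpp does, once with a raw random r (bug) and once with r squared first (fix). It assumes plain Rabin square roots with p, q = 3 (mod 4) and omits the Rabin-Williams Jacobi tweak; the primes and the message are constructed toy values.

```python
import random
from math import gcd

# Constructed toy parameters (real keys use large primes). p, q = 3 (mod 4), so
# a^((p+1)/4) is the "principal" square root mod p: the root that is itself a residue.
P, Q = 1019, 1031
N = P * Q

def sqrt_mod_prime(a, p):
    return pow(a, (p + 1) // 4, p)

def crt(rp, rq, p, q):
    # Combine a root mod p and a root mod q into the corresponding root mod p*q.
    return (rq + q * ((rp - rq) * pow(q, -1, p) % p)) % (p * q)

def principal_root(x, p, q):
    # Unblinded private-key operation: the square root of x mod n via p and q.
    return crt(sqrt_mod_prime(x % p, p), sqrt_mod_prime(x % q, q), p, q)

def blinded_root(x, p, q, rng, square_r):
    # Mirrors rw.cpp: blind with r^2, take the root, unblind with r^-1.
    n = p * q
    while True:
        r = rng.randrange(1, n)
        if square_r:            # the fix: r = r^2 makes r a residue mod p and mod q
            r = r * r % n
        if gcd(r, n) == 1:
            break
    r_inv = pow(r, -1, n)
    y = principal_root(r * r * x % n, p, q)   # root of the blinded value
    return y * r_inv % n                      # unblind

def factor_from_roots(y1, y2, n):
    # Two square roots of one value that are not +-each other reveal p or q.
    g = gcd((y1 - y2) % n, n)
    return g if 1 < g < n else None

def run_demo(trials=64, seed=1):
    """Return (fixed_always_matches, buggy_mismatch_count, factor_or_None)."""
    rng = random.Random(seed)
    x = 4242 * 4242 % N             # constructed message, a residue so a root exists
    ref = principal_root(x, P, Q)
    assert ref * ref % N == x
    fixed_ok = all(blinded_root(x, P, Q, rng, True) == ref for _ in range(trials))
    buggy = [blinded_root(x, P, Q, rng, False) for _ in range(trials)]
    factor = None
    for y in buggy:
        assert y * y % N == x       # every output is still a valid root of x ...
        factor = factor or factor_from_roots(ref, y, N)   # ... but not the same one
    return fixed_ok, sum(y != ref for y in buggy), factor
```

With the bug, the unblinded output is one of the four square roots of x, selected by whether r is a residue modulo p and modulo q; the fixed version returns the same root every time, which is the property the final consistency check in the signer relies on.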
References
[1] Bojanova, I., Black, P. E., Yesha, Y., Wu, Y., Evans, Z., Poster: The Bugs Framework (BF) – First Classes: Buffer Overflow (BOF), Injection (INJ), Control of Interaction Frequency (CIF), STC 2017, NIST, Gaithersburg, MD, USA.
[2] The MITRE Corporation, CVE Common Vulnerabilities and Exposures, CVE-2001-1585.