openssh-unix-dev May 2011 archive

Re: Security of OpenSSL ECDSA signatures

From: Damien Miller <djm_at_nospam>
Date: Mon May 23 2011 - 12:31:49 GMT
To: Aris Adamantiadis <>

On Mon, 23 May 2011, Aris Adamantiadis wrote:

> Dear OpenSSH devs,
> I came across this paper yesterday.
> It states that they were able to recover ECDSA keys from TLS servers by
> using timing attacks against OpenSSL's ECDSA implementation.
> Is that known to be exploitable by OpenSSH? (In my understanding, it's
> easy to get a payload signed by ECDSA during the key exchange so my
> opinion is that it is). There's a patch for openssl in the paper, that
> removes the detectable optimization away. Would you consider blacklisting
> openssl versions that do not implement that workaround?

This result concerns binary/GF(2m) fields only and not the prime fields
that OpenSSH uses in recent versions.

Unless a similar timing oracle is found for GF(p) fields then no
OpenSSH-side workaround is required.
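As an added example (not code from this thread or from OpenSSH itself), the following Python checks the point made above on a concrete key: it parses an OpenSSH `ecdsa-sha2-*` public key line (the RFC 5656 blob of key type, curve identifier and uncompressed point), reports whether the curve identifier is one of the three prime-field NIST curves OpenSSH defines ECDSA key types for, and for nistp256 also verifies that the point satisfies the curve equation over GF(p). The sample lines are constructed inside the block: one from the published P-256 generator point, one with a deliberately off-curve point, and one carrying the made-up identifier `sect283k1` to show that a binary-field name is rejected. All helper names are my own.

```python
import base64
import struct

# Curve identifiers OpenSSH defines for ECDSA keys (RFC 5656), with the byte
# length of one coordinate. All three are NIST curves over prime fields GF(p);
# OpenSSH defines no ECDSA key type over a binary (GF(2^m)) curve.
OPENSSH_ECDSA_CURVES = {"nistp256": 32, "nistp384": 48, "nistp521": 66}

# NIST P-256 domain parameters (FIPS 186-4), used for the on-curve check.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def _ssh_string(buf, off):
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes) at buf[off]."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    start, end = off + 4, off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[start:end], end


def _encode_ssh_string(b):
    return struct.pack(">I", len(b)) + b


def is_on_p256(x, y):
    """True iff (x, y) satisfies y^2 = x^3 + a*x + b modulo the P-256 prime."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def assess_ecdsa_key(line):
    """Parse an OpenSSH public key line and report which field its curve is over.

    Returns {"ok": True, ...curve details...} or {"ok": False, "reason": ...}.
    """
    fields = line.split()
    if len(fields) < 2 or not fields[0].startswith("ecdsa-sha2-"):
        return {"ok": False, "reason": "not an ecdsa-sha2-* key line"}
    try:
        blob = base64.b64decode(fields[1], validate=True)
        keytype, off = _ssh_string(blob, 0)
        curve, off = _ssh_string(blob, off)
        point, off = _ssh_string(blob, off)
    except (ValueError, struct.error) as e:
        return {"ok": False, "reason": f"malformed key blob: {e}"}
    if off != len(blob):
        return {"ok": False, "reason": "trailing bytes after public key blob"}
    if keytype.decode("ascii", "replace") != fields[0]:
        return {"ok": False, "reason": "key type in blob does not match the line prefix"}
    if keytype != b"ecdsa-sha2-" + curve:
        return {"ok": False, "reason": "curve identifier does not match key type"}
    curve_name = curve.decode("ascii", "replace")
    if curve_name not in OPENSSH_ECDSA_CURVES:
        # Any other identifier (for instance a binary-field sect* name) is not a
        # curve OpenSSH defines an ECDSA key type for.
        return {"ok": False, "reason": f"curve {curve_name!r} is not an OpenSSH prime-field curve"}
    n = OPENSSH_ECDSA_CURVES[curve_name]
    if len(point) != 1 + 2 * n or point[0] != 0x04:
        return {"ok": False, "reason": "public point is not an uncompressed point of the expected length"}
    x = int.from_bytes(point[1:1 + n], "big")
    y = int.from_bytes(point[1 + n:], "big")
    result = {"ok": True, "curve": curve_name, "field": "GF(p)", "coordinate_bytes": n}
    if curve_name == "nistp256":
        result["on_curve"] = is_on_p256(x, y)
    return result


def build_key_line(curve_name, x, y, coord_len, comment="constructed-sample"):
    """Assemble an 'ecdsa-sha2-<curve> <base64> <comment>' line (helper for the samples below)."""
    point = b"\x04" + x.to_bytes(coord_len, "big") + y.to_bytes(coord_len, "big")
    keytype = b"ecdsa-sha2-" + curve_name.encode("ascii")
    blob = (_encode_ssh_string(keytype) + _encode_ssh_string(curve_name.encode("ascii"))
            + _encode_ssh_string(point))
    return f"{keytype.decode('ascii')} {base64.b64encode(blob).decode('ascii')} {comment}"


# Constructed sample keys (not real host keys): the P-256 generator, a point one
# off the curve, and a made-up binary-field identifier OpenSSH never defined.
SAMPLE_P256_LINE = build_key_line("nistp256", P256_GX, P256_GY, 32)
SAMPLE_OFFCURVE_LINE = build_key_line("nistp256", P256_GX, P256_GY + 1, 32)
SAMPLE_BINARY_LINE = build_key_line("sect283k1", 1, 2, 36)

if __name__ == "__main__":
    for sample in (SAMPLE_P256_LINE, SAMPLE_OFFCURVE_LINE, SAMPLE_BINARY_LINE):
        print(sample.split()[0], assess_ecdsa_key(sample))
```

Run against a real `ssh_host_ecdsa_key.pub` or a `known_hosts` entry, the same parser tells you which curve a host actually advertises; on OpenSSH the answer can only be one of the three GF(p) curves, which is the reason the binary-field result does not carry over.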
