Re: CVE-2022-0778 - Impact of ECC cipher with valid server ECC certificate

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, Mar 26, 2022 at 12:32:03PM +0530, Vipul Mehta wrote:

> If we consider ECDHE_ECDSA cipher based TLS handshake, then it is possible
> that the client can send invalid public session key to the server causing
> the vulnerability. Is this assumption correct ?

The CVE only affects situations in which the untrusted peer can specify
malign "explicit" curve *parameters*, not just the public point.

> If yes, then I think disabling ECC cipher suites should prevent the
> vulnerability if we don't want to upgrade openssl considering there is no
> other cryptographic operation except w.r.t. TLS.

Unless I'm missing something, there's no need to disable ECC ciphers,
since with TLS 1.0 through 1.2 the curve parameters are chosen by the
server.

With the TLS 1.3, the client typically sends a key share first, which
consists of a named group and again a public point.  There is no
mechanism for conveying "explicit" ECC parameters

    https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.8
    https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.8.2

So either way, TLS servers are safe if they don't solicit client
certificates, or otherwise in some form consume X.509 SPKI public keys
(which with ECC do signal either a named group or provide explicit
parameters).

-- 
    Viktor.



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux