indutny / elliptic

Fast Elliptic Curve Cryptography in plain javascript

security consideration with timing attacks on bn.js use #128

Closed pravi closed 7 years ago

pravi commented 7 years ago

As reported here https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861639#10

As with the other pure JS crypto package ITP here recently [1]: has this library been designed with timing attacks in mind? In contrast to the first example, where upstream says that it's so slow that nobody is probably going to use it in real life anyway [2], this library claims to be quite fast - in which case the chance of the library being used in actual real-life applications is higher. And it uses the same bignum library that the other package is also using, which doesn't appear to have been designed with timing considerations in mind. (Which is fine for a bignum library not intended for crypto purposes.)

As with the previous package, the README of the project and the other documentation does not discuss timing attacks at all, which doesn't give me confidence that the author of the library has thought about these issues.

A couple of pointers:

I understand you're probably packaging this because it's a dependency of something else, but I'm seriously concerned about any package that uses this library for real-world applications other than generating key pairs.

Regards, Christian

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860771#10

[2] https://github.com/crypto-browserify/diffie-hellman/issues/22#issuecomment-296645560

[3] Look at CVE-2013-4576 to see how creative these side channel attacks can become.

This is similar to https://github.com/crypto-browserify/diffie-hellman/issues/22

indutny commented 7 years ago

Thanks for opening this. I'm always trying to keep security in mind, but it doesn't look like there is a way to mitigate timing attacks in this library without sacrificing performance. The JS implementation is about 10x-20x slower than C already, and I don't want to make it even slower than this.
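
The trade-off raised in this thread, as an added illustration (not code from elliptic or bn.js, and not a claim about which algorithm elliptic uses): on a textbook toy curve, plain double-and-add performs a number of group operations that depends on the secret scalar's bits, while a Montgomery ladder performs the same number for every scalar at a higher fixed cost. The curve, function names and operation counter are assumptions made for the example; fixing the operation count does not by itself make the underlying bignum arithmetic or the branch on each key bit constant-time.

```javascript
// Toy curve y^2 = x^3 + 2x + 2 over F_17, base point G = (5, 1) of order 19.
// Far too small for real use; chosen so the results can be checked by hand.
const P = 17n, A = 2n, G = [5n, 1n];
const mod = (v) => ((v % P) + P) % P;

// Modular inverse via Fermat's little theorem: v^(P-2) mod P.
function inv(v) {
  let r = 1n, b = mod(v), e = P - 2n;
  while (e > 0n) { if (e & 1n) r = mod(r * b); b = mod(b * b); e >>= 1n; }
  return r;
}

let ops = 0; // group operations performed by the current multiplication

// Affine point addition/doubling; null is the point at infinity.
function add(p, q) {
  ops++;
  if (p === null) return q;
  if (q === null) return p;
  const [x1, y1] = p, [x2, y2] = q;
  if (x1 === x2 && mod(y1 + y2) === 0n) return null;
  const s = x1 === x2 ? mod((3n * x1 * x1 + A) * inv(2n * y1))
                      : mod((y2 - y1) * inv(x2 - x1));
  const x3 = mod(s * s - x1 - x2);
  return [x3, mod(s * (x1 - x3) - y1)];
}

// Variable-time: one doubling per bit plus one addition per set bit of k.
function doubleAndAdd(k, bits) {
  ops = 0; let r = null;
  for (let i = bits - 1; i >= 0; i--) {
    r = add(r, r);
    if ((k >> BigInt(i)) & 1n) r = add(r, G);
  }
  return { point: r, ops };
}

// Montgomery ladder: exactly two group operations per bit for every k.
// A hardened version would replace the branch with a constant-time swap.
function ladder(k, bits) {
  ops = 0; let r0 = null, r1 = G;
  for (let i = bits - 1; i >= 0; i--) {
    if ((k >> BigInt(i)) & 1n) { r0 = add(r0, r1); r1 = add(r1, r1); }
    else { r1 = add(r0, r1); r0 = add(r0, r0); }
  }
  return { point: r0, ops };
}
```

With a 5-bit scalar, `doubleAndAdd(16n, 5)` takes 6 operations and `doubleAndAdd(15n, 5)` takes 9, while `ladder` takes 10 for both.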