openssl / openssl

TLS/SSL and crypto library
https://www.openssl.org
Apache License 2.0

Minerva attack on s390x architecture #24252

Open GeorgePantelakis opened 1 month ago

GeorgePantelakis commented 1 month ago

@tomato42 and I have tested OpenSSL on the s390x architecture with the z15 microarchitecture, and we found that it may be vulnerable to a variant of the Minerva attack. We used statistical analysis to confirm the presence of side channels, but we did not perform the Minerva attack against the implementation.

In the test scenario, we measure the time of signing of random messages using the EVP_DigestSign API (Init, Update, and Final) and then use the private key to extract the K value (nonce) from the signatures. Then, based on the bit size of the extracted nonce, we compare the signing time of full-sized nonces to signatures that used smaller nonces using statistical tests.

In our initial test, we found side-channels in curves P-256, P-364, and P-521. In these results we can see a clear leak: there is a dependency between the bit size of K and the size of the side channel.

For the non-deterministic path of the code:

[Figure: conf_interval_plot_all_k_sizes_trim_mean_45_0-10]
Results for P-256. Skilling-Mack test p-value: 0. The sample tested has 143,963,933 observations.

[Figure: conf_interval_plot_all_k_sizes_trim_mean_45_0-10]
Results for P-384. Skilling-Mack test p-value: 0. The sample tested has 143,966,184 observations.

[Figure: conf_interval_plot_all_k_sizes_trim_mean_45_0-10]
Results for P-521. Skilling-Mack test p-value: 0. The sample tested has 143,961,342 observations.

For the deterministic path of the code:

[Figure: conf_interval_plot_all_k_sizes_trim_mean_45_0-10]
Results for P-256. Skilling-Mack test p-value: 0. The sample tested has 143,961,755 observations.

[Figure: conf_interval_plot_all_k_sizes_trim_mean_45_0-10]
Results for P-384. Skilling-Mack test p-value: 1.180236e-133. The sample tested has 143,952,618 observations.

[Figure: conf_interval_plot_all_k_sizes_trim_mean_45_0-10]
Results for P-521. Skilling-Mack test p-value: 8.712206e-06. The sample tested has 143,961,258 observations.

t8m commented 1 month ago

In comparison to the PPC64 and ARM results here the signal is much bigger (tenths of ns).

holger-dengler commented 1 month ago

We'll take a look.

holger-dengler commented 1 month ago

After analysis it has been determined not to be an issue in OpenSSL. IBM Z and LinuxONE customers are advised to stay current with their service and refer to the IBM Z and LinuxONE Security Portal for information about security vulnerabilities. See also https://www.ibm.com/support/pages/ibm-security-vulnerability-management .