CVE-2019-18222 states that the recovery of the private key is possible by a cache attack. Is this a weakness on the signature verification side, or is it relevant for the signature generation?
Is a more detailed description of this attack scenario available?
Hi @McAndrews
Thank you for your question!
During signature verification, the private key isn’t involved, therefore you cannot expose it.
As the CVE descriuption: “Our bignum implementation is not constant time/constant trace, so side channel attacks can retrieve the blinded value, factor it (as it is smaller than RSA keys and not guaranteed to have only large prime factors), and then, by brute force, recover the key.”
During signature verification, there is no blinding of the private key, so it cannot be exposed.
Regards,
Mbed TLS Support
Ron
Thank your for your quick response. If I get it right, an attacker needs to attack the signing machine in order to recover the private key?
Or is it possible to extract the key from the signature of a signed message?
Hi @McAndrews
If I get it right, an attacker needs to attack the signing machine in order to recover the private key?
Correct. The signature doesn’t contain the private key, but it is a result of a mathematic operation (the signing function) that used the private key. The verification uses the opposite operation using the public key
Regards