
Leak the Secret Key of Elgamal Encryption in Cryptopp via Rowhammer #1262

Open · liang-junkai opened this issue Feb 19, 2024 · 1 comment

liang-junkai commented Feb 19, 2024

Hi Team,

We are writing to report a potential security issue about the implementation of Elgamal Encryption in Cryptopp.

Specifically, we cloned Cryptopp-8.9 from cryptopp.com on February 1, 2024 and analyzed the source code of the Elgamal encryption scheme (more precisely, elgamal.h). Based on our analysis, its decryption implementation (Line 78 in elgamal.h) is vulnerable to fault injection.

As you may know, Rowhammer is a software-induced DRAM fault which can induce bit flips in the main memory of a commodity system. In our attack scenario, a malicious user process co-resides on the same system with a victim process that runs the Elgamal decryption of Cryptopp. As both processes share the main memory, the adversary can induce bit flips in the secret key before it is used by the victim to decrypt a ciphertext, resulting in a faulty decryption message. With enough faulty decryption messages released, the adversary can recover/leak the secret key. More details of the analysis and possible countermeasures are provided in the attached pdf Vulnerability_report.pdf.

Prior to this report, we reported similar vulnerabilities in the RSA encryption and EdDSA signature schemes implemented in WolfSSL. Its security team has acknowledged our findings and fixed RSA encryption via a commit and EdDSA signature via another commit. Before our reports to WolfSSL, RSA signature in both WolfSSL and OpenSSL had been proven to be vulnerable to Rowhammer-based attacks. WolfSSL tracked the RSA signature vulnerability via CVE-2019-19962. OpenSSL fixed it by a commit.

If you have any questions or need more details, please let us know. We are looking forward to your reply. Thank you.

Best Regards,

Junkai Liang (Peking University)

Zhi Zhang (The University of Western Australia)

Xin Zhang (Peking University)

Qingni Shen (Peking University)
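The mechanism the report describes, a single bit of the stored secret exponent flipping just before the decryption exponentiation, can be followed end to end with textbook ElGamal arithmetic. The block below is an added example by the editor, not code from the report, from its attached pdf, or from Crypto++: it uses constructed toy parameters (p = 2039, q = 1019, g = 4), models the fault as an XOR of one bit of x, shows how an attacker who knows the plaintext of a submitted ciphertext reads the flipped bit's position and original value from the ratio of faulty to correct output, and repeats this until the whole key is reconstructed. The `key_is_intact` check (recomputing the public key from x before use) is the editor's own illustration of a key-integrity countermeasure, not one taken from the report.

```python
# Added example (editor's illustration; not Crypto++ code, not the report's code):
# differential fault analysis on textbook ElGamal decryption when single bits of the
# stored secret exponent x are flipped before the decryption exponentiation.
import secrets

# Constructed toy parameters: safe prime P = 2Q + 1 and G = 4, a quadratic residue,
# hence a generator of the prime-order-Q subgroup of Z_P^*.
P = 2039
Q = 1019
G = 4
KEY_BITS = Q.bit_length()  # 10: the bit width in which x is stored


def keygen():
    x = secrets.randbelow(Q - 1) + 1  # secret exponent, 1 <= x < Q
    y = pow(G, x, P)                  # public key
    return x, y


def encrypt(y, m):
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), (m * pow(y, k, P)) % P


def decrypt(x, c1, c2):
    # textbook decryption m = c2 * c1^(-x) mod P; x enters only through this exponent
    return (c2 * pow(c1, -x, P)) % P


def faulty_decrypt(x, c1, c2, bit):
    # model a Rowhammer-style single-bit flip in the stored key just before it is used
    return decrypt(x ^ (1 << bit), c1, c2)


def recover_bit(m, c1, m_faulty):
    """Attacker side. Given the known plaintext m, the ciphertext component c1 and one
    faulty output m', return (bit_index, bit_value), or None if the output does not
    correspond to a single-bit flip. If bit i of x was 1 the flip subtracts 2^i, so
    m' = m * c1^(2^i); if it was 0 the flip adds 2^i, so m' = m * c1^(-2^i).
    For these parameters the candidates are pairwise distinct, so the match is unique."""
    ratio = (m_faulty * pow(m, -1, P)) % P
    for i in range(KEY_BITS):
        t = pow(c1, 1 << i, P)
        if ratio == t:
            return i, 1
        if ratio == pow(t, -1, P):
            return i, 0
    return None


def recover_key(x, y, m, max_faults=200):
    """Simulate both sides: the attacker keeps submitting fresh ciphertexts of the known
    plaintext m while a random bit of the victim's stored key (x, passed in only to
    drive the simulation) is flipped, and stops once every bit of x has been learned."""
    bits = {}
    for _ in range(max_faults):
        c1, c2 = encrypt(y, m)
        flipped = secrets.randbelow(KEY_BITS)
        got = recover_bit(m, c1, faulty_decrypt(x, c1, c2, flipped))
        if got is not None:
            bits[got[0]] = got[1]
        if len(bits) == KEY_BITS:
            break
    return sum(v << i for i, v in bits.items())


def key_is_intact(x, y):
    # editor's illustration of a key-integrity check: a flipped bit of x changes G^x,
    # so recomputing the public key before use detects the corruption
    return pow(G, x, P) == y


def checked_decrypt(x, y, c1, c2):
    # refuse to decrypt with a key that fails the check, so no faulty output is released
    if not key_is_intact(x, y):
        raise ValueError("secret key failed integrity check; refusing to decrypt")
    return decrypt(x, c1, c2)


if __name__ == "__main__":
    x, y = keygen()
    m = 1234  # constructed known plaintext
    c1, c2 = encrypt(y, m)
    assert decrypt(x, c1, c2) == m
    print("recovered key matches:", recover_key(x, y, m) == x)
```

Each faulty output leaks exactly one bit of x here because the flipped bit's contribution, c1^(±2^i), is distinguishable for every position i within the key's width; the attacker needs roughly KEY_BITS · ln(KEY_BITS) faulted decryptions to see every position once. The integrity check costs one extra exponentiation per decryption and turns a silent faulty output into a refusal.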


carnil commented May 22, 2024

This issue appears to relate to the assigned CVE-2024-28285
