OTC VOTE: EVP_PKEY private/public key components
Dick Franks
rwfranks at acm.org
Wed Nov 11 18:48:40 UTC 2020
On Wed, 11 Nov 2020 at 14:14, Nicola Tuveri <nic.tuv at gmail.com> wrote:
>
> In particular in 1.1.1, the key created as depicted in #12612 that
> triggered this discussion (Matt posted a useful reproducer among the
> first comments), is indeed capable of signing in the used pattern, but
> the pattern is conveniently omitting the validation pass that should
> be required in any serious use of the API.
>
The private key is a random or pseudo-random 256-bit integer.
How do you propose to "validate" that?
> `EVP_PKEY_check()`
> (https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_check.html) is
> one of the many places in 1.1.1 where both the documentation and the
> behavior assume that an `EVP_PKEY` object is a keypair.
> Even in the version used by the user that posted the issue, running
> `EVP_PKEY_check()` on the created key would have revealed that the
> user was abusing the API.
>
I was not "abusing the API" as you put it, merely pointing out that the
public key is not a required item for performing ECDSA signature
generation. This is a mathematical fact of life that you are going to have
to learn to live with.
> >8
>
> Omitting the `EVP_PKEY_check()` in the reproducer and the user
> application, would for example allow me to write a DoS attack: the
> secret scalar could easily be hand-picked to trigger an endless loop
> in the sign operation.
>
Nonsense. Each iteration involves a new PRN, which by definition you
cannot predict.
--RWF
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-project/attachments/20201111/91380907/attachment.html>
More information about the openssl-project
mailing list