| 1 | +```toml |
| 2 | +[advisory] |
| 3 | +id = "HSEC-2025-0002" |
| 4 | +cwe = [] |
| 5 | +keywords = ["crypto", "historical"] |
| 6 | +related = ["GHSA-w5vr-6qhr-36cc"] |
| 7 | + |
| 8 | +[[affected]] |
| 9 | +package = "cryptonite" |
| 10 | +cvss = "CVSS:3.1/ AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N/E:U/RL:X/RC:C/CR:H/IR:L/AR:L/MAV:N/MAC:L/MPR:L/MUI:N/MS:C/MC:N/MI:H/MA:N" |
| 11 | +[[affected.versions]] |
| 12 | +introduced = "0.1" |
| 13 | + |
| 14 | +[[affected]] |
| 15 | +package = "crypton" |
| 16 | +cvss = "CVSS:3.1/ AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N/E:U/RL:X/RC:C/CR:H/IR:L/AR:L/MAV:N/MAC:L/MPR:L/MUI:N/MS:C/MC:N/MI:H/MA:N" |
| 17 | +[[affected.versions]] |
| 18 | +introduced = "0.31" |
| 19 | + |
| 20 | +[[references]] |
| 21 | +type = "ARTICLE" |
| 22 | +url = "https://portswigger.net/daily-swig/dozens-of-cryptography-libraries-vulnerable-to-private-key-theft" |
| 23 | +[[references]] |
| 24 | +type = "ADVISORY" |
| 25 | +url = "https://github.com/advisories/GHSA-w5vr-6qhr-36cc" |
| 26 | +[[references]] |
| 27 | +type = "EVIDENCE" |
| 28 | +url = "https://hackage.haskell.org/package/cryptonite-0.30/docs/src/Crypto.PubKey.Ed25519.html#sign" |
| 29 | +[[references]] |
| 30 | +type = "EVIDENCE" |
| 31 | +url = "https://github.com/haskell-crypto/cryptonite/blob/cryptonite-v0.30/cbits/ed25519/ed25519.c#53" |
| 32 | +[[references]] |
| 33 | +type = "EVIDENCE" |
| 34 | +url = "https://github.com/kazu-yamamoto/crypton/blob/48fb9df2de5ee752196724b081f4d3cdb57576ed/cbits/ed25519/ed25519.c#L53" |
| 35 | + |
| 36 | +``` |
| 37 | + |
| 38 | +# Double Public Key Signing Function Oracle Attack on Ed25519 |
| 39 | + |
| 40 | +The standard specification of Ed25519 message signing involves providing the |
| 41 | +algorithm with a message and private key. |
| 42 | + |
| 43 | +The function will use the private key to compute the public key and sign the message. |
| 44 | +Some libraries provide a variant of the message signing function that also takes |
| 45 | +the pre-computed public key as an input parameter. |
| 46 | + |
| 47 | +Libraries that allow arbitrary public keys as inputs without checking if the |
| 48 | +input public key corresponds to the input private key are vulnerable to the |
| 49 | +following attack. |
| 50 | + |
| 51 | +By using several public keys and messages, a malicious user with access to the |
| 52 | +signing mechanism may build up insights into the private key parameters |
| 53 | +resulting in access to the private key. |
| 54 | + |
| 55 | +This shortcoming means that an attacker could use the signing function as an |
| 56 | +Oracle, perform crypto-analysis and ultimately get at secrets. |
| 57 | +For example, an attacker who can’t access the private key but can access |
| 58 | +the signing mechanism through an API call could use several public keys and |
| 59 | +messages to gradually build up insights into private key parameters. |
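Review bot: The `cvss` strings on file lines 10 and 16 contain a space after `CVSS:3.1/`, which a strict CVSS vector parser will reject or mis-score; drop it so both read `cvss = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N/E:U/RL:X/RC:C/CR:H/IR:L/AR:L/MAV:N/MAC:L/MPR:L/MUI:N/MS:C/MC:N/MI:H/MA:N"`. The cryptonite evidence URL on line 31 ends in `#53` while the crypton one on line 34 uses `#L53`; only the `L`-prefixed anchor jumps to a source line, so the first link will not land on the line it cites. `cwe = []` leaves the record unclassified even though the text describes a signing oracle caused by an unverified public-key input; filling it with the weakness the linked GHSA lists, if it carries one, would make the advisory searchable by CWE. Neither `[[affected.versions]]` entry has a `fixed` bound, which asserts that every release after `0.1` and `0.31` is still affected — if crypton has since addressed this, the fixed version belongs here.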