advisory: Double Public Key Signing Function Oracle Attack on Ed25519 by blackheaven · Pull Request #268 · haskell/security-advisories

blackheaven · 2025-03-26T23:18:20Z

Advisory

It's not duplicated
All fields are filled
It is validated by hsec-tools

Discussed here: awakesecurity/gen-ed25-keypair#8 (comment)

advisories/hackage/cryptonite/HSEC-2025-0002.md

TristanCacqueray · 2025-03-27T22:42:00Z

Thinking about it some more, I wonder if the affected libraries can/will fix this issue. Perhaps this should only concern users who don't validate that the public key is valid, like the gen-ed25-keypair tool. I guess it may be acceptable for crypton* to expose dangerous functions when the caller is responsible of using them correctly.

blackheaven · 2025-03-27T22:54:38Z

Thinking about it some more, I wonder if the affected libraries can/will fix this issue. Perhaps this should only concern users who don't validate that the public key is valid, like the gen-ed25-keypair tool. I guess it may be acceptable for crypton* to expose dangerous functions when the caller is responsible of using them correctly.

I'm not sure we can actually prevent it, but, at least, it should be part of the documentation of exposed functions.

frasertweedale · 2025-03-28T06:12:16Z

If we issue the advisory, please also include this article in the references:

https://github.com/MystenLabs/ed25519-unsafe-libs

I am unsure whether issuing an advisory against the cryptographic implementations themselves is the correct approach.
The functions are not vulnerable per se. Instead, the API is susceptible to misuse / error by consuming libraries. It is certainly the case that documentation of these functions should be improved. Here are my thoughts / observations:

Any identified libraries / programs that use the affected API(s) in an insecure way should have advisories (we can group them all under HSEC-2025-0002).
The Ed448 implementation also seems to have been vulnerable up until crypton-1.0.1, where the cbits got an update and they now unconditionally rederive the public key. See commit kazu-yamamoto/crypton@b6bac16 . We could include this info in the advisory too, or issue a separate historical advisory for Ed448.
Before merging the advisory we should liaise with crypton maintainers to see what they want to do. Given Ed448 implementation rederives the public key, perhaps they can apply the same approach for Ed25519. Alternatively, they could extend the API with safer variant(s) (suggestions below), and/or improve the documentation.

-- | Derives public key from secret key
signSafe :: ByteArrayAccess ba => SecretKey -> ba -> Signature

-- | Checks that public key corresponds to secret key
signChecked :: ByteArrayAccess ba => SecretKey -> PublicKey -> ba -> CryptoFailable Signature

Ping @kazu-yamamoto - what do you think?

frasertweedale · 2025-03-28T06:13:10Z

advisories/hackage/cryptonite/HSEC-2025-0002.md

+[advisory]
+id = "HSEC-2025-0002"
+cwe = []
+keywords = ["crypto", "historical"]


I think we should drop the historical tag here, because the issue is in current releases.

Thanks, I've dropped it

kazu-yamamoto · 2025-03-28T07:31:17Z

Thank you for informing this issue. Either approach (1) and approach (2) is fine with me.

Keep the backward compatibility: keep sign as is but add the deprecated pragma, add new functions and release a minor version.
Make the libary completely safe: change the definition of safe and release a major version.

I don't have a strong opinion on this but it seems to me that approach (2) seems better in the long run.

kazu-yamamoto · 2025-03-28T07:34:36Z

Or what about changing the currentsign to ignore the parameter of public key?

frasertweedale · 2025-03-28T08:04:47Z

Or what about changing the currentsign to ignore the parameter of public key?

@kazu-yamamoto yes, if you ignore the argument and re-derive the public key internally, that is the safest way. The downside is that it causes a constant overhead for every signing operation (this is why the "optimisation" exists in the first place). I think it's acceptable to change sign to ignore the public key argument, and it is a backwards-compatible change.

It might be worth considering exposing the existing behaviour as a functional named, say, signUnsafe, with appropriate warnings, for performance-critical use cases.

kazu-yamamoto · 2025-03-28T09:22:05Z

Please give a look at: kazu-yamamoto/crypton#47

If OK, I will change Ed448, too.

frasertweedale · 2025-03-28T09:33:38Z

@kazu-yamamoto thanks! I left some comments in the PR.

blackheaven · 2025-04-02T19:18:21Z

Added the fixed release for crypton

frasertweedale · 2025-04-03T12:07:30Z

I added a couple additional references, and updated the fixed field to v1.0.3 (1.0.4 just fixed a minor performance regression).

Thanks for preparing the advisory. Merging now.

TristanCacqueray approved these changes Mar 27, 2025

View reviewed changes

advisories/hackage/cryptonite/HSEC-2025-0002.md Outdated Show resolved Hide resolved

advisories/hackage/cryptonite/HSEC-2025-0002.md Show resolved Hide resolved

advisories/hackage/cryptonite/HSEC-2025-0002.md Outdated Show resolved Hide resolved

mihaimaruseac approved these changes Mar 27, 2025

View reviewed changes

blackheaven force-pushed the advisory/HSEC-2025-0002 branch from 55cd96b to 1578ad2 Compare March 27, 2025 19:55

TristanCacqueray approved these changes Mar 27, 2025

View reviewed changes

blackheaven force-pushed the advisory/HSEC-2025-0002 branch from 1578ad2 to 68556b9 Compare March 27, 2025 23:03

frasertweedale reviewed Mar 28, 2025

View reviewed changes

blackheaven force-pushed the advisory/HSEC-2025-0002 branch 5 times, most recently from 975d84d to 4451c98 Compare April 2, 2025 19:17

TristanCacqueray approved these changes Apr 2, 2025

View reviewed changes

advisory: Double Public Key Signing Function Oracle Attack on Ed25519

6388c18

frasertweedale force-pushed the advisory/HSEC-2025-0002 branch from 4451c98 to 6388c18 Compare April 3, 2025 11:49

frasertweedale merged commit ebd46a6 into main Apr 3, 2025
13 checks passed

frasertweedale deleted the advisory/HSEC-2025-0002 branch April 3, 2025 12:07

Conversation

blackheaven commented Mar 26, 2025

Advisory

Uh oh!

Uh oh!

Uh oh!

Uh oh!

TristanCacqueray commented Mar 27, 2025

Uh oh!

blackheaven commented Mar 27, 2025

Uh oh!

frasertweedale commented Mar 28, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

frasertweedale Mar 28, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

blackheaven Mar 28, 2025

Choose a reason for hiding this comment

Uh oh!

kazu-yamamoto commented Mar 28, 2025

Uh oh!

kazu-yamamoto commented Mar 28, 2025

Uh oh!

frasertweedale commented Mar 28, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

kazu-yamamoto commented Mar 28, 2025

Uh oh!

frasertweedale commented Mar 28, 2025

Uh oh!

blackheaven commented Apr 2, 2025

Uh oh!

frasertweedale commented Apr 3, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

frasertweedale commented Mar 28, 2025 •

edited

Loading

frasertweedale Mar 28, 2025 •

edited

Loading

frasertweedale commented Mar 28, 2025 •

edited

Loading