Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526


Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

Johan Wevers
On 29-06-2017 9:28, Werner Koch wrote:

> The GnuPG Project is pleased to announce the availability of Libgcrypt
> version 1.7.8.  This release fixes a local side-channel attack.

Is 1.4 vulnerable to this attack as well? I know it does not use
libgcrypt but I'm not sure about the vulnerability.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

Werner Koch
On Tue,  4 Jul 2017 12:05, [hidden email] said:

> Is 1.4 vulnerable to this attack as well? I know it does not use
> libgcrypt but I'm not sure about the vulnerability.

Maybe.  And probably also to a lot of other local side channel attacks.


Shalom-Salam,

   Werner

--
Thoughts are free.  Exceptions are regulated by a federal law.


Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

Johan Wevers
On 04-07-2017 18:30, Werner Koch wrote:

>> Is 1.4 vulnerable to this attack as well? I know it does not use
>> libgcrypt but I'm not sure about the vulnerability.
>
> Maybe.  And probably also to a lot of other local side channel attacks.

Is that going to be fixed, or is 1.4 now really considered EOL?

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html



Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

Peter Lebbing
On 04/07/17 21:03, Johan Wevers wrote:
> Is that going to be fixed, or is 1.4 now really considered EOL?

I think you need to see it in the context of this part of the announcement:

> Allowing execute access to a box with private keys should be considered
> as a game over condition, anyway.  Thus in practice there are easier
> ways to access the private keys than to mount this side-channel attack.

If you're worried about cross-VM crypto attacks, perhaps host your essential
crypto on a box that doesn't host potentially hostile VMs. Security has its
cost, or: there's no such thing as a free lunch.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>



Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

Bernhard Reiter-7
On Tuesday 04 July 2017 18:30:28, Werner Koch wrote:
> On Tue,  4 Jul 2017 12:05, [hidden email] said:
> > Is 1.4 vulnerable to this attack as well? I know it does not use
> > libgcrypt but I'm not sure about the vulnerability.
>
> Maybe.  And probably also to a lot of other local side channel attacks.

In general I think it would be useful to have information available that
shows which versions of GnuPG and libgcrypt are exposed to this or other
weaknesses and what the consequences are.

People now know that there are versions
with this vulnerability and without it.

My concept so far:
not vulnerable:
  libgcrypt 1.7.8
  libgcrypt 1.8-beta since commit
    Thu, 29 Jun 2017 04:11:37 +0200 (11:11 +0900)
    8725c99ffa41778f382ca97233183bcd687bb0ce

vulnerable:
  libgcrypt v<=?
  GnuPG v1.?

Best regards,
Bernhard
--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner


Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

Marcus Brinkmann via Gnupg-users
On 07/05/2017 04:13 PM, Bernhard Reiter wrote:

> On Tuesday 04 July 2017 18:30:28, Werner Koch wrote:
>> On Tue,  4 Jul 2017 12:05, [hidden email] said:
>>> Is 1.4 vulnerable to this attack as well? I know it does not use
>>> libgcrypt but I'm not sure about the vulnerability.
>>
>> Maybe.  And probably also to a lot of other local side channel attacks.
>
> In general I think it would be useful to have information available that
> shows which versions of GnuPG and libgcrypt are exposed to this or other
> weaknesses and what the consequences are.
>
> People now know that there are versions
> with this vulnerability and without it.
>
> My concept so far:
> not vulnerable:
>   libgcrypt 1.7.8
>   libgcrypt 1.8-beta since commit
>     Thu, 29 Jun 2017 04:11:37 +0200 (11:11 +0900)
>     8725c99ffa41778f382ca97233183bcd687bb0ce
>
> vulnerable:
Caveat: I have only looked at the code of the oldest and newest
versions.  Remember that old versions may not even have 64-bit support,
so they run on different CPU architectures.  But the code is essentially
the same as the vulnerable code in libgcrypt 1.7.7 for these:

>   libgcrypt v<=?

Probably all versions up to 1.7.7, starting from at least 1.2.0 (which
is the oldest I could find).

>   GnuPG v1.?

Probably all versions from 1.0.4 up to 1.4.21.  (I could not find 1.0.3,
which according to the NEWS file is the first version with RSA support).

I made a backport of the patch for GPG 1.4.21 here:

https://dev.gnupg.org/D438

I have also found a paper that indicates that the exponent blinding
defense is not as solid as one might think naively, and in which the
author indicates that OpenSSL defended against this kind of attack
conclusively in 0.9.8f (Oct 2007). I have only glanced over the claims,
but it's certainly intriguing:

Schindler, W.: Exclusive Exponent Blinding May Not Suffice
to Prevent Timing Attacks on RSA (2015), Bundesamt für Sicherheit in der
Informationstechnik

Preprint available at https://eprint.iacr.org/2014/869.pdf







Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

Bernhard Reiter-7
On Wednesday 05 July 2017 21:39:26, Marcus Brinkmann via Gnupg-users wrote:
> Caveat: I have only looked at the code of the oldest and newest
> versions.  Remember that old versions may not even have 64-bit support,
> so they run on different CPU architectures.  But the code is essentially
> the same as the vulnerable code in libgcrypt 1.7.7 for these:

> Probably all versions up to 1.7.7, starting from at least 1.2.0 (which
> is the oldest I could find).

Thanks for your useful examinations.

> >   GnuPG v1.?
> Probably all versions from 1.0.4 up to 1.4.21.  (I could not find 1.0.3,
> which according to the NEWS file is the first version with RSA support).
>
> I made a backport of the patch for GPG 1.4.21 here:
> https://dev.gnupg.org/D438

Yes, good, though Werner's comment there shows that there will be more things
to consider.

Like:

> I have also found a paper that indicates that the exponent blinding
> defense is not as solid as one might think naively,

> Preprint available at https://eprint.iacr.org/2014/869.pdf

My conclusion for users so far is:
The side-channel attack from CVE-2017-7526 and related side-channel attacks
and implementation fixes are under active examination by the GnuPG-Dev team.

My current understanding:
To prevent exploitation for GnuPG 1.4: prevent other users on the machine.
To be extra sure: Do not share a machine by VMs (unless they are well
separated).
For GnuPG 2.1: Update to a version using libgcrypt 1.7.8 or later
(or alternatively apply the same measures as for GnuPG 1.4).

We should take in-depth discussions to gnupg-devel@ I guess.

Best Regards,
Bernhard

--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner


Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

Werner Koch
On Wed,  5 Jul 2017 21:39, [hidden email] said:

>>   libgcrypt v<=?
>
> Probably all versions up to 1.7.7, starting from at least 1.2.0 (which
> is the oldest I could find).

Actually starting at 1.6.0 which introduced the sliding window method to
catch up performance losses due to other side channel attack
mitigations.  Earlier versions than 1.6 may be affected by other side
channel attacks.


Salam-Shalom,

   Werner


--
Thoughts are free.  Exceptions are regulated by a federal law.

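The following is an added example, written for this archived thread; it is not code from the thread, from Libgcrypt or from GnuPG. It illustrates two points the thread touches on: Werner's remark that the sliding-window exponentiation introduced in 1.6.0 is what CVE-2017-7526 concerns (the sequence of squarings and multiplications a sliding-window exponentiation performs depends on the bits of the secret exponent, whereas a fixed-window exponentiation performs the same sequence for every exponent of a given length), and the exponent blinding countermeasure that Marcus's reference (Schindler 2015) discusses. The key is a constructed textbook toy (p=61, q=53), not real key material, and the model covers only the square/multiply sequence; the table-lookup and cache behaviour that real attacks and real mitigations also have to address is outside it. Function names, the window size w=3 and the exponent pair compared are all assumptions of this example.

```python
# Added example (not code from this thread, from Libgcrypt or from GnuPG).
# Models why a sliding-window modular exponentiation leaks the exponent
# through its operation sequence, why a fixed-window one does not, and what
# exponent blinding does.  Toy key only; operation-sequence model only.

def sliding_window_trace(base, exp, mod, w=3):
    """Left-to-right sliding-window exponentiation with an odd-power table.

    Returns (base**exp % mod, trace); trace is the S/M operation string.
    """
    table = {1: base % mod}
    base_sq = table[1] * table[1] % mod
    for i in range(3, 1 << w, 2):              # odd powers 3, 5, ..., 2^w - 1
        table[i] = table[i - 2] * base_sq % mod
    bits = bin(exp)[2:]
    result, trace, i = 1, [], 0
    while i < len(bits):
        if bits[i] == '0':                     # a zero bit costs a lone squaring
            result = result * result % mod
            trace.append('S')
            i += 1
            continue
        # a window starts at a 1 bit, ends at a 1 bit, and has at most w bits
        length = min(w, len(bits) - i)
        while bits[i + length - 1] == '0':
            length -= 1
        for _ in range(length):
            result = result * result % mod
            trace.append('S')
        result = result * table[int(bits[i:i + length], 2)] % mod
        trace.append('M')
        i += length
    return result, ''.join(trace)


def fixed_window_trace(base, exp, mod, w=3, nbits=None):
    """Left-to-right fixed-window exponentiation over all 2^w table entries.

    Every window costs w squarings and one multiplication (a zero window
    multiplies by table[0] == 1), so the trace depends only on nbits, which a
    constant-time implementation derives from the modulus, not the exponent.
    """
    table = [1]
    for _ in range(1, 1 << w):
        table.append(table[-1] * base % mod)
    if nbits is None:
        nbits = exp.bit_length()
    nwindows = -(-nbits // w)                   # ceiling division
    mask = (1 << w) - 1
    result, trace = 1, []
    for j in reversed(range(nwindows)):
        for _ in range(w):
            result = result * result % mod
            trace.append('S')
        result = result * table[(exp >> (j * w)) & mask] % mod
        trace.append('M')
    return result, ''.join(trace)


def blinded_modexp(base, exp, mod, phi, k):
    """Exponent blinding: exp' = exp + k*phi is a different exponent on every
    call (fresh random k in practice) but yields the same result whenever
    base is coprime to mod, by Euler's theorem."""
    return pow(base, exp + k * phi, mod)


# Constructed toy RSA key (the usual textbook example): n = 61*53, e = 17.
P, Q = 61, 53
N, PHI = P * Q, (P - 1) * (Q - 1)
E, D = 17, 2753
MESSAGE = 65
CIPHERTEXT = pow(MESSAGE, E, N)                  # 2790


def traces_leak(mod, w=3):
    """Compare two exponents of equal bit length: True when the sliding-window
    traces differ (exponent-dependent) while the fixed-window traces are equal."""
    a, b = D, (1 << N.bit_length()) - 1          # 2753 and all-ones, both 12 bits
    s_a = sliding_window_trace(2, a, mod, w)[1]
    s_b = sliding_window_trace(2, b, mod, w)[1]
    f_a = fixed_window_trace(2, a, mod, w, N.bit_length())[1]
    f_b = fixed_window_trace(2, b, mod, w, N.bit_length())[1]
    return s_a != s_b and f_a == f_b


if __name__ == "__main__":
    print("sliding:", sliding_window_trace(CIPHERTEXT, D, N)[1])
    print("fixed:  ", fixed_window_trace(CIPHERTEXT, D, N, nbits=N.bit_length())[1])
    print("blinded decrypt:", blinded_modexp(CIPHERTEXT, D, N, PHI, k=5))
    print("sliding window leaks, fixed window does not:", traces_leak(N))
```

Run as a script it prints the two operation traces for the toy private exponent: the sliding-window trace has gaps and window boundaries placed by the exponent's bits, the fixed-window trace is "SSSM" repeated once per window regardless of the exponent. The blinded decryption returns the same plaintext for any k, which is what makes blinding attractive; the paper Marcus cites is about why that alone may still not be enough.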