IAIK JCE Side Channel Attack

2020.05.23
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

IAIK JCE is a provider for the Java Cryptography Extension that, according to the vendor, "supplements the security functionality of the default JDK". It is a commercial product developed by Stiftung Secure Information and Communication Technologies: https://jce.iaik.tugraz.at/about-us/ The way that some of the computations involved in the signature generation are carried out introduces a side channel that leaks timing information about the ephemeral number k. Full details about the vulnerability are available here: http://sbudella.altervista.org/blog/20200521-iaik-timing.html Giuseppe Cocomazzi http://sbudella.altervista.org


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top