VYPR
Moderate severity · NVD Advisory · Published May 20, 2021 · Updated Aug 4, 2024

CVE-2020-15522

Description

Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A timing side-channel in Bouncy Castle's EC math library leaks private key information during deterministic ECDSA signature generation.

Vulnerability

A timing side-channel vulnerability exists in the elliptic curve (EC) math library of Bouncy Castle. It affects BC Java before version 1.66, BC C# .NET before 1.8.7, BC-FJA versions 1.0.0, 1.0.1, and 1.0.2 (fixed in 1.0.1.2 and 1.0.2.1), and BC-FNA version 1.0.1 (fixed in 1.0.1.1) [1][4]. The issue occurs in the code path that performs the EC scalar multiplication for deterministic ECDSA signatures; no special configuration is required beyond using the affected library versions with ECDSA.

Exploitation

An attacker must be able to observe precise timing information for the generation of multiple deterministic ECDSA signatures (i.e., signatures that use RFC 6979 or similar deterministic nonce generation). The attacker needs network-level or local access capable of measuring the time taken by the affected code path. By collecting many timing measurements, the attacker can exploit the timing variation to recover information about the private key [1][4].

Impact

Successful exploitation allows the attacker to gain information about the private key used for ECDSA signing. This can lead to a full compromise of the signing key, enabling the attacker to forge signatures or impersonate the legitimate key holder. The impact is a breach of authentication and non-repudiation, potentially affecting all systems relying on the compromised key [1][4].

Mitigation

The vulnerability is fixed in BC Java 1.66 and later, BC C# .NET 1.8.7 and later, BC-FJA 1.0.1.2 and 1.0.2.1 and later, and BC-FNA 1.0.1.1 and later [4]. All users should upgrade to the fixed versions. As a workaround, users can implement their own blinding for deterministic ECDSA signatures; an example is available in the ECPoint.java source file at line 240 [4].
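The blinding workaround mentioned above, as an added Python illustration that is not Bouncy Castle's code and not the ECPoint.java example the advisory cites. The curve constants are secp256k1, chosen here only because the advisory names no curve, and Python's big-integer arithmetic is itself not constant-time, so the block shows the algebraic identity the workaround relies on (and that it leaves the deterministic signature unchanged), not a production countermeasure.

```python
import secrets

# secp256k1 domain parameters (constructed example; the advisory names no curve).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    # Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity.
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    # Plain double-and-add: the per-bit branch is exactly the kind of
    # secret-dependent control flow that a timing observer can exploit.
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def blinded_scalar_mult(k, point, rand_bits=64):
    # Scalar blinding: N*G is the identity, so (k + r*N)*G == k*G for any r,
    # yet the bit pattern the loop walks differs on every call. Forcing the
    # top bit of r keeps the blinded scalar at a fixed bit length.
    r = secrets.randbits(rand_bits) | (1 << (rand_bits - 1))
    return scalar_mult(k + r * N, point)


def ecdsa_sign(priv, k, z):
    # Sign hash z with a caller-supplied deterministic nonce k (e.g. RFC 6979).
    # Without blinding, the same message repeats the identical k*G computation
    # on every signature, which is what makes repeated timing measurements useful.
    x, _ = blinded_scalar_mult(k, G)
    r = x % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r, s
```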

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                Ecosystem   Affected versions   Patched versions
org.bouncycastle:bc-fips               Maven       < 1.0.2.1           1.0.2.1
org.bouncycastle:bcprov-ext-jdk15on    Maven       < 1.66              1.66
org.bouncycastle:bcprov-ext-jdk16      Maven       < 1.66              1.66
org.bouncycastle:bcprov-jdk14          Maven       < 1.66              1.66
org.bouncycastle:bcprov-jdk15          Maven       < 1.66              1.66
org.bouncycastle:bcprov-jdk15on        Maven       < 1.66              1.66
org.bouncycastle:bcprov-jdk15to18      Maven       < 1.66              1.66
org.bouncycastle:bcprov-jdk16          Maven       < 1.66              1.66
BouncyCastle                           NuGet       < 1.8.7             1.8.7

Affected products: 21

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)