/*
* This function is a wrapper on modpow(). It has the same effect
* as modpow(), but employs RSA blinding to protect against timing
* attacks.
*/
static Bignum rsa_privkey_op(Bignum input, struct RSAKey *key)
{
Bignum random, random_encrypted, random_inverse;
Bignum input_blinded, ret_blinded;
Bignum ret;
SHA512_State ss;
unsigned char digest512[64];
int digestused = lenof(digest512);
int hashseq = 0;
/*
* Start by inventing a random number chosen uniformly from the
* range 2..modulus-1. (We do this by preparing a random number
* of the right length and retrying if it's greater than the
* modulus, to prevent any potential Bleichenbacher-like
* attacks making use of the uneven distribution within the
* range that would arise from just reducing our number mod n.
* There are timing implications to the potential retries, of
* course, but all they tell you is the modulus, which you
* already knew.)
*
* To preserve determinism and avoid Pageant needing to share
* the random number pool, we actually generate this `random'
* number by hashing stuff with the private key.
*/
while (1) {
int bits, byte, bitsleft, v;
random = copybn(key->modulus);
/*
* Find the topmost set bit. (This function will return its
* index plus one.) Then we'll set all bits from that one
* downwards randomly.
*/
bits = bignum_bitcount(random);
byte = 0;
bitsleft = 0;
while (bits--) {
if (bitsleft <= 0) {
bitsleft = 8;
/*
* Conceptually the following few lines are equivalent to
* byte = random_byte();
*/
if (digestused >= lenof(digest512)) {
unsigned char seqbuf[4];
PUT_32BIT(seqbuf, hashseq);
pSHA512_Init(&ss);
SHA512_Bytes(&ss, "RSA deterministic blinding", 26);
SHA512_Bytes(&ss, seqbuf, sizeof(seqbuf));
sha512_mpint(&ss, key->private_exponent);
pSHA512_Final(&ss, digest512);
hashseq++;
/*
* Now hash that digest plus the signature
* input.
*/
pSHA512_Init(&ss);
SHA512_Bytes(&ss, digest512, sizeof(digest512));
sha512_mpint(&ss, input);
pSHA512_Final(&ss, digest512);
digestused = 0;
}
byte = digest512[digestused++];
}
v = byte & 1;
byte >>= 1;
bitsleft--;
bignum_set_bit(random, bits, v);
}
/*
* Now check that this number is strictly greater than
* zero, and strictly less than modulus.
*/
if (bignum_cmp(random, Zero) <= 0 ||
bignum_cmp(random, key->modulus) >= 0) {
freebn(random);
continue;
} else {
break;
}
}
/*
* RSA blinding relies on the fact that (xy)^d mod n is equal
* to (x^d mod n) * (y^d mod n) mod n. We invent a random pair
* y and y^d; then we multiply x by y, raise to the power d mod
* n as usual, and divide by y^d to recover x^d. Thus an
* attacker can't correlate the timing of the modpow with the
* input, because they don't know anything about the number
* that was input to the actual modpow.
*
* The clever bit is that we don't have to do a huge modpow to
* get y and y^d; we will use the number we just invented as
* _y^d_, and use the _public_ exponent to compute (y^d)^e = y
* from it, which is much faster to do.
*/
random_encrypted = modpow(random, key->exponent, key->modulus);
random_inverse = modinv(random, key->modulus);
input_blinded = modmul(input, random_encrypted, key->modulus);
ret_blinded = modpow(input_blinded, key->private_exponent, key->modulus);
ret = modmul(ret_blinded, random_inverse, key->modulus);
freebn(ret_blinded);
freebn(input_blinded);
freebn(random_inverse);
freebn(random_encrypted);
freebn(random);
return ret;
}
static unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen)
{
/*
* The basic DSS signing algorithm is:
*
* - invent a random k between 1 and q-1 (exclusive).
* - Compute r = (g^k mod p) mod q.
* - Compute s = k^-1 * (hash + x*r) mod q.
*
* This has the dangerous properties that:
*
* - if an attacker in possession of the public key _and_ the
* signature (for example, the host you just authenticated
* to) can guess your k, he can reverse the computation of s
* and work out x = r^-1 * (s*k - hash) mod q. That is, he
* can deduce the private half of your key, and masquerade
* as you for as long as the key is still valid.
*
* - since r is a function purely of k and the public key, if
* the attacker only has a _range of possibilities_ for k
* it's easy for him to work through them all and check each
* one against r; he'll never be unsure of whether he's got
* the right one.
*
* - if you ever sign two different hashes with the same k, it
* will be immediately obvious because the two signatures
* will have the same r, and moreover an attacker in
* possession of both signatures (and the public key of
* course) can compute k = (hash1-hash2) * (s1-s2)^-1 mod q,
* and from there deduce x as before.
*
* - the Bleichenbacher attack on DSA makes use of methods of
* generating k which are significantly non-uniformly
* distributed; in particular, generating a 160-bit random
* number and reducing it mod q is right out.
*
* For this reason we must be pretty careful about how we
* generate our k. Since this code runs on Windows, with no
* particularly good system entropy sources, we can't trust our
* RNG itself to produce properly unpredictable data. Hence, we
* use a totally different scheme instead.
*
* What we do is to take a SHA-512 (_big_) hash of the private
* key x, and then feed this into another SHA-512 hash that
* also includes the message hash being signed. That is:
*
* proto_k = SHA512 ( SHA512(x) || SHA160(message) )
*
* This number is 512 bits long, so reducing it mod q won't be
* noticeably non-uniform. So
*
* k = proto_k mod q
*
* This has the interesting property that it's _deterministic_:
* signing the same hash twice with the same key yields the
* same signature.
*
* Despite this determinism, it's still not predictable to an
* attacker, because in order to repeat the SHA-512
* construction that created it, the attacker would have to
* know the private key value x - and by assumption he doesn't,
* because if he knew that he wouldn't be attacking k!
*
* (This trick doesn't, _per se_, protect against reuse of k.
* Reuse of k is left to chance; all it does is prevent
* _excessively high_ chances of reuse of k due to entropy
* problems.)
*
* Thanks to Colin Plumb for the general idea of using x to
* ensure k is hard to guess, and to the Cambridge University
* Computer Security Group for helping to argue out all the
* fine details.
*/
struct dss_key *dss = (struct dss_key *) key;
SHA512_State ss;
unsigned char digest[20], digest512[64];
Bignum proto_k, k, gkp, hash, kinv, hxr, r, s;
unsigned char *bytes;
int nbytes, i;
SHA_Simple(data, datalen, digest);
/*
* Hash some identifying text plus x.
*/
SHA512_Init(&ss);
SHA512_Bytes(&ss, "DSA deterministic k generator", 30);
sha512_mpint(&ss, dss->x);
SHA512_Final(&ss, digest512);
/*
* Now hash that digest plus the message hash.
*/
SHA512_Init(&ss);
SHA512_Bytes(&ss, digest512, sizeof(digest512));
SHA512_Bytes(&ss, digest, sizeof(digest));
SHA512_Final(&ss, digest512);
memset(&ss, 0, sizeof(ss));
/*
* Now convert the result into a bignum, and reduce it mod q.
*/
proto_k = bignum_from_bytes(digest512, 64);
k = bigmod(proto_k, dss->q);
freebn(proto_k);
memset(digest512, 0, sizeof(digest512));
/*
* Now we have k, so just go ahead and compute the signature.
*/
gkp = modpow(dss->g, k, dss->p); /* g^k mod p */
r = bigmod(gkp, dss->q); /* r = (g^k mod p) mod q */
freebn(gkp);
hash = bignum_from_bytes(digest, 20);
kinv = modinv(k, dss->q); /* k^-1 mod q */
hxr = bigmuladd(dss->x, r, hash); /* hash + x*r */
s = modmul(kinv, hxr, dss->q); /* s = k^-1 * (hash + x*r) mod q */
freebn(hxr);
freebn(kinv);
freebn(hash);
/*
* Signature blob is
*
* string "ssh-dss"
* string two 20-byte numbers r and s, end to end
*
* i.e. 4+7 + 4+40 bytes.
*/
nbytes = 4 + 7 + 4 + 40;
bytes = snewn(nbytes, unsigned char);
PUT_32BIT(bytes, 7);
memcpy(bytes + 4, "ssh-dss", 7);
PUT_32BIT(bytes + 4 + 7, 40);
for (i = 0; i < 20; i++) {
bytes[4 + 7 + 4 + i] = bignum_byte(r, 19 - i);
bytes[4 + 7 + 4 + 20 + i] = bignum_byte(s, 19 - i);
}
freebn(r);
freebn(s);
*siglen = nbytes;
return bytes;
}
Bignum *dss_gen_k(const char *id_string, Bignum modulus, Bignum private_key,
unsigned char *digest, int digest_len)
{
/*
* The basic DSS signing algorithm is:
*
* - invent a random k between 1 and q-1 (exclusive).
* - Compute r = (g^k mod p) mod q.
* - Compute s = k^-1 * (hash + x*r) mod q.
*
* This has the dangerous properties that:
*
* - if an attacker in possession of the public key _and_ the
* signature (for example, the host you just authenticated
* to) can guess your k, he can reverse the computation of s
* and work out x = r^-1 * (s*k - hash) mod q. That is, he
* can deduce the private half of your key, and masquerade
* as you for as long as the key is still valid.
*
* - since r is a function purely of k and the public key, if
* the attacker only has a _range of possibilities_ for k
* it's easy for him to work through them all and check each
* one against r; he'll never be unsure of whether he's got
* the right one.
*
* - if you ever sign two different hashes with the same k, it
* will be immediately obvious because the two signatures
* will have the same r, and moreover an attacker in
* possession of both signatures (and the public key of
* course) can compute k = (hash1-hash2) * (s1-s2)^-1 mod q,
* and from there deduce x as before.
*
* - the Bleichenbacher attack on DSA makes use of methods of
* generating k which are significantly non-uniformly
* distributed; in particular, generating a 160-bit random
* number and reducing it mod q is right out.
*
* For this reason we must be pretty careful about how we
* generate our k. Since this code runs on Windows, with no
* particularly good system entropy sources, we can't trust our
* RNG itself to produce properly unpredictable data. Hence, we
* use a totally different scheme instead.
*
* What we do is to take a SHA-512 (_big_) hash of the private
* key x, and then feed this into another SHA-512 hash that
* also includes the message hash being signed. That is:
*
* proto_k = SHA512 ( SHA512(x) || SHA160(message) )
*
* This number is 512 bits long, so reducing it mod q won't be
* noticeably non-uniform. So
*
* k = proto_k mod q
*
* This has the interesting property that it's _deterministic_:
* signing the same hash twice with the same key yields the
* same signature.
*
* Despite this determinism, it's still not predictable to an
* attacker, because in order to repeat the SHA-512
* construction that created it, the attacker would have to
* know the private key value x - and by assumption he doesn't,
* because if he knew that he wouldn't be attacking k!
*
* (This trick doesn't, _per se_, protect against reuse of k.
* Reuse of k is left to chance; all it does is prevent
* _excessively high_ chances of reuse of k due to entropy
* problems.)
*
* Thanks to Colin Plumb for the general idea of using x to
* ensure k is hard to guess, and to the Cambridge University
* Computer Security Group for helping to argue out all the
* fine details.
*/
SHA512_State ss;
unsigned char digest512[64];
Bignum proto_k, k;
/*
* Hash some identifying text plus x.
*/
SHA512_Init(&ss);
SHA512_Bytes(&ss, id_string, strlen(id_string) + 1);
sha512_mpint(&ss, private_key);
SHA512_Final(&ss, digest512);
/*
* Now hash that digest plus the message hash.
*/
SHA512_Init(&ss);
SHA512_Bytes(&ss, digest512, sizeof(digest512));
SHA512_Bytes(&ss, digest, digest_len);
while (1) {
SHA512_State ss2 = ss; /* structure copy */
SHA512_Final(&ss2, digest512);
smemclr(&ss2, sizeof(ss2));
/*
* Now convert the result into a bignum, and reduce it mod q.
*/
proto_k = bignum_from_bytes(digest512, 64);
k = bigmod(proto_k, modulus);
freebn(proto_k);
if (bignum_cmp(k, One) != 0 && bignum_cmp(k, Zero) != 0) {
smemclr(&ss, sizeof(ss));
smemclr(digest512, sizeof(digest512));
return k;
}
/* Very unlikely we get here, but if so, k was unsuitable. */
freebn(k);
/* Perturb the hash to think of a different k. */
SHA512_Bytes(&ss, "x", 1);
/* Go round and try again. */
}
}
