Skip to content

CVE‐2020‐15522

David Hook edited this page May 10, 2024 · 1 revision

Issue affecting: BC-FJA 1.0.0, BC-FJA 1.0.1, BC-FJA 1.0.2, BC 1.65 or earlier. BC C# .NET 1.8.6 or earlier, BC-FNA 1.0.1.

Fixed versions: BC-FJA 1.0.1.2, BC-FJA 1.0.2.1 and later, BC 1.66 or later, BC-FNA 1.0.1.1 and later, BC C# .NET 1.8.7 or later.

Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA 1.0.0, 1.0.1, and 1.0.2, and BC-FNA 1.0.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.

See "Yet another GCD based inversion side-channel affecting ECC implementations" by Nir Drucker and Shay Gueron.

If timing issues are a consideration for you, we would recommend moving to more recent releases of the BC APIs for Java and C# as the issue is now addressed in both the BC general releases for Java and C# as well as the FIPS releases for Java and C#.

It is possible to work around this issue in earlier versions by doing your own blinding for deterministic ECDSA if you need to. An example of how the blinding is done can be found in Org.BouncyCastle.Math.EC.ECPoint.cs

https://github.com/bcgit/bc-csharp/blob/196bbb0190164b985580d8c4465f6f10f2306bca/crypto/src/math/ec/ECPoint.cs#L243

Clone this wiki locally