AnsweredAssumed Answered

weakness in the signature algorithms on non-accelerated hardware in the cryptographic library

Question asked by jose.luu on Aug 25, 2017
Latest reply on Aug 25, 2017 by Clive One

Hi all,


The signature algorithms (DSA or ECDSA) all require a random number. If this random number can be guessed, the signature becomes weak and the private key can be recovered (cf. the Sony PS3 signature affair).


It seems that this random number cannot be set at signature time (functions RSA_PKCS1v15_Sign
 or  ECDSAsign) and the the security in non hardware-RNG mode likely relies on the pseudo-random generator and on its initialization (as this is usually difficult to get properly done).


It would be a nice improvement to the library to add this capability via an extra argument, as one could use a value like HMAC(message,priv_key) as this is done in ED25519 and in some systems.


Does anyone has experience with the quality of the signatures in the different modes (hardware and firmware RNG) ?