tl;dr Mozilla Firefox prior to version 72 suffers from a Small Subgroup Key Recovery Attack on DH in the WebCrypto API. The Firefox team fixed the issue by completely removing support for DH over finite fields (which is not in the WebCrypto standard). If you find this interesting, read further below.

Premise

In this blog post I assume you are already knowledgeable about Diffie-Hellman over finite fields and related attacks. If not, I recommend reading any cryptography book that covers public key cryptography. Here is a really cool simple explanation by David Wong:

I found a cooler way to explain Diffie-Hellman :D pic.twitter.com/DlPvGwZbto
— David Wong (@cryptodavidw) January 4, 2020

If you want more details about the Small Subgroup Key Recovery Attack on DH, I covered some background in one of my previous posts (OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701)). There is also an academic paper where we examine the issue with more rigor.
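The check whose absence makes this bug class possible, as an added example that is not from the post or from Firefox's code: validating a peer's finite-field DH public value before using it. The group below (p = 607, q = 101) is a constructed toy group chosen because p - 1 has small factors, and the function names are my own.

```python
# Added example (not part of the original post): peer public-value validation
# for finite-field Diffie-Hellman, the check whose absence enables a small
# subgroup key recovery attack. All parameters below are constructed toy values.

# Constructed toy group: p = 607 and q = 101 are prime and p - 1 = 2 * 3 * 101,
# so besides the order-q subgroup that DH should use, Z_p^* also contains
# subgroups of order 2, 3 and 6 whose elements a rogue peer could send.
P = 607
Q = 101


def subgroup_generator(p, q, h=2):
    """Return a generator of the order-q subgroup of Z_p^*, derived from h."""
    g = pow(h, (p - 1) // q, p)
    assert g != 1, "h landed in the trivial subgroup; pick another h"
    return g


def element_of_order(p, order):
    """Find an element of Z_p^* of exactly the given prime order."""
    assert (p - 1) % order == 0
    for h in range(2, p):
        x = pow(h, (p - 1) // order, p)
        if x != 1:  # x^order == 1 and x != 1, so x has order exactly `order`
            return x
    raise ValueError("no element of that order")


def validate_peer_public(y, p, q):
    """Accept y only if it lies in the prime-order-q subgroup (and is not 1)."""
    if not 2 <= y <= p - 2:  # rejects 0, 1 and p - 1 (the order-2 element)
        return False
    return pow(y, q, p) == 1  # subgroup membership test: y^q == 1 mod p


def distinct_shared_secrets(y, p, q):
    """Number of distinct shared secrets y^x mod p over all private keys x."""
    return len({pow(y, x, p) for x in range(1, q)})


if __name__ == "__main__":
    g = subgroup_generator(P, Q)
    y3 = element_of_order(P, 3)
    print("honest value accepted:", validate_peer_public(g, P, Q))
    print("order-3 value rejected:", not validate_peer_public(y3, P, Q))
    print("secrets from the order-3 value collapse to", distinct_shared_secrets(y3, P, Q))
```

With the order-3 element the shared secret can only take three values, which is why a library that skips the y^q check (or, as Firefox did, keeps finite-field DH at all) exposes the private key; real deployments use safe primes or an explicit q and perform the same test.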
Side channel timing attacks against (EC)DSA in RSA BSAFE CVE-2019-3739/CVE-2019-3740 - Project Wycheproof is the AFL for Cryptography
About a year ago I wrote this tweet, and now I can finally justify it:

Project Wycheproof (https://t.co/wBz9P8atHs) is the AFL (https://t.co/JM2l557PZi) of #crypto. Thanks a lot @XorNinja and team (notably including Bleichenbacher) for providing such a powerful tool
— Antonio Sanso (@asanso) April 9, 2018

That is more or less when I found the vulnerabilities discussed in this short post.

Introduction

RSA BSAFE is a FIPS 140-2 validated cryptography library offered by RSA Security (now Dell). After almost a year they just published an advisory containing fixes for two vulnerabilities I found in their Java ECDSA (CVE-2019-3739) and DSA (CVE-2019-3740) implementations. But here comes the sweet part: I shamelessly did not do too much in order to find them. The credit is indeed all due to Project Wycheproof: a project that tests crypto libraries against known attacks, developed and maintained by members of Google Security (notably Daniel Bleichenbacher and Thai Duong).

DSA Inf