Hello 👋
I'm Emil, Security Engineer at Wire (github.com/wireapp), an E2EE secure messenger. We recently conducted a security audit of our core-crypto library, which implements the MLS standard, and the external researchers found an issue in the P256 + RFC6979 implementation leading to non-conforming signatures.
private key = 1888cb732fea4353451b856e4f2c0715163bcf4bb7788ab44f70ef9ff9727167
message = 049a27b521c74e81
Expected signature:
9ac51396b0c8d0a5a082b5d88b45760504c1e7c8ba1a49e8b40f4098ac74c757563050ecbfc45165503f9ef57b3039baae0000d6eebcecd922bb280b35d2db79
Actual signature using p256 version 0.13.2:
5dcd6baac9e02e2351763333d40d73157d4fee343954c7a380c7fb688f9ef9609f473dcdbc0fbc2bcf020ac3cf5eeed9d88634c0014419a0bdc4c0f88341ca57
This seems to have been fixed in p256 0.14.0-pre.0 which produces the correct signature.
Since this doesn't have security implications for Wire but might have implications for other users, I'd suggest investigating the implementation.
Cheers & thank you for your work <3
PS: A more detailed writeup is available to @tarcieri