IAIK JCE is a provider for the Java Cryptography Extension and has an issue where the way that some of the computations involved in the signature generation are carried out introduce a side channel that leaks timing information about the ephemeral number k.
f5ad1c0c8b85d6c758118f5f39ba83bfe826c49bf267f2a4b522e0fbfd5390a1IAIK JCE is a provider for the Java Cryptography Extension that,
according to the vendor, "supplements the security functionality of
the default JDK". It is a commercial product developed by Stiftung
Secure Information and Communication Technologies:
https://jce.iaik.tugraz.at/about-us/
The way that some of the computations involved in the signature
generation are carried out introduces a side channel that leaks timing
information about the ephemeral number k.
Full details about the vulnerability are available here:
http://sbudella.altervista.org/blog/20200521-iaik-timing.html
Giuseppe Cocomazzi
http://sbudella.altervista.org
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed