summaryrefslogtreecommitdiffstats
path: root/moon-abe/pbc-0.5.14/doc/security.txt
blob: c59cf4ba9cddff01a5d1dd1692e2e2a2cf70be40 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
== Security issues ==

Potential problems for the paranoid.

*Truncated hashes*

For points on an elliptic curve over the base field, +element_from_hash()+
will truncate the input hash until it can represent an x-coordinate in that
field. (PBC then computes a corresponding y-coordinate.) Ideally the hash
length should be smaller than size of the base field and also the size of the
elliptic curve group.

Hashing to elements in field extensions does not take advantage of the fact
that the extension has more elements than the base field. I intend to rewrite
the code so that for a degree n extension code, PBC splits the hash into n
parts and determine each polynomial coefficient from one ofthe pieces. At the
moment every coefficient is the same and depends on the whole hash.

This is harmless for the base field, because all the pairing types implemented
so far use an integer mod ring as the base field, rather than an extension of
some low characteristic field.

*Zeroed memory*

Unlike OpenSSL, there are no functions to zero memory locations used in
sensitive computations. To some extent, one can use +element_random()+ to
overwrite data.

*PRNG determinism*

On platforms without `/dev/urandom` PBC falls back on a deterministic
pseudo-random number generator, except on Windows where it attempts to
use the Microsoft Crypto API.

Also, `/dev/urandom` differs from `/dev/random`. A quote from its manpage:

____
A  read  from  the  /dev/urandom device will not block waiting for more
entropy.  As a result, if  there  is  not  sufficient  entropy  in  the
entropy  pool,  the  returned  values are theoretically vulnerable to a
cryptographic attack on the algorithms used by the  driver.   Knowledge
of how to do this is not available in the current non-classified literature,
but it is theoretically possible that such an attack may  exist.
If this is a concern in your application, use /dev/random instead.
____