ed25519-dalek PK Oracle #1360

Closed
pinkforest opened this issue Aug 14, 2022 · 2 comments · Fixed by #1744
Labels
crypto Crypto lib notice

Comments

@pinkforest
Contributor

pinkforest commented Aug 14, 2022

EDIT: This issue was about both the PK oracle in pub API as well as maintenance issue - Maintenance status was / has been resolved but older versions still have PK oracle where we should nudge people to bump.

NOTE: This does NOT necessarily mean the crypto on ed25519-dalek is inherently broken or insecure as of now

e.g. Depending on how we classify / see broken / insecure - people often see crypto-failure where pub API was not misused

Nonetheless facts -

6,821,009 downloads all time - 12k per day

Major downstream include ed25519, libp2p-core, solana-runtime, solana-sdk, signatory, lettre, ..

Crate has not had new publish in two years - EDIT: Release imminent.
https://crates.io/crates/ed25519-dalek

There may be a potential PrivateKey exposure that relies on public API misuse:

Considering the above alone it might be feasible to flag Notice on this at least.

Crates ed25519 and Signatory are downstream high level / proxies for this

@pinkforest pinkforest added Unmaintained Informational / Unmaintained cryptographic failure breakage in cryptographic confidentiality or authenticity labels Aug 14, 2022
@pinkforest pinkforest changed the title ed25519-dalek Maintenance status ed25519-dalek Status Aug 14, 2022
@pinkforest pinkforest added crypto Crypto lib notice and removed cryptographic failure breakage in cryptographic confidentiality or authenticity labels Aug 14, 2022
@pinkforest pinkforest changed the title ed25519-dalek Status ed25519-dalek Status Aug 27, 2022
@tarcieri
Member

It’s maintained now

@pinkforest pinkforest reopened this Dec 9, 2022
@pinkforest
Contributor Author

pinkforest commented Dec 9, 2022

This is also a notice about older versions being vulnerable, not just a maintenance issue.
I will keep open until the fix and advisory is merged to track it.
I've also edited to reflect the issue that it is solely now for the PK oracle which probably still should have a notice.

@pinkforest pinkforest reopened this Dec 9, 2022
@pinkforest pinkforest changed the title ed25519-dalek Status ed25519-dalek PK Oracle Dec 9, 2022
@pinkforest pinkforest removed the Unmaintained Informational / Unmaintained label Dec 9, 2022