
gabi's People

Contributors

bobhageman, confiks, davidv1992, dependabot[bot], ivard, kidandcat, leonbotros, mhe, sietseringers, synaptic-cleft, weichweich


gabi's Issues

Weak timing side-channel due to Exp/Mul/Gcd

In Go, neither modular exponentiation, multiplication nor gcd is constant time, and thus they can aid an attacker in recovering sensitive information.

In gabi, in most instances there is a random element in the functions using the non-constant-time arithmetic, so if an attacker is only able to invoke and measure the gabi function (for example over the network), the measurements all have considerable noise due to the random elements, and most of the time the sample size is limited to one, since the random element is unique for each invocation. Such an attacker thus has a negligible chance of succeeding. However, an attacker that is hosted on the same CPU and can do more precise measurements targeting only the exp/mul/gcd, without the added noise around them, has a good chance of exploiting this. It is thus recommended to implement (and possibly upstream) constant-time exp/gcd arithmetic.

One instance of timing-sensitive mul is when the modulus n is computed from the issuer's secret key values q' and p' by multiplying them. Since these two values are not needed for anything else, it is recommended to replace them with the calculated value of n, thus eliminating both the multiplication and the storing of them altogether.

Sensitive information is not protected

The secret key of the issuer and the private attributes of the prover are not protected in RAM from being swapped to disk, and they are not sanitized after they are no longer needed; thus they can linger for an attacker with an appropriate info-leak vulnerability to extract. It is recommended to use memguard (https://spacetime.dev/memory-security-go) to store all sensitive information and to limit any kind of exposure to info leaks.

Keyshare server introduces new security issues

  1. The keyshare server can sample statistics about the times a user shows credentials and track the user's IP address.
  2. The keyshare server can act as a target for Denial of Service for all IRMA users.

User Statistics

Each user has one "record" stored at the keyshare server, and this record is accessed every time the user shows their credentials. Thus even an honest-but-curious server can learn when a user shows their credentials. In the worst case this can lead to time-correlation attacks and break anonymity/unlinkability. Furthermore, the keyshare server learns the IP address of the user.

Target for Denial of Service attacks

The keyshare server breaks the decentralization of the protocol and acts as a possible target for DoS attacks, with the result that none of the users would be able to show their credentials.

Private key is world read/write

In ./gabi/keys.go, func (privk *PrivateKey) WriteToFile() writes the private key to a file; permissions are either not set at all or set to 0666, which is very lax.

Recommendation: change the access rights to 0600.

Public keys are world-writeable

In file keys.go:315, in the function func (pubk *PublicKey) WriteToFile(filename string, forceOverwrite bool) (int64, error):

    os.OpenFile(filename, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666)

This makes it trivially easy for an attacker to change the public keys to values controlled by them.

Recommendation: change this to 0644.
