leif-ibsen / SwiftECC

Swift Elliptic Curve Cryptography (ECIES, ECDSA and ECDH)

Crypto Review Finding #2: Missing validations for ECDSA signature verification

lorenz-loesch-ynx opened this issue

Vulnerability details

The validation of an ECDSA signature is implemented in the PublicKey.swift file in the class ECPublicKey [1]:

The ECDSA procedure is well explained, for example, in Section 4.4.1 "ECDSA" of [2]. The algorithm for verifying such a signature is described in Algorithm 4.30 "ECDSA Signature Verification".

In this implementation, the following validation steps are not performed:

  1. it is not checked whether the two signature values r and s are between 1 and the group order (step 1 in [2])
  2. it is not checked whether the calculated point R (X in [2]) is the far point of the curve (step 6 in [2])

This may lead to an incorrect result in the signature check [3].

Countermeasures

It is essential to complete the specified check steps in the specified function.

References

[1] Source code of the verify function: https://github.com/leif-ibsen/SwiftECC/blob/621c70126966e5c289c4dc0ff801c6282b6baa05/Sources/SwiftECC/PublicKey.swift#L112
[2] D. Hankerson, A. Menezes, S. Vanstone. Guide to Elliptic Curve Cryptography: https://www.springer.com/gp/book/9780387952734
[3] ECDSA Signature Verification Checks: https://crypto.stackexchange.com/a/80252

The missing checks in the verification method are there now since release 1.1.0