Analysis of SM2 Encryption and Decryption Vulnerability in OpenSSL

doi:10.3969/j.issn.1671-1122.2022.11.006

Abstract

Abstract:

OpenSSL is a popular open source library for cryptography. On August 26,2021 a buffer overflow vulnerability was patched in OpenSSL, which is caused by the fact that the buffer size calculated by the SM2 decryption function could be smaller than the actual plaintext size. This paper firstly analyzed the principle of buffer overflow based on the OpenSSL source code, and then analyzed the feasibility of overflow attack according to the overflow principle. Finally this paper designed an experiment to verify the feasibility of overflow attack. It’s concluded that when SM2 decryption function calculates the size of the buffer to accommodate the plaintext, it doesn’t consider the encoding of the points on the elliptic curve, when the encoding length is smaller than the preset length, resulting in the buffer size being smaller than the actual plaintext size. Attacker can obtain appropriate points by exhaustion and further construct appropriate ciphertext for buffer overflow attack according the above feature and can use the same point to perform buffer overflow attacks on SM2 decryptors holding different key pairs.

Key words: OpenSSL, SM2 encryption and decryption interface, buffer overflow, vulnerability analysis

CLC Number:

TP309

LIU Zhenya, LIN Jingqiang. Analysis of SM2 Encryption and Decryption Vulnerability in OpenSSL[J]. Netinfo Security, 2022, 22(11): 47-54.

Figures/Tables 14

References 12

[1]	OpenSSL. OpenSSL Technical Committee: OpenSSL Project[EB/OL]. [2022-05-27]. .
[2]	MITRE Corporation. CVE-2021-3711[EB/OL]. (2021-08-24) [2022-06-16] .
[3]	GM/T 0003. 4-2012. Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves-Part 4: Public Key Encryption Algorithm[S].BeiJing: China Cryptography Administration, 2012.
	GM/T 0003.4-2012. 椭圆曲线公钥密码算法第4部分:公钥加密算法[S]. 北京: 国家密码管理局, 2012.
[4]	DU Wenliang. Computer Security: A Hands-On Approach[M]. BeiJing: Higher Education Press, 2020.
	杜文亮. 计算机安全导论[M]. 北京: 高等教育出版社, 2020.
[5]	MITRE Corporation. CVE-2010-1633[EB/OL]. (2010-06-03)[2022-06-16]. .
[6]	MITRE Corporation. CVE-2016-3959[EB/OL]. (2016-05-23)[2022-06-16]. .
[7]	MITRE Corporation. CVE-2018-0734[EB/OL]. (2018-10-30)[2022-06-16]. .
[8]	MITRE Corporation. CVE-2018-0735[EB/OL]. (2018-10-29)[2022-06-16]. .
[9]	MITRE Corporation. CVE-2021-43570[EB/OL]. (2021-11-09)[2022-06-16]. .
[10]	RANDAL E B, HALLARON D R. Computer Systems: A Programmer’s Perspective Third Edition[M]. BeiJing: China Machine Press, 2016.
	兰德尔, 奥哈拉伦. 深入理解计算机系统[M]. 北京: 机械工业出版社, 2016.
[11]	DHAVAL K. Heap-Exploitation[EB/OL]. [2022-06-16].
[12]	BARKER E, KELSEY J. NIST SP 800-90 A Rev. 1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators[EB/OL]. [2022-06-10]. https://dl.acm.org/doi/book/10.5555/2206302.

参数	值
k	D0FC16B7 3D959BC1 66805B1E 2B6A4498 4B99687A 94062E81 6C9F138F A069939A
x	004F6B14 71481291 A43E0B85 6A219E1A 0DB747BC 8B4DBB7C C5AA9158 1AA504E4
y	116A87CF 7F66BF5D DFEF744A 93AC0936 0EA509FA A1668244 FB9B7DBC E607219C
穷举次数/次	56
穷举时间/s	0.0054

实验次数	穷举次数/次	穷举时间/s
1	82	0.070
2	171	0.140
3	146	0.121
4	70	0.062
5	43	0.042

参数	值
k	A2E52B39 D94CE870 9587FE69 BFA4D7AD 754DFE96 435A1284 40B72BB4 FB57820A
x	003AFCB4 ECA4FF01 8AACCA4D 67E5B7D8 D1BB0071 B90E66F9 606086F5 0D7F0625
y	016653D5 8976D00C 51E7A2AC 6C835D3F 33D4C0BA B68D24DC 24FFC031 50ABEF50
穷举次数/次	13846
穷举时间/s	10.612

参数	值
k	66BC2D4E 6ED17E54 B9F832D4 4E358BA9 A94EC4CE B021BA49 DE070E5E E705F3FC
x	00000279 6C494931 16949F0C BC41EAA8 6816862E 44C93AC5 69D1CA91 90A98366
y	1197820B 6DF502FF 677341F7 DA4B5A4B 227807E1 2C0CE791 057184FE EFF010DE
穷举次数/次	2209316
穷举时间/s	1712.480