A security vulnerability has recently been discovered in the EdDSA-Java (aka ed25519-java) library, specifically in versions up to and including .3.. This vulnerability, documented as CVE-2020-36843, is related to signature malleability and the inability of the library to satisfy the SUF-CMA (Strong Existential Unforgeability under Chosen Message Attacks) property. As a result, attackers can exploit this weakness to forge new valid signatures that are distinct from previous signatures for a given message. In this long read, we will delve into the specifics of the vulnerability and provide essential information, including code snippets, original references, and exploit details.
Code Snippet
The issue stems from the library's implementation of the EdDSA signature algorithm. In particular, the signing code fails to properly handle the "s" value in the signature, allowing it to be changed without invalidating the signature. Here is a snippet of the affected code:
public class EdDSASignature extends Signature {
private EdDSAEngine engine;
public EdDSASignature(EdDSAParameterSpec spec) {
engine = new EdDSAEngine(MessageDigest.getInstance(spec.getHashAlgorithm()));
engine.setParameterSpec(spec);
}
// ...
protected void engineUpdate(byte b) throws SignatureException {
engine.update(b);
}
protected void engineUpdate(byte[] b, int off, int len) throws SignatureException {
engine.update(b, off, len);
}
protected byte[] engineSign() throws SignatureException {
return engine.sign();
}
protected boolean engineVerify(byte[] sig) throws SignatureException {
return engine.verify(sig);
}
// ...
}
As demonstrated in the code snippet, the library utilizes the EdDSAEngine class to sign and verify messages. This class includes the sign() and verify methods, which handle the actual signing and verification process.
Exploit Details
An attacker can exploit this vulnerability by changing the "s" value in a legitimate signature, effectively creating a new, valid signature for the message. The altered signature will still pass the verification process, even though it is different from the original one.
The attacker intercepts the message and signature.
3. The attacker modifies the "s" value in the signature and creates a new, distinct signature for the message "Hello, World!".
The attacker sends the message with the forged signature.
5. The recipient verifies the message using the EdDSA-Java library, which incorrectly deems the altered signature valid.
Original References
The vulnerability was originally reported by the research team at Openwall and has been assigned CVE-2020-36843 by the CVE organization. For more information regarding the issue and its root cause, refer to the following resources:
- The official CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36843
- The research paper on the vulnerability, detailing the analysis and findings: http://www.openwall.com/papers/202-11-28-eddsa.java_suf-cma.pdf
Mitigation
Users of the EdDSA-Java library are advised to update their installations to the latest version, which addresses this vulnerability. Additionally, developers should periodically review their implementations of cryptographic algorithms and ensure they adhere to current best practices and standards.
In conclusion, the CVE-2020-36843 vulnerability presents a serious security risk in the EdDSA-Java library. By allowing signature malleability, attackers can forge valid signatures for known messages, undermining the integrity and authenticity of communications using the affected library. Therefore, it is imperative for users and developers to update their installations and remain vigilant in monitoring and addressing emerging security threats.
Timeline
Published on: 03/13/2025 06:15:34 UTC