Vulnerability Note VU#536044

OpenSSL leaks ECDSA private key through a remote timing attack

Original Release date: 17 May 2011 | Last revised: 01 Jun 2011


The OpenSSL ladder implementation for scalar multiplication of points on elliptic curves over binary fields is susceptible to a timing attack vulnerability. This vulnerability can be used to steal the private key of a TLS server that authenticates with ECDSA signatures and binary curves.


Billy Bob Brumley's and Nicola Tuveri's paper "Remote Timing Attacks are Still Practical" states:

"For over two decades, timing attacks have been an active area of research within applied cryptography. These attacks exploit cryptosystem or protocol implementations that do not run in constant time. When implementing an elliptic curve cryptosystem that provides side-channel resistance, the scalar multiplication routine is a critical component. In such instances, one attractive method often suggested in the literature is Montgomery’s ladder that performs a fixed sequence of curve and field operations.

This paper describes a timing attack vulnerability in OpenSSL's ladder implementation for curves over binary fields. We use this vulnerability to steal the private key of a TLS server where the server authenticates with ECDSA signatures. Using the timing of the exchanged messages, the messages themselves, and the signatures, we mount a lattice attack that recovers the private key."


A remote attacker can retrieve the private key of a TLS server that authenticates with ECDSA signatures and binary curves.


We are currently unaware of a practical solution to this problem.

Do not use ECDSA signatures and binary curves for authentication.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
OpenSSLAffected29 Mar 201111 May 2011
Apache-SSLUnknown21 Apr 201121 Apr 2011
Apple Inc.Unknown10 May 201110 May 2011
CentOSUnknown10 May 201110 May 2011
Debian GNU/LinuxUnknown10 May 201110 May 2011
FreeBSD ProjectUnknown10 May 201110 May 2011
Gentoo LinuxUnknown10 May 201110 May 2011
Mandriva S. A.Unknown10 May 201110 May 2011
NetBSDUnknown10 May 201110 May 2011
Red Hat, Inc.Unknown10 May 201110 May 2011
Slackware Linux Inc.Unknown10 May 201110 May 2011
SUSE LinuxUnknown10 May 201110 May 2011
UbuntuUnknown10 May 201110 May 2011
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



Thanks to Billy Brumley for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2011-1945
  • Date Public: 17 May 2011
  • Date First Published: 17 May 2011
  • Date Last Updated: 01 Jun 2011
  • Severity Metric: 0.13
  • Document Revision: 13


If you have feedback, comments, or additional information about this vulnerability, please send us email.