sm-crypto Private Key Recovery Vulnerability in SM2 Decryption Logic

Vulnerability

A private key recovery vulnerability has been identified in the SM2 decryption logic of the sm-crypto library, in versions prior to 0.3.14. An attacker who can submit ciphertexts to the SM2 decryption interface and observe the results can fully recover the private key; approximately several hundred interactions are needed to complete the recovery.

Impact

Exploitation of this vulnerability yields the private key itself, which compromises every cryptographic operation relying on that key: an attacker can decrypt any SM2 ciphertext, past or future, produced for the corresponding public key, and can produce SM2 signatures under the key if it is also used for signing.

Reproduction

The vulnerability can be reproduced against a decryption interface that accepts attacker-supplied ciphertexts. Honest use of the library, encrypting data with a public key via the SM2 encryption method and decrypting it with the corresponding private key, shows the interface working as expected; the attack instead submits ciphertexts whose C1 component is chosen by the attacker rather than produced by encryption. The decryption logic uses C1 in its key-dependent computation without validating it, so each crafted ciphertext and its decryption result leaks a small amount of information about the private key. Automating this and repeating it roughly several hundred times recovers the full key. The SM2 decryption algorithm (GB/T 32918.4) requires that C1 be checked before use: it must satisfy the curve equation (step B1), and [h]C1 must not be the point at infinity (step B2); a decryptor that skips these checks is exposed to exactly this kind of manipulation.
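The following is an added example and is not code from sm-crypto or from this advisory. It shows the C1 validation that the SM2 decryption algorithm requires (on-curve check, not the point at infinity, and the full order check [n]C1 = O as defense in depth), why the check matters (the affine group law never references the curve constant b, so arithmetic on an unvalidated C1 silently proceeds on whatever curve the sender chose), and a guard that can be placed in front of an unpatched decrypt routine. The curve constants are the published SM2 recommended parameters. Assumptions: C1 is encoded as 32-byte big-endian x and y with an optional "04" prefix, and `decrypt` in `decryptChecked` is a hypothetical callback standing in for whatever decryption function the application calls.

```javascript
// Added example (not sm-crypto's code): validate the C1 point of an SM2
// ciphertext before it reaches the key-dependent computation [d]C1, as the SM2
// decryption algorithm requires (GB/T 32918.4, steps B1 and B2).
// Curve constants are the published SM2 recommended parameters. The C1 layout
// (optional "04" prefix, then 32-byte big-endian x and y) is an assumption.
const P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFFn;
const A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFCn;
const B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93n;
const N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123n;
const G = {
  x: 0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7n,
  y: 0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0n,
};

const mod = (v, m) => ((v % m) + m) % m;

function modPow(base, exp, m) {
  let r = 1n;
  base = mod(base, m);
  for (; exp > 0n; exp >>= 1n) {
    if (exp & 1n) r = (r * base) % m;
    base = (base * base) % m;
  }
  return r;
}

// p is prime, so Fermat's little theorem gives the inverse.
const modInv = (v) => modPow(v, P - 2n, P);

// Affine group law; null is the point at infinity. The constant B never
// appears in these formulas: they compute "correctly" on any curve
// y^2 = x^3 + A x + B', which is exactly why an unvalidated C1 lets the
// sender move the computation [d]C1 onto a curve of its own choosing.
function pointAdd(p1, p2) {
  if (p1 === null) return p2;
  if (p2 === null) return p1;
  let lam;
  if (p1.x === p2.x) {
    if (mod(p1.y + p2.y, P) === 0n) return null; // p1 = -p2
    lam = mod((3n * p1.x * p1.x + A) * modInv(2n * p1.y), P); // doubling
  } else {
    lam = mod((p2.y - p1.y) * modInv(p2.x - p1.x), P);
  }
  const x3 = mod(lam * lam - p1.x - p2.x, P);
  const y3 = mod(lam * (p1.x - x3) - p1.y, P);
  return { x: x3, y: y3 };
}

// Double-and-add scalar multiplication (validation of public data only, so
// no constant-time requirement here).
function pointMul(k, pt) {
  let acc = null;
  let addend = pt;
  for (; k > 0n; k >>= 1n) {
    if (k & 1n) acc = pointAdd(acc, addend);
    addend = pointAdd(addend, addend);
  }
  return acc;
}

// y^2 == x^3 + A x + b (mod p) for the given curve constant b.
function onCurve(pt, b) {
  if (pt === null) return false;
  if (pt.x < 0n || pt.x >= P || pt.y < 0n || pt.y >= P) return false;
  return mod(pt.y * pt.y, P) === mod(pt.x * pt.x * pt.x + A * pt.x + b, P);
}

// Assumed layout: 128 hex chars (x || y), optionally preceded by "04".
function parseC1(c1Hex) {
  const hex = c1Hex.length === 130 && c1Hex.startsWith('04') ? c1Hex.slice(2) : c1Hex;
  if (hex.length !== 128 || !/^[0-9a-fA-F]+$/.test(hex)) throw new Error('malformed C1');
  return { x: BigInt('0x' + hex.slice(0, 64)), y: BigInt('0x' + hex.slice(64)) };
}

// B1: C1 satisfies the curve equation. B2: [h]C1 is not the point at infinity;
// SM2's cofactor h is 1, so the full order check [n]C1 == O is applied as
// defense in depth.
function isValidC1(pt) {
  return onCurve(pt, B) && pointMul(N, pt) === null;
}

// Attacker-side illustration: a point on the sibling curve
// y^2 = x^3 + A x + (B + 1). It fails isValidC1, yet pointMul accepts it
// and the result stays on that sibling curve, never on SM2's.
// (p = 3 mod 4, so a square root of a residue r is r^((p+1)/4).)
function offCurvePoint() {
  for (let x = 1n; ; x++) {
    const rhs = mod(x * x * x + A * x + B + 1n, P);
    const y = modPow(rhs, (P + 1n) / 4n, P);
    if (mod(y * y, P) === rhs) return { x, y };
  }
}

// Guard to put in front of an unpatched decrypt routine. `decrypt` is a
// hypothetical callback taking the hex ciphertext; c1Len is the number of hex
// chars occupied by C1 at the start of the ciphertext (assumed 128).
function decryptChecked(cipherHex, decrypt, c1Len = 128) {
  if (!isValidC1(parseC1(cipherHex.slice(0, c1Len)))) throw new Error('SM2: rejected invalid C1');
  return decrypt(cipherHex);
}
```

The guard only protects the point passed in; it is a stopgap for callers that cannot upgrade immediately, not a replacement for the fix inside the library, and it must run before the private key is touched in any way.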

Remediation

Users should upgrade to sm-crypto version 0.3.14 or later, where this vulnerability has been patched. Until the upgrade is deployed, treat the decryption interface as an oracle: restrict which parties can submit ciphertexts to it, and reject any ciphertext whose C1 is not a valid point on the SM2 curve (or is the point at infinity) before the private key is used.

Added: Jan 22, 2026, 3:24 AM
Updated: Jan 22, 2026, 3:24 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 7.7
remediation: 0.0
relevance: 2.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.