PyCA cryptography
cpe:2.3:a:python-cryptography_project:python-cryptography:*:*:*:*:*:*:*
- <= 46.0.4
A vulnerability exists in the PyCA cryptography library in versions prior to 46.0.5, specifically within the functions public_key_from_numbers, EllipticCurvePublicNumbers.public_key(), load_der_public_key(), and load_pem_public_key(). These functions fail to verify that the provided public key point belongs to the expected prime-order subgroup of the elliptic curve. This lack of validation allows an attacker to introduce a public key point from a small-order subgroup, potentially leading to security issues. The vulnerability affects SECT curves, where an attacker could exploit the weakness in key exchange (ECDH) to leak information about the private key, or in signature verification (ECDSA) to forge signatures.
Exploitation of this vulnerability could result in the leakage of private key information when using ECDH, particularly the least significant bits of the private key for curves with a cofactor greater than one. Additionally, the vulnerability allows for forgery of ECDSA signatures by exploiting weak public keys from small subgroups.
To reproduce this vulnerability, create a public key using a point from a small-order subgroup on a SECT curve. Because the affected functions do not perform subgroup validation, such a point is accepted as a public key. Once the weak public key is generated, it can be used in an ECDH key exchange, which will inadvertently leak parts of the private key. Alternatively, the weak key can be used in ECDSA signature generation, where the lack of subgroup validation can be exploited to forge signatures.
Users are advised to upgrade to PyCA cryptography version 46.0.5 or later, where this vulnerability has been addressed.
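The check that the affected functions skipped, shown as an added illustration (this is not code from PyCA cryptography or from its advisory): a pure-Python full public-key validation for sect163k1, a SECT curve with cofactor 2. The last step, N*Q == O, is what rejects a point that passes the on-curve test but lies outside the prime-order subgroup. The curve constants are sect163k1's public domain parameters from SEC 2; the two test points, the order-2 point (0, 1) and G + (0, 1), are constructed here for the demonstration.

```python
"""Full EC public-key validation on a binary (SECT) curve, pure Python.

Added illustration for the advisory above, not PyCA cryptography code.
Domain parameters: sect163k1 (SEC 2 v2.0, section 3.1.1), cofactor 2.
"""

M = 163                                                 # field degree, GF(2^163)
POLY = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1  # x^163 + x^7 + x^6 + x^3 + 1
A = 1                                                   # curve: y^2 + x*y = x^3 + A*x^2 + B
B = 1
G = (0x02FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8,      # base point
     0x0289070FB05D38FF58321F2E800536D538CCDAA3D9)
N = 0x04000000000000000000020108A2E0CC0D99F8A5EF        # prime order of G
H = 2                                                   # cofactor: the curve has 2*N points

INF = None  # point at infinity


def gf_mul(x, y):
    """Multiply in GF(2^163): carry-less product reduced modulo POLY."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> M:
            x ^= POLY
    return r


def gf_inv(x):
    """Invert in GF(2^163) with the binary extended Euclidean algorithm."""
    if x == 0:
        raise ZeroDivisionError("0 has no inverse")
    u, v, g1, g2 = x, POLY, 1, 0
    while u != 1:
        j = u.bit_length() - v.bit_length()
        if j < 0:
            u, v, g1, g2, j = v, u, g2, g1, -j
        u ^= v << j
        g1 ^= g2 << j
    return g1


def on_curve(P):
    """True if y^2 + x*y == x^3 + A*x^2 + B."""
    x, y = P
    x2 = gf_mul(x, x)
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(x2, x) ^ gf_mul(A, x2) ^ B


def add(P, Q):
    """Affine point addition/doubling on the binary curve."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        # Q == -P (same x, different y), or P is the order-2 point (0, sqrt(B)).
        if y1 != y2 or x1 == 0:
            return INF
        lam = x1 ^ gf_mul(y1, gf_inv(x1))             # doubling
        x3 = gf_mul(lam, lam) ^ lam ^ A
        y3 = gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3)
    else:
        lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))        # general addition
        x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
        y3 = gf_mul(lam, x1 ^ x3) ^ x3 ^ y1
    return (x3, y3)


def mul(k, P):
    """Double-and-add scalar multiplication (not constant-time; used only for validation here)."""
    R = INF
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R


def is_valid_public_key(Q):
    """Full public-key validation (SEC 1, section 3.2.2): not O, in-range
    coordinates, on the curve, and N*Q == O. The last step is the subgroup
    check the advisory describes as missing; with H > 1 a point can be on the
    curve yet outside the prime-order subgroup."""
    if Q is INF:
        return False
    x, y = Q
    if not (0 <= x < (1 << M) and 0 <= y < (1 << M)):
        return False
    if not on_curve(Q):
        return False
    return mul(N, Q) is INF


def ecdh_shared_point(d, peer_Q):
    """ECDH that validates the peer's point before multiplying by the private scalar."""
    if not is_valid_public_key(peer_Q):
        raise ValueError("peer public key failed subgroup validation")
    return mul(d, peer_Q)


# Constructed test points: (0, sqrt(B)) = (0, 1) has order 2, and G + (0, 1)
# has order 2*N, so both are on the curve but outside the subgroup of G.
SMALL_ORDER_POINT = (0, 1)
OUTSIDE_SUBGROUP = add(G, SMALL_ORDER_POINT)

if __name__ == "__main__":
    for name, P in (("G", G), ("(0,1)", SMALL_ORDER_POINT), ("G+(0,1)", OUTSIDE_SUBGROUP)):
        print(f"{name}: on_curve={on_curve(P)} valid={is_valid_public_key(P)}")
```

Both constructed points pass `on_curve`, so an implementation that stops at the curve equation accepts them; only the `N*Q == O` step rejects them. This is the distinction the advisory draws for curves with a cofactor greater than one.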