disable BLISS for known side-channel attack

Bug #1866765 reported by Christian Ehrhardt 
Affects: strongswan (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

While enabling NTRU (that was ok) I thought I should also enable BLISS which is for the same post-quantum use cases. See bug 1863749.

But I got some info from upstream there:
Tobias Brunner (tobias-strongswan) wrote on 2020-03-05: #14
Enabling the bliss Plugin is probably not such a good idea. There is a potential local side-channel attack on strongSwan's BLISS implementation (https://eprint.iacr.org/2017/505).

The ntru plugin should be fine. However, using NTRU with IKEv2 is not standardized (uses algorithm identifiers from the private use range etc.).

Multiple IKEv2 protocol extensions are currently being developed, for instance, additional exchanges to use fragmentation during the key exchange or using multiple and more generic key exchanges, in particular, post-quantum key encapsulation mechanisms (KEM, of which most have quite large public keys). The latter (plus signature algorithms) are currently being standardized by NIST (https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization) and versions of NTRU are among the contenders in round 2 (https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions). BLISS is not, but CRYSTALS-DILITHIUM is designed by the same people. It might be a while until strongSwan supports the protocol extensions (there is a branch with a partial implementation) and especially the new algorithms (we currently use the liboqs library in said branch, https://github.com/open-quantum-safe/liboqs/).

---

Based on that let's drop BLISS again and keep just NTRU.

Christian Ehrhardt  (paelzer) wrote :

Just four days in the past this was disabled and we will now disable it again.
Let's keep the release team working on important things and not file an FFe (again) for changing this.

Changed in strongswan (Ubuntu):
status: New → Triaged
importance: Undecided → High
Christian Ehrhardt  (paelzer) wrote :

FYI uploaded to focal.

Changed in strongswan (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 5.8.2-1ubuntu3

---------------
strongswan (5.8.2-1ubuntu3) focal; urgency=medium

  * Reverting part of 5.8.2-1ubuntu2 changes to remove BLISS again as
    there is a potential local side-channel attack on strongSwan's BLISS
    implementation (https://eprint.iacr.org/2017/505). (LP: #1866765)

 -- Christian Ehrhardt <email address hidden> Tue, 10 Mar 2020 07:56:56 +0100

Changed in strongswan (Ubuntu):
status: Fix Committed → Fix Released