Executive Summary

This vulnerability exists in the SM2 Public Key Encryption implementation of the RustCrypto elliptic-curves library. Due to a unit mismatch error, the ephemeral nonce 'k' used during encryption is generated with only 32 bits of randomness instead of the intended 256 bits. This happens because the function generating 'k' mistakenly treats a byte length parameter as a bit length, resulting in a severely biased nonce mostly consisting of zeros. This drastically reduces the security level from 128-bit to about 16-bit, making it trivial for an attacker to recover the nonce 'k' and decrypt any ciphertext using only the public key and ciphertext. The flaw allows practical attacks to recover plaintext and potentially the private key. The issue was fixed by replacing the flawed nonce generation with a secure, unbiased method using rejection sampling to generate a proper non-zero scalar 'k'. [1, 3, 4]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a complete loss of confidentiality for any data encrypted using the affected SM2 public key encryption implementation. Because the ephemeral nonce 'k' has drastically reduced entropy, an attacker can efficiently recover 'k' using only the public key and ciphertext. With the recovered nonce, the attacker can decrypt the ciphertext without needing the private key. This compromises the security of encrypted communications, exposing sensitive information to unauthorized parties. The attack is computationally feasible on modern hardware and can be executed within seconds. [1, 4]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by identifying ciphertexts encrypted using the vulnerable SM2PKE implementation that generates ephemeral nonce k with only 32 bits of entropy instead of 256 bits. A practical detection method involves attempting to recover the nonce k from captured ciphertexts using the Baby-Step Giant-Step (BSGS) algorithm over the reduced 2^32 search space. The repository provides a proof-of-concept (PoC) example in `examples/bsgs_recover.rs` demonstrating this attack workflow. To detect the vulnerability on your system, you can run this PoC code against ciphertexts suspected to be generated by the vulnerable versions (0.14.0-pre.0 and 0.14.0-rc.0) of the RustCrypto SM2 library. There are no simple shell commands provided, but running the PoC Rust example is the recommended approach to confirm exploitation of the vulnerability. [4]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading the RustCrypto elliptic-curves library to a version that includes the patch fixing the nonce generation flaw. The patch replaces the flawed `next_k` function with a secure `Generate` trait implementation using `NonZeroScalar::try_generate_from_rng`, ensuring proper 256-bit entropy for the ephemeral nonce k. If upgrading is not immediately possible, avoid using the vulnerable versions (0.14.0-pre.0 and 0.14.0-rc.0) of the SM2 crate for encryption. Additionally, consider re-encrypting any sensitive data encrypted with the vulnerable versions after applying the fix. Monitoring for suspicious decryption attempts using the BSGS attack method is also advised. [1, 3, 4]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability causes a complete loss of confidentiality for all data encrypted with the affected SM2 Public Key Encryption implementation due to severely reduced nonce entropy allowing trivial recovery of plaintext. Such a loss of confidentiality can lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require adequate protection of sensitive data. Therefore, organizations using the vulnerable SM2 implementation risk violating these regulations because encrypted data can be decrypted by attackers without authorization. [4]

Useful 0 Not Useful 0