A Poly1305 Timing Attack

In early 2019, I found a CVE in the Java Development Kit. This CVE was assigned the number CVE-2019-2818.

The vulnerability is a timing attack in Java's implementation of the ChaCha20-Poly1305 cipher. The Poly1305 mac verification function was comparing tags using a function that was not constant time. This type of timing attack is a classic mistake, and it serves as a great example of how difficult it can be to get cryptographic code right.

Here is the commit that fixes the issue.

Report Timeline

• March 20, 2019: Initial report. A response from the AdoptOpenJDK representative came quickly, and the issue was escalated into an internal bug tracker.
• April 3, 2019: Issue fixed on an internal repository.
• July 16, 2019: Java 11.0.4 released with the fix.