Re: Clarifications on RSA timing attack CVE-2022-4304

Hi Hubert,
Thanks for kindly responding to my queries and sharing. I appreciate your support.

I have a few follow-up questions.

1. Is this issue applicable to non-CRT implementations as well?
2. What is the number of trials (decryption requests) that an attacker requires to mount this attack? Is this on the order of millions/billions?
3. If the blinding is of a random value ("r" in a given modulus range) for each decryption, how does the attacker get meaningful timing information if the unblinding is not constant time and keeps changing based on the blinding value? Is unblinding an expensive operation which will give meaningful bits when doing modular multiplication with "r^-1"? Please correct me if I am missing any basic math here.

Thanks,
Girish

On Mon, Mar 13, 2023 at 5:12 AM Hubert Kario <hkario@xxxxxxxxxx> wrote:
On Saturday, 11 March 2023 04:10:58 CET, Girish Yerra wrote:
> Hi All,
> I am not sure if this is the right forum to discuss the aspects
> of the CVE. Feel free to close this and point me to the right
> forum.
>
> I am looking for some more specific details on the attack
> description. I am mainly looking for some of the details and
> clarifications.
>
> 1. For timing attacks the popular counter measure is to apply
> blinding which makes it timing resistant. Does this
> countermeasure fail in this case?

While blinding protects against a leaky mod-exp implementation, unblinding
still has to be done in a constant-time manner. That wasn't done.
See some of the discussions in
https://github.com/openssl/openssl/pull/20281

> 2. What is the order of the trials that an attacker requires to
> mount this attack ?
>
> Please share any reference paper giving more details of this attack.

We're still working on a paper.

--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
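Added illustration, not part of the thread above and not OpenSSL code: the blinding and unblinding steps that Hubert's reply refers to, written out in textbook RSA with Python integers. The key is a constructed toy (two small Mersenne primes) so the arithmetic is easy to follow, and nothing in it is constant time; Python big-integer arithmetic is not, and the purpose is only to make visible which values the unblinding multiply operates on.

```python
"""Textbook RSA decryption with base blinding (added example, toy parameters).

Blinding multiplies the attacker-chosen ciphertext c by r^e before the private
mod-exp, so the exponentiation runs on a value the attacker does not control.
Afterwards the result m*r must be multiplied by r^-1 to recover m. That
unblinding step takes secret-dependent inputs, so its implementation must not
leak through timing either. This code is NOT constant time; it only shows the
steps.
"""
import math
import secrets
from typing import Optional, Tuple

# Constructed toy key: small Mersenne primes, NOT a secure key size.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent (modular inverse, Python 3.8+)
K = (N.bit_length() + 7) // 8  # fixed output length in bytes (I2OSP)


def encrypt(m: int) -> int:
    """Public operation: c = m^e mod N."""
    return pow(m, E, N)


def decrypt_unblinded(c: int) -> int:
    """Plain private mod-exp on the attacker-chosen c (no blinding)."""
    return pow(c, D, N)


def fresh_blinding_factor() -> int:
    """Random r in [2, N) with gcd(r, N) == 1, drawn per decryption."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r


def decrypt_blinded(c: int, r: Optional[int] = None) -> Tuple[int, int, int]:
    """Blinded private operation.

    Returns (m, c_blinded, m_blinded) so the intermediates can be inspected.
    A fixed r may be passed in for testing; production code draws a fresh one.
    """
    if r is None:
        r = fresh_blinding_factor()

    # 1. Blind: the mod-exp now sees c * r^e, unrelated to the attacker's c.
    c_blinded = (c * pow(r, E, N)) % N

    # 2. Private mod-exp on the blinded value: (c * r^e)^d == m * r (mod N).
    m_blinded = pow(c_blinded, D, N)

    # 3. Unblind: m = (m * r) * r^-1 mod N.  Both operands are secret-dependent,
    #    so in a real implementation this multiply-and-reduce must be constant
    #    time as well; blinding alone does not cover it.
    r_inv = pow(r, -1, N)
    m = (m_blinded * r_inv) % N
    return m, c_blinded, m_blinded


def to_fixed_width(m: int) -> bytes:
    """Encode the recovered integer at the modulus width (I2OSP).

    A variable-length encoding that drops leading zero bytes would make the
    output length, and the work done to produce it, depend on the value of m.
    """
    return m.to_bytes(K, "big")
```

Usage: `decrypt_blinded(encrypt(m))[0] == m` for any `0 <= m < N`; the returned intermediates let you confirm that `c_blinded` is `c * r^e mod N` and `m_blinded` is `m * r mod N`, i.e. the mod-exp never operates directly on the attacker's ciphertext while the unblinding multiply does operate on `m * r`.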

