Re: Clarifications on RSA timing attack CVE-2022-4304

On Tuesday, 14 March 2023 02:56:39 CET, Girish Yerra wrote:
Hi Hubert,
Thanks for kindly responding to my queries and sharing. I appreciate your support.

I have a few follow up questions.

1. Is this issue applicable for non-CRT implementations as well?

Haven't tested, but don't see why it wouldn't. CRT affects how modular
exponentiation is performed, not how blinding or serialisation is performed.

2. What is the number of trials (decryption requests) that an attacker requires to mount this attack? Is this in the order of millions/billions?

It hugely depends on the particular attack scenario; the worst case is practical over a network in less than a day per decryption. Details will be in the paper.

3. If the blinding is of a random value ("r" in a given modulus range) for each decryption, how does the attacker get meaningful timing information if the unblinding is not constant time and keeps changing based on the blinding value? Is unblinding an expensive operation which shall give meaningful bits when doing modular multiplication with "r^-1"? Please correct me if I am missing any basic math here.

Because while the inputs to the unblinding operation are effectively random, the output isn't: it will be the same every time the input to the decryption
operation is the same. So the leaks caused by the randomness of the inputs
will average out, but the leaks with regards to the output won't.

And the unblinding operation leaked with respect to the output.

Thanks,
Girish

On Mon, Mar 13, 2023 at 5:12 AM Hubert Kario <hkario@xxxxxxxxxx> wrote:
On Saturday, 11 March 2023 04:10:58 CET, Girish Yerra wrote:
Hi All,
I am not sure if this is the right forum to discuss the aspects of the CVE. Feel free to close this and point me to the right forum.

I am looking for some more specific details on the attack description. I am mainly looking for some of the details and clarifications.

1. For timing attacks the popular counter measure is to apply blinding which makes it timing resistant. Does this countermeasure fail in this case?

While blinding protects against a leaky mod-exp implementation, unblinding
still has to be done in constant time manner. That wasn't done.
See some of the discussions in https://github.com/openssl/openssl/pull/20281

2. What is the order of the trials that an attacker requires to mount this attack?

Please share any reference paper giving more details of this attack.

We're still working on a paper.


--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
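As an added illustration of Hubert's point about blinding (this is not part of the thread and not OpenSSL's code), the toy RSA below blinds the ciphertext with a random r, exponentiates, and unblinds. Every intermediate value is randomised, but the unblinded output is the same for every decryption of the same ciphertext, so a cost that depends on the output (modelled here as the minimal encoding length of the number, standing in for a non-constant-time serialisation) is identical on every run and does not average away, whereas the same cost measured on the blinded intermediate scatters across random values. Switching to a fixed-length serialisation makes both costs a single constant. The small primes, the cost model and the function names are constructed for this example.

```python
"""Toy demonstration: blinding randomises the exponentiation input, not the output.

Constructed example; the primes are tiny and the "cost" functions are a model of
a serialisation step, not a measurement of any real library.
"""
import math
import random

# Constructed toy key (small primes chosen for readability; not a real key).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes


def blinded_decrypt(c, rng=random):
    """Textbook RSA decryption with base blinding.

    Returns (m, m_blind). The exponentiation only ever sees c * r^e mod N,
    which is uniformly random, but unblinding (multiplying by r^-1) always
    lands on the same value c^d mod N for a given c.
    """
    while True:
        r = rng.randrange(2, N)
        if math.gcd(r, N) == 1:
            break
    c_blind = (c * pow(r, E, N)) % N
    m_blind = pow(c_blind, D, N)          # randomised intermediate
    m = (m_blind * pow(r, -1, N)) % N     # deterministic output
    return m, m_blind


def variable_length_cost(x):
    """Leak model for a non-constant-time serialisation: the work done
    scales with the minimal encoding length of x, so it depends on x."""
    return x.bit_length()


def fixed_length_cost(x):
    """Leak model for a constant-time serialisation: always encode the full
    modulus length (K bytes), whatever the value of x."""
    return len(x.to_bytes(K, "big")) * 8


def observed_costs(c, cost, trials=500, seed=1):
    """Decrypt c `trials` times with fresh blinding and collect the cost of the
    blinded intermediate and of the unblinded output as two sets.

    A set with one element means the cost was identical on every run.
    """
    rng = random.Random(seed)
    intermediate, output = set(), set()
    for _ in range(trials):
        m, m_blind = blinded_decrypt(c, rng)
        assert m == pow(c, D, N)          # blinding never changes the result
        intermediate.add(cost(m_blind))
        output.add(cost(m))
    return intermediate, output


if __name__ == "__main__":
    c = pow(42, E, N)                     # ciphertext of a short message
    for name, cost in (("variable-length", variable_length_cost),
                       ("fixed-length", fixed_length_cost)):
        inter, out = observed_costs(c, cost)
        print(f"{name}: intermediate costs {sorted(inter)}, output costs {sorted(out)}")
```

With the variable-length model the intermediate cost takes many values (the randomness of r), while the output cost is a single value determined by the plaintext; with the fixed-length model both collapse to one constant, which is the property a constant-time unblinding and serialisation path has to provide.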




