On Tuesday, 14 March 2023 02:56:39 CET, Girish Yerra wrote:
Hi Hubert,
Thanks for kindly responding to my queries and sharing. I
appreciate your support.
I have a few follow up questions.
1. Is this issue applicable for non-CRT implementations as well?
Haven't tested but don't see why it wouldn't. CRT affects how modular
exponentiation is performed, not how blinding or serialisation is
performed.
2. What is the number of trials (decryption requests) that an
attacker requires to mount this attack? Is this in the order of
millions/billions?
It hugely depends on the particular attack scenario; the worst case is
practical over the network in less than a day per decryption. Details will
be in the paper.
3. If the blinding is of random value ("r" in a given modulus
range) for each decryption, how does the attacker get meaningful
timing information if the unblinding is not constant time and
keeps changing based on the blinding value? Is unblinding an
expensive operation which shall give meaningful bits when doing
modulus multiplication with "r^-1"? Please correct me if I am
missing any basic math here.
Because while the inputs to the unblinding operation are effectively
random, the output isn't: it will be the same every time the input to the
decryption operation is the same. So the leaks caused by the randomness of
the inputs will average out, but the leaks with regard to the output won't.
And the unblinding operation leaked with respect to the output.
Thanks,
Girish
On Mon, Mar 13, 2023 at 5:12 AM Hubert Kario <hkario@xxxxxxxxxx> wrote:
On Saturday, 11 March 2023 04:10:58 CET, Girish Yerra wrote:
Hi All,
I am not sure if this is the right forum to discuss the aspects
of the CVE. Feel free to close this and point me to the right
forum.
I am looking for some more specific details on the attack
description. I am mainly looking for some of the details and
clarifications.
1. For timing attacks the popular counter measure is to apply
blinding which makes it timing resistant. Does this
countermeasure fail in this case?
While blinding protects against a leaky mod-exp implementation, unblinding
still has to be done in a constant-time manner. That wasn't done.
See some of the discussions in
https://github.com/openssl/openssl/pull/20281
2. What is the order of the trials that an attacker requires to
mount this attack?
Please share any reference paper giving more details of this attack.
We're still working on a paper.
--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
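The following is an added illustration of the point made in the thread (why blinding does not protect the unblinding step); it is not code from the thread, from OpenSSL, or from the authors of the paper. It uses a constructed, insecure toy RSA key (two small primes, named P and Q) so the numbers are readable. It shows that the blinded intermediates change on every call while the unblinded result is fixed by the ciphertext, and contrasts a plaintext-length-dependent serialisation with a fixed-length one of the kind a constant-time unblinding path needs.

```python
# Added example (not from the thread): toy RSA blinding to show why the
# *output* of unblinding is deterministic even though its inputs are random.
import secrets
from math import gcd

# Constructed toy key (hypothetical, insecure): small primes so the numbers
# stay readable. Real keys are 2048+ bits.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (5 here)


def rsa_encrypt(m: int) -> int:
    return pow(m, E, N)


def blinded_decrypt(c: int, r=None) -> dict:
    """Decrypt c with classic multiplicative blinding.

    Returns the intermediate values so the caller can see which ones vary
    with the blinding factor r and which one is fixed by the ciphertext.
    """
    if r is None:
        r = secrets.randbelow(N - 2) + 2
        while gcd(r, N) != 1:             # vanishingly rare for a real key
            r = secrets.randbelow(N - 2) + 2
    r_inv = pow(r, -1, N)
    c_blind = (c * pow(r, E, N)) % N      # random-looking input to mod-exp
    m_blind = pow(c_blind, D, N)          # = m * r mod N, also random-looking
    m = (m_blind * r_inv) % N             # unblinding: depends only on c
    return {"r": r, "blinded_input": c_blind,
            "blinded_output": m_blind, "plaintext": m}


def minimal_encoding(m: int) -> bytes:
    """Encoding whose length depends on the plaintext (leading zero bytes
    dropped). Any code path keyed on len() of this value leaks about m."""
    return m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big")


def fixed_encoding(m: int) -> bytes:
    """Always K bytes regardless of m: the shape a constant-time path needs."""
    return m.to_bytes(K, "big")


def compare_runs(m: int, runs: int = 3) -> dict:
    """Decrypt the same ciphertext several times with fresh blinding factors
    and summarise what changed and what stayed fixed."""
    c = rsa_encrypt(m)
    results = [blinded_decrypt(c) for _ in range(runs)]
    return {
        "plaintexts_all_equal": all(x["plaintext"] == m for x in results),
        "distinct_blinded_outputs": len({x["blinded_output"] for x in results}),
        "min_len": {len(minimal_encoding(x["plaintext"])) for x in results},
        "fixed_len": {len(fixed_encoding(x["plaintext"])) for x in results},
    }


if __name__ == "__main__":
    # Three plaintexts with different byte lengths: the minimal encoding's
    # length tracks the secret, the fixed encoding's length does not.
    for msg in (1, 26729, N - 1):
        print(msg, compare_runs(msg))
```

Running the script shows the same plaintext coming back from every run while the blinded intermediates differ, and `min_len` varying between messages while `fixed_len` stays at 5. The lesson is the one in Hubert's answer: randomising r averages out leaks about the blinded values, but anything whose timing depends on the unblinded result (here, how many leading zero bytes the minimal encoding drops) repeats identically for every decryption of the same ciphertext and therefore does not average out.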