Date: Thu, 10 Jul 2014 14:28:08 +0200 From: Florian Weimer <fweimer@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: GnuPG computation error checks On 07/10/2014 01:26 PM, Solar Designer wrote: > There was a discussion in 2001 and patches by Florian Weimer to add > extra checks into GnuPG's cipher/rsa.c: check_secret_key() and rsa_sign(): Wow, that was a long time ago. > Given the improved RSA side-channel attack understanding and the > countermeasures added to deal with CVE-2013-4242 and CVE-2013-4576 > (cache timing and acoustic side-channels) in GnuPG, are Florian's added > checks still safe to have, or are they possibly vulnerable to > side-channel leaks on their own? check_secret_key() does perform a very > basic sanity check on the secret key even without Florian's patch, and > this might be a side-channel leak concern too, but Florian's checks are > (purposefully) much more extended The check_secret_key() could be problematic from a side-channel perspective, yes, particularly since mpi_gcd is unlikely to be hardened against such attacks. It might be possible to come up with equivalent checks that are safer, but I'm not sure if that's worth the effort. > and include a check in rsa_sign() as > well (more susceptible since it involves dealing with changing and > possibly attacker-chosen data rather than only with the secret key?) rsa_sign only uses the public exponent (sk.e) and the signature (resarr). It does leak those bits, but I'm not sure if we consider side-channel attacks on RSA *verification* (recovering signatures, document hashes, or public keys—not private key material) as vulnerabilities. I believe OpenSSL has a similar safety check, see RSA_eay_mod_exp() in crypto/rsa/rsa_eay.c. There was some paper about it, but I think it involved deliberately faulty hardware, so it doesn't really count, IMHO. -- Florian Weimer / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ