Date: Wed, 2 Sep 2015 16:08:43 +0200
From: Florian Weimer <fweimer@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Factoring RSA Keys With TLS Perfect Forward Secrecy

It turns out that Lenstra's 1996 side-channel attack on the RSA-CRT
optimization still works against some TLS servers:

<https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/>
<https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf>

Fortunately, none of the key leaks were attributed to publicly available
free software. OpenSSL upstream and NSS already have RSA-CRT hardening.
OpenJDK was updated in April 2015, as CVE-2015-0478.

libgcrypt upstream received the hardening very recently:

<http://lists.gnupg.org/pipermail/gcrypt-devel/2015-September/003553.html>

For Go, I opened an issue:

<https://github.com/golang/go/issues/12453>

Nettle would also benefit from RSA-CRT hardening. I started a discussion
here:

<http://thread.gmane.org/gmane.comp.encryption.nettle.bugs/1359>

I don't think CVE assignments are needed (although the OpenJDK hardening
received one).

-- 
Florian Weimer / Red Hat Product Security
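The "RSA-CRT hardening" the post refers to is the verify-before-release check: after computing a signature with the CRT shortcut, the signer re-checks it against the public exponent and, if the check fails, discards the value and recomputes without CRT. The block below is an added illustration written for this archive page; it is not code from Florian Weimer's post nor from OpenSSL, NSS, OpenJDK, libgcrypt, Go or Nettle. The primes, message and the `fault` test hook are constructed for the example, and PKCS#1 padding is omitted.

```python
# Added example: RSA-CRT signing with verify-before-release hardening.
# Not from the post above or from any of the libraries it names.
# Key sizes are toy-sized so the script runs instantly; real keys use
# 2048-bit primes and PKCS#1 padding, both left out here.

from dataclasses import dataclass


@dataclass(frozen=True)
class RsaKey:
    n: int
    e: int
    d: int
    p: int
    q: int
    dp: int    # d mod (p-1)
    dq: int    # d mod (q-1)
    qinv: int  # q^-1 mod p  (Garner recombination constant)


def make_key(p: int, q: int, e: int = 65537) -> RsaKey:
    """Derive the full CRT key from two primes (constructed demo values)."""
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # requires gcd(e, phi) == 1
    return RsaKey(p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))


def crt_sign(key: RsaKey, m: int, fault: int = 0) -> int:
    """Unhardened CRT signature. `fault` is a test hook (constructed for this
    example) that XORs the mod-p half to simulate a hardware or software
    glitch in one exponentiation, the condition Lenstra's attack relies on."""
    sp = pow(m, key.dp, key.p)
    sq = pow(m, key.dq, key.q)
    sp ^= fault                  # 0 in normal operation
    h = (key.qinv * (sp - sq)) % key.p
    return sq + h * key.q        # s == sp (mod p), s == sq (mod q)


def hardened_sign(key: RsaKey, m: int, fault: int = 0):
    """CRT signature with the verify-before-release check.

    Returns (signature, fell_back). The signature is only released if
    s^e == m (mod n); otherwise the CRT result is discarded and the
    signature is recomputed with a plain modular exponentiation, so a
    corrupted CRT half never leaves the signer."""
    s = crt_sign(key, m, fault)
    if pow(s, key.e, key.n) != m % key.n:
        # A wrong half has been detected. In a real library this is the
        # place to count/alert: a faulty CRT result is a strong signal of
        # hardware trouble or an active glitching attempt.
        return pow(m, key.d, key.n), True
    return s, False


# Constructed demo key: two Mersenne primes, both coprime to e-1 constraints.
DEMO_KEY = make_key(2**31 - 1, 2**61 - 1)
DEMO_MSG = 123456789


def demo() -> dict:
    """Exercise the normal path and the simulated-fault path."""
    ok_sig, ok_fb = hardened_sign(DEMO_KEY, DEMO_MSG)
    bad_sig, bad_fb = hardened_sign(DEMO_KEY, DEMO_MSG, fault=1 << 5)
    return {
        "normal_verifies": pow(ok_sig, DEMO_KEY.e, DEMO_KEY.n) == DEMO_MSG,
        "normal_fell_back": ok_fb,
        "faulty_crt_verifies": pow(crt_sign(DEMO_KEY, DEMO_MSG, 1 << 5),
                                   DEMO_KEY.e, DEMO_KEY.n) == DEMO_MSG,
        "hardened_fell_back": bad_fb,
        "hardened_output_verifies": pow(bad_sig, DEMO_KEY.e, DEMO_KEY.n) == DEMO_MSG,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check costs one public-exponent modular exponentiation per signature, which is cheap next to the private-key operation; the point of the post is that a server skipping it will, on a single corrupted CRT half, hand a remote client exactly the value the 1996 attack needs. The `fell_back` flag is what a defender would wire into monitoring, since a genuine fault on a healthy machine should be vanishingly rare.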