Date: Wed, 2 Sep 2015 16:08:43 +0200
From: Florian Weimer <>
Subject: Factoring RSA Keys With TLS Perfect Forward Secrecy

It turns out that Lenstra's 1996 side-channel attack on the RSA-CRT
optimization still works against some TLS servers:


Fortunately, none of the key leaks were attributed to publicly available
free software.  OpenSSL upstream and NSS already have RSA-CRT hardening.
OpenJDK was updated in April 2015, as CVE-2015-0478.

libgcrypt upstream received the hardening very recently:


For Go, I opened an issue: <>

Nettle would also benefit from RSA-CRT hardening.  I started a
discussion here:


I don't think CVE assignments are needed (although the OpenJDK hardening
received one).

Florian Weimer / Red Hat Product Security
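As an added illustration (not part of the post above, and not code from OpenSSL, NSS, libgcrypt, Go or Nettle), the following toy Python model shows what "RSA-CRT hardening" means in practice: after computing a signature with the CRT shortcut, the signer checks it against the public key before releasing it, and falls back to a plain (non-CRT) exponentiation if the check fails. The key parameters, the message value and the simulated glitch in the mod-p half are constructed for the demonstration and are far too small for real use; the `factor_from_faulty_signature` helper exists only to show what a released faulty signature would give away, which is the reason the check is worth its cost.

```python
from math import gcd

# Constructed toy RSA parameters (hypothetical; real keys are 2048+ bits).
P = 1000003
Q = 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)            # private exponent (Python >= 3.8)

# CRT precomputation, as a real private key file would store it.
DP = D % (P - 1)
DQ = D % (Q - 1)
QINV = pow(Q, -1, P)           # q^-1 mod p for Garner recombination


def crt_sign(m, fault_in_p=False):
    """Unhardened RSA-CRT signature of an integer m < N.

    With fault_in_p=True, the mod-p half is deliberately corrupted to
    simulate the single-sided computation error that Lenstra's 1996
    observation exploits; the mod-q half stays correct.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp = (sp + 1) % P      # simulated glitch in one CRT branch
    h = (QINV * (sp - sq)) % P
    return sq + h * Q          # s == sp (mod p) and s == sq (mod q)


def hardened_sign(m, fault_in_p=False):
    """RSA-CRT signing with the countermeasure the post refers to.

    The cheap public-key check s^e == m (mod N) detects a faulty CRT
    result before it leaves the signer. On failure this toy falls back
    to a slower non-CRT exponentiation (an assumed policy choice; an
    implementation may instead refuse to sign).
    """
    s = crt_sign(m, fault_in_p)
    if pow(s, E, N) != m % N:
        return pow(m, D, N)    # never release the faulty CRT value
    return s


def factor_from_faulty_signature(m, s_bad):
    """What an observer of an unchecked faulty signature could learn.

    Because the mod-q half was computed correctly, q divides s_bad^e - m
    while p (almost surely) does not, so the gcd reveals a factor of N.
    Returns the nontrivial factor, or None if the signature was fine.
    """
    g = gcd((pow(s_bad, E, N) - m) % N, N)
    return g if 1 < g < N else None


if __name__ == "__main__":
    m = 123456789              # constructed message representative, < N
    assert crt_sign(m) == pow(m, D, N)
    bad = crt_sign(m, fault_in_p=True)
    print("unhardened faulty signature leaks factor:",
          factor_from_faulty_signature(m, bad))
    good = hardened_sign(m, fault_in_p=True)
    print("hardened signer still verifies:", pow(good, E, N) == m)
```

The check costs one public-key exponentiation per signature, which is why it was historically omitted in performance-sensitive code; with a small public exponent it is a negligible fraction of the private operation, and it turns a silent key compromise into a recoverable computation error.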
