Date: Wed, 2 Sep 2015 16:08:43 +0200
From: Florian Weimer <fweimer@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Factoring RSA Keys With TLS Perfect Forward Secrecy

It turns out that Lenstra's 1996 side-channel attack on the RSA-CRT
optimization still works against some TLS servers:

<https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/>
<https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf>

Fortunately, none of the key leaks were attributed to publicly available
free software.  OpenSSL upstream and NSS already have RSA-CRT hardening.
OpenJDK was updated in April 2015, as CVE-2015-0478.

libgcrypt upstream received the hardening very recently:

<http://lists.gnupg.org/pipermail/gcrypt-devel/2015-September/003553.html>

For Go, I opened an issue: <https://github.com/golang/go/issues/12453>

Nettle would also benefit from RSA-CRT hardening.  I started a
discussion here:

<http://thread.gmane.org/gmane.comp.encryption.nettle.bugs/1359>

I don't think CVE assignments are needed (although the OpenJDK hardening
received one).

-- 
Florian Weimer / Red Hat Product Security
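As an added example (not part of Florian's post, nor code from any of the libraries it names), here is a toy Python model of RSA-CRT signing with the hardening the post refers to, i.e. checking the signature against the public key before releasing it, and of why a single faulty CRT half would otherwise leak a prime factor. The key size, the fault model and all function names are constructed for illustration only.

```python
from math import gcd

def next_prime(n):
    """Smallest prime >= n by trial division (toy key sizes only)."""
    while any(n % d == 0 for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

# Constructed toy key: ~20-bit primes so the arithmetic is easy to follow.
P, Q, E = next_prime(10**6), next_prime(10**6 + 10), 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)   # CRT private key

def rsa_crt_sign(m, fault=False):
    """RSA-CRT: two half-size exponentiations recombined with Garner's formula.
    fault=True simulates a glitch in the mod-P half only (Lenstra's scenario)."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sp ^= 1                      # one corrupted bit, mod-P half only
    h = (QINV * (sp - sq)) % P
    return sq + Q * h                # == m^D mod N when both halves are right

def rsa_crt_sign_hardened(m, fault=False):
    """RSA-CRT hardening: verify s^E == m (mod N) with the public key before
    releasing s. A faulty signature is withheld (None) rather than leaked."""
    s = rsa_crt_sign(m, fault)
    return s if pow(s, E, N) == m % N else None

def factor_from_faulty_signature(m, s_bad):
    """Why the check matters: a signature that is right mod Q but wrong mod P
    satisfies s^E == m only modulo Q, so gcd(s^E - m, N) yields Q."""
    return gcd((pow(s_bad, E, N) - m) % N, N)
```

With the hardened signer a faulted computation returns nothing, so the gcd step never gets a signature to work with; the unhardened signer hands out `s_bad`, from which `factor_from_faulty_signature` recovers Q directly.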
