Date: Wed, 25 Apr 2018 11:11:14 +0530 From: Huzaifa Sidhpurwala <huzaifas@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: CVE-2018-0737 OpenSSL: RSA key generation follows several non constant time code paths On 04/24/2018 09:18 PM, Billy Brumley wrote: >>> Look for our preprint on http://eprint.iacr.org/ soon -- working title >>> is "One Shot, One Trace, One Key: Cache-Timing Attacks on RSA Key >>> Generation". We'll update the list with the full URL once it's posted. >>> >> >> >> Can you post a link to the draft here please? > > The preprint is now up: https://eprint.iacr.org/2018/367 > >> The attack vector is not clear, does the attacker need to be on the same >> physical machine or is this a cross-vm attack? > > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-0737 > > Your statement is pretty accurate. (Although I fail to see the > difference between physical machine and cross-vm.) > Physical machine implies, the attacker and victim is on the same host (real computer or a vm). Cross-vm implies attacker and the victim can be on two different virtual machines, running on the same hypervisor. > BBB > -- Huzaifa Sidhpurwala / Red Hat Product Security Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ