[12845] in cryptography@c2.net mail archive
Re: Brumley & Boneh timing attack on OpenSSL
daemon@ATHENA.MIT.EDU (Anton Stiglic)
Tue Mar 25 11:41:03 2003
X-Original-To: cryptography@wasabisystems.com
From: "Anton Stiglic" <astiglic@okiok.com>
To: "Nomen Nescio" <nobody@dizum.com>,
	<cryptography@wasabisystems.com>
Date: Tue, 25 Mar 2003 00:20:59 -0500
----- Original Message -----
From: "Nomen Nescio" <nobody@dizum.com>
To: <cryptography@wasabisystems.com>
Sent: Monday, March 24, 2003 1:20 PM
Subject: Re: Brumley & Boneh timing attack on OpenSSL
> Regarding using blinding to defend against timing attacks, and supposing
> that a crypto library is going to have support for blinding:
>
>  - Should it do blinding for RSA signatures as well as RSA decryption?
If you are a client, and you manually control the signature generation (like
you use PGP to sign email messages), I wouldn't implement blinding.
But if you are a server (or a client that automatically responds to requests)
that signs messages for some reason, and you receive many requests, I would.
RSA decryption, yes for servers.
>  - How about for ElGamal decryption?
>
>  - Non-ephemeral (static) DH key exchange?
Again, if you automatically answer requests, yes I would.  In the
Freedom network, servers had non-ephemeral keys and did a DH key
exchange with clients (the client side used ephemeral keys and was anonymous);
we implemented blinding on the server side to counter timing attacks because
we had a hunch that they could work over network connections.
>  - Ephemeral DH key exchange?
No, I wouldn't.  I would be very surprised if you could do timing attacks on
one execution of a modular exponentiation, unless there is some way to trick
a server into using the same secret on different inputs, even though it's
supposed to do ephemeral DH.
>  - How about for DSS signatures?
Yes, if you automatically answer requests.  Paul Kocher's initial paper on the
subject explicitly mentions DH, RSA and DSS.
If there is a possibility that you can be used as an oracle, and you have a
static key, you should be careful.
--Anton
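The blinding discussed in this thread, worked through for the RSA private
operation (decryption and signing are the same exponentiation). This is an
added example, not code from the message above or from OpenSSL or the Freedom
network; the key uses two small, fixed Mersenne primes chosen for the example
and far too short for real use, and the leaky square-and-multiply routine is a
stand-in for whatever exponentiation the server happens to use. The point it
shows is that with base blinding the attacker-chosen ciphertext never reaches
the private exponentiation directly: a fresh random r is folded in first and
stripped out afterwards, so the timing of each operation is decoupled from the
input the attacker controls.

```python
"""RSA base blinding as a timing-attack countermeasure (added example)."""
import math
import secrets

# Constructed toy key: two Mersenne primes.  gcd(65537, phi) == 1 holds here
# because 2 has order 32 modulo 65537 and neither 60 nor 30 is a multiple of
# 32.  A real server would use a proper key generator and 2048-bit+ keys.
P = (1 << 61) - 1
Q = (1 << 31) - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent (modular inverse, Python 3.8+)


def modexp_naive(base: int, exp: int, mod: int) -> int:
    """Left-to-right square-and-multiply with a secret-dependent branch.

    This is the kind of routine whose running time depends on the exponent
    bits and on how the base interacts with the modulus.  It stands in for a
    leaky exponentiation; the blinding below protects it without touching it.
    """
    result = 1
    for bit in bin(exp)[2:]:
        result = result * result % mod
        if bit == "1":
            result = result * base % mod
    return result


def rsa_public(m: int) -> int:
    """Public operation: encrypt a message or verify-side exponentiation."""
    return pow(m, E, N)


def rsa_private_unblinded(c: int) -> int:
    """Attacker-chosen c goes straight into the leaky exponentiation."""
    return modexp_naive(c, D, N)


def fresh_blinding_factor() -> int:
    """Pick r uniformly in [2, N-1] with gcd(r, N) == 1; new r per operation."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r


def rsa_private_blinded(c: int) -> int:
    """Private operation (decrypt or sign) that never exponentiates raw c.

    1. pick r with gcd(r, N) == 1
    2. compute (c * r^E)^D = c^D * r^(E*D) = c^D * r   (mod N)
    3. strip r by multiplying with r^-1 mod N
    """
    r = fresh_blinding_factor()
    blinded_input = c * pow(r, E, N) % N        # what the leaky routine sees
    blinded_output = modexp_naive(blinded_input, D, N)
    return blinded_output * pow(r, -1, N) % N


def demo() -> bool:
    """Round-trip a message through both private operations."""
    m = 0x48656C6C6F                            # constructed plaintext
    c = rsa_public(m)
    return rsa_private_unblinded(c) == m == rsa_private_blinded(c)


if __name__ == "__main__":
    print("blinded and unblinded agree:", demo())
```

The same function serves signing: a server that signs on demand calls
`rsa_private_blinded(hash_encoding)` instead of exponentiating the caller's
input directly. Two details matter in practice: r must be fresh for every
operation (reusing r reintroduces a fixed relationship between the attacker's
input and the exponentiation input), and the inverse r^-1 should be computed
or derived in a way that does not itself leak, which is why libraries usually
keep (r, r^-1) pairs and update them by squaring rather than recomputing from
scratch.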
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com