[12863] in cryptography@c2.net mail archive


Re: Brumley & Boneh timing attack on OpenSSL

daemon@ATHENA.MIT.EDU (Marc Branchaud)
Tue Mar 25 13:31:29 2003

X-Original-To: cryptography@wasabisystems.com
Date: Tue, 25 Mar 2003 09:53:46 -0800
From: Marc Branchaud <marcnarc@rsasecurity.com>
To: cryptography@wasabisystems.com
In-Reply-To: <001d01c2f28e$561a09a0$629f6395@p1038mobile>


Anton Stiglic wrote:
>> 
>> - Should it do blinding for RSA signatures as well as RSA 
>> decryption?
> 
> If you are a client, and you manually control the signature
> generation (like you use PGP to sign email messages), I wouldn't
> implement blinding. But if you are a server (or a client that
> automatically responds to requests) that signs messages for some
> reason, and you receive many requests, I would.

The way I understand the attack, you have to throw a million
specially-chosen guesses at the server, which it will blindly attempt to
decrypt and use.  Basically, you're getting the server to decrypt chosen
ciphertext for you.

I don't see how the attack can apply to signatures, where the server
itself is formatting the data to be signed.  Unless the server is just
directly signing (RSA-encrypting) arbitrary client-supplied data, but
that's a no-no anyway.

This is slightly more than theoretical, as OCSP servers do nothing but
emit signed responses.  An OCSP client can only indirectly influence
some of the data that a server signs, and so it seems very difficult to
pull off the attack.

		M.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
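The blinding the thread is debating, as an added worked example that is not code from the message above, from OpenSSL, or from any OCSP implementation. It shows why the question "blinding for signatures as well as decryption?" is really one question: the private-key operation x^d mod n is identical for both, so one blinding wrapper covers both, and the attacker-chosen x (a ciphertext on the decryption side) never reaches the private exponent unblinded. The RSA key is a constructed toy key with tiny primes, the function names are my own, and the sha256-reduced-mod-n step in `format_for_signing` is an assumed stand-in for real PKCS#1 padding, there only so the signing side has a server-formatted input as the message describes.

```python
import hashlib
import math
import secrets

# Constructed toy RSA key (assumption: tiny primes chosen only so the
# arithmetic is easy to follow; a real key uses primes of 1024+ bits).
P, Q = 61, 53
N = P * Q                   # 3233, the modulus
PHI = (P - 1) * (Q - 1)     # 3120
E = 17                      # public exponent
D = pow(E, -1, PHI)         # 2753, private exponent


def rsa_private_op(x: int) -> int:
    """Unblinded private-key operation x^D mod N.

    Decryption and signing are the same operation; only the meaning of x
    differs (attacker-supplied ciphertext vs. server-formatted digest).
    The time this takes depends on x, which is what a remote timing attack
    measures across many attacker-chosen inputs.
    """
    return pow(x, D, N)


def rsa_private_op_blinded(x: int) -> int:
    """Blinded private-key operation; returns the same value as rsa_private_op(x).

    The exponentiation runs on x * r^E for a fresh random r, so the number the
    private exponent actually touches is unrelated to the caller's x.
    Since (x * r^E)^D = x^D * r^(E*D) = x^D * r (mod N) for r coprime to N,
    multiplying by r^-1 afterwards recovers x^D.
    """
    while True:
        r = secrets.randbelow(N - 2) + 2     # r in [2, N-1]
        if math.gcd(r, N) == 1:              # r must be invertible mod N
            break
    x_blinded = (x * pow(r, E, N)) % N       # blind the input
    y_blinded = pow(x_blinded, D, N)         # private op on unrelated value
    return (y_blinded * pow(r, -1, N)) % N   # unblind the result


# Decryption side: the server is handed a chosen ciphertext and decrypts it.
def encrypt(m: int) -> int:
    return pow(m, E, N)


def decrypt_blinded(c: int) -> int:
    return rsa_private_op_blinded(c)


# Signing side: the server formats the value to be signed itself, so a client
# can only influence it indirectly. Assumption: sha256 reduced mod N stands in
# for proper PKCS#1 formatting, purely so the toy key can sign it.
def format_for_signing(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign_blinded(msg: bytes) -> int:
    return rsa_private_op_blinded(format_for_signing(msg))


def verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == format_for_signing(msg)


if __name__ == "__main__":
    for x in (0, 1, 2, 61, 53, 1234, N - 1):
        assert rsa_private_op_blinded(x) == rsa_private_op(x)
    assert decrypt_blinded(encrypt(1234)) == 1234
    sig = sign_blinded(b"OCSP response body")
    assert verify(b"OCSP response body", sig)
    print("blinded and unblinded private-key operations agree")
```

The wrapper costs one extra modular exponentiation with the public exponent (cheap for a small e) plus one inversion per call; real implementations amortize that by reusing and squaring the blinding pair rather than drawing a fresh r every time. The point relevant to the thread is that the choice of whether to blind does not depend on whether the operation is called "decrypt" or "sign", only on whether an outside party can drive many private-key operations on inputs it influences.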
