Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <53BE86D8.7020706@redhat.com>
Date: Thu, 10 Jul 2014 14:28:08 +0200
From: Florian Weimer <fweimer@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: GnuPG computation error checks

On 07/10/2014 01:26 PM, Solar Designer wrote:
> There was a discussion in 2001 and patches by Florian Weimer to add
> extra checks into GnuPG's cipher/rsa.c: check_secret_key() and rsa_sign():

Wow, that was a long time ago.

> Given the improved RSA side-channel attack understanding and the
> countermeasures added to deal with CVE-2013-4242 and CVE-2013-4576
> (cache timing and acoustic side-channels) in GnuPG, are Florian's added
> checks still safe to have, or are they possibly vulnerable to
> side-channel leaks on their own?  check_secret_key() does perform a very
> basic sanity check on the secret key even without Florian's patch, and
> this might be a side-channel leak concern too, but Florian's checks are
> (purposefully) much more extended

The check_secret_key() could be problematic from a side-channel 
perspective, yes, particularly since mpi_gcd is unlikely to be hardened 
against such attacks.  It might be possible to come up with equivalent 
checks that are safer, but I'm not sure if that's worth the effort.

> and include a check in rsa_sign() as
> well (more susceptible since it involves dealing with changing and
> possibly attacker-chosen data rather than only with the secret key?)

rsa_sign only uses the public exponent (sk.e) and the signature 
(resarr[0]).  It does leak those bits, but I'm not sure if we consider 
side-channel attacks on RSA *verification* (recovering signatures, 
document hashes, or public keys—not private key material) as 
vulnerabilities.

I believe OpenSSL has a similar safety check, see RSA_eay_mod_exp() in 
crypto/rsa/rsa_eay.c.  There was some paper about it, but I think it 
involved deliberately faulty hardware, so it doesn't really count, IMHO.

-- 
Florian Weimer / Red Hat Product Security

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.