Clarifications on RSA timing attack CVE-2022-4304

Girish Yerra yerracs86 at gmail.com
Tue Mar 14 01:56:39 UTC 2023


Hi Hubert,
Thanks for kindly responding to my queries and sharing. I appreciate your
support.

I have a few follow up questions.

1. Is this issue applicable for non-CRT implementations as well?
2. What is the number of trials (decryption requests) that an attacker
requires to mount this attack? Is this in the order of millions/billions?
3. If the blinding is of random value ("r" in a given modulus range) for
each decryption, how does the attacker get meaningful timing information if
the unblinding is not constant time and keeps changing based on the
blinding value? Is unblinding an expensive operation which shall give
meaningful bits when doing modulus multiplication with "r^-1"? Please
correct me if I am missing any basic math here.

Thanks,
Girish

On Mon, Mar 13, 2023 at 5:12 AM Hubert Kario <hkario at redhat.com> wrote:

> On Saturday, 11 March 2023 04:10:58 CET, Girish Yerra wrote:
> > Hi All,
> > I am not sure if this is the right forum to discuss the aspects
> > of the CVE. Feel free to close this and point me to the right
> > forum.
> >
> > I am looking for some more specific details on the attack
> > description. I am mainly looking for some of the details and
> > clarifications.
> >
> > 1. For timing attacks the popular counter measure is to apply
> > blinding which makes it timing resistant. Does this
> > countermeasure fail in this case?
>
> While blinding protects against a leaky mod-exp implementation, unblinding
> still has to be done in a constant-time manner. That wasn't done.
> See some of the discussions in
> https://github.com/openssl/openssl/pull/20281
>
> > 2. What is the order of the trials that an attacker requires to
> > mount this attack?
> >
> > Please share any reference paper giving more details of this attack.
>
> We're still working on a paper.
>
> --
> Regards,
> Hubert Kario
> Principal Quality Engineer, RHEL Crypto team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
>
>
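As an added illustration (not code from this thread or from OpenSSL), here are the blinding and unblinding steps the reply refers to, wrapped around both a plain and a CRT modular exponentiation; the key parameters are constructed toy values, and the final multiply by r^-1 is the unblinding step that the reply says must itself be constant-time.

```python
import math
import secrets

# Constructed toy parameters for illustration only (a real key is 2048+ bits).
P, Q = 61, 53
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)             # private exponent: e*d == 1 (mod phi)


def decrypt_plain(c: int) -> int:
    """Non-CRT textbook RSA private operation: c^d mod n."""
    return pow(c, D, N)


def decrypt_crt(c: int) -> int:
    """CRT private operation: two half-size exponentiations, then Garner recombination."""
    dp, dq = D % (P - 1), D % (Q - 1)
    q_inv = pow(Q, -1, P)
    m1, m2 = pow(c, dp, P), pow(c, dq, Q)
    h = (q_inv * (m1 - m2)) % P
    return m2 + h * Q               # always < p*q, so no final reduction needed


def decrypt_blinded(c: int, core=decrypt_plain, r: int = 0) -> int:
    """Blinding around either core: the mod-exp only ever sees c * r^e, not c.

    r = 0 means "pick a fresh random r for this call", which is what a real
    implementation does; a fixed r is accepted only to make results reproducible.
    """
    while r == 0 or math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2   # fresh r in [2, n-1], invertible mod n
    r_inv = pow(r, -1, N)                  # r^-1 mod n, computed before the mod-exp
    c_blind = (c * pow(r, E, N)) % N       # blind: c' = c * r^e mod n
    m_blind = core(c_blind)                # c'^d = m * r mod n, so timing here is independent of m
    # Unblind: m = m' * r^-1 mod n. Per the reply above, this modular multiply
    # has to run in constant time too; blinding only covers the mod-exp.
    return (m_blind * r_inv) % N
```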