Clarifications on RSA timing attack CVE-2022-4304

Hubert Kario hkario at redhat.com
Tue Mar 14 10:48:43 UTC 2023 

On Tuesday, 14 March 2023 02:56:39 CET, Girish Yerra wrote:
> Hi Hubert,
> Thanks for kindly responding to my queries and sharing . I 
> appreciate your support.
>
> I have a few follow up questions.
>
> 1. Is this issue applicable for non-CRT implementations as well.

Haven't tested but don't see why it wouldn't. CRT affects how modular
exponentiation is performed, not how blinding or serialisation is 
performed.

> 2. What is the number trials (decryption requests) that an 
> attacker requires to mount this attack. Is this in the order of 
> millions/billions ?

It hugely depends on the particular attack scenario, worst case is 
practical
over network in less than a day per decryption. Details will be in the 
paper.

> 3. If the blinding is of random value ( "r" in a given modulus 
> range) for each decryption how does the attacker get meaningful 
> timing information if the unblinding is not a constant time and 
> keeps changing based on the blinding value. Is unblinding an 
> expensive operation which shall give meaningful bits when doing 
> modulus multiplication with "r^-1". Please correct me if I am 
> missing any basic math here.

Because while the inputs to the unblinding operation are effectively 
random,
the output isn't: it will be the same every time the input to the 
decryption
operation is the same. So the leaks caused by the randomness of the inputs
will average out, but the leaks with regards to the output won't.

And the unblinding operation leaked in respect to the output.

> Thanks,
> Girish
>
> On Mon, Mar 13, 2023 at 5:12 AM Hubert Kario <hkario at redhat.com> wrote:
> On Saturday, 11 March 2023 04:10:58 CET, Girish Yerra wrote:
>> Hi All,
>> I am not sure if this is the right forum to discuss the aspects 
>> of the CVE. Feel free to close this and point me to the right 
>> forum.
>>
>> I am looking for some more specific details on the attack 
>> description. I am mainly looking for some of the details and 
>> clarifications.
>>
>> 1. For timing attacks the popular counter measure is to apply 
>> blinding which makes it timing resistant. Does this 
>> countermeasure fail in this case?
>
> While blinding protects against a leaky mod-exp implementation, unblinding
> still has to be done in constant time manner. That wasn't done.
> See some of the discussions in 
> https://github.com/openssl/openssl/pull/20281
>
>> 2. What is the order of the trials that an attacker requires to 
>> mount this attack ?
>>
>> Please share any reference paper giving more details of this attack.
>
> We're still working on a paper.
>

-- 
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

More information about the openssl-users mailing list