Enable RSA blinding

Ben Lindstrom mouring at etoh.eviladmin.org
Sun Mar 16 03:24:43 EST 2003

On Sun, 16 Mar 2003, Damien Miller wrote:

> Florian Weimer wrote:
> > After browsing "Remote timing attacks are practical" (Boneh & Brumley,
> > <http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html>), I
> > wonder if it might be a good idea to add calls to RSA_blinding_on()
> > before the OpenSSL RSA decryption routines are invoked.
> It is on in the snapshots as of tonight (thank Markus).

I saw that.. I'm still interested in a break down to where OpenSSH would
be prone to such attacks.  I'm sure v1 would easily be, but the complexity
of v2 makes me wonder.  <shrug> Still better be safe than sorry.

> > The issue is not a LAN-only issue, BTW.  Packet delay variation is
> > usually higher in LANs than in WANs.
> I'm curious about this - do you have a reference or some evidence?

I don't agree with him.  t may take longer for a WAN connection, but you
can easily isolate the timing at anytime between two points on a WAN.  It
has been proven many times.  Just because the timing rate changes does not
make it impossible.

- Ben

More information about the openssh-unix-dev mailing list