Enable RSA blinding
hayward at slothmud.org
Wed Mar 19 07:42:17 EST 2003
> Florian Weimer wrote:
>>> After browsing "Remote timing attacks are practical" (Boneh & Brumley,
>>> <http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html>), I
>>> wonder if it might be a good idea to add calls to RSA_blinding_on()
>>> before the OpenSSL RSA decryption routines are invoked.
>>
>> It is on in the snapshots as of tonight (thank Markus).
>>
> I saw that.. I'm still interested in a breakdown of where OpenSSH would
> be prone to such attacks. I'm sure v1 would easily be, but the complexity
> of v2 makes me wonder. <shrug> Still better be safe than sorry.
I am interested in this as well. It seems like the attacker has to be
able to communicate to the server with its public key for quite some
time before it can determine the private key used by the server.
My understanding is that with SSH2, each session gets a different
public/private key pair. Wouldn't this mean that the only private key an
attacker could ever figure out is the key that allows the attacker to
decrypt the data they themselves encrypted?
I'm not an expert, I'm hoping someone who is an expert would comment on
this topic.
Thanks,
Brian Hayward
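The RSA_blinding_on() call discussed in the quoted thread enables a countermeasure that makes the private-key exponentiation operate on a randomized value instead of the attacker-chosen ciphertext, so the measured time no longer correlates with the input. The following is an added illustration of that technique written for this page; it is not OpenSSL's or OpenSSH's code, and the key below is a constructed toy key with tiny primes that is only suitable for demonstrating the arithmetic.

```python
import secrets
from math import gcd

# Constructed toy RSA key (assumption for this example only; far too small
# to be secure, chosen so the example runs instantly).
P = 1000003
Q = 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent, Python 3.8+ modular inverse


def rsa_encrypt(m, e=E, n=N):
    """Textbook RSA encryption of an integer m < n."""
    return pow(m, e, n)


def rsa_decrypt_unblinded(c, d=D, n=N):
    """Private-key operation applied directly to the attacker-supplied c.

    The running time of pow(c, d, n) depends on c and on the bits of d;
    that dependence is what Boneh & Brumley measure to recover d.
    """
    return pow(c, d, n)


def pick_blinding_factor(n=N, rng=secrets.randbelow):
    """Return (r, r^-1 mod n) with r uniformly random and coprime to n."""
    while True:
        r = rng(n - 2) + 2          # r in [2, n-1]
        if gcd(r, n) == 1:
            return r, pow(r, -1, n)


def rsa_decrypt_blinded(c, d=D, e=E, n=N, rng=secrets.randbelow):
    """Same result as rsa_decrypt_unblinded, but the exponentiation never
    sees c itself.

    1. Multiply c by r^e, giving c' = (r*m)^e mod n.  Without r, c' looks
       like a fresh random ciphertext, so timing it tells the attacker
       nothing about how d interacts with their chosen c.
    2. Decrypt c' to get r*m mod n.
    3. Strip the factor r with r^-1.
    """
    r, r_inv = pick_blinding_factor(n, rng)
    c_blind = (c * pow(r, e, n)) % n
    m_blind = pow(c_blind, d, n)     # equals r*m mod n
    return (m_blind * r_inv) % n


def blinded_input(c, r, e=E, n=N):
    """Expose the value the private-key exponentiation actually operates
    on, so a reader can confirm it differs from the ciphertext c."""
    return (c * pow(r, e, n)) % n


if __name__ == "__main__":
    m = 123456789
    c = rsa_encrypt(m)
    print("unblinded:", rsa_decrypt_unblinded(c) == m)
    print("blinded:  ", rsa_decrypt_blinded(c) == m)
    r, _ = pick_blinding_factor()
    print("exponentiation input differs from c:", blinded_input(c, r) != c)
```

Both decryption paths return the same plaintext; the difference is only in what value the secret exponent is applied to, which is exactly the property the timing attack relies on and blinding removes. The `rng` parameter exists so the choice of r can be made deterministic in a test; in real use it must come from a cryptographic random source, as `secrets.randbelow` does here.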