Enable RSA blinding

hayward at slothmud.org hayward at slothmud.org
Wed Mar 19 07:42:17 EST 2003

> Florian Weimer wrote:
>>> After browsing "Remote timing attacks are practical" (Boneh & Brumley,
>>> <http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html>), I
>>> wonder if it might be a good idea to add calls to RSA_blinding_on()
>>> before the OpenSSL RSA decryption routines are invoked.
>> It is on in the snapshots as of tonight (thank Markus).

> I saw that.. I'm still interested in a break down to where OpenSSH would
> be prone to such attacks.  I'm sure v1 would easily be, but the complexity
> of v2 makes me wonder.  <shrug> Still better be safe than sorry.

I am interested in this as well.  It seems like the attacker has to be 
able to communicate to the server with its public key for quite some 
time before it can determine the private key used by the server.

My understanding is that with SSH2, each session gets a different 
public/private key pair.  Wouldn't this mean that the only private key an 
attacker could ever figure out is the key that allows the attacker to 
decrypt the data they themselves encrypted?

I'm not an expert, I'm hoping someone who is an expert would comment on 
this topic.

Brian Hayward
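What RSA_blinding_on() buys you, shown as an added example that is not OpenSSL's or OpenSSH's own code: the private exponentiation is run on c * r^e for a fresh random r, so the base of the timing-sensitive operation is never a value the remote party chose. The toy primes and the plaintext are constructed for illustration; real keys are far larger.

```python
import secrets
from math import gcd


def keygen_toy():
    # Constructed small primes, for illustration only (not a real key size).
    p, q = 1000003, 1000033
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)  # private exponent, e^-1 mod phi(n)
    return n, e, d


def encrypt(m, n, e):
    return pow(m, e, n)


def decrypt_unblinded(c, n, d):
    # The running time of this exponentiation depends on c, the value the
    # remote party supplied; that dependence is what Boneh & Brumley measure.
    return pow(c, d, n)


def blind(c, n, e):
    # Pick a random r in [2, n-1] coprime to n; it never leaves this process.
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return (c * pow(r, e, n)) % n, r


def decrypt_blinded(c, n, e, d):
    c_blind, r = blind(c, n, e)          # c * r^e mod n
    m_blind = pow(c_blind, d, n)         # private op sees a random-looking base
    return (m_blind * pow(r, -1, n)) % n  # (m * r) * r^-1 = m


def demo():
    n, e, d = keygen_toy()
    m = 123456789  # constructed plaintext, must be < n
    c = encrypt(m, n, e)
    return decrypt_unblinded(c, n, d), decrypt_blinded(c, n, e, d)
```

Both paths return the same plaintext; only the blinded one keeps the attacker-chosen ciphertext out of the timing-sensitive exponentiation.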

More information about the openssh-unix-dev mailing list