Security of OpenSSL ECDSA signatures

Dan Kaminsky dan at doxpara.com
Mon May 23 23:13:03 EST 2011


>
> This result concerns binary/GF(2m) fields only and not the prime fields
> that OpenSSH uses in recent versions.
>
> Unless a similar timing oracle is found for GF(p) fields then no
> OpenSSH-side workaround is required.
>
>
OpenSSL has had timing attacks against most of their production ciphers
(RSA, AES, etc).  Has the author of the paper weighed in on whether he
thinks his attack will affect GF(p)?

--Dan


More information about the openssh-unix-dev mailing list