Security of OpenSSL ECDSA signatures
Damien Miller
djm at mindrot.org
Tue May 24 07:36:35 EST 2011
On Mon, 23 May 2011, Dan Kaminsky wrote:
> > Unless a similar timing oracle is found for GF(p) fields then no
> > OpenSSH-side workaround is required.
> >
> >
> OpenSSL has had timing attacks against most of their production ciphers
> (RSA, AES, etc). Has the author of the paper weighed in on whether he
> thinks his attack will affect GF(p)?
The Brumley and Tuveri attack is against a scalar multiplication
algorithm that is specific to GF(2m) fields (see section 3.2 of the
paper). An attack on prime fields would be a new one altogether.
-d
More information about the openssh-unix-dev
mailing list