Security of OpenSSL ECDSA signatures

Dan Kaminsky dan at
Tue May 24 13:43:02 EST 2011

On Mon, May 23, 2011 at 2:36 PM, Damien Miller <djm at> wrote:

> On Mon, 23 May 2011, Dan Kaminsky wrote:
> > > Unless a similar timing oracle is found for GF(p) fields then no
> > > OpenSSH-side workaround is required.
> > >
> > >
> > OpenSSL has had timing attacks against most of their production ciphers
> > (RSA, AES, etc).  Has the author of the paper weighed in on whether he
> > thinks his attack will affect GF(p)?
> The Brumley and Tuveri attack is against a scalar multiplication
> algorithm that is specific to GF(2^m) fields (see section 3.2 of the
> paper). An attack on prime fields would be a new one altogether.
> -d

I asked one of the timing attack guys if they were able to run their
nanosecond-scale attacks against a device having a network-interface-
enforced jitter several orders of magnitude higher than what they were
looking for.  The command looked something like:

tc qdisc change dev eth0 root netem delay 2ms 1ms

No reply.

I know in theory this shouldn't help, but if OpenSSH's ECDSA implementation
is in fact variable time, why not add a random usleep at 10-100x the worst
case scenario for at least average hardware?
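
An added illustration, not part of the original post and not OpenSSH or OpenSSL code: a simulation of why a random delay hides a secret-dependent timing difference only from a small number of measurements, while a constant-time path removes it. The 20 us leak, the 500 us base cost and the 1000 us jitter (50x the leak, inside the 10-100x range proposed above) are constructed values.

```python
import random
import statistics

LEAK_US = 20.0      # assumed secret-dependent timing difference (constructed)
JITTER_US = 1000.0  # added random delay, 50x the leak (constructed)
BASE_US = 500.0     # assumed fixed cost of one signing operation (constructed)


def observe(secret_bit, rng, constant_time=False):
    """Return one simulated response time in microseconds."""
    if constant_time:
        work = BASE_US + LEAK_US  # always pay the worst-case path
    else:
        work = BASE_US + (LEAK_US if secret_bit else 0.0)
    # The proposed mitigation: a uniformly random sleep on top of the work.
    return work + rng.uniform(0.0, JITTER_US)


def estimated_gap(samples, seed=1, constant_time=False):
    """Mean timing difference between the two secret-dependent paths."""
    rng = random.Random(seed)
    slow = [observe(1, rng, constant_time) for _ in range(samples)]
    fast = [observe(0, rng, constant_time) for _ in range(samples)]
    return statistics.fmean(slow) - statistics.fmean(fast)


def standard_error(samples):
    """Noise left in the gap estimate after averaging `samples` per path.

    uniform(0, J) has variance J^2/12; the difference of two independent
    means has variance 2 * (J^2/12) / samples.
    """
    return (JITTER_US ** 2 / 12 * 2 / samples) ** 0.5


if __name__ == "__main__":
    for n in (20, 2000, 200_000):
        print(f"n={n:>7}  jittered gap={estimated_gap(n):8.2f} us  "
              f"noise={standard_error(n):7.2f} us")
    print(f"constant-time gap at n=200000: "
          f"{estimated_gap(200_000, constant_time=True):.2f} us")
```

The noise term shrinks with the square root of the sample count, so the jitter raises the number of measurements needed without changing what they converge to; only the constant-time path converges to zero.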

More information about the openssh-unix-dev mailing list