Security of OpenSSL ECDSA signatures
Dan Kaminsky
dan at doxpara.com
Tue May 24 13:43:02 EST 2011
On Mon, May 23, 2011 at 2:36 PM, Damien Miller <djm at mindrot.org> wrote:
> On Mon, 23 May 2011, Dan Kaminsky wrote:
>
> > > Unless a similar timing oracle is found for GF(p) fields then no
> > > OpenSSH-side workaround is required.
> > >
> > >
> > OpenSSL has had timing attacks against most of their production ciphers
> > (RSA, AES, etc). Has the author of the paper weighed in on whether he
> > thinks his attack will affect GF(p)?
>
> The Brumley and Tuveri attack is against a scalar multiplication
> algorithm that is specific to GF(2m) fields (see section 3.2 of the
> paper). An attack on prime fields would be a new one altogether.
>
> -d
>
I asked one of the timing attack guys if they were able to run their
nanosecond scale attacks against a device having a network interface
enforced jitter several orders of magnitude higher than what they were
looking for. Command looked something like:
tc qdisc change dev eth0 root netem delay 2ms 1ms
No reply.
I know in theory this shouldn't help, but if OpenSSH's ECDSA implementation
is in fact variable time, why not add a random usleep at 10-100x the worst
case scenario for at least average hardware?
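The question raised above (whether netem jitter or a random usleep hides a variable-time operation) can be checked numerically. The following is an added example, not code from the original thread or from OpenSSH or OpenSSL: it models a hypothetical operation that takes a few microseconds longer when one secret bit is set, pushes every observation through a uniform delay shaped like `netem delay 2ms 1ms`, and shows that averaging recovers the difference anyway. The constants `BASE_US`, `LEAK_US` and the jitter parameters are constructed for illustration. A random usleep behaves the same way as the netem jitter here, since both are independent of the secret.

```python
import math
import random
import statistics

# Hypothetical model (constructed for this example, not from the thread):
# a secret-dependent operation takes BASE_US microseconds, plus LEAK_US more
# when one bit of the secret is 1.  Every observation then passes through a
# netem-style queue "delay 2ms 1ms": 2000 us +/- 1000 us, uniformly distributed.
BASE_US = 100.0
LEAK_US = 20.0
NETEM_DELAY_US = 2000.0
NETEM_JITTER_US = 1000.0


def observed_time(secret_bit, rng):
    """One round-trip measurement: operation time plus the netem delay and jitter."""
    op = BASE_US + (LEAK_US if secret_bit else 0.0)
    jitter = rng.uniform(-NETEM_JITTER_US, NETEM_JITTER_US)
    return op + NETEM_DELAY_US + jitter


def mean_difference(n_per_bit, seed=1234):
    """Average n_per_bit observations for each bit value and return
    mean(bit=1) - mean(bit=0).  The jitter is independent of the secret,
    so it averages out and the estimate converges to LEAK_US."""
    rng = random.Random(seed)
    ones = [observed_time(1, rng) for _ in range(n_per_bit)]
    zeros = [observed_time(0, rng) for _ in range(n_per_bit)]
    return statistics.fmean(ones) - statistics.fmean(zeros)


def samples_needed(leak_us, jitter_half_range_us, z=4.0):
    """Observations per bit value needed before the difference of means
    stands z standard errors above the noise.  Uniform jitter over
    +/- half_range has standard deviation half_range / sqrt(3); the count
    grows with the square of jitter/leak, so added delay raises the price
    of the measurement but does not remove the leak."""
    sigma = jitter_half_range_us / math.sqrt(3)
    return 2.0 * (z * sigma / leak_us) ** 2


if __name__ == "__main__":
    print(f"jitter std: {NETEM_JITTER_US / math.sqrt(3):.1f} us, leak: {LEAK_US} us")
    print(f"samples per bit for a 4-sigma separation: "
          f"{samples_needed(LEAK_US, NETEM_JITTER_US):.0f}")
    for n in (100, 10_000, 100_000):
        print(f"n={n:>7}: estimated leak {mean_difference(n):+.2f} us")
```

With 100 samples the estimate is buried in roughly 80 us of noise; with 100,000 per bit value it lands within a few microseconds of the 20 us leak. That is the statistical reason the "in theory this shouldn't help" remark holds: secret-independent delay only scales the number of observations required, which is why the defensive fix is a constant-time implementation rather than added jitter.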
More information about the openssh-unix-dev
mailing list