Security of OpenSSL ECDSA signatures

Aris Adamantiadis aris at 0xbadc0de.be
Tue May 24 18:15:10 EST 2011


On 24/05/11 10:08, Damien Miller wrote:
> 
> I guess if you wanted to dither (pun!) then you could do something like:
> 
> +       duration = (duration + (arc4random() & 1) ? 999 : 0) / 1000;
> 
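Review bot: the conditional operator binds less tightly than `+`, so `duration + (arc4random() & 1) ? 999 : 0` parses as `(duration + (arc4random() & 1)) ? 999 : 0`; for any nonzero duration that evaluates to 999, and `999 / 1000` is 0 in integer arithmetic, so `duration` collapses to 0 for every input. The intended expression needs the ternary parenthesized: `(duration + ((arc4random() & 1) ? 999 : 0)) / 1000`.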
> to make it random whether you round up or down, but I suspect that would
> increase the infomation leaked rather than decrease it.
> 

I think that shooting in the dark in order to block unknown timing
attacks is likely to worsen the problem rather than mitigate it. Wouldn't
it be better to "simply" analyze the upstream algorithm and try to make it
O(1), whatever the situation?
As said in the thread, putting timer loops will not stop side infoleaks
like CPU load, cache misses, etc.

Aris

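The following is an added example, not code from the thread, OpenSSH or OpenSSL. It models the two approaches discussed above: rounding (with or without the random up/down "dither") a measured duration whose length depends on the secret, versus an algorithm that does a fixed amount of work regardless of the secret. The "scalar multiplication" is a toy double-and-add that only counts operations, the per-operation cost, the jitter distribution and the microsecond/millisecond units are constructed assumptions, and the seeded RNG stands in for both the secret nonces and the environment's noise.

```python
"""Added example (not from the openssh-unix-dev thread): why rounding a
leaky duration, dithered or not, still leaks once an attacker averages,
while a fixed-work (constant-time) algorithm does not."""
import random

NBITS = 256  # assumed scalar width, as for a 256-bit curve


def ops_variable(k: int) -> int:
    """Toy double-and-add over only the significant bits of k.

    Operation count depends on k.bit_length() and on k's Hamming weight,
    so the duration is a function of the secret. Returns an op count,
    not a real curve result.
    """
    ops = 0
    for i in range(k.bit_length() - 1, -1, -1):
        ops += 1                 # double, always
        if (k >> i) & 1:
            ops += 1             # add, only when the bit is set
    return ops


def ops_fixed(k: int, nbits: int = NBITS) -> int:
    """Constant-work variant: always walks nbits bits and always performs
    the add (a real implementation selects the result with a mask).
    The op count is independent of k."""
    ops = 0
    for _ in range(nbits):
        ops += 1                 # double
        ops += 1                 # add computed unconditionally
    return ops


def measured_ms(ops: int, rng: random.Random, dither: bool,
                cost_per_op: int = 100, jitter_max: int = 1000) -> int:
    """Constructed timing model: duration in 'microseconds' is
    ops * cost plus uniform environmental jitter, then rounded to 'ms'
    as in the quoted proposal (intended semantics: randomly round up
    or down when dither is True, plain truncation otherwise)."""
    d = ops * cost_per_op + rng.randrange(jitter_max)
    bump = 999 if (dither and rng.getrandbits(1)) else 0
    return (d + bump) // 1000


def mean_rounded_time(ops_fn, bitlen: int, rng: random.Random,
                      dither: bool, samples: int = 5000) -> float:
    """Average rounded duration over random nonces of exactly bitlen bits."""
    total = 0
    for _ in range(samples):
        k = rng.getrandbits(bitlen - 1) | (1 << (bitlen - 1))
        total += measured_ms(ops_fn(k), rng, dither)
    return total / samples


def leak_gap(ops_fn, dither: bool, seed: int = 1) -> float:
    """Difference in mean rounded duration between full-width nonces and
    nonces one bit shorter: the quantity an attacker would average for.
    Near zero means the rounding hides nothing to hide; a clear gap means
    the rounding (dithered or not) did not remove the leak."""
    rng = random.Random(seed)
    full = mean_rounded_time(ops_fn, NBITS, rng, dither)
    short = mean_rounded_time(ops_fn, NBITS - 1, rng, dither)
    return full - short


if __name__ == "__main__":
    for name, fn in (("variable-time", ops_variable), ("fixed-work", ops_fixed)):
        for dither in (False, True):
            print(f"{name:14s} dither={dither!s:5s} gap={leak_gap(fn, dither):+.3f} ms")
```

The variable-time loop does about 1.5 fewer operations for a 255-bit nonce than for a 256-bit one, which at the assumed cost is roughly 150 units, well under the 1000-unit rounding step; averaging the rounded values still recovers a gap of about 0.15 because the jitter spreads each measurement across the rounding boundary (that is what dithering does in signal processing, hence the pun). The fixed-work loop shows no gap with or without the random rounding, which is the "make it O(1)" argument in code.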

More information about the openssh-unix-dev mailing list