Re: [Taler] Fault attacks on RSA in libgcrypt
From: Jeff Burdges
Subject: Re: [Taler] Fault attacks on RSA in libgcrypt
Date: Fri, 02 Sep 2016 05:27:59 +0200
On Fri, 2016-09-02 at 09:34 +0900, NIIBE Yutaka wrote:
> So, I think that the idea of this attack itself is valid and we have
> no way to solve it by software, in general (while we could find a way
> to mitigate somehow for a given scenario).
As I said before, I now think the patch I submitted up-thread is
useless, and we should instead look towards approaches resembling:
http://dl.acm.org/citation.cfm?doid=1873548.1873556
In this new article, there is considerably more randomization throughout
the signing algorithm. Indeed, one could imagine extending it to two
layers of randomization, so that the actual key only exists briefly when
loaded from disk before being randomized for the session, and each
decryption operation gets its own randomization as well.
There are good odds that a more thoroughly randomized approach like this
can be justified purely for added protection against timing attacks,
while my now-retracted patch is obviously useless for that. The paper
does not make such a case though.
Anyone here who understands the existing protections against timing
attacks want to glance over this new article?
Jeff
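The two-layer randomization Jeff sketches above, as an added example that is not code from the thread, from libgcrypt, or from the cited paper: the stored private exponent is blinded once when the key is loaded (session layer), each signing operation blinds the session exponent again (operation layer), the base is blinded with a random k, and the result is verified against the public key before it is released. The exponent blinding d' = d + r·φ(N) and the verify-before-release check are generic, textbook countermeasures, not the paper's construction; the primes are constructed toy values chosen only to keep the arithmetic fast, and the "fault" is a simulated bit flip on the exponentiation result. Real libgcrypt signs via CRT, which this example does not model.

```python
import secrets
from math import gcd

# Constructed toy RSA parameters: two well-known small primes.  Real keys are
# 2048+ bits; these only keep the arithmetic fast for illustration.
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent (Python 3.8+ modular inverse)


def blind_exponent(d, bits=64):
    """Return d' = d + r*phi(N) for a fresh random r.

    For every m, m**d' == m**d (mod N) because m**(k*phi(N)+1) == m (mod N)
    for distinct primes p, q, so d' signs exactly like d, but the bit
    pattern walked by the square-and-multiply loop changes on every call.
    """
    r = secrets.randbits(bits) | 1
    return d + r * PHI


class SessionKey:
    """Session layer: the on-disk exponent is blinded once at load time.

    Operation layer: every sign() blinds the session exponent again, so no
    two exponentiations use the same exponent and the original d is never
    touched after construction.
    """

    def __init__(self, d):
        self.d_session = blind_exponent(d)

    def sign(self, m, inject_fault=0):
        d_op = blind_exponent(self.d_session)    # per-operation layer
        # Base blinding: exponentiate m*k^e instead of m, unblind with k^-1.
        while True:
            k = secrets.randbelow(N - 2) + 2
            if gcd(k, N) == 1:
                break
        blinded = (m * pow(k, E, N)) % N
        s_blind = pow(blinded, d_op, N)
        s_blind ^= inject_fault                  # simulated transient fault (0 = none)
        s = (s_blind * pow(k, -1, N)) % N
        # Verify-before-release: a faulty signature must never leave the box,
        # since a single faulty RSA signature can leak the private key.
        if pow(s, E, N) != m % N:
            raise RuntimeError("signature failed self-check; withheld")
        return s


def fault_is_caught(key, m, fault_mask=1):
    """True if a fault injected into the exponentiation result is detected."""
    try:
        key.sign(m, inject_fault=fault_mask)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    key = SessionKey(D)
    m = 123456789
    s = key.sign(m)
    print("signature valid:", pow(s, E, N) == m)
    print("faulty signature withheld:", fault_is_caught(key, m))
```

Because e·d' ≡ 1 (mod φ(N)) for every blinded exponent, the unblinded signature is identical to the plain textbook result m^d mod N, so callers see no behavioural change; only the intermediate values an attacker could fault or time are randomized. The self-check costs one public-exponent exponentiation per signature, which is cheap next to the private one.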