[Cryptography] Side channel attack on OpenSSL ECDSA on iOS and Android

Ray Dillinger bear at sonic.net
Thu Mar 3 12:31:36 EST 2016



On 03/03/2016 12:54 AM, John Gilmore wrote:

>   "hardware side-channel attacks are not in OpenSSL's threat model",
>   so no updates are planned to OpenSSL to mitigate our attacks.
> 
> Clue -> OpenSSL maintainers?

OpenSSL considers itself busy enough patching other holes, I
suppose.  It still looks rather !clue of them though.  And it's
starting to look !clue of other software maintainers who depend
on them.

> PS: I wonder if Apple's code-signing machine is protected from this
> attack.  J. Edgar Hoover successor's next motion to a judge: "Defeat
> the terrorists by forcing Apple to put a simple wire loop near the
> machine Apple uses to sign its software."

Apple's iOS kernel IIRC is based on BSD sources, and BSD cut the
support for SSLv2 and export ciphers before this appeared. So I
would assume the answer is "no it isn't."

Even if it were, getting the key would not serve the FBI's
objective here. They don't give a rat's ass about what's actually
on the phone. What they are seeking is a precedent that says they
have the right to force a private company to decrypt things for
them by any means possible.  Secondarily they are interested in
forcing Apple to bring into existence a software artifact that
would enable it to do so easily and instantly to other devices.

That would devalue Apple by undermining Apple's current
marketing position, but it's not clear whether that's intended
as a punishment and an important part of the FBI's goal.  It
might be merely collateral damage. And pigs might fly.

Much of the precedent in cases so far has been based on an early
ruling that smartphone customers have "no expectation of privacy"
in the contents of their devices.  I don't think the response of
consumers to marketing based on Apple's "we don't even have the
key" policy, and the fact that Apple is successfully distinguishing
itself as a premium brand based on customers' ability to keep
their data private, is consistent with that early ruling. I'm
no lawyer, but wouldn't it be sensible to revisit that ruling
in the light of current evidence?

				Bear


"So come on over tonight, and we'll sit out on the swing
 And watch the pigs fly by, flapping their brand new wings.
 Just sit back and relax, and watch me eat my hat,
 As the old oak tree sprouts dollar bills and looks you in the eye
 And a big old bolt of lightning strikes me not just once but twice.
 See the premier performance of Demons On Ice...."
   --Brad Paisley
