Brumley & Boneh timing attack on OpenSSL
Marc Branchaud
marcnarc at rsasecurity.com
Tue Mar 25 12:53:46 EST 2003
Anton Stiglic wrote:
>>
>> - Should it do blinding for RSA signatures as well as RSA
>> decryption?
>
> If you are a client, and you manually control the signature
> generation (like you use PGP to sign email messages), I wouldn't
> implement blinding. But if you are a server (or a client that
> automatically responds to requests) that signs messages for some
> reason, and you receive many requests, I would.
The way I understand the attack, you have to throw a million
specially-chosen guesses at the server, which it will blindly attempt to
decrypt and use. Basically, you're getting the server to decrypt chosen
ciphertext for you.
I don't see how the attack can apply to signatures, where the server
itself is formatting the data to be signed. Unless the server is just
directly signing (RSA-encrypting) arbitrary client-supplied data, but
that's a no-no anyway.
This is slightly more than theoretical, as OCSP servers do nothing but
emit signed responses. An OCSP client can only indirectly influence
some of the data that a server signs, and so it seems very difficult to
pull off the attack.
M.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
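The mitigation the thread is weighing, RSA blinding, is simple enough to show in a few lines. The following is an added illustration, not code from the thread or from OpenSSL: it performs the private-key operation on a randomly blinded input so that the exponentiation's timing no longer depends on the attacker-chosen ciphertext, then unblinds the result. It also contrasts the two cases Marc distinguishes: decryption of a client-supplied ciphertext versus a signature over data the server itself formats (here, a hash of the message). The key is a constructed, textbook-sized toy (p = 61, q = 53, e = 17) and the hash is reduced mod n only because the modulus is tiny; the function names are my own.

```python
import hashlib
import math
import secrets

# Constructed toy RSA key (textbook-sized, NOT secure): p = 61, q = 53, e = 17.
P, Q, E = 61, 53, 17
N = P * Q                      # 3233
PHI = (P - 1) * (Q - 1)        # 3120
D = pow(E, -1, PHI)            # private exponent, 2753


def private_op_unblinded(x, d=D, n=N):
    """Plain RSA private operation x^d mod n.

    The running time of this exponentiation can depend on x, which is what
    a timing attack exploits when x is chosen by the remote party.
    """
    return pow(x, d, n)


def private_op_blinded(x, d=D, e=E, n=N):
    """RSA private operation with multiplicative blinding.

    The exponentiation runs on x * r^e mod n for a fresh random r, so its
    timing correlates with a value the remote party neither chose nor knows.
    Multiplying by r^-1 afterwards recovers x^d because
    (x * r^e)^d * r^-1 = x^d * r * r^-1 = x^d (mod n).
    """
    while True:
        r = secrets.randbelow(n - 2) + 2      # r in [2, n-1]
        if math.gcd(r, n) == 1:              # r must be invertible mod n
            break
    x_blind = (x * pow(r, e, n)) % n
    y_blind = pow(x_blind, d, n)
    return (y_blind * pow(r, -1, n)) % n


def encrypt(m, e=E, n=N):
    """Public-key operation m^e mod n (toy; no padding)."""
    return pow(m, e, n)


def decrypt(c):
    """Server-side decryption of a ciphertext the client chose: blind it."""
    return private_op_blinded(c)


def _digest_mod_n(msg: bytes) -> int:
    # The server, not the client, decides what gets exponentiated here.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(msg: bytes) -> int:
    """Signature over server-formatted data (a hash), still blinded."""
    return private_op_blinded(_digest_mod_n(msg))


def verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _digest_mod_n(msg)


if __name__ == "__main__":
    c = encrypt(123)
    print("decrypt(blinded) ==", decrypt(c))                     # 123
    print("same result as unblinded:", private_op_unblinded(c) == decrypt(c))
    s = sign(b"OCSP response body (constructed)")
    print("signature verifies:", verify(b"OCSP response body (constructed)", s))
```

The blinded and unblinded operations return identical results for every input; only the value fed to the modular exponentiation differs, and it changes on every call. In the signature path the input to the exponentiation is a hash the server computed, which is the indirect influence Marc describes, while in the decryption path the client supplies the exponentiation input outright.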