[Cryptography] 1023 nails in the coffin of 1024 RSA...
James Cloos
cloos at jhcloos.com
Sun Oct 5 14:03:38 EDT 2014
>>>>> "i" == ianG <iang at iang.org> writes:
i> (some skepticism about whether there is really a break in
i> OpenSSL, but the rumour mill will no doubt throw mud on the 1024
i> bit part as well...)
i> He claimed:
i> The bug originates in these lines of rsa_gen.c:
i> 117 bitsp=(bits+1)/2;
i> 118 bitsq=bits-bitsp;
i> the main problem being that the rounding of 1025 isn't downwards but
i> upwards, resulting in bitsp= 513 and bitsq=511, which, supposedly,
i> later on in the code and due to compiler optimizations, causes the bug.

In order for that mis-rounding to occur, the compiler must mis-optimize
the code.

The /2 will get changed to >>1 (right shift). Because bits is an int
rather than an unsigned int, that will be an arithmetic right shift.

The +1 might get converted to an INCrement.

To round up, the optimizer would then need to swap the order of the
increment and the shift.

If the compiler is mis-optimizing that, it is not surprising that it
might also mis-optimize something else later on, resulting in an
exploitable bug.

But it would have to be specific to an architecture and compiler.

-JimC
--
James Cloos <cloos at jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
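
The arithmetic discussed in this message, as an added example that is not part of the original post or of OpenSSL: it compares the quoted split with a hand-written shift-then-increment variant and counts the modulus sizes for which the two prime sizes end up more than one bit apart. The function names and the 512 to 4096 range are assumptions made here.

```c
#include <stdio.h>

/* Split quoted in the message: (bits+1)/2 with C's truncating division. */
int bitsp_as_written(int bits) { return (bits + 1) / 2; }

/* Hand-written stand-in for the mis-ordering the reply describes:
 * shift first, increment afterwards. No compiler emitted this. */
int bitsp_reordered(int bits) { return (bits >> 1) + 1; }

typedef int (*bitsp_fn)(int);

/* Count modulus sizes in [lo, hi] whose two prime sizes differ by
 * more than one bit under the given bitsp computation. */
int count_unbalanced(bitsp_fn f, int lo, int hi)
{
    int bad = 0;
    for (int bits = lo; bits <= hi; bits++) {
        int bitsp = f(bits);
        int bitsq = bits - bitsp;   /* second line of the quoted snippet */
        int diff = bitsp - bitsq;
        if (diff < 0 || diff > 1)
            bad++;
    }
    return bad;
}

int main(void)
{
    int bits = 1024;
    int p1 = bitsp_as_written(bits);
    int p2 = bitsp_reordered(bits);

    printf("as written: bitsp=%d bitsq=%d\n", p1, bits - p1);
    printf("reordered:  bitsp=%d bitsq=%d\n", p2, bits - p2);
    printf("unbalanced sizes in 512..4096: as written %d, reordered %d\n",
           count_unbalanced(bitsp_as_written, 512, 4096),
           count_unbalanced(bitsp_reordered, 512, 4096));
    return 0;
}
```

A check of this shape can be run against the output of a suspect compiler and architecture by building the as-written function at the optimization level in question and comparing its results with the expected balanced split.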