[Cryptography] Side channel attack on OpenSSL ECDSA on iOS and Android

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Mar 3 20:13:45 EST 2016


Perry E. Metzger <perry at piermont.com> writes:

>For example, as was mentioned in that posting in this thread, the OpenSSL
>people are indeed releasing code for several platforms that should be more
>resistant to side channel attacks.

You still really need to address it in hardware to do it properly though.  The
risk with a software quick-fix is that any change in the architecture will
negate it or even make it worse, and then you get the false-sense-of-security
rathole where you get to argue endlessly over whether you really should be
advertising it as fixed when what you really mean is "probably mitigated for
this particular stepping of this exact CPU" (with a later side-order of "that
the vendor stopped making three years ago").

Peter.

