[Cryptography] Side channel attack on OpenSSL ECDSA on iOS and Android

John Gilmore gnu at toad.com
Fri Mar 4 15:34:50 EST 2016


Rich Salz wrote:
> What one of our main crypto experts actually told the paper authors
> was this: Hardware side-channel attacks are not in OpenSSL's threat
> model. We won't be issuing a CVE for this, but we are always looking
> into hardening our implementations. In fact, the next OpenSSL
> release (1.1.0) will already contain new constant-time
> implementations of P-256, the most important curve for TLS, for
> ARMv4 as well as ARMv8:

Thanks, Rich, for providing more context than the paper authors did.

I also note that a very recent update to Ubuntu's OpenSSL package
provided more constant-time modexp implementations:

    * SECURITY UPDATE: side channel attack on modular exponentiation
    - debian/patches/CVE-2016-0702.patch: use constant-time calculations in
      crypto/bn/asm/x86_64-mont5.pl, crypto/bn/bn_exp.c,
      crypto/perlasm/x86_64-xlate.pl, crypto/constant_time_locl.h.
    - CVE-2016-0702

      (also for rsaz-x86_64.pl and rsaz-avx2.pl, on some Ubuntu versions.)

  https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.35
  https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.18
  https://launchpad.net/ubuntu/+source/openssl/1.0.2d-0ubuntu1.4
  https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu1

These were pushed out as a security update in the last few days.

	John
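As an added illustration of what "constant-time" means in this context (this is an editor's example, not OpenSSL's code and not part of the message above): a toy 64-bit modular exponentiation written the leaky way, with a branch on each secret exponent bit, beside a version that always does the multiply and picks the result with a mask, so the operation sequence no longer depends on the exponent. A call counter on the multiplication routine makes the difference observable without a timer. The CVE-2016-0702 fix in bn_exp.c addresses a subtler leak (cache-bank contention around secret-indexed table access in the windowed Montgomery code, not a branch), so treat this as the general principle rather than a reconstruction of that patch. The `mulmod` helper uses a hardware division, which is itself not constant-time on most CPUs; real implementations use Montgomery multiplication for that reason.

```c
#include <stdint.h>
#include <stdio.h>

/* Instrumentation only: counts modular multiplications so the test can see
   that the leaky version's work depends on the exponent's Hamming weight. */
static unsigned long g_mulmod_calls;

/* (a * b) mod m using a 128-bit intermediate (GCC/Clang, 64-bit targets).
   Precondition: m >= 1. Note: the % is a division and is NOT constant-time;
   this helper exists to keep the exponent-bit leak the only thing on show. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    g_mulmod_calls++;
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

/* Leaky square-and-multiply: the multiply runs only when the exponent bit is
   set, so timing, branch history and cache footprint track the secret bits.
   (A compiler may turn the if into a cmov, but the call count still varies.) */
uint64_t modexp_leaky(uint64_t base, uint64_t exp, uint64_t mod) {
    uint64_t result = 1 % mod;
    base %= mod;
    for (int i = 63; i >= 0; i--) {
        result = mulmod(result, result, mod);
        if ((exp >> i) & 1)                 /* secret-dependent branch */
            result = mulmod(result, base, mod);
    }
    return result;
}

/* Expand the low bit of `bit` into an all-ones (bit=1) or all-zero (bit=0)
   mask with no branch. */
static uint64_t ct_mask_from_bit(uint64_t bit) {
    return (uint64_t)0 - (bit & 1);
}

/* Branch-free select: returns a when mask is all-ones, b when it is zero. */
static uint64_t ct_select(uint64_t mask, uint64_t a, uint64_t b) {
    return (mask & a) | (~mask & b);
}

/* Constant-time square-and-always-multiply: both operations execute on every
   iteration and the kept value is chosen arithmetically, so the instruction
   stream and memory access pattern are the same for every exponent. */
uint64_t modexp_ct(uint64_t base, uint64_t exp, uint64_t mod) {
    uint64_t result = 1 % mod;
    base %= mod;
    for (int i = 63; i >= 0; i--) {
        result = mulmod(result, result, mod);
        uint64_t mult = mulmod(result, base, mod);   /* always computed */
        uint64_t mask = ct_mask_from_bit(exp >> i);
        result = ct_select(mask, mult, result);
    }
    return result;
}

/* Helpers that expose the call counter for a single exponentiation. */
unsigned long count_mulmod_calls_leaky(uint64_t base, uint64_t exp, uint64_t mod) {
    g_mulmod_calls = 0;
    (void)modexp_leaky(base, exp, mod);
    return g_mulmod_calls;
}

unsigned long count_mulmod_calls_ct(uint64_t base, uint64_t exp, uint64_t mod) {
    g_mulmod_calls = 0;
    (void)modexp_ct(base, exp, mod);
    return g_mulmod_calls;
}

int main(void) {
    /* Constructed inputs: two exponents with different Hamming weights. */
    const uint64_t mod = 1000003ULL;
    printf("leaky 3^7:  %llu mults\n", count_mulmod_calls_leaky(3, 7, mod));
    printf("leaky 3^8:  %llu mults\n", count_mulmod_calls_leaky(3, 8, mod));
    printf("ct    3^7:  %llu mults\n", count_mulmod_calls_ct(3, 7, mod));
    printf("ct    3^8:  %llu mults\n", count_mulmod_calls_ct(3, 8, mod));
    printf("3^5 mod 7 = %llu (leaky) = %llu (ct)\n",
           (unsigned long long)modexp_leaky(3, 5, 7),
           (unsigned long long)modexp_ct(3, 5, 7));
    return 0;
}
```

The leaky version performs 64 squarings plus one multiply per set exponent bit, so its cost reveals the Hamming weight and, to an attacker who can observe the branch or cache pattern per iteration, the bit positions; the constant-time version always performs exactly 128 multiplications regardless of the exponent. Whether the compiler preserves `ct_select` as straight-line code has to be checked in the emitted assembly, which is one reason OpenSSL ships these routines as hand-written perlasm rather than relying on C.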

