| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 9 Mar 2016 08:18:12 +0000 From: Cristian Stoica <cristian.stoica@....com> To: Tadeusz Struk <tadeusz.struk@...el.com>, "herbert@...dor.apana.org.au" <herbert@...dor.apana.org.au> CC: "linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "davem@...emloft.net" <davem@...emloft.net> Subject: Re: [PATCH 1/3] crypto: authenc - add TLS type encryption Hi Tadeusz, >> SSL/TLS is prone to this implementation issue and many user-space libraries got this wrong. It would be good to see >>some numbers to back-up the claim of timing differences as not being an issue for this one. >It is hard to get the implementation right when the protocol design is error prone. >Later we should run some tests on it and see how relevant will this be for a remote timing attack. Why later and who will do it? If it's only a proof of concept, then it's a bad idea. You are practically advertising a use-it-but-cross-your-fingers implementation. If you intend to submit another hardware driver which _is_ constant time, then it is even more a bad idea. The end-user doesn't know which driver is actually running and if it is resistant or not to timing attacks. Cristian S.
Powered by blists - more mailing lists