| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 Apr 2007 22:44:54 +0200 (CEST) From: "Indan Zupancic" <indan@....nu> To: "Satyam Sharma" <satyam.sharma@...il.com> Cc: "Tasos Parisinos" <t.parisinos@...ensis.com>, "Bill Davidsen" <davidsen@....com>, "Andi Kleen" <andi@...stfloor.org>, herbert@...dor.apana.org.au, linux-kernel@...r.kernel.org, randy.dunlap@...cle.com Subject: Re: [PATCH resend][CRYPTO]: RSA algorithm patch On Thu, April 12, 2007 21:57, Satyam Sharma wrote: > Of course, I'd rather code to the PKCS#1 RSA Cryptography Standard > than an entry-level Wikipedia page :-) Timing attacks are particularly > problematic on smart cards (too slow, and with predictable operation > times, if not using constant-time crypto implementations) and not > really worthwhile in practice on any other platform where there's > enough noise around to make accurate timing difficult Noise can be filtered out, and combined attacks can give enough information. (E.g. throw in power usage or other measurements.) There are ways to add noise to the timing, but still using those optimisations. The point was that they add extra code and complexity. (Personally I think RSA-like asymmetric encryption has so many, often subtle problems, with complex, hard to get secure implementations, that it's something I'd avoid using as much as possible. Unfortunately there's not much alternative.) > constant-time crypto implementations do take care of > them, though I agree the GPG code too lacks that. That's because for side-channel attacks you need physical access to the hardware, something for most machines means security is breached anyway. But when this code is going to be used to sign things by embedded devices (with a local, secret key), it can be important. For checking signatures the key is known and all this doesn't matter, but we're talking about a common implementation. It are things to keep in mind. >> Not if they go the other way round and strip everything except DSA functionality. >> The question is, is an MPI library wanted, or do people just want RSA or DSA? > > I do agree that only those parts of an MPI lib that are really needed > by any users must be included. But then we don't want to end up in a > situation where we merge such a small MPI library that code and/or > functionality are being sadly duplicated across users who want > different asymmetric cryptosystems (note the 2 DLMs in mainline, for > example). When we want to support both RSA and DSA, which require a > diverse set of MPI operations and primitives, I don't see how we can > still continue to retain the simplistic and "spartan" RSA-only MPI lib > that this code provides. We won't know until those users show themselves. Until then, we can only speculate. Right now there is only user, with another one lurking in the background. Greetings, Indan - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists