[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2293.81.207.0.53.1176410694.squirrel@secure.samage.net>
Date: Thu, 12 Apr 2007 22:44:54 +0200 (CEST)
From: "Indan Zupancic" <indan@....nu>
To: "Satyam Sharma" <satyam.sharma@...il.com>
Cc: "Tasos Parisinos" <t.parisinos@...ensis.com>,
"Bill Davidsen" <davidsen@....com>,
"Andi Kleen" <andi@...stfloor.org>, herbert@...dor.apana.org.au,
linux-kernel@...r.kernel.org, randy.dunlap@...cle.com
Subject: Re: [PATCH resend][CRYPTO]: RSA algorithm patch
On Thu, April 12, 2007 21:57, Satyam Sharma wrote:
> Of course, I'd rather code to the PKCS#1 RSA Cryptography Standard
> than an entry-level Wikipedia page :-) Timing attacks are particularly
> problematic on smart cards (too slow, and with predictable operation
> times, if not using constant-time crypto implementations) and not
> really worthwhile in practice on any other platform where there's
> enough noise around to make accurate timing difficult
Noise can be filtered out, and combined attacks can give enough information.
(E.g. throw in power usage or other measurements.) There are ways to add
noise to the timing, but still using those optimisations. The point was
that they add extra code and complexity.
(Personally I think RSA-like asymmetric encryption has so many, often
subtle problems, with complex, hard to get secure implementations, that
it's something I'd avoid using as much as possible. Unfortunately there's
not much alternative.)
> constant-time crypto implementations do take care of
> them, though I agree the GPG code too lacks that.
That's because for side-channel attacks you need physical access to the
hardware, something for most machines means security is breached anyway.
But when this code is going to be used to sign things by embedded devices
(with a local, secret key), it can be important.
For checking signatures the key is known and all this doesn't matter, but
we're talking about a common implementation. It are things to keep in mind.
>> Not if they go the other way round and strip everything except DSA functionality.
>> The question is, is an MPI library wanted, or do people just want RSA or DSA?
>
> I do agree that only those parts of an MPI lib that are really needed
> by any users must be included. But then we don't want to end up in a
> situation where we merge such a small MPI library that code and/or
> functionality are being sadly duplicated across users who want
> different asymmetric cryptosystems (note the 2 DLMs in mainline, for
> example). When we want to support both RSA and DSA, which require a
> diverse set of MPI operations and primitives, I don't see how we can
> still continue to retain the simplistic and "spartan" RSA-only MPI lib
> that this code provides.
We won't know until those users show themselves. Until then, we can only
speculate. Right now there is only user, with another one lurking in the
background.
Greetings,
Indan
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists