At 9:11 AM -0800 3/16/04, Jon Callas wrote:
I put in this note in -11 in security considerations about PKCS1
padding:
It might be good to also warn about timing attacks. Here is a possible
paragraph (one sentence added):
* PKCS1 has been found to be vulnerable to attacks in which a
system that reports errors in padding differently from errors in
decryption becomes a random oracle that can leak the private key
in mere millions of queries. Implementations must be aware of
this attack and prevent it from happening. The simplest solution
is to report a single error code for all variants of decryption
errors so as not to leak information to an attacker. It may
be necessary to make the timing of responses the same for all
cases as well.
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz | "There's nothing so clear as a | Periwinkle
(408)356-8506 | vague idea you haven't written | 16345 Englewood Ave
www.pwpconsult.com | down yet." -- Dean Tribble | Los Gatos, CA 95032
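The single-error-code and uniform-timing advice in the paragraph above, as an added example that is not part of the original message or of the OpenPGP draft: a PKCS#1 v1.5 decoder that reports each failure separately beside one that folds every check into a single code, run over constructed inputs with a hypothetical 16-byte block size.

```python
# Added example, not from this message or the OpenPGP draft. Toy RSAES-PKCS1-v1_5
# decoders for EM = 0x00 || 0x02 || PS || 0x00 || M with a constructed 16-byte
# block K (real RSA blocks are 128+ bytes); all names here are hypothetical.
K = 16
PADDING_ERROR, SEPARATOR_ERROR, LENGTH_ERROR = "padding", "separator", "length"
DECRYPTION_ERROR = "decryption"  # the single code the uniform decoder reports
SAMPLES = [                      # constructed inputs, one valid and three malformed
    b"\x00\x02" + b"\x01" * 8 + b"\x00" + b"hello",   # valid
    b"\x00\x01" + b"\x01" * 8 + b"\x00" + b"hello",   # wrong block type
    b"\x00\x02" + b"\x01" * 14,                       # no separator
    b"\x00\x02" + b"\x01" * 3 + b"\x00" + b"x" * 10,  # PS shorter than 8 bytes
]

def unpad_leaky(em: bytes):
    """Reports which check failed: each distinct code (and exit point) feeds an oracle."""
    if len(em) != K:
        return None, LENGTH_ERROR
    if em[0] != 0x00 or em[1] != 0x02:
        return None, PADDING_ERROR
    sep = em.find(0x00, 2)          # first 0x00 after the header
    if sep < 0:
        return None, SEPARATOR_ERROR
    if sep < 10:                    # PS must be at least 8 bytes
        return None, PADDING_ERROR
    return em[sep + 1:], None

def _is_zero(x: int) -> int:
    """1 if x == 0 else 0 for 0 <= x < 256, with no data-dependent branch."""
    return ((x - 1) >> 8) & 1

def unpad_uniform(em: bytes):
    """One error code, every byte examined, all checks folded into one flag."""
    bad = int(len(em) != K)
    em = (em + bytes(K))[:K]        # fixed-size working copy: loop shape never changes
    bad |= 1 - (_is_zero(em[0]) & _is_zero(em[1] ^ 0x02))
    found, sep = 0, 0
    for i in range(2, K):           # no early exit once the separator is seen
        z = _is_zero(em[i])
        sep += i * (z & (1 - found))  # index of the first zero only
        found |= z
    bad |= 1 - found                # no separator at all
    bad |= ((sep - 10) >> 31) & 1   # 1 if sep < 10, i.e. PS shorter than 8 bytes
    if bad:                         # the only data-dependent branch: the final report
        return None, DECRYPTION_ERROR
    return em[sep + 1:], None

def distinct_errors(decoder, samples=SAMPLES):
    """Error codes a decoder exposes over the inputs (what an attacker can observe)."""
    return {decoder(em)[1] for em in samples} - {None}
```

Python itself gives no timing guarantees; what carries over to a C implementation is the structure (no early exits, one flag, one error code), which is what the single-error-code sentence asks for.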