ietf-openpgp
[Top] [All Lists]

Re: Be careful with that axe, Eugene

2004-03-16 13:34:24

At 9:11 AM -0800 3/16/04, Jon Callas wrote:
I put in this note in -11 in security considerations about PKCS1
padding:

It might be good to also warn about timing attacks.  Here is a possible
paragraph (one sentence added):

      * PKCS1 has been found to be vulnerable to attacks in which a
        system reports that errors in padding differently from errors in
        decryption becomes a random oracle that can leak the private key
        in mere millions of queries. Implementations must be aware of
        this attack and prevent it from happening. The simplest solution
        is report a single error code for all variants of decryption
        errors so as not to leak information to an attacker.  It may
        be necessary to make the timing of responses the same for all
        cases as well.

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz        | "There's nothing so clear as a | Periwinkle
(408)356-8506      | vague idea you haven't written | 16345 Englewood Ave
www.pwpconsult.com | down yet." -- Dean Tribble     | Los Gatos, CA 95032



<Prev in Thread] Current Thread [Next in Thread>