
Re: [openpgp] Curve448 in ECDH

2021-02-28 12:44:52
On 2021-02-28 at 18:19:35, Paul Wouters wrote:
> On Sun, 28 Feb 2021, brian m. carlson wrote:
>
> > > Is that a concern for openpgp? openpgp is not an interactive protocol
> > > where there is a server-client with possible MITM observing time spent?
> >
> > People definitely do use OpenPGP for interactive uses where constant
> > time operations are relevant.  For example, when you create a commit by
> > editing a file on GitHub, that commit will be signed by GitHub's private
> > key, which is an online use.  This is hardly the only case where people
> > sign online.
>
> While this is online, there is no negotiation to monitor where you can
> learn anything based on timing, as you don't get errors back to do
> timing on?

True, but you can create arbitrary content to sign, so you can influence
the data used in the signature.  If, for example, signing a message
where some hash bits have value A consistently takes more or less time
than a message where some bits have value B, then that could probably
be easily leveraged to learn something about the private key.

So I think this is a case where we'd see a timing oracle based on time
to complete versus a timing oracle based on success or failure.

> > I agree that these are not the typical uses of OpenPGP, but people
> > definitely do use it for online operations, and therefore, we need to
> > properly consider them when we secure the protocol.
>
> Sure, although if Curve448 has passed CFRG review, and other IETF
> protocols are using it as well, I would think the algorithm would
> be safe to use? And that constant time implementations will happen?
> Especially since those other protocols like TLS or IKE would be much
> more sensitive to this?

I believe Curve448 is presently considered secure and is expected to be
so for as long as quantum computers are not a threat, which is why CFRG
standardized it.  All implementations of Curve25519 and Curve448 that
I'm aware of are specifically designed to be constant time.

I agree that protocols which are always online like TLS are more likely
to be vulnerable to these attacks, but since most implementations of
OpenPGP are general purpose, it's hard to exclude them from online
usage.
-- 
brian m. carlson (he/him or they/them)
Houston, Texas, US

Attachment: signature.asc
Description: PGP signature
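The thread above turns on two claims: that signing can leak a "time to complete" oracle if any step branches on secret-derived bits, and that Curve25519/Curve448 implementations avoid this by being constant time. The example below is added here as an illustration and is not code from the thread or from any OpenPGP implementation. It implements the X25519 Montgomery ladder from RFC 7748 in Python, once with the masked conditional swap the RFC specifies and once with a naive `if`-based swap, and records how many swap operations actually execute. The masked version performs the same operations for every scalar; the branchy version does an amount of work that depends on the secret bits, which is exactly the kind of secret-dependent timing difference the thread describes. Python's big-integer arithmetic is itself not constant time, so what the example demonstrates is the control-flow structure, not a timing guarantee; the test vectors are the Alice/Bob pair from RFC 7748 section 6.1, and the swap-trace bookkeeping (`trace`, `swap_trace_length`) is an assumption added for illustration.

```python
"""X25519 (RFC 7748) with a constant-time and a branchy conditional swap.

Added example, not from the mailing-list thread. The scalar multiplication is the
step that consumes secret material (the private scalar, or in EdDSA the
hash-derived nonce), so it is the step where a secret-dependent branch would
show up as a difference in completion time. Python integers are not constant
time; the point shown here is structural: the masked swap executes the same
operations whatever the scalar, the branchy swap does not.
"""

P = 2**255 - 19      # Curve25519 field prime
A24 = 121665         # (486662 - 2) / 4, the ladder constant from RFC 7748
BASEPOINT_U = 9      # u-coordinate of the X25519 base point


def decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte little-endian scalar as RFC 7748 section 5 requires."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u: bytes) -> int:
    """Decode a 32-byte little-endian u-coordinate, ignoring the top bit."""
    return int.from_bytes(u, "little") & ((1 << 255) - 1)


def cswap_ct(swap: int, a: int, b: int, trace: list) -> tuple:
    """Masked swap (RFC 7748 style): identical arithmetic for swap = 0 and 1."""
    mask = -swap                 # 0 or all-ones; Python ints are arbitrary precision
    dummy = mask & (a ^ b)
    trace.append("cswap")        # executed on every call, regardless of the bit
    return a ^ dummy, b ^ dummy


def cswap_branchy(swap: int, a: int, b: int, trace: list) -> tuple:
    """Variable-time swap: the branch, and the work, depend on the secret bit."""
    if swap:
        trace.append("swap")     # only executed when the secret bit is 1
        return b, a
    return a, b


def ladder(k: int, u: int, cswap, trace: list) -> int:
    """Montgomery ladder from RFC 7748 section 5, parameterised on the swap used."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3, trace)
        z2, z3 = cswap(swap, z2, z3, trace)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3, trace)
    z2, z3 = cswap(swap, z2, z3, trace)
    return x2 * pow(z2, P - 2, P) % P


def x25519(k: bytes, u: bytes, constant_time: bool = True) -> bytes:
    """X25519(k, u) as 32 little-endian bytes; both swap variants give the same result."""
    cswap = cswap_ct if constant_time else cswap_branchy
    return ladder(decode_scalar(k), decode_u(u), cswap, []).to_bytes(32, "little")


def swap_trace_length(k: bytes, constant_time: bool) -> int:
    """Number of swap operations the ladder executed for this scalar (illustrative bookkeeping)."""
    trace = []
    cswap = cswap_ct if constant_time else cswap_branchy
    ladder(decode_scalar(k), BASEPOINT_U, cswap, trace)
    return len(trace)


# RFC 7748 section 6.1 test vectors.
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")
BASEPOINT = bytes([BASEPOINT_U]) + bytes(31)

if __name__ == "__main__":
    assert x25519(ALICE_PRIV, BASEPOINT) == ALICE_PUB
    assert x25519(ALICE_PRIV, BOB_PUB) == SHARED
    for k in (bytes(32), bytes([0x55]) * 32):
        print("masked swaps:", swap_trace_length(k, True),
              "branchy swaps:", swap_trace_length(k, False))
```

Running the block shows the masked ladder always executing 512 swap operations (two per ladder step plus the final pair), while the branchy ladder's count tracks the number of bit transitions in the clamped scalar, so an attacker who can choose what gets signed and time the signer learns something about those bits. The same pattern applies to Curve448 with its own prime, `a24` and 448-bit loop.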

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp