Timing Attack against RSA OAEP Code
ueno at unixuser.org
Fri Jun 3 03:36:34 CEST 2011
Tom Ritter <tom at ritter.vg> writes:
> I'm not sure if libgcrypt has a policy of attempting to prevent timing
> attacks, but I noticed one in the new RSA OAEP code and developed a
> proof of concept. On the latest revision of pubkey.c line 1180 is
> an if statement that will exit decoding early if the high byte is
Thanks for the analysis. I should have read RFC3447 more carefully.
> The patch for this would be to do something similar to OpenSSL  -
> where the entire decoding process is run through regardless of the
> high-byte error, but a flag is set and the error returned at the end
> of the function.
I'm attaching a fix in this direction. Also, probably oaep_decode
should never return "inspectable" error codes like GPG_ERR_TOO_SHORT on
> Since this code is trunk and not a versioned release, I don't consider
> there any risk of releasing this information prior to informing the
> list - if you want to debate disclosure, please contact me personally.
Thanks for noticing this before the release.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 5046 bytes
Desc: not available
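The two decoder shapes discussed above, as an added illustration that is not libgcrypt code and not the attached patch: a check that returns as soon as the leading byte is wrong, next to one that runs every check over the whole block, ORs failures into a flag, and returns a single non-inspectable error at the end. It assumes the input is the decrypted block EM = Y || seed || DB with the MGF1 masks already removed (the masking step is omitted), that the expected lHash and the hash length are supplied by the caller, and uses the RFC 3447 layout DB = lHash || PS || 0x01 || M. All function names (`oaep_unpad_early_exit`, `oaep_unpad_ct`, `demo_unpad`) and the 16-byte test vector are made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constant-time predicates: 0xFF when true, 0x00 when false. */
static uint8_t ct_is_zero(uint8_t x)
{
    return (uint8_t)(((uint32_t)x - 1u) >> 8);  /* borrows only if x == 0 */
}
static uint8_t ct_eq(uint8_t a, uint8_t b) { return ct_is_zero(a ^ b); }

/* Shape 1 (the reported pattern): return as soon as a check fails.  The
 * branch on Y gives a chosen-ciphertext attacker a timing oracle for
 * "first byte of the decrypted block is zero". */
static int oaep_unpad_early_exit(const uint8_t *em, size_t k,
                                 const uint8_t *lhash, size_t hlen,
                                 uint8_t *out, size_t *outlen)
{
    if (k < 2 * hlen + 2) return -1;     /* lengths are public: fine */
    if (em[0] != 0x00) return -1;        /* the early exit */
    const uint8_t *db = em + 1 + hlen;   /* skip Y and seed */
    size_t dblen = k - 1 - hlen, i = hlen;
    if (memcmp(db, lhash, hlen) != 0) return -1;
    while (i < dblen && db[i] == 0x00) i++;
    if (i == dblen || db[i] != 0x01) return -1;
    *outlen = dblen - (i + 1);
    memcpy(out, db + i + 1, *outlen);
    return 0;
}

/* Shape 2 (the fix direction): run every check over the whole block, OR
 * failures into a flag, and take the one error return at the end. */
static int oaep_unpad_ct(const uint8_t *em, size_t k,
                         const uint8_t *lhash, size_t hlen,
                         uint8_t *out, size_t *outlen)
{
    if (k < 2 * hlen + 2) return -1;
    const uint8_t *db = em + 1 + hlen;
    size_t dblen = k - 1 - hlen, msg_start = dblen;
    uint8_t bad = 0, found = 0;          /* bad: any failure; found: 0x01 seen */

    bad |= ~ct_is_zero(em[0]);           /* Y must be 0x00, but keep going */
    for (size_t i = 0; i < hlen; i++)
        bad |= ~ct_eq(db[i], lhash[i]);  /* lHash must match */
    for (size_t i = hlen; i < dblen; i++) {
        uint8_t is_zero = ct_is_zero(db[i]), is_one = ct_eq(db[i], 0x01);
        uint8_t first = is_one & ~found;              /* this byte is the separator */
        bad |= ~found & ~is_zero & ~is_one;           /* non-zero junk inside PS */
        size_t m = (size_t)0 - (size_t)(first & 1u);  /* all-ones iff first */
        msg_start = (msg_start & ~m) | ((i + 1) & m); /* branch-free select */
        found |= is_one;
    }
    bad |= ~found;                       /* separator never seen */
    if (bad) return -1;                  /* the only data-dependent branch */
    *outlen = dblen - msg_start;
    memcpy(out, db + msg_start, *outlen);
    return 0;
}

/* Constructed toy vector (not a real OAEP block): k = 16, hlen = 4.
 * EM = Y | seed(4) | lHash(4) | PS(3 x 0x00) | 0x01 | M = "abc". */
enum { K = 16, HLEN = 4 };
static const uint8_t LHASH[HLEN] = { 0xAA, 0xBB, 0xCC, 0xDD };
static const uint8_t EM_VALID[K] = { 0x00, 0x11, 0x22, 0x33, 0x44,
    0xAA, 0xBB, 0xCC, 0xDD, 0x00, 0x00, 0x00, 0x01, 'a', 'b', 'c' };
uint8_t g_msg[K];                        /* last recovered message */

/* Copies EM_VALID, overwrites one byte, and unpads with either decoder.
 * Returns the recovered message length, or -1 on any padding failure. */
int demo_unpad(int constant_time, size_t pos, uint8_t val)
{
    uint8_t em[K];
    size_t n = 0;
    memcpy(em, EM_VALID, K);
    em[pos] = val;
    int rc = constant_time ? oaep_unpad_ct(em, K, LHASH, HLEN, g_msg, &n)
                           : oaep_unpad_early_exit(em, K, LHASH, HLEN, g_msg, &n);
    return rc == 0 ? (int)n : -1;
}

int main(void)
{
    for (int ct = 0; ct <= 1; ct++)
        printf("%s: valid=%d badY=%d badHash=%d junkPS=%d noSep=%d\n",
               ct ? "constant-time" : "early-exit",
               demo_unpad(ct, 0, 0x00), demo_unpad(ct, 0, 0x02),
               demo_unpad(ct, 5, 0xAB), demo_unpad(ct, 9, 0x05),
               demo_unpad(ct, 12, 0x00));
    return 0;
}
```

Both decoders accept and reject the same inputs; what differs is that the second one does the same amount of work whichever check fails and reports only a generic failure, which is the property the thread asks for. The recovered message length is still visible to the caller, as it must be, so a real implementation also has to make sure nothing else in the call path branches on it before the final result is returned.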