Timing Attack against RSA OAEP Code

Daiki Ueno ueno at unixuser.org
Fri Jun 3 03:36:34 CEST 2011

Tom Ritter <tom at ritter.vg> writes:

> I'm not sure if libgcrypt has a policy of attempting to prevent timing
> attacks, but I noticed one in the new RSA OAEP code and developed a
> proof of concept.  On the latest revision of pubkey.c[1] line 1180 is
> an if statement that will exit decoding early if the high byte is
> non-zero.

Thanks for the analysis.  I should have read RFC3447 more carefully.

> The patch for this would be to do something similar to OpenSSL [5] -
> where the entire decoding process is run through regardless of the
> high-byte error, but a flag is set and the error returned at the end
> of the function.

I'm attaching a fix in this direction.  Also, probably oaep_decode
should never return "inspectable" error codes like GPG_ERR_TOO_SHORT on
non-fatal errors.

> Since this code is trunk and not a versioned release, I don't consider
> there any risk of releasing this information prior to informing the
> list - if you want to debate disclosure, please contact me personally.

Thanks for noticing this before the release.

Daiki Ueno
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Prevent-OAEP-timing-attack.patch
Type: text/x-patch
Size: 5046 bytes
Desc: not available
URL: </pipermail/attachments/20110603/193f2b68/attachment-0001.bin>
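The early-exit problem and the flag-based fix discussed above, as an added C example that is not libgcrypt code or the attached patch. It assumes the MGF1 unmasking has already been undone, a SHA-256 hash length, and that the caller supplies lhash (the hash of the label):

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added example, not libgcrypt code or the attached patch: padding checks on
 * an already unmasked RSA-OAEP block em = 0x00 || seed || db with
 * db = lhash || PS (zeros) || 0x01 || M (RFC 3447, 7.1.2 step 3.g).
 * HLEN assumes SHA-256; the caller supplies lhash (hash of the label). */
#define HLEN 32
static uint8_t ct_eq(uint8_t a, uint8_t b)      /* 0xFF if a == b, else 0x00 */
{
    uint8_t x = a ^ b;
    x |= x >> 4; x |= x >> 2; x |= x >> 1;
    return (uint8_t)((x & 1) - 1);
}
/* Pattern the thread describes: each failing check returns at once, so the
 * time taken tells the caller which check failed. */
int oaep_check_early_exit(const uint8_t *em, size_t emlen,
                          const uint8_t *lhash, size_t *m_off)
{
    size_t i = 1 + 2 * HLEN;
    if (emlen < i + 1 || em[0] != 0) return -1;     /* exits before any other work */
    if (memcmp(em + 1 + HLEN, lhash, HLEN) != 0) return -1;
    while (i < emlen && em[i] == 0) i++;            /* time grows with PS length */
    if (i == emlen || em[i] != 1) return -1;
    *m_off = i + 1;
    return 0;
}
/* Hardened pattern (the OpenSSL-style fix the thread points to): every byte
 * is visited on every call, failures are OR-ed into one flag with bitwise
 * operations, and the single error is reported only at the end. */
int oaep_check_const_time(const uint8_t *em, size_t emlen,
                          const uint8_t *lhash, size_t *m_off)
{
    uint8_t bad, in_ps = 0xFF;      /* in_ps stays 0xFF until 0x01 is seen */
    size_t i, off = 0;
    if (emlen < 2 * HLEN + 2) return -1;    /* length is public, may branch */
    bad = ~ct_eq(em[0], 0);
    for (i = 0; i < HLEN; i++)
        bad |= ~ct_eq(em[1 + HLEN + i], lhash[i]);
    for (i = 1 + 2 * HLEN; i < emlen; i++) {
        uint8_t is_one = ct_eq(em[i], 1), is_zero = ct_eq(em[i], 0);
        bad |= in_ps & ~is_one & ~is_zero;          /* junk inside PS */
        off |= (size_t)(i + 1) & ((size_t)0 - (in_ps & is_one & 1));
        in_ps &= ~is_one;                           /* past the separator */
    }
    bad |= in_ps;                                   /* no separator found */
    *m_off = off;
    return bad ? -1 : 0;
}
```

Both functions return the same verdicts; only the hardened one does the same amount of work whether the leading byte, the label hash, or the padding is wrong.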

More information about the Gcrypt-devel mailing list