[git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-259-gc17f84b
Florian Weimer
fweimer at redhat.com
Wed Sep 2 15:46:58 CEST 2015
On 09/01/2015 07:35 AM, Werner Koch wrote:
> commit c17f84bd02d7ee93845e92e20f6ddba814961588
> Author: Werner Koch <wk at gnupg.org>
> Date: Mon Aug 31 23:13:27 2015 +0200
>
> rsa: Add verify after sign to avoid Lenstra's CRT attack.
>
> * cipher/rsa.c (rsa_sign): Check the CRT.
> --
>
> Failures in the computation of the CRT (e.g. due to faulty hardware) can
> lead to a leak of the private key. The standard precaution against
> this is to verify the signature after signing. GnuPG does this itself
> and even has an option to disable this. However, the low performance
> impact of this extra precaution suggests that it should always be done
> and Libgcrypt is the right place here. For decryption this is not done
> because the application will detect the failure due to garbled
> plaintext and in any case no key-derived material will be sent to the
> user.
Some background information on this change is available here:
<https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/>
<https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf>
We computed quite a few RSA signatures on x86_64, i386, ppc64, ppc64le,
and s390x, but could not observe any key leaks, so we consider this
change merely hardening as far as libgcrypt is concerned.
--
Florian Weimer / Red Hat Product Security
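A toy illustration of the verify-after-sign precaution the commit adds, as added example code that is not libgcrypt's rsa_sign: textbook RSA-CRT signing with a simulated fault in the mod-p half, the check that refuses to release the faulty signature, and the reason the check matters (a released faulty signature reveals a factor of N). The key material is a constructed, deliberately tiny example, not a real key.

```python
import math

# Constructed toy RSA key (far too small for real use; chosen so the arithmetic is easy to follow).
P, Q = 61, 53
N = P * Q                             # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))     # 2753, the private exponent

def crt_params(p, q, d):
    """Precompute the CRT exponents and inverse, as RSA implementations store them."""
    dp = d % (p - 1)
    dq = d % (q - 1)
    qinv = pow(q, -1, p)
    return dp, dq, qinv

def rsa_sign_crt(m, p, q, d, fault=False):
    """Textbook RSA-CRT signature of the integer m (no padding).
    fault=True simulates a computation error in the mod-p half (Lenstra's scenario)."""
    dp, dq, qinv = crt_params(p, q, d)
    sp = pow(m, dp, p)
    sq = pow(m, dq, q)
    if fault:
        sp = (sp + 1) % p             # constructed fault: the mod-p half is wrong
    h = (qinv * (sp - sq)) % p        # Garner's recombination
    return sq + h * q

def rsa_sign_checked(m, p, q, d, e, fault=False):
    """The mitigation: verify after signing and return None rather than a faulty signature."""
    n = p * q
    s = rsa_sign_crt(m, p, q, d, fault)
    if pow(s, e, n) != m % n:         # cheap public-key operation catches any CRT fault
        return None
    return s

def leaked_factor(s_faulty, m, e, n):
    """Why the check matters: a signature correct mod q but wrong mod p has s^e - m
    divisible by q and not by p, so gcd(s^e - m, N) is a nontrivial factor of N."""
    return math.gcd((pow(s_faulty, e, n) - m) % n, n)

if __name__ == "__main__":
    msg = 65
    print("good signature verifies:", pow(rsa_sign_checked(msg, P, Q, D, E), E, N) == msg)
    print("faulty signature released:", rsa_sign_checked(msg, P, Q, D, E, fault=True))
    unchecked = rsa_sign_crt(msg, P, Q, D, fault=True)
    print("factor leaked by unchecked faulty signature:", leaked_factor(unchecked, msg, E, N))
```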