Side-channel vulnerability in libgcrypt - the Marvin Attack
Hubert Kario
hkario at redhat.com
Fri Mar 15 15:06:51 CET 2024
On Friday, 15 March 2024 13:37:16 CET, Stephan Verbücheln via Gcrypt-devel wrote:
> Hello
>
> Thank you for your work and sharing your results!
>
> How about the use case of interactively authenticating to a server
> which is not controlled by oneself and therefore not fully trusted?
> Since the authentication is interactive, the timing could matter.
>
> For example, I am using my PGP key for SSH public-key authentication to
> github.com and alike.
Authentication uses signing, not decryption.

While there are also timing attacks on signing operations (see Kocher 1996 as the first example of those), that's not what I have been testing or tried to exploit.

While presence of timing attacks in decryption is a red flag, it's not a guarantee that timing attacks in signing are exploitable. Or vice versa. An implementation vulnerable to Bleichenbacher may be completely immune to Kocher-like attacks, and an implementation vulnerable to Kocher can be completely immune to Bleichenbacher-like attacks.

(Though do note that Kocher allows for private key extraction, so if a Kocher-like attack is possible, decryption of captured ciphertexts is also possible.)
--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic
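The decryption-side timing leak discussed in this thread, as an added illustration that is not code from the thread or from libgcrypt: a PKCS#1 v1.5 unpadding routine written with early returns (the kind of timing oracle the Marvin/Bleichenbacher class of attacks relies on) beside a constant-time version with implicit rejection. Function names, the fixed-length-message assumption and the mask helpers are my own construction.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Leaky PKCS#1 v1.5 unpadding, the pattern a Marvin/Bleichenbacher oracle feeds on:
 * each early return exits at a different time, so the decrypting side reveals
 * whether the padding was well-formed. Illustrative, not libgcrypt's code. */
int unpad_leaky(const uint8_t *em, size_t k, uint8_t *out, size_t *out_len) {
    size_t i;
    if (k < 11 || em[0] != 0x00 || em[1] != 0x02) return -1;
    for (i = 2; i < k && em[i] != 0x00; i++) ;   /* find the 0x00 separator */
    if (i < 10 || i == k) return -1;              /* <8 pad bytes or no separator */
    *out_len = k - i - 1;
    memcpy(out, em + i + 1, *out_len);
    return 0;
}
/* Branch-free mask helpers: all-ones when the condition holds, else zero. */
static uint32_t ct_eq0(uint32_t x) { return 0u - (uint32_t)((~x & (x - 1)) >> 31); }
static uint32_t ct_eq(uint32_t a, uint32_t b) { return ct_eq0(a ^ b); }
static uint32_t ct_lt(uint32_t a, uint32_t b) { /* unsigned a < b */
    return 0u - (uint32_t)((a ^ ((a ^ b) | ((a - b) ^ b))) >> 31);
}
/* Constant-time unpadding for a message of known length msg_len (as in TLS RSA
 * key exchange): reads every byte, never branches on secret data, and on bad
 * padding emits the caller's fallback bytes instead of an error (implicit
 * rejection), so the rest of the protocol behaves the same either way.
 * Returns all-ones if the padding was valid, zero otherwise. Caveat: a compiler
 * may still turn the masks back into branches; inspect the object code. */
uint32_t unpad_ct(const uint8_t *em, size_t k, const uint8_t *fallback,
                  uint8_t *out, size_t msg_len) {
    uint32_t good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02);
    uint32_t found = 0, sep = 0;           /* sep: index of first 0x00 after byte 1 */
    size_t i, j;
    for (i = 2; i < k; i++) {
        uint32_t z = ct_eq(em[i], 0x00);
        sep |= (uint32_t)i & z & ~found;   /* latch only the first separator */
        found |= z;
    }
    good &= found & ct_lt(9, sep);                           /* >= 8 pad bytes */
    good &= ct_eq(sep + 1 + (uint32_t)msg_len, (uint32_t)k); /* length matches */
    for (j = 0; j < msg_len; j++) {
        uint8_t v = 0;
        for (i = 2; i < k; i++)            /* select em[sep+1+j] without indexing by sep */
            v |= em[i] & (uint8_t)ct_eq((uint32_t)i, sep + 1 + (uint32_t)j);
        out[j] = (v & (uint8_t)good) | (fallback[j] & (uint8_t)~good);
    }
    return good;
}
```

The caller of unpad_ct must also avoid branching on the returned mask; in a real deployment the fallback bytes are derived deterministically from the ciphertext (for example via a keyed PRF) so that repeated queries see consistent behaviour.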