On Thu, Dec 19, 2013 at 11:46 AM, Niels Möller nisse@lysator.liu.se wrote:
It seems that some guys managed to "listen" gnupg private keys. While some parts of the attack are gnupg specific, similar attacks could apply in nettle as well (and I guess every implementation that does RSA decryption).
I have only had a very quick look at the paper.
I see on their mitigation section that "ciphertext normalization", i.e., c=c%n, avoids their key recovery attack,
Wouldn't it make more sense to simply reject ciphertexts with c >= n? And since this condition depends on no secret information, there's no harm in returning failure early in this case, right?
Yes. That would also avoid the complex patch (which should be now attached).
Or do they mean c >= q, where q is the secret factor? I think the right way for the CRT processing is to always zero pad c to the same size of n, and then reduce it mod p and mod q using a side-channel silent reduction algorithm. Not entirely trivial to do with the mpz interface, though.
My understanding was that c>=n.
On mitigation, it also sounds like RSA blinding (which you implemented a while ago) is effective. It ought to be effective against any attacks relying on *chosen* ciphertexts.
Indeed. I realized after that gnupg's code didn't use the blinding part (that attack worked on the old gnupg versions, something that isn't very apparent in the paper :)
However, checking for ciphertext validity prior to getting to the actual operation is a good thing to have. Not as serious as I initially thought though.
regards, Nikos