On Wed, Sep 2, 2015 at 4:05 PM, Florian Weimer fweimer@redhat.com wrote:
I strongly suggest implementing RSA-CRT hardening, by checking that RSA signatures have not been miscomputed accidentally:

https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf

We did not see any key leaks which could be attributed to Nettle, but I think the added verification is still a reasonable precaution.
Unfortunately, for most of the functions available in nettle this counter-measure cannot be implemented without changing the API. That said, there is rsa_pkcs1_sign_tr(), which is supposed to be the side-channel resistant version of rsa_pkcs1_sign() and can have this additional check with no changes. I attach a small patch which verifies the output of this signing function.
Niels, what about the rest of the functions? They can protect from neither timing nor fault attacks. I also attach the patch which marks them as such in the manual.
regards, Nikos
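The check discussed in this thread, shown as an added, self-contained Python example (this is not Nettle's code and not the attached patch; the toy key, the fake PKCS#1 encoding and the `corrupt_half` test hook are all constructed for illustration): a signature computed with the CRT is re-verified with the public exponent before it is released, so a miscomputed half-exponentiation yields an error instead of a faulty signature leaving the library.

```python
"""Toy RSA-CRT signing with the post-signing verification check.

Constructed example: the primes are small Mersenne primes chosen so the
arithmetic is fast and readable; real keys use 1024-bit or larger primes.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class RsaKey:
    p: int
    q: int
    e: int
    d: int
    n: int
    dp: int    # d mod (p-1)
    dq: int    # d mod (q-1)
    qinv: int  # q^-1 mod p, used by Garner's recombination


def make_key(p: int, q: int, e: int = 65537) -> RsaKey:
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return RsaKey(p, q, e, d, n, d % (p - 1), d % (q - 1), pow(q, -1, p))


# Constructed toy key (assumption for the example only).
TOY_KEY = make_key(2**31 - 1, 2**61 - 1)


def encode_message(msg: bytes, n: int) -> int:
    """Stand-in for PKCS#1 v1.5 encoding: hash the message, reduce mod n."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


class SignatureFault(Exception):
    """The CRT result did not verify against the public key."""


def crt_sign(m: int, key: RsaKey, corrupt_half=None) -> int:
    """Plain RSA-CRT: two half-size exponentiations recombined with Garner.

    `corrupt_half` is a test hook (constructed for this example) that lets a
    caller simulate an error in the mod-p half of the computation.
    """
    sp = pow(m, key.dp, key.p)
    sq = pow(m, key.dq, key.q)
    if corrupt_half is not None:
        sp = corrupt_half(sp)          # simulate a miscomputed half
    h = (key.qinv * (sp - sq)) % key.p
    return sq + h * key.q               # s == m^d mod n when no fault occurred


def crt_sign_hardened(m: int, key: RsaKey, corrupt_half=None) -> int:
    """RSA-CRT signing that withholds the result unless it verifies.

    The extra cost is one public-exponent exponentiation, which is cheap
    compared with the private-key operation it protects.
    """
    s = crt_sign(m, key, corrupt_half)
    if pow(s, key.e, key.n) != m % key.n:
        raise SignatureFault("RSA-CRT output failed verification; signature withheld")
    return s


def sign_message(msg: bytes, key: RsaKey) -> int:
    return crt_sign_hardened(encode_message(msg, key.n), key)


def fault_is_caught(msg: bytes, key: RsaKey) -> bool:
    """Return True if a simulated error in s_p is rejected by the hardened path."""
    m = encode_message(msg, key.n)
    try:
        crt_sign_hardened(m, key, corrupt_half=lambda x: x ^ 1)
    except SignatureFault:
        return True
    return False


if __name__ == "__main__":
    sig = sign_message(b"example message", TOY_KEY)
    print("signature verifies:", pow(sig, TOY_KEY.e, TOY_KEY.n) == encode_message(b"example message", TOY_KEY.n))
    print("simulated fault rejected:", fault_is_caught(b"example message", TOY_KEY))
```

Because gcd(e, p-1) = 1, the e-th root of m mod p is unique, so any change to the mod-p half produces an s whose e-th power no longer matches m; the hardened path therefore raises on every such fault rather than returning a signature the caller could hand out.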