On Thu, Mar 17, 2011 at 10:35 AM, Niels Möller nisse@lysator.liu.se wrote:
Daniel Kahn Gillmor dkg@fifthhorseman.net writes:
My understanding is that RSA blinding is a countermeasure against timing attacks, and that it introduces a new dependency on some sort of RNG (though perhaps a weak one?) to parts of the process that wouldn't otherwise need it.
I confess I don't remember the details of why blinding is desirable. Does it improve hiding of the key, message, or both?
Actually RSA has pretty much limited utility without blinding since retrieving the RSA private key from a web server has been shown practical since 2003 and attacks were known since 1996 (Kocher). gnutls implements blinding over nettle's functions. You might add a warning on the documentation of nettle's functions.
The papers discussing the attacks:
* Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems by Kocher (1996)
* Remote timing attacks are practical by Boneh and Brumley
* Improving Brumley and Boneh Timing Attack on Unprotected SSL Implementations
regards, Nikos
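The blinding step Nikos refers to, shown as an added example in Python (this is not code from the thread, from GnuTLS or from Nettle): the private-key exponentiation is run on c multiplied by r^e for a fresh random r, so its input (and thus its timing) is decorrelated from the attacker-chosen ciphertext, then r is stripped from the result. The toy primes, key size and function names are assumptions for illustration only.

```python
import secrets
from math import gcd

# Constructed toy RSA key, far too small for real use; the values exist only
# so the arithmetic below is easy to follow and check.
P, Q = 1000003, 1000033          # both prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, e*d = 1 mod phi(N)


def rsa_private_unblinded(c, d, n):
    """Unprotected private-key operation: the secret-exponent loop runs
    directly on attacker-controlled input c (the setting of Kocher 1996 and
    Boneh/Brumley)."""
    return pow(c, d, n)


def pick_blinding_factor(n, rng=secrets.randbelow):
    """Fresh r in [2, n-1] with gcd(r, n) == 1. This is the RNG dependency
    blinding introduces: r must be unpredictable and new for every call."""
    while True:
        r = rng(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def blind(c, e, n, r):
    """c' = c * r^e mod n. Only public values are used here."""
    return (c * pow(r, e, n)) % n


def unblind(m_blinded, r, n):
    """(c * r^e)^d = c^d * r^(ed) = m * r mod n, so multiplying by r^-1
    recovers m."""
    return (m_blinded * pow(r, -1, n)) % n


def rsa_private_blinded(c, d, e, n, rng=secrets.randbelow):
    """Blinded private-key operation: the exponentiation with d never sees
    c itself, only the randomised c'."""
    r = pick_blinding_factor(n, rng)
    return unblind(pow(blind(c, e, n, r), d, n), r, n)


if __name__ == "__main__":
    m = 123456789
    c = pow(m, E, N)  # constructed ciphertext
    print(rsa_private_unblinded(c, D, N) == m, rsa_private_blinded(c, D, E, N) == m)
```

Python's pow() is itself not constant-time; the point of the example is that the value fed to the secret-exponent operation changes unpredictably on every call, which is what removes the timing correlation the cited attacks rely on.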