Protection of RSA from timing and cache-flushing attacks [Was: RFR(L): 8069539: RSA acceleration]
Andrew Haley aph at redhat.com
Tue May 26 09:29:20 UTC 2015
- Previous message: JEP 119 / Implementation of javax.lang.model.util.Types
- Next message: RFR JDK-8028480: (zipfs) NoSuchFileException on creating a file in ZipFileSystem with CREATE and WRITE
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 05/11/2015 04:37 PM, Florian Weimer wrote:
On 05/08/2015 07:19 PM, Andrew Haley wrote:
Do we want to add side-channel protection as part of this effort (against timing attacks and cache-flushing attacks)? I wouldn't have thought so. It might make sense to add an optional path without key-dependent branches, but not as a part of this effort: the goals are completely orthogonal. I'm not well-versed in this kind of side-channel protection for RSA implementations, but my impression is that algorithm changes are needed to mitigate the impact of data-dependent memory fetches (see fixed-width modular exponentiation). But maybe the necessary changes materialize at a higher level, beyond the operation which you proposed to intrinsify.
By the way: there is quite a bit of code in sun/security/rsa/RSACore.java to protect against timing attacks. In particular, the patch for "8031346: Enhance RSA key handling" looks quite thorough and there is also extra care taken to make padding operations execute in constant time.
Andrew.
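An added illustration (not code from the JDK or from anyone in this thread) of the two points raised above, a key-dependent branch and data-dependent memory fetches, and of the fixed-window exponentiation that avoids both. It uses a toy modulus below 2^32, a 4-bit window and hypothetical helper names (`mulmod`, `ct_select`); real RSA operates on multi-limb integers, but the loop structure is the same.

```c
#include <stdint.h>
#include <stddef.h>

/* Toy modular multiply; requires m < 2^32 so a*b fits in 64 bits.
   (The '%' itself is not constant-time on real hardware; this is a
   structural demonstration, not production code.) */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (a * b) % m;
}

/* Naive square-and-multiply: the "if (bit)" branch makes the sequence of
   operations, and so the timing, depend on the exponent (the private key). */
uint64_t modexp_branchy(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1 % m;
    for (int i = 63; i >= 0; i--) {
        r = mulmod(r, r, m);
        if ((exp >> i) & 1)            /* key-dependent branch */
            r = mulmod(r, base, m);
    }
    return r;
}

#define WBITS 4
#define TSIZE (1u << WBITS)

/* Constant-time table select: touch every entry and keep the one whose
   index matches through an all-ones/all-zeros mask, so the memory access
   pattern does not depend on idx (a direct table[idx] read would). */
static uint64_t ct_select(const uint64_t *table, size_t n, unsigned idx) {
    uint64_t out = 0;
    for (size_t j = 0; j < n; j++) {
        uint64_t d = (uint64_t)j ^ (uint64_t)idx;   /* 0 iff j == idx */
        uint64_t mask = (uint64_t)0 - ((d - 1) >> 63); /* all ones iff d == 0 */
        out |= table[j] & mask;
    }
    return out;
}

/* Fixed-window exponentiation: every window does exactly WBITS squarings
   and one multiply (by table[0] == 1 when the window is zero), and always
   walks all 64 exponent bits, so neither branches nor memory accesses
   vary with the key. */
uint64_t modexp_fixed_window(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t table[TSIZE];
    table[0] = 1 % m;
    for (unsigned j = 1; j < TSIZE; j++) table[j] = mulmod(table[j - 1], base, m);
    uint64_t r = 1 % m;
    for (int i = 64 - WBITS; i >= 0; i -= WBITS) {
        for (unsigned s = 0; s < WBITS; s++) r = mulmod(r, r, m);
        unsigned w = (unsigned)((exp >> i) & (TSIZE - 1));
        r = mulmod(r, ct_select(table, TSIZE, w), m);  /* always executed */
    }
    return r;
}
```

Whether `ct_select` stays branch-free after compilation must be confirmed in the generated assembly; optimizers are free to turn the mask arithmetic back into a conditional.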