Protection of RSA from timing and cache-flushing attacks [Was: RFR(L): 8069539: RSA acceleration]

Andrew Haley aph at redhat.com
Tue May 26 09:29:20 UTC 2015


On 05/11/2015 04:37 PM, Florian Weimer wrote:
> On 05/08/2015 07:19 PM, Andrew Haley wrote:
> 
>>> Do we want to add side-channel protection as part of this effort
>>> (against timing attacks and cache-flushing attacks)?
>>
>> I wouldn't have thought so.  It might make sense to add an optional
>> path without key-dependent branches, but not as a part of this effort:
>> the goals are completely orthogonal.
> 
> I'm not well-versed in this kind of side-channel protection for RSA
> implementations, but my impression is that algorithm changes are needed to
> mitigate the impact of data-dependent memory fetches (see fixed-width
> modular exponentiation).  But maybe the necessary changes materialize at
> a higher level, beyond the operation which you proposed to intrinsify.

By the way: there is quite a bit of code in
sun/security/rsa/RSACore.java to protect against timing attacks.  In
particular, the patch for "8031346: Enhance RSA key handling" looks
quite thorough and there is also extra care taken to make padding
operations execute in constant time.

Andrew.
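
The following is an added example, not part of the original message and not code from RSACore.java or the JDK. It illustrates what "padding operations execute in constant time" means for PKCS#1 v1.5 type 2 unpadding, by putting a data-dependent check beside a fixed-flow one. The class name, method names and sample blocks are assumptions constructed for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class UnpadV15Demo {
    // Leaky form: returns early on a bad header and stops scanning at the
    // separator, so run time depends on the contents of the decrypted block.
    static byte[] unpadLeaky(byte[] em) {
        if (em.length < 11 || em[0] != 0 || em[1] != 2) return null;
        int i = 2;
        while (i < em.length && em[i] != 0) i++;
        if (i == em.length || i < 10) return null;
        return Arrays.copyOfRange(em, i + 1, em.length);
    }

    // Fixed-flow form: every byte is examined with no data-dependent branch.
    // Failures are OR-ed into 'bad' and tested once, after the full scan.
    static byte[] unpadFixedFlow(byte[] em) {
        if (em.length < 11) return null;          // block length is public
        int bad = (em[0] & 0xff) | ((em[1] & 0xff) ^ 0x02);
        int sep = 0, found = 0;
        for (int i = 2; i < em.length; i++) {
            int b = em[i] & 0xff;
            int isZero = (b - 1) >>> 31;          // 1 when b == 0, else 0
            int first = isZero & (found ^ 1);     // 1 only at the first 0x00
            sep |= i & -first;                    // record its index via a mask
            found |= isZero;
        }
        bad |= found ^ 1;                         // no 0x00 separator at all
        bad |= (sep - 10) >>> 31;                 // fewer than 8 padding bytes
        // The outcome test and the copy below still depend on the result;
        // only the scan itself is independent of where a check failed.
        if (bad != 0) return null;
        return Arrays.copyOfRange(em, sep + 1, em.length);
    }

    public static void main(String[] args) {
        // Constructed blocks: 00 02 | padding | 00 | "hi"
        byte[] ok      = {0, 2, 1, 2, 3, 4, 5, 6, 7, 8, 0, 'h', 'i'};
        byte[] shortPs = {0, 2, 1, 2, 3, 0, 5, 6, 7, 8, 9, 'h', 'i'};
        byte[] noSep   = {0, 2, 1, 2, 3, 4, 5, 6, 7, 8, 9, 'h', 'i'};
        System.out.println(new String(unpadFixedFlow(ok), StandardCharsets.US_ASCII));
        System.out.println(unpadFixedFlow(shortPs) == null);
        System.out.println(unpadFixedFlow(noSep) == null);
        System.out.println(Arrays.equals(unpadLeaky(ok), unpadFixedFlow(ok)));
    }
}
```

A caller has to treat the null result the same way on every failure path, otherwise the distinction the scan hides is reintroduced one level up.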



More information about the core-libs-dev mailing list