Side channels and padding oracle #9
Hi Jack, How would you fix the modular_pow implementation? I was thinking of something like this (or is there a way that does not make all calculations take the maximum time possible?):
Is there a better way to implement the modular reduction? I will give the other two issues a try. Thanks again, this helps a lot!
What you propose for modular exponentiation mostly works. This technique is sometimes called "square-and-always-multiply". It hides the timing channel, but someone doing a cache-based side channel can still detect exponent bits. The basic intuition is, an attacker uses an instruction like

The only general fix to these is to avoid any conditional branches or memory lookups which depend on secret information. Two common ways to do this are a Montgomery ladder, or fixed window exponentiation using a const-time table lookup. Slide 18 of https://cryptojedi.org/peter/data/shmoocon-20150118.pdf has an example of such a table lookup.
Yes! Look into Montgomery reduction. There are many papers on making Montgomery reduction fast and constant-time. http://www.people.vcu.edu/~jwang3/CMSC691/j34monex.pdf starts with a good intro to the basic idea.
In general no, because if there is some circumstance where the calculations take less time than the maximum, then that provides a detectable side channel. The exception is when the information being used is already public. For instance during RSA verification, there is no secret involved, so therefore no problem with using variable-time algorithms.
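As an added example (not code from SwiftTLS or from anyone in this thread) of the two ideas in the reply above, here is a 64-bit Montgomery ladder built on a Montgomery-reduction multiply in C: the secret exponent is consumed in a fixed 64 rounds, the swap is done with a mask, and neither a branch nor a memory index ever depends on an exponent bit. It assumes gcc/clang's unsigned __int128 and an odd public modulus below 2^63; the only divisions run on that public modulus during setup.

```c
#include <stdint.h>

typedef unsigned __int128 u128;   /* gcc/clang extension; assumed available */

/* Per-modulus constants: m odd and < 2^63, mprime = -m^-1 mod 2^64, r2 = R^2 mod m with R = 2^64. */
typedef struct { uint64_t m, mprime, r2; } mont_ctx;

static mont_ctx mont_init(uint64_t m) {
    uint64_t inv = m;                                  /* Newton iteration for m^-1 mod 2^64: */
    for (int i = 0; i < 6; i++) inv *= 2 - m * inv;    /* correct bits double every round      */
    uint64_t r = (uint64_t)((((u128)1) << 64) % m);    /* R mod m; the only divisions are on   */
    return (mont_ctx){ m, 0 - inv, (uint64_t)(((u128)r * r) % m) }; /* the public modulus */
}

/* Return t - m if t >= m else t (for t < 2m), selecting with the borrow bit instead of an if. */
static uint64_t ct_reduce(uint64_t t, uint64_t m) {
    uint64_t d = t - m;
    uint64_t borrow = ((~t & m) | (~(t ^ m) & d)) >> 63;
    return d + (m & (0 - borrow));
}

/* Montgomery product a*b*R^-1 mod m (REDC). Inputs < m; no secret-dependent branch or index. */
static uint64_t mont_mul(const mont_ctx *c, uint64_t a, uint64_t b) {
    u128 t = (u128)a * b;
    uint64_t u = (uint64_t)t * c->mprime;
    uint64_t hi = (uint64_t)((t + (u128)u * c->m) >> 64);   /* low 64 bits cancel by construction */
    return ct_reduce(hi, c->m);
}

/* Swap *a and *b iff bit == 1, using a mask so the swap costs the same either way. */
static void ct_cswap(uint64_t bit, uint64_t *a, uint64_t *b) {
    uint64_t mask = 0 - bit, x = (*a ^ *b) & mask;
    *a ^= x;
    *b ^= x;
}

/* base^exp mod m by Montgomery ladder: always 64 rounds, one multiply and one square per round. */
uint64_t ct_modpow(uint64_t base, uint64_t exp, uint64_t m) {
    mont_ctx c = mont_init(m);
    uint64_t r0 = mont_mul(&c, 1, c.r2);          /* 1 in Montgomery form (R mod m) */
    uint64_t r1 = mont_mul(&c, base % m, c.r2);   /* base (public) in Montgomery form */
    for (int i = 63; i >= 0; i--) {
        uint64_t bit = (exp >> i) & 1;
        ct_cswap(bit, &r0, &r1);                  /* (r0, r1) -> (r1, r0) when bit is set */
        r1 = mont_mul(&c, r0, r1);
        r0 = mont_mul(&c, r0, r0);
        ct_cswap(bit, &r0, &r1);
    }
    return mont_mul(&c, r0, 1);                   /* leave Montgomery form */
}
```

The C source only avoids handing the compiler a secret-dependent branch; whether the emitted assembly stays branch-free still has to be checked on the target compiler and flags.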
Apologies if these are already known to you, but I didn't see anything in the docs or comments about this.
In (SwiftTLS/SwiftTLS/Sources/TLS/math.swift, Line 15 in f5010aa)
In ECDSA signature https://github.com/nsc/SwiftTLS/blob/master/SwiftTLS/Sources/Crypto/ECDSA.swift#L72 you must invert the k nonce modulo the group order during ECDSA signature. This is done using the extended Euclidean algorithm (SwiftTLS/SwiftTLS/Sources/TLS/math.swift, Line 73 in f5010aa)
Decoding for PKCS1v1.5 ciphertexts exits early if the first bytes of padding are incorrect.
SwiftTLS/SwiftTLS/Sources/Crypto/RSA-PKCS1.swift, Line 100 in f5010aa
Similarly, when the PKCS1v1.5 ciphertext is decrypted, the server returns an error immediately.
SwiftTLS/SwiftTLS/Sources/TLS/Protocol/TLS 1.2/TLS1_2.ServerProtocol.swift, Line 285 in f5010aa
HTH