Re: SSH1 key recovery patch

[Markus Friedl <markus.friedl () INFORMATIK UNI-ERLANGEN DE>]

On Thu, Feb 22, 2001 at 11:49:45AM -0500, Dan Astoorian wrote:
> On Wed, 21 Feb 2001 15:37:45 EST, Markus Friedl writes:
> > OpenSSH checks whether the two calls to rsa_private_decrypt()
> > success and the resulting session keys has the correct size.
> >
> > Otherwise it just uses a 'random' session key. Now the attacker no
> > longer can tell whether the RSA operations failed and the
> > oracle is (almost) closed. [...]
>
> As much as I hate to point out possible problems without proposing
> solutions to them:
>
> Has anyone performed any sort of analysis as to whether there are any
> significant timing differences between the cases where the RSA
> operations succeeded and where they failed--whether due to differences
> in the amount of time taken by rsa_private_decrypt() (etc.) in the two
> cases, or the time taken to prepare the 'random' session key?

(1) the padding check is _after_ the expensive mod_exp-operation
    in rsa_private_decrypt(), so there is no significant timing
    difference in rsa_private_decrypt().

(2) the 'random' session key is generated by 'md5' operations and
    time (md5) << time (2*rsa_private_decrypt).

so, in this case, the timing difference is not an issue.

-markus