oss-sec mailing list archives

Re: GnuPG computation error checks


From: Florian Weimer <fweimer () redhat com>
Date: Thu, 10 Jul 2014 14:28:08 +0200

On 07/10/2014 01:26 PM, Solar Designer wrote:
> There was a discussion in 2001 and patches by Florian Weimer to add
> extra checks into GnuPG's cipher/rsa.c: check_secret_key() and rsa_sign():

Wow, that was a long time ago.

> Given the improved RSA side-channel attack understanding and the
> countermeasures added to deal with CVE-2013-4242 and CVE-2013-4576
> (cache timing and acoustic side-channels) in GnuPG, are Florian's added
> checks still safe to have, or are they possibly vulnerable to
> side-channel leaks on their own?  check_secret_key() does perform a very
> basic sanity check on the secret key even without Florian's patch, and
> this might be a side-channel leak concern too, but Florian's checks are
> (purposefully) much more extended

The check_secret_key() could be problematic from a side-channel perspective, yes, particularly since mpi_gcd is unlikely to be hardened against such attacks. It might be possible to come up with equivalent checks that are safer, but I'm not sure if that's worth the effort.

> and include a check in rsa_sign() as
> well (more susceptible since it involves dealing with changing and
> possibly attacker-chosen data rather than only with the secret key?)

rsa_sign only uses the public exponent (sk.e) and the signature (resarr[0]). It does leak those bits, but I'm not sure if we consider side-channel attacks on RSA *verification* (recovering signatures, document hashes, or public keys—not private key material) as vulnerabilities.

I believe OpenSSL has a similar safety check, see RSA_eay_mod_exp() in crypto/rsa/rsa_eay.c. There was some paper about it, but I think it involved deliberately faulty hardware, so it doesn't really count, IMHO.

--
Florian Weimer / Red Hat Product Security
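An added example, not code from GnuPG or OpenSSL, of the kind of post-signing check discussed in the thread: RSA-CRT signing that recomputes the message from the signature with only the public exponent e and refuses to release a signature that does not verify. A constructed single-bit fault in one CRT half shows the check catching a corrupted computation; the key and message values are toy values constructed for the example.

```python
# Added example (not GnuPG's rsa_sign or OpenSSL's RSA_eay_mod_exp):
# RSA-CRT signing with a consistency check that uses only the public
# exponent, so a corrupted half-exponentiation never leaves the signer.
# Toy-sized constructed key; real keys are 2048 bits or more.
from dataclasses import dataclass


@dataclass(frozen=True)
class RsaKey:
    n: int
    e: int
    d: int
    p: int
    q: int


def make_key(p: int, q: int, e: int = 65537) -> RsaKey:
    phi = (p - 1) * (q - 1)
    return RsaKey(n=p * q, e=e, d=pow(e, -1, phi), p=p, q=q)


def crt_halves(m: int, key: RsaKey) -> tuple[int, int]:
    """The two half exponentiations of RSA-CRT (mod p and mod q)."""
    dp = key.d % (key.p - 1)
    dq = key.d % (key.q - 1)
    return pow(m, dp, key.p), pow(m, dq, key.q)


def combine(sp: int, sq: int, key: RsaKey) -> int:
    """Garner recombination of the CRT halves into s mod n."""
    q_inv = pow(key.q, -1, key.p)
    h = (q_inv * (sp - sq)) % key.p
    return (sq + h * key.q) % key.n


class SignatureCheckFailed(Exception):
    pass


def rsa_sign(m: int, key: RsaKey, fault: bool = False) -> int:
    """Sign m with RSA-CRT; `fault` simulates one corrupted half."""
    sp, sq = crt_halves(m, key)
    if fault:
        sq ^= 1  # constructed fault: flip the low bit of the mod-q half
    s = combine(sp, sq, key)
    # The check from the thread: verify with the public exponent only
    # (sk.e and the signature), before the signature is released.
    if pow(s, key.e, key.n) != m % key.n:
        raise SignatureCheckFailed("signature does not verify; withheld")
    return s


def fault_is_caught(m: int, key: RsaKey) -> bool:
    """True if the check blocks a signature from a faulted CRT half."""
    try:
        rsa_sign(m, key, fault=True)
    except SignatureCheckFailed:
        return True
    return False
```

With the fault injected, the recombined value still agrees with the correct signature modulo p but not modulo q, so the e-th power check fails and nothing is emitted.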
