oss-sec mailing list archives
Factoring RSA Keys With TLS Perfect Forward Secrecy
From: Florian Weimer <fweimer () redhat com>
Date: Wed, 2 Sep 2015 16:08:43 +0200
It turns out that Lenstra's 1996 side-channel attack on the RSA-CRT optimization still works against some TLS servers:

<https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/>
<https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf>

Fortunately, none of the key leaks were attributed to publicly available free software. OpenSSL upstream and NSS already have RSA-CRT hardening. OpenJDK was updated in April 2015, as CVE-2015-0478.

libgcrypt upstream received the hardening very recently:

<http://lists.gnupg.org/pipermail/gcrypt-devel/2015-September/003553.html>

For Go, I opened an issue:

<https://github.com/golang/go/issues/12453>

Nettle would also benefit from RSA-CRT hardening. I started a discussion here:

<http://thread.gmane.org/gmane.comp.encryption.nettle.bugs/1359>

I don't think CVE assignments are needed (although the OpenJDK hardening received one).

-- 
Florian Weimer / Red Hat Product Security
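The "RSA-CRT hardening" the mail refers to is the check Lenstra's attack motivates: after computing a signature with the CRT shortcut, verify it with the public exponent and never release it if the check fails. The following is an added illustration, not code from the mail or from any of the libraries it names; it uses a constructed toy key with tiny primes and a simulated fault in the mod-p half to show what the check catches.

```python
from math import gcd
from typing import Optional

# Constructed toy RSA key (tiny primes, illustration only; real keys are 2048+ bits).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)   # CRT exponents
QINV = pow(Q, -1, P)                # Garner recombination constant


def crt_sign_unhardened(m: int, fault_in_p: bool = False) -> int:
    """Textbook RSA-CRT signing: two half-size exponentiations plus Garner recombination.
    fault_in_p simulates a computational error in the mod-p half (glitch, bug, bad RAM)."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp ^= 1  # flip one bit of the mod-p partial result
    h = (QINV * (sp - sq)) % P
    return sq + Q * h


def crt_sign_hardened(m: int, fault_in_p: bool = False) -> Optional[int]:
    """Hardened variant: re-check s^e == m (mod N) with the public exponent before
    releasing the signature. On mismatch nothing is output; a real library would
    fall back to a non-CRT exponentiation or raise an error."""
    s = crt_sign_unhardened(m, fault_in_p)
    if pow(s, E, N) != m % N:
        return None
    return s


def factor_from_faulty_signature(m: int, s: int) -> Optional[int]:
    """Why the check matters (Lenstra 1996): a faulty CRT signature that escapes
    is correct mod q but wrong mod p, so gcd(s^e - m, N) reveals a factor of N."""
    g = gcd((pow(s, E, N) - m) % N, N)
    return g if 1 < g < N else None
```

A correct signature yields no factor from that gcd, while a single faulty one that is emitted unchecked yields q; the hardened path returns nothing in that case.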