oss-sec mailing list archives

Factoring RSA Keys With TLS Perfect Forward Secrecy


From: Florian Weimer <fweimer () redhat com>
Date: Wed, 2 Sep 2015 16:08:43 +0200

It turns out that Lenstra's 1996 side-channel attack on the RSA-CRT
optimization still works against some TLS servers:

<https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/>
<https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf>

Fortunately, none of the key leaks were attributed to publicly available
free software.  OpenSSL upstream and NSS already have RSA-CRT hardening.
OpenJDK was updated in April 2015, as CVE-2015-0478.

libgcrypt upstream received the hardening very recently:

<http://lists.gnupg.org/pipermail/gcrypt-devel/2015-September/003553.html>

For Go, I opened an issue: <https://github.com/golang/go/issues/12453>

Nettle would also benefit from RSA-CRT hardening.  I started a
discussion here:

<http://thread.gmane.org/gmane.comp.encryption.nettle.bugs/1359>

I don't think CVE assignments are needed (although the OpenJDK hardening
received one).

-- 
Florian Weimer / Red Hat Product Security
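The attack and the hardening this message refers to, as an added worked example that is not code from the original post nor from OpenSSL, NSS, OpenJDK, libgcrypt, Go or Nettle: a toy RSA-CRT signer over a constructed key (two Mersenne primes, not a real TLS key), a simulated fault in one CRT half, the gcd step from Lenstra's attack that anyone holding the public key and one faulty signature can run, and a verify-before-release check of the kind the message calls RSA-CRT hardening. The function names, the `faulty_half` switch and the fallback-to-plain-exponentiation policy are assumptions made for the illustration; `pow(E, -1, phi)` needs Python 3.8 or later.

```python
"""Toy RSA-CRT signer, Lenstra's fault attack, and a verify-before-release hardening.
Added example; constructed key and message, not a real TLS key."""
import hashlib
from math import gcd

# Constructed toy key: the known Mersenne primes M127 and M89 (not a real TLS key).
# gcd(E, (P-1)(Q-1)) == 1 for these, so the private exponent D exists.
P = (1 << 127) - 1
Q = (1 << 89) - 1
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # modular inverse; needs Python 3.8+

# CRT parameters as stored in a PKCS#1 RSAPrivateKey
DP = D % (P - 1)
DQ = D % (Q - 1)
QINV = pow(Q, -1, P)


def sample_message():
    """Constructed stand-in for the value a TLS 1.2 server signs in ServerKeyExchange
    (a hash over client_random, server_random and the DH/ECDH params, all of which the
    client sees).  Reduced mod N only because this toy modulus is shorter than SHA-256."""
    digest = hashlib.sha256(b"constructed client_random|server_random|dh params").digest()
    return int.from_bytes(digest, "big") % N


def rsa_crt_sign(m, faulty_half=None):
    """RSA signing with the CRT speed-up (Garner recombination).

    faulty_half="p" or "q" simulates a miscomputation in that half only, the kind of
    error (hardware glitch, arithmetic bug) Lenstra's 1996 attack exploits."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if faulty_half == "p":
        sp = (sp + 1) % P                  # simulated fault: wrong mod P, right mod Q
    elif faulty_half == "q":
        sq = (sq + 1) % Q                  # simulated fault: wrong mod Q, right mod P
    h = (QINV * (sp - sq)) % P
    return sq + Q * h                      # s == sp (mod P) and s == sq (mod Q)


def lenstra_factor(m, s_faulty):
    """Attacker's side: needs only the public key (N, E), the signed value m and the
    faulty signature s'.  If exactly one CRT half was wrong, s'^E - m is divisible by
    the prime of the correct half but not by the other one, so the gcd is a
    non-trivial factor of N.  Returns None when the gcd is trivial (no leak)."""
    f = gcd((pow(s_faulty, E, N) - m) % N, N)
    return f if 1 < f < N else None


def rsa_crt_sign_hardened(m, faulty_half=None):
    """Hardened signer: verify the CRT result with the public exponent before it
    leaves the library.  On mismatch, recompute via plain exponentiation mod N
    (a single computation that cannot split N this way) instead of emitting the
    faulty value.  Failing closed with an error is the other reasonable policy."""
    s = rsa_crt_sign(m, faulty_half)
    if pow(s, E, N) != m:
        s = pow(m, D, N)
    return s


if __name__ == "__main__":
    m = sample_message()
    good = rsa_crt_sign(m)
    bad = rsa_crt_sign(m, faulty_half="p")
    print("valid signature:", pow(good, E, N) == m)
    print("faulty signature leaks Q:", lenstra_factor(m, bad) == Q)
    print("hardened signer hides the fault:", rsa_crt_sign_hardened(m, "p") == good)
```

Two practical points the code makes concrete: the gcd step works only when the error is confined to one CRT half (a fault that corrupts both halves, or the recombination, yields a trivial gcd and `lenstra_factor` returns None), and the observer needs no interaction with the server beyond what a normal TLS handshake already gives away, since the certificate supplies (N, E) and the signed value is reconstructible from the handshake messages; that is why a single faulty ServerKeyExchange signature is enough.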
