
List:       openjdk-hotspot-compiler-dev
Subject:    Protection of RSA from timing and cache-flushing attacks [Was: RFR(L): 8069539: RSA acceleration]
From:       Andrew Haley <aph () redhat ! com>
Date:       2015-05-26 9:29:20
Message-ID: 55643CF0.8090100 () redhat ! com

On 05/11/2015 04:37 PM, Florian Weimer wrote:
> On 05/08/2015 07:19 PM, Andrew Haley wrote:
> 
>>> Do we want to add side-channel protection as part of this effort
>>> (against timing attacks and cache-flushing attacks)?
>>
>> I wouldn't have thought so.  It might make sense to add an optional
>> path without key-dependent branches, but not as a part of this effort:
>> the goals are completely orthogonal.
> 
> I'm not well-versed in this kind of side-channel protection for RSA
> implementations, but my impression is that algorithm changes are needed to
> mitigate the impact of data-dependent memory fetches (see fixed-width
> modular exponentiation).  But maybe the necessary changes materialize at
> a higher level, beyond the operation which you proposed to intrinsify.

By the way: there is quite a bit of code in
sun/security/rsa/RSACore.java to protect against timing attacks.  In
particular, the patch for "8031346: Enhance RSA key handling" looks
quite thorough and there is also extra care taken to make padding
operations execute in constant time.

Andrew.
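An added illustration, not code from the JDK or from anyone in this thread, of the distinction raised above: plain square-and-multiply, whose branch pattern follows the private exponent, beside a fixed-window exponentiation that does the same amount of work for every exponent and reads its precomputed table without a secret-dependent index. A 64-bit modulus with a 128-bit intermediate product stands in for multi-limb arithmetic; the window and selection logic is what carries over to a real implementation.

```c
#include <stddef.h>
#include <stdint.h>

/* Word-sized stand-in for a multi-limb RSA modulus: 128-bit intermediate product. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) {
    return (uint64_t)(((unsigned __int128)a * b) % n);
}

/* Branch-free helpers: an all-ones mask when x == y, and a masked select. */
static uint64_t ct_eq_mask(uint64_t x, uint64_t y) {
    uint64_t d = x ^ y;
    return (uint64_t)(((d | (0 - d)) >> 63) - 1);
}
static uint64_t ct_select(uint64_t mask, uint64_t if_set, uint64_t otherwise) {
    return (if_set & mask) | (otherwise & ~mask);
}

/* Classic square-and-multiply: the multiply happens only for set exponent
 * bits, so the branch pattern (and timing) follows the private exponent. */
uint64_t modpow_naive(uint64_t base, uint64_t exp, uint64_t n, size_t *mults) {
    uint64_t r = 1 % n;
    *mults = 0;
    for (int i = 63; i >= 0; i--) {
        r = mulmod(r, r, n);
        if ((exp >> i) & 1) {          /* secret-dependent branch */
            r = mulmod(r, base, n);
            (*mults)++;
        }
    }
    return r;
}

/* Fixed-window exponentiation (4-bit windows): every window costs exactly four
 * squarings plus one multiplication, and the precomputed table is scanned in
 * full with masks so no memory address depends on the exponent digit. */
#define WBITS 4
#define TSIZE (1u << WBITS)
uint64_t modpow_fixed_window(uint64_t base, uint64_t exp, uint64_t n, size_t *mults) {
    uint64_t table[TSIZE], r = 1 % n;
    table[0] = 1 % n;
    for (size_t i = 1; i < TSIZE; i++) table[i] = mulmod(table[i - 1], base, n);
    *mults = 0;
    for (int shift = 64 - WBITS; shift >= 0; shift -= WBITS) {
        for (int k = 0; k < WBITS; k++) r = mulmod(r, r, n);
        uint64_t digit = (exp >> shift) & (TSIZE - 1), pick = 0;
        for (size_t i = 0; i < TSIZE; i++)   /* full scan, no secret index */
            pick = ct_select(ct_eq_mask((uint64_t)i, digit), table[i], pick);
        r = mulmod(r, pick, n);              /* multiply even when digit == 0 */
        (*mults)++;
    }
    return r;
}
```

Counting multiplications shows the naive loop's cost tracking the exponent's Hamming weight while the windowed loop always performs sixteen; a production implementation still has to inspect the compiled output, since a compiler may turn the mask arithmetic back into a branch.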