[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE-2018-0737 OpenSSL: RSA key generation follows several non constant time code 
From:       Huzaifa Sidhpurwala <huzaifas () redhat ! com>
Date:       2018-04-25 5:53:14
Message-ID: 72b41311-ec4d-4336-eb84-931c88fae250 () redhat ! com
[Download RAW message or body]

On 04/24/2018 09:18 PM, Billy Brumley wrote:
>>> Look for our preprint on http://eprint.iacr.org/ soon -- working title
>>> is "One Shot, One Trace, One Key: Cache-Timing Attacks on RSA Key
>>> Generation". We'll update the list with the full URL once it's posted.
>>>
>>
>>
>> Can you post a link to the draft here please?
> 
> The preprint is now up: https://eprint.iacr.org/2018/367
> 
>> The attack vector is not clear, does the attacker need to be on the same
>> physical machine or is this a cross-vm attack?
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-0737
> 
> Your statement is pretty accurate. (Although I fail to see the
> difference between physical machine and cross-vm.)
> 
Physical machine implies, the attacker and victim is on the same host
(real computer or a vm). Cross-vm implies attacker and the victim can be
on two different virtual machines, running on the same hypervisor.

> BBB
> 


-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team
[prev in list] [next in list] [prev in thread] [next in thread]