Parse RSA CRT parameters from PKCS1 private keys #91
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Currently they are ignored in the serialized key and then regenerated from P/Q/D. But that exposes key loading to a side channel attack on the modular inversion and GCD bignum functions when QP is computed. [And probably similar issues for DP/DQ during the division step but no attack there has been published yet.] Backport of ARMmbed/mbed-crypto#352
jack-fortanix
force-pushed
the
jack/parse-pkcs1-rsa-qp
branch
from
43d1579
to
a2caae2
Compare
|
@jethrogb ping |
|
bors r+ |
bors bot
added a commit
that referenced
this pull request
Mar 9, 2020
90: Fix ECDSA side channel r=jethrogb a=jack-fortanix Backport of ARMmbed/mbed-crypto@247c4d3 which addresses the attack described in https://eprint.iacr.org/2020/055.pdf 91: Parse RSA CRT parameters from PKCS1 private keys r=jethrogb a=jack-fortanix Currently they are ignored in the serialized key and then regenerated from P/Q/D. But that exposes key loading to a side channel attack on the modular inversion and GCD bignum functions when QP is computed. [And probably similar issues for DP/DQ during the division step but no attack there has been published yet.] Also this reduces computational overhead of loading RSA private keys from memory which will be nice for us in roche. Backport of ARMmbed/mbed-crypto#352 Co-authored-by: Jack Lloyd <[email protected]>
Build failed (retrying...) |
|
bors r- |
Canceled |
|
bors r+ |
Build succeeded |
mcr
pushed a commit
to mcr/rust-mbedtls
that referenced
this pull request
Aug 10, 2023
This PR corrects a variable name and type, and ensures we test the socks-proxy feature as part of the test matrix.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently they are ignored in the serialized key and then regenerated from P/Q/D. But that exposes key loading to a side channel attack on the modular inversion and GCD bignum functions when QP is computed. [And probably similar issues for DP/DQ during the division step but no attack there has been published yet.]
Also this reduces computational overhead of loading RSA private keys from memory which will be nice for us in roche.
Backport of ARMmbed/mbed-crypto#352