On 05/11/2015 04:37 PM, Florian Weimer wrote:
> On 05/08/2015 07:19 PM, Andrew Haley wrote:
>
>>> Do we want to add side-channel protection as part of this effort
>>> (against timing attacks and cache-flushing attacks)?
>>
>> I wouldn't have thought so. It might make sense to add an optional
>> path without key-dependent branches, but not as a part of this effort:
>> the goals are completely orthogonal.
>
> I'm not well-versed in this kind of side-channel protection for RSA
> implementations, but my impression is that algorithm changes are needed to
> mitigate the impact of data-dependent memory fetches (see fixed-width
> modular exponentiation). But maybe the necessary changes materialize at
> a higher level, beyond the operation which you proposed to intrinsify.
By the way: there is quite a bit of code in sun/security/rsa/RSACore.java to protect against timing attacks. In particular, the patch for "8031346: Enhance RSA key handling" looks quite thorough and there is also extra care taken to make padding operations execute in constant time. Andrew.
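As an added illustration of what "padding operations in constant time" means for an RSA decryptor (example code, not RSACore.java or any OpenJDK code): a PKCS#1 v1.5 type 2 unpadding check that inspects every byte and folds all checks into one mask, so its running time does not reveal which check failed or where the separator sits. The sample encoded messages are constructed, and all function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Branch-free helpers: 0xFF when the condition holds, 0x00 otherwise. */
static uint8_t ct_is_zero(uint8_t x) {
    return (uint8_t)(0u - ((((uint32_t)x) - 1u) >> 31));  /* borrow only when x == 0 */
}
static uint8_t ct_eq(uint8_t a, uint8_t b) { return ct_is_zero(a ^ b); }
static uint8_t ct_lt(uint32_t a, uint32_t b) { return (uint8_t)(0u - ((a - b) >> 31)); }

/* Checks PKCS#1 v1.5 type 2 padding: 00 || 02 || PS (>= 8 non-zero bytes) || 00 || M.
 * Every byte is examined and every check is folded into one mask, so the running
 * time does not depend on which check fails or where the separator is.
 * Returns the message length, or -1 for invalid padding; *msg_offset (if given)
 * receives the index of M, or 0 when the padding is invalid. */
int ct_pkcs1_unpad(const uint8_t *em, size_t n, size_t *msg_offset) {
    if (n < 11) return -1;                          /* n is public: it is the modulus size */
    uint8_t ok = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02);
    uint8_t found = 0x00;                           /* 0xFF once the separator has been seen */
    uint32_t sep = 0;                               /* index of the first 0x00 after PS */
    for (size_t i = 2; i < n; i++) {
        uint8_t first_zero = ct_is_zero(em[i]) & (uint8_t)~found;   /* only the first zero */
        sep |= (uint32_t)i & (0u - (uint32_t)(first_zero & 1u));
        found |= first_zero;
    }
    ok &= found;                                    /* the separator must exist ... */
    ok &= (uint8_t)~ct_lt(sep, 10);                 /* ... and PS must be at least 8 bytes */
    uint32_t m = 0u - (uint32_t)(ok & 1u);          /* all ones when valid, else zero */
    if (msg_offset) *msg_offset = (size_t)((sep + 1u) & m);
    return (int)((((uint32_t)n - sep - 1u) & m) | (UINT32_MAX & ~m));
}

/* Constructed sample encoded messages (not real RSA output). */
static const uint8_t EM_GOOD[]        = {0x00,0x02,1,2,3,4,5,6,7,8,0x00,'h','i'};
static const uint8_t EM_ZERO_IN_MSG[] = {0x00,0x02,1,2,3,4,5,6,7,8,0x00,'a',0x00,'b'};
static const uint8_t EM_SHORT_PS[]    = {0x00,0x02,1,2,3,4,5,6,7,0x00,'h','i'};
static const uint8_t EM_BAD_TYPE[]    = {0x00,0x01,1,2,3,4,5,6,7,8,0x00,'h','i'};
static const uint8_t EM_NO_SEP[]      = {0x00,0x02,1,2,3,4,5,6,7,8,9,10,11};

int main(void) {
    size_t off;
    int len = ct_pkcs1_unpad(EM_GOOD, sizeof EM_GOOD, &off);
    printf("good: len=%d offset=%zu\n", len, off);   /* len=2 offset=11 */
    printf("zero in message: %d\n", ct_pkcs1_unpad(EM_ZERO_IN_MSG, sizeof EM_ZERO_IN_MSG, NULL));
    printf("short PS: %d\n", ct_pkcs1_unpad(EM_SHORT_PS, sizeof EM_SHORT_PS, NULL));
    printf("bad type: %d\n", ct_pkcs1_unpad(EM_BAD_TYPE, sizeof EM_BAD_TYPE, NULL));
    printf("no separator: %d\n", ct_pkcs1_unpad(EM_NO_SEP, sizeof EM_NO_SEP, NULL));
    return 0;
}
```

The caller still has to act on the -1 result without a timing difference of its own (for instance by substituting a random value rather than taking an early error path), which is the part that sits above this routine.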
