On Thu, Mar 17, 2011 at 10:35 AM, Niels Möller <[email protected]> wrote:
> Daniel Kahn Gillmor <[email protected]> writes:
>
>> My understanding is that RSA blinding is a countermeasure against timing
>> attacks, and that it introduces a new dependency on some sort of RNG
>> (though perhaps a weak one?) to parts of the process that wouldn't
>> otherwise need it.
>
> I confess I don't remember the details of why blinding is desirable.
> Does it improve hiding of the key, message, or both?
Actually RSA has pretty much limited utility without blinding, since retrieving the RSA private key from a web server has been shown practical since 2003, and attacks were known since 1996 (Kocher). gnutls implements blinding over nettle's functions. You might add a warning on the documentation of nettle's functions.

The papers discussing the attacks:

* Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems by Kocher (1996)
* Remote timing attacks are practical by Boneh and Brumley
* Improving Brumley and Boneh Timing Attack on Unprotected SSL Implementations

regards,
Nikos

_______________________________________________
nettle-bugs mailing list
[email protected]
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
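The blinding the thread refers to works by multiplying the input by a random value before the private-key exponentiation and dividing it out afterwards, so the slow modular exponentiation never runs directly on attacker-chosen input. The snippet below is an added illustration, not code from nettle or gnutls; it uses a constructed toy key (small primes, not a usable key size) and the function names `rsa_private_unblinded` / `rsa_private_blinded` are my own. The blinding factor must be fresh and unpredictable for every operation, which is exactly the RNG dependency Daniel mentions above.

```python
import secrets
from math import gcd

# Constructed toy RSA key for illustration only (far too small for real use).
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent


def rsa_private_unblinded(m: int, d: int = D, n: int = N) -> int:
    """Plain private-key operation: the exponentiation runs directly on m,
    so its timing can depend on the (attacker-chosen) input."""
    return pow(m, d, n)


def rsa_private_blinded(m: int, d: int = D, e: int = E, n: int = N) -> int:
    """Same result, but the exponentiation sees m * r^e for a fresh random r."""
    # Fresh blinding factor per operation; must be invertible mod n.
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    m_blind = (m * pow(r, e, n)) % n   # blind:   m' = m * r^e  (mod n)
    s_blind = pow(m_blind, d, n)       # (m r^e)^d = m^d * r    (mod n)
    r_inv = pow(r, -1, n)
    return (s_blind * r_inv) % n       # unblind: s = s' * r^-1 (mod n)


def rsa_public(s: int, e: int = E, n: int = N) -> int:
    """Public-key operation, used here to confirm the blinded result verifies."""
    return pow(s, e, n)


if __name__ == "__main__":
    m = 123456789
    assert rsa_private_blinded(m) == rsa_private_unblinded(m)
    assert rsa_public(rsa_private_blinded(m)) == m
    print("blinded and unblinded results agree")
```

Blinding removes the dependence of the exponentiation's timing on the input, which is what the Kocher and Brumley/Boneh attacks exploit; it does not by itself make the rest of the implementation constant-time, so it complements rather than replaces careful arithmetic code.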
