Sorry, but I have to clarify one thing in my message below: the major
issue that caused the latest OpenSSL upgrade was not due to anything inside
the RSA implementation, but was in (the CBC mode of) some specified
symmetric encryption phase after the SSL handshake.

Sorry for any confusion.

-- 
Regards,
Huang Le (Eric, Alibaba DevOps)
Email: 4tarhl AT gmail.com, le.hl AT alibaba-inc.com


On Wed, Feb 27, 2013 at 7:45 PM, Le Huang <[email protected]> wrote:

> Thanks for your response, Rich.
>
> Yes, I'm aware of timing attacks against RSA cryptography (e.g. the one
> mainly responsible for the latest upgrade), but this patch is simply a small
> optimization for RSA testing code, which is only used in the test suite of
> OpenSSL, and has no effect on the real usage of RSA in any case, so it
> is not related to any attack.
>
> Thanks & Regards,
> Huang Le (Eric, Alibaba DevOps)
> Email: 4tarhl AT gmail.com, le.hl AT alibaba-inc.com
>
> On Wed, Feb 27, 2013 at 3:17 AM, Salz, Rich via RT <[email protected]> wrote:
>
>> You might want to read about timing attacks.
>>
>> --
>> Principal Security Engineer
>> Akamai Technology
>> Cambridge, MA
>>
>>
>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
