On Saturday 07 Jun 2014 13:34:18 Volker Braun wrote: > Afaik its only used in the openid module. And exploiting a timing attack > over network is most likely not possible.
they are practical at least over LAN: https://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf > On Saturday, June 7, 2014 8:40:54 PM UTC+1, em2slyn wrote: > > Hi All: > > > > I am hosting a Sage server for our department and ever since upgrading to > > 6.X the following message displays every time Sage is launched. > > > > Executing twistd --pidfile="sage_notebook.sagenb/sagenb.pid" -ny > > "sage_notebook.sagenb/twistedconf.tac" > > /home/sageserver/sage-6.2/local/lib/python2.7/site-packages/Crypto/Util/nu > > mber.py:57: PowmInsecureWarning: Not using mpz_powm_sec. You should > > rebuild using libgmp >= 5 to avoid timing attack vulnerability. > > > > _warn("Not using mpz_powm_sec. You should rebuild using libgmp >= 5 to > > > > avoid timing attack vulnerability.", PowmInsecureWarning) > > . > > . > > . > > > > I've been tracking this down and noticed there are a number of posts on > > the web related to this warning although not specifically addressing Sage. > > Unfortunately, some sites have provided various workarounds but I cannot > > seem to find a resolution. > > > > I am currently hosting Sage 6.2 on Ubuntu Server 12.04 and tried an > > experimental build using Ubuntu 14.04. Initially, I installed GMP 6.0.0a > > from gmplib.org and rebuilding Python using the command *sage -f python* > > along with *SAGE_UPDATING=yes make*. The warning persisted. Then I did a > > complete build from source adding libgmp-dev to the standard pool of > > prerequisite packages. Still no luck. > > > > First of all, is this a problem with Sage or the OS I've selected to use? > > Is there a package that is missing that should be included in the build? > > Any input would be welcome. Thank you! > > > > Have a GREAT DAY!! > > > > Shaun
signature.asc
Description: This is a digitally signed message part.