Re: gpg-rsa-key decryption with a mobile
On 20/12/13 10:28, Mike Cardwell wrote:

> I have a V2 OpenPGP SmartCard. I'm wondering if this would be vulnerable to the attack in question? Also, what about the Crypto Stick? Presumably these generate the same sort of noise during signing/decryption that the CPU would, but there's nothing GnuPG can do in software to mask it?

I'd be surprised if the smartcards don't employ RSA blinding, because it is a standard technique. A smartcard is supposed to protect the key even if it falls into the wrong hands (up to a certain point). Analysis of the power usage of the card during decryption or signing can quickly leak a private key without blinding.

Another common thing is that you can get info on the private key by glitching: momentarily sharply reduce the power supply voltage to make bits fall over in the processor. If the processor returns the result of the faulty computation to you, this can give insight on the private key. A simple technique to counter this is to do the public counterpart of the private computation at the end, and check if the result matches the original input. Only return data when they match, otherwise just indicate an error occurred.

By the way, usually the actual crypto computations are implemented as primitives in the smartcard, and the OpenPGP application just asks "decrypt this for me". So all the masking techniques are part of the hardware and the OS, not the OpenPGP application (although checking the result for glitches can be done by the application).

HTH,
Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://digitalbrains.com/2012/openpgp-key-peter

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
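The two countermeasures Peter describes, blinding the private exponentiation and re-checking the result with the public key before releasing it, as an added Python example (not code from GnuPG, Libgcrypt or any smartcard). The key is a constructed textbook-sized toy, and the `fault` hook is a hypothetical stand-in for a voltage glitch hitting the private computation:

```python
import math
import secrets

# Constructed toy RSA key (textbook-sized, NOT secure): n = 61 * 53, e*d = 1 mod phi(n).
N, E, D = 3233, 17, 2753


def private_op(c: int, fault=None, n: int = N, e: int = E, d: int = D):
    """RSA private operation (decrypt or sign) with blinding and a result check.

    Returns the result m, or None if the public-key check fails (a glitch was
    detected and the possibly key-leaking value is withheld).
    `fault` is a hypothetical hook standing in for a voltage glitch: if given,
    it is applied to the intermediate result of the private exponentiation.
    """
    # Blinding: choose a random r coprime to n and exponentiate c * r^e instead
    # of c, so the expensive private exponentiation runs on a value the
    # attacker neither chose nor knows; its power/acoustic trace no longer
    # depends directly on the attacker-chosen input c.
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            break
    c_blind = (c * pow(r, e, n)) % n
    m_blind = pow(c_blind, d, n)
    if fault is not None:
        m_blind = fault(m_blind)  # simulate the glitched computation
    # Unblind: (c * r^e)^d = m * r mod n, so multiply by r^-1 mod n.
    m = (m_blind * pow(r, -1, n)) % n
    # Glitch countermeasure from the post: redo the cheap public operation and
    # release the result only if it reproduces the original input.
    if pow(m, e, n) != c:
        return None
    return m


def verify_signature(m: int, s: int, n: int = N, e: int = E) -> bool:
    """Public-key check a verifier would run on a signature s of message m."""
    return pow(s, e, n) == m


if __name__ == "__main__":
    c = pow(42, E, N)                             # encrypt 42 with the public key
    print(private_op(c))                          # 42
    print(private_op(c, fault=lambda x: x ^ 1))   # None: fault detected, nothing leaked
```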
Re: gpg-rsa-key decryption with a mobile
Werner Koch w...@gnupg.org writes:

> On Wed, 18 Dec 2013 18:31, sys...@ioioioio.eu said:
>
>> Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can
>
> Well that is what I posted a few hours ago to this list ;-).

Since you are mentioned in this webpage, do you know by any chance whether gpgsm is vulnerable in a similar way?

Uwe Brauer
Re: gpg-rsa-key decryption with a mobile
On Thu, 19 Dec 2013 17:54, o...@mat.ucm.es said:

> Since you are mentioned in this webpage, do you know by any chance whether gpgsm is vulnerable in a similar way?

gpgsm uses Libgcrypt, and Libgcrypt has employed RSA blinding for a long time now. Thus it is not vulnerable.

The reason Libgcrypt has RSA blinding is that it is used by online protocols like TLS, where it is easy to mount certain timing attacks in the LAN. With GnuPG these calls of network based attacks are not possible and thus we did not use blinding in GnuPG-1.

Salam-Shalom,
Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: gpg-rsa-key decryption with a mobile
On Wed, 18 Dec 2013 18:31, sys...@ioioioio.eu said:

> Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can

Well that is what I posted a few hours ago to this list ;-).

Salam-Shalom,
Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.