RE: [TLS] Issue #12: RSA/DSA/DH timing attacks
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [TLS] Issue #12: RSA/DSA/DH timing attacks
Eric Rescorla wrote:
>
> TLS 1.2 already requires some sort of defense against timing
> analysis on RSA. It is known that timing analysis is possible
> against DSA but I know of no published defense against it
> other than fixed-length computations. (As opposed to the
> blinding defense for RSA).
>
> In San Diego, I asked Tim of NIST knew of one but haven't
> heard back.
>
> I'd like to put this to bed. I suggest that unless someone comes
> up with a defense suggestion by Chicago we simply say that this
> is an issue with DSA implementations and suggest fixed-length
> computations as a possible defense. Comments?
Well, if there's no publicly-known defense (like there is for RSA),
then I don't see what else we can do (other than require some
countermeasure, and suggest fixed-length computations)...
Best regards,
Pasi
_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
