Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
N
nettle
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Dmitry Baryshkov
nettle
Commits
07f5ea16
Commit
07f5ea16
authored
Nov 28, 2018
by
Niels Möller
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Update NEWS file for 3.4.1.
Mention dependency on GMP-6, and RSA performance regression.
parent
1fe332ad
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
41 additions
and
23 deletions
+41
-23
NEWS
NEWS
+41
-23
No files found.
NEWS
View file @
07f5ea16
...
...
@@ -2,45 +2,47 @@ NEWS for the Nettle 3.4.1 release
This release fixes a few bugs, and makes the RSA private key
operations side channel silent. The RSA improvements are
contributed by Simo Sorce and Red Hat, and include
s
one new
public function.
contributed by Simo Sorce and Red Hat, and include one new
public function
, rsa_sec_decrypt, see below
.
All functions
handl
ing RSA private keys are now side-channel
All functions
us
ing RSA private keys are now side-channel
silent, meaning that they try hard to avoid any branches or
memory accesses depending on secret data. This applies both to
the bignum calculations, which now use GMP's mpn_sec_* family
of functions, and the processing of pkcs#1 padding.
of functions, and the processing of PKCS#1 padding needed for
RSA decryption.
Nettle's ECC functions were already side-channel silent, while
the DSA functions still aren't. There's also one caveat
regarding the improved RSA functions: due to small table
lookups in relevant mpn_sec_* functions in GMP-6.1.2, the
lowest and highest few bits of the secret factors p and q may
leak. I'm not aware of any attacks on RSA where knowing a few
bits of the factors makes a significant difference. This leak
will likely be plugged in later GMP versions)
.
still leak. I'm not aware of any attacks on RSA where knowing
a few bits of the factors makes a significant difference. This
leak will likely be plugged in later GMP versions
.
Changes in behavior:
* The old rsa_decrypt_tr may now clobber all of the provided
message buffer, independent of the actual message length. It
is side-channel silent, in that branches and memory accesses
don't depend on the validity or length of the message.
Side-channel leakage from the caller's use of length and
return value may still provide an oracle useable for a
Bleichenbacher-style chosen ciphertext attack. Which is why
the new function rsa_sec_decrypt, see below, is recommended.
* The functions rsa_decrypt and rsa_decrypt_tr may now clobber
all of the provided message buffer, independent of the
actual message length. They are side-channel silent, in that
branches and memory accesses don't depend on the validity or
length of the message. Side-channel leakage from the
caller's use of length and return value may still provide an
oracle useable for a Bleichenbacher-style chosen ciphertext
attack. Which is why the new function rsa_sec_decrypt is
recommended.
New features:
*
New function rsa_sec_decrypt. It differs from rsa_decrypt_tr
in that the length of the decrypted message is given a
priori, and pkcs#1 padding indicating a different length is
treated as an error. For applications that may be subject to
chosen ciphertext attacks, it is recommended to initialize
the message area with random data, call this function, and
ignore the return value. This applies in particular to
RSA-based key exchange in the TLS protocol.
*
A new function rsa_sec_decrypt. It differs from
rsa_decrypt_tr in that the length of the decrypted message
is given a priori, and PKCS#1 padding indicating a different
length is treated as an error. For applications that may be
subject to chosen ciphertext attacks, it is recommended to
initialize the message area with random data, call this
function, and ignore the return value. This applies in
particular to
RSA-based key exchange in the TLS protocol.
Bug fixes:
...
...
@@ -50,6 +52,22 @@ NEWS for the Nettle 3.4.1 release
* Fix link error on the pss-mgf1-test test, affecting builds
without public key support.
Performance regression:
* All RSA private key operations employing RSA blinding, i.e.,
rsa_decrypt_tr, rsa_*_sign_tr, the new rsa_sec_decrypt, and
rsa_compute_root_tr, are significantly slower. This is
because (i) RSA blinding now use side-channel silent
operations, (ii) blinding includes a modular inversion, and
(iii) side-channel silent modular inversion, implemented as
mpn_sec_invert, is very expensive. A 60% slowdown for
2048-bit RSA keys have been measured.
Miscellaneous:
* Building the public key support of nettle now requires GMP
version 6.0 or later (unless --enable-mini-gmp is used).
The shared library names are libnettle.so.6.5 and
libhogweed.so.4.5, with sonames still libnettle.so.6 and
libhogweed.so.4. It is intended to be fully binary compatible
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
