nettle (Wim Lewis)
Commit 81491991
authored Nov 27, 2018 by Niels Möller
Describe RSA improvements in NEWS.
parent 6487ef7e
Showing 1 changed file: NEWS (42 additions, 2 deletions)
NEWS for the Nettle 3.4.1 release
This is a bugfix release.
This release fixes a few bugs, and makes the RSA private key
operations side channel silent. The RSA improvements are
contributed by Simo Sorce and Red Hat, and includes one new
public function.
All functions handling RSA private keys are now side-channel
silent, meaning that they try hard to avoid any branches or
memory accesses depending on secret data. This applies both to
the bignum calculations, which now use GMP's mpn_sec_* family
of functions, and the processing of pkcs#1 padding.
Nettle's ECC functions were already side-channel silent, while
the DSA functions still aren't. There's also one caveat
regarding the improved RSA functions: due to small table
lookups in relevant mpn_sec_* functions in GMP-6.1.2, the
lowest and highest few bits of the secret factors p and q may
leak. I'm not aware of any attacks on RSA where knowing a few
bits of the factors makes a significant difference. This leak
will likely be plugged in later GMP versions).
Changes in behavior:
* The old rsa_decrypt_tr may now clobber all of the provided
message buffer, independent of the actual message length. It
is side-channel silent, in that branches and memory accesses
don't depend on the validity or length of the message.
Side-channel leakage from the caller's use of length and
return value may still provide an oracle useable for a
Bleichenbacher-style chosen ciphertext attack. Which is why
the new function rsa_sec_decrypt, see below, is recommended.
New features:
* New function rsa_sec_decrypt. It differs from rsa_decrypt_tr
in that the length of the decrypted message is given a
priori, and pkcs#1 padding indicating a different length is
treated as an error. For applications that may be subject to
chosen ciphertext attacks, it is recommended to initialize
the message area with random data, call this function, and
ignore the return value. This applies in particular to
RSA-based key exchange in the TLS protocol.
Bug fixes:
...
...
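Review bot: the new Nettle 3.4.1 text has a few grammar and punctuation slips that should be fixed before the release notes ship. "The RSA improvements are contributed by Simo Sorce and Red Hat, and includes one new public function" should read "include" (the subject is "improvements"); "This leak will likely be plugged in later GMP versions)." closes a parenthesis that was never opened; and "Which is why the new function rsa_sec_decrypt, see below, is recommended." is a fragment that reads better joined to the preceding sentence with a comma or rewritten as "This is why ...". It would also help to spell out what "the DSA functions still aren't" refers to ("still aren't side-channel silent") so the caveat about GMP-6.1.2 table lookups leaking the low and high bits of p and q is not read as applying to DSA. On substance, the rsa_sec_decrypt guidance (fill the message area with random data, call the function, ignore the return value) is consistent with the stated goal of removing the length and validity oracle that the rsa_decrypt_tr entry warns can feed a Bleichenbacher-style attack, and the explicit pointer to TLS RSA key exchange is the right place to direct readers.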
@@ -138,7 +178,7 @@ NEWS for the Nettle 3.3 release
This release fixes a couple of bugs, and improves resistance
to side-channel attacks on RSA and DSA private key operations.
Changes in behav
o
ir:
Changes in behavi
o
r:
* Invalid private RSA keys, with an even modulo, are now
rejected by rsa_private_key_prepare. (Earlier versions
...
...
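Review bot: the only change in this hunk is the spelling fix from "behavoir" to "behavior" in the Nettle 3.3 section heading (the rendered view splits the word-level highlight across several lines). That is fine, but it is unrelated to the stated purpose "Describe RSA improvements in NEWS."; mentioning it in the commit message, or splitting it into its own trivial commit, keeps the history searchable. The hunk header moving from -138 to +178 is consistent with the +42/-2 summary for the file.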