Describe RSA improvements in NEWS.

81491991 · Niels Möller · 6487ef7e · 81491991
Commit 81491991 authored Nov 27, 2018 by Niels Möller
Hide whitespace changes
Inline Side-by-side

Showing with 42 additions and 2 deletions

NEWS NEWS +42 -2

No files found.
--- a/NEWS
+++ b/NEWS
 NEWS for the Nettle 3.4.1 release

-	This is a bugfix release.
+	This release fixes a few bugs, and makes the RSA private key
+	operations side channel silent. The RSA improvements are
+	contributed by Simo Sorce and Red Hat, and includes one new
+	public function.
+
+	All functions handling RSA private keys are now side-channel
+	silent, meaning that they try hard to avoid any branches or
+	memory accesses depending on secret data. This applies both to
+	the bignum calculations, which now use GMP's mpn_sec_* family
+	of functions, and the processing of pkcs#1 padding.
+
+	Nettle's ECC functions were already side-channel silent, while
+	the DSA functions still aren't. There's also one caveat
+	regarding the improved RSA functions: due to small table
+	lookups in relevant mpn_sec_* functions in GMP-6.1.2, the
+	lowest and highest few bits of the secret factors p and q may
+	leak. I'm not aware of any attacks on RSA where knowing a few
+	bits of the factors makes a significant difference. This leak
+	will likely be plugged in later GMP versions).
+
+	Changes in behavior:
+
+	* The old rsa_decrypt_tr may now clobber all of the provided
+	  message buffer, independent of the actual message length. It
+	  is side-channel silent, in that branches and memory accesses
+	  don't depend on the validity or length of the message.
+	  Side-channel leakage from the caller's use of length and
+	  return value may still provide an oracle useable for a
+	  Bleichenbacher-style chosen ciphertext attack. Which is why
+	  the new function rsa_sec_decrypt, see below, is recommended.
+
+	New features:
+
+	* New function rsa_sec_decrypt. It differs from rsa_decrypt_tr
+	  in that the length of the decrypted message is given a
+	  priori, and pkcs#1 padding indicating a different length is
+	  treated as an error. For applications that may be subject to
+	  chosen ciphertext attacks, it is recommended to initialize
+	  the message area with random data, call this function, and
+	  ignore the return value. This applies in particular to
+	  RSA-based key exchange in the TLS protocol.

 	Bug fixes:

@@ -138,7 +178,7 @@ NEWS for the Nettle 3.3 release
 	This release fixes a couple of bugs, and improves resistance
 	to side-channel attacks on RSA and DSA private key operations.

-	Changes in behavoir:
+	Changes in behavior:

 	* Invalid private RSA keys, with an even modulo, are now
 	  rejected by rsa_private_key_prepare. (Earlier versions