author | Jack Lloyd <[email protected]> | 2015-10-15 10:07:36 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2015-10-15 10:07:36 -0400 |
commit | 3181dfa7abfe7b623d8823e078f04a374775e978 (patch) | |
tree | 892045bf1538463ebd4b586f0414b44d2335e044 | |
parent | 83fe87cc13b4dd6285fbc15465c7bd39fdadb53d (diff) |
Periodically reinitialize the blinding sequence instead of always
deriving it by squaring the previous value.
-rw-r--r-- | doc/news.rst | 18 | ||||
-rw-r--r-- | src/build-data/buildh.in | 15 | ||||
-rw-r--r-- | src/lib/pubkey/blinding.cpp | 40 | ||||
-rw-r--r-- | src/lib/pubkey/blinding.h | 12 |
4 files changed, 66 insertions, 19 deletions
diff --git a/doc/news.rst b/doc/news.rst index e1ee423f8..cae2270bd 100644 --- a/doc/news.rst +++ b/doc/news.rst @@ -4,11 +4,21 @@ Release Notes Version 1.11.22, Not Yet Released ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -* Public key operations can now be used with specified providers - by passing an additional parameter to the constructor of - the PK operation. +* Public key operations can now be used with specified providers by passing an + additional parameter to the constructor of the PK operation. -* OpenSSL RSA provider now supports signatures and verification. +* OpenSSL RSA provider now supports signature creation and verification. + +* The blinding code used for RSA, Diffie-Hellman, ElGamal and Rabin-Williams now + periodically reinitializes the sequence of blinding values instead of always + deriving the next value by squaring the previous ones. The reinitializion + interval can be controlled by + +* Add System_RNG type. Previously the global system RNG was only accessible via + `system_rng` which returned a reference to the object. However is at times + useful to have a unique_ptr<RandomNumberGenerator> which will be either the + system RNG or an AutoSeeded_RNG, depending on availability, which this + additional type allows. * The `configure.py` option `--no-autoload` is now also available under the more understandable name `--minimized-build`. diff --git a/src/build-data/buildh.in b/src/build-data/buildh.in index eaf4181b5..31069f0ae 100644 --- a/src/build-data/buildh.in +++ b/src/build-data/buildh.in 
@@ -71,9 +71,20 @@ * representation of an ECC point. Set to zero to diable this
 * side-channel countermeasure.
 */
-#define BOTAN_POINTGFP_RANDOMIZE_BLINDING_BITS 64
+#define BOTAN_POINTGFP_RANDOMIZE_BLINDING_BITS 80
-#define BOTAN_CURVE_GFP_USE_MONTGOMERY_LADDER 0
+/*
+* Normally blinding is performed by choosing a random starting point (plus
+* its inverse, of a form appropriate to the algorithm being blinded), and
+* then choosing new blinding operands by successive squaring of both
+* values. This is much faster than computing a new starting point but
+* introduces some possible coorelation
+*
+* To avoid possible leakage problems in long-running processes, the blinder
+* periodically reinitializes the sequence. This value specifies how often
+* a new sequence should be started.
+*/
+#define BOTAN_BLINDING_REINIT_INTERVAL 32
 /* PK key consistency checking toggles */
 #define BOTAN_PUBLIC_KEY_STRONG_CHECKS_ON_LOAD 1
diff --git a/src/lib/pubkey/blinding.cpp b/src/lib/pubkey/blinding.cpp
index cd2b3d118..da9def797 100644
--- a/src/lib/pubkey/blinding.cpp
+++ b/src/lib/pubkey/blinding.cpp
@@ -1,6 +1,6 @@
 /*
 * Blinding for public key operations
-* (C) 1999-2010 Jack Lloyd
+* (C) 1999-2010,2015 Jack Lloyd
 *
 * Botan is released under the Simplified BSD License (see license.txt)
 */
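Review bot: The comment added above BOTAN_BLINDING_REINIT_INTERVAL never says what a value of 0 means, even though blind() in blinding.cpp uses `BOTAN_BLINDING_REINIT_INTERVAL > 0` as the enable condition; end it with `* a new sequence should be started. Set to zero to disable periodic reinitialization.`, mirroring the wording used for BOTAN_POINTGFP_RANDOMIZE_BLINDING_BITS just above. The same comment misspells "coorelation" and its first paragraph ends without a full stop. The bump of BOTAN_POINTGFP_RANDOMIZE_BLINDING_BITS from 64 to 80 and the removal of BOTAN_CURVE_GFP_USE_MONTGOMERY_LADDER are unrelated to the commit message and go unexplained; if nothing still references the removed macro, say so in the message. The news entry in doc/news.rst breaks off at "can be controlled by" without naming this macro.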
@@ -16,24 +16,28 @@ namespace Botan {
-// TODO: use Montgomery
-
 Blinder::Blinder(const BigInt& modulus,
- std::function<BigInt (const BigInt&)> fwd_func,
- std::function<BigInt (const BigInt&)> inv_func)
+ std::function<BigInt (const BigInt&)> fwd,
+ std::function<BigInt (const BigInt&)> inv) :
+ m_fwd_fn(fwd), m_inv_fn(inv)
 {
 m_reducer = Modular_Reducer(modulus);
+ m_modulus_bits = modulus.bits();
 #if defined(BOTAN_HAS_SYSTEM_RNG)
- auto& rng = system_rng();
+ m_rng.reset(new System_RNG);
 #else
- AutoSeeded_RNG rng;
+ m_rng.reset(new AutoSeeded_RNG);
 #endif
- const BigInt k(rng, modulus.bits() - 1);
+ const BigInt k = blinding_nonce();
+ m_e = m_fwd_fn(k);
+ m_d = m_inv_fn(k);
+ }
- m_e = fwd_func(k);
- m_d = inv_func(k);
+BigInt Blinder::blinding_nonce() const
+ {
+ return BigInt(*m_rng, m_modulus_bits - 1);
 }
 BigInt Blinder::blind(const BigInt& i) const
@@ -41,8 +45,20 @@ BigInt Blinder::blind(const BigInt& i) const
 if(!m_reducer.initialized())
 throw std::runtime_error("Blinder not initialized, cannot blind");
- m_e = m_reducer.square(m_e);
- m_d = m_reducer.square(m_d);
+ ++m_counter;
+
+ if(BOTAN_BLINDING_REINIT_INTERVAL > 0 && (m_counter % BOTAN_BLINDING_REINIT_INTERVAL == 0))
+ {
+ const BigInt k = blinding_nonce();
+ m_e = m_fwd_fn(k);
+ m_d = m_inv_fn(k);
+ }
+ else
+ {
+ m_e = m_reducer.square(m_e);
+ m_d = m_reducer.square(m_d);
+ }
+
 return m_reducer.multiply(i, m_e);
 }
diff --git a/src/lib/pubkey/blinding.h b/src/lib/pubkey/blinding.h
index e57c7888e..2525276ca 100644
--- a/src/lib/pubkey/blinding.h
+++ b/src/lib/pubkey/blinding.h
@@ -1,6 +1,6 @@
 /*
 * Blinding for public key operations
-* (C) 1999-2010 Jack Lloyd
+* (C) 1999-2010,2015 Jack Lloyd
 *
 * Botan is released under the Simplified BSD License (see license.txt)
 */
@@ -14,6 +14,8 @@ namespace Botan {
+class RandomNumberGenerator;
+
 /**
 * Blinding Function Object
 */
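Review bot: In the blind() hunk the reinitialization branch is guarded by `BOTAN_BLINDING_REINIT_INTERVAL > 0`, so a zero interval silently means "never reinitialize", but nothing in the code says so; put `// A zero interval disables reinitialization; otherwise a fresh (k, k^-1) pair replaces the squaring chain every BOTAN_BLINDING_REINIT_INTERVAL calls` above the `if`. The constructor hunk does `m_rng.reset(new System_RNG)` and the news entry announces a System_RNG type, yet none of this commit's four files defines it, so unless the parent commit already provides it the BOTAN_HAS_SYSTEM_RNG build will not compile. `m_fwd_fn(fwd), m_inv_fn(inv)` copies both std::function objects that were just taken by value; `m_fwd_fn(std::move(fwd)), m_inv_fn(std::move(inv))` avoids the copies. blinding_nonce() is undocumented; a one-line comment that it draws a random value of m_modulus_bits - 1 bits from the Blinder's own RNG would help, and since blind() is const but now mutates m_counter as well as m_e/m_d, the class comment should state whether sharing one Blinder between threads is supported (as written it is a data race).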
@@ -33,8 +35,16 @@ class BOTAN_DLL Blinder
 std::function<BigInt (const BigInt&)> inv_func);
 private:
+ BigInt blinding_nonce() const;
+
 Modular_Reducer m_reducer;
+ std::unique_ptr<RandomNumberGenerator> m_rng;
+ std::function<BigInt (const BigInt&)> m_fwd_fn;
+ std::function<BigInt (const BigInt&)> m_inv_fn;
+ size_t m_modulus_bits = 0;
+
 mutable BigInt m_e, m_d;
+ mutable size_t m_counter = 0;
 };
 }
|
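Review bot: The new `std::unique_ptr<RandomNumberGenerator> m_rng;` member needs `<memory>`, and this commit adds no include to blinding.h (the diffstat's 12 changed lines are fully accounted for by the three hunks shown), so the header now depends on a transitive include; add `#include <memory>` beside whatever include currently brings in std::function. The unique_ptr member also makes Blinder non-copyable, so any code that copies a Blinder by value will stop compiling — not visible from here, but worth checking before merging. The new private members are undocumented; a short comment that `m_counter` counts blind() calls and triggers a fresh nonce every BOTAN_BLINDING_REINIT_INTERVAL calls, and that `m_e`/`m_d` are mutable because blind() advances the blinding sequence, would let a reader follow the header alone. Class Blinder begins before this hunk.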