author: Jack Lloyd <[email protected]> 2018-04-04 11:53:36 -0400
committer: Jack Lloyd <[email protected]> 2018-04-04 11:53:36 -0400
commit: c2d4eefafed4aad95f501fa932ab67699db2c5a5 (patch)
tree: 4e4a545dd92069447ea614447427808a44c56128
parent: db65873a56c75373280c61417332a4d1c466a494 (diff)
Update side channel doc, and update RSA blinding test
It needs to account for bits taken from the blinding RNG for exponent blinding.
-rw-r--r-- doc/manual/side_channels.rst | 6
-rw-r--r-- src/tests/test_rsa.cpp | 13
2 files changed, 15 insertions, 4 deletions
diff --git a/doc/manual/side_channels.rst b/doc/manual/side_channels.rst
index 6d6bd74bb..cf5f26003 100644
--- a/doc/manual/side_channels.rst
+++ b/doc/manual/side_channels.rst
@@ -13,13 +13,17 @@ RSA
----------------------
Blinding is always used to protect private key operations (there is no way to
-turn it off). As an optimization, instead of choosing a new random mask and
+turn it off). Both base blinding and exponent blinding are used.
+
+For base blinding, as an optimization, instead of choosing a new random mask and
inverse with each decryption, both the mask and its inverse are simply squared
to choose the next blinding factor. This is much faster than computing a fresh
value each time, and the additional relation is thought to provide only minimal
useful information for an attacker. Every BOTAN_BLINDING_REINIT_INTERVAL
(default 32) operations, a new starting point is chosen.
+Exponent blinding uses new values for each signature.
+
RSA signing uses the CRT optimization, which is much faster but vulnerable to
trivial fault attacks [RsaFault] which can result in the key being entirely
compromised. To protect against this (or any other computational error which
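Review bot: the added line "Exponent blinding uses new values for each signature." is inserted directly after "a new starting point is chosen." with no blank line before it, so in reStructuredText it will render as the last sentence of the base-blinding paragraph rather than as its own statement; add a blank line above it (the blank line is already present below it). Two smaller points on the same sentence: the opening paragraph says blinding covers all private key operations, so "for each signature" reads narrower than intended and "for each private key operation" would match; and the doc now names exponent blinding without saying how large the random exponent mask is, which is exactly what the test change in this commit depends on (2*64 bits per operation), so stating the mask size here would let readers judge the protection without reading the test.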
diff --git a/src/tests/test_rsa.cpp b/src/tests/test_rsa.cpp
index 652d5cafd..88c086812 100644
--- a/src/tests/test_rsa.cpp
+++ b/src/tests/test_rsa.cpp
@@ -288,9 +288,16 @@ class RSA_Blinding_Tests final : public Test
Botan::PK_Encryptor_EME encryptor(rsa, Test::rng(), "Raw"); // don't try this at home
- // test blinding reinit interval
- // Seed Fixed_Output_RNG only with enough bytes for the initial blinder initialization
- Botan_Tests::Fixed_Output_RNG fixed_rng(Botan::unlock(Test::rng().random_vec(rsa.get_n().bytes())));
+ /*
+ Test blinding reinit interval
+
+ Seed Fixed_Output_RNG only with enough bytes for the initial
+ blinder initialization plus the exponent blinding bits which
+ is 2*64 bits per operation.
+ */
+ const size_t rng_bytes = rsa.get_n().bytes() + (2*8*BOTAN_BLINDING_REINIT_INTERVAL);
+
+ Botan_Tests::Fixed_Output_RNG fixed_rng(Botan::unlock(Test::rng().random_vec(rng_bytes)));
Botan::PK_Decryptor_EME decryptor(rsa, fixed_rng, "Raw", "base");
for(size_t i = 1; i <= BOTAN_BLINDING_REINIT_INTERVAL ; ++i)
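Review bot: the seed-size calculation at "const size_t rng_bytes = rsa.get_n().bytes() + (2*8*BOTAN_BLINDING_REINIT_INTERVAL);" hardcodes the exponent-blinding mask width as the literal 2*8 bytes, with the comment being the only link to the "2*64 bits per operation" it is meant to mirror. If the library's exponent-blinding size changes, this test will silently seed the wrong number of bytes and either fail for the wrong reason or stop exercising the reinit interval, so consider naming the width (e.g. a local constant documented as the exponent blinding bits used per operation, ideally derived from the same constant the RSA code uses) rather than an unlabelled literal. Minor wording in the new comment: "bits which is 2*64 bits per operation" should read "bits, which are 2*64 bits per operation".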