aboutsummaryrefslogtreecommitdiffstats
path: root/doc/manual/side_channels.rst
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2018-04-04 11:53:36 -0400
committerJack Lloyd <[email protected]>2018-04-04 11:53:36 -0400
commitc2d4eefafed4aad95f501fa932ab67699db2c5a5 (patch)
tree4e4a545dd92069447ea614447427808a44c56128 /doc/manual/side_channels.rst
parentdb65873a56c75373280c61417332a4d1c466a494 (diff)
Update side channel doc, and update RSA blinding test
It needs to account for bits taking from the blinding RNG for exponent blinding.
Diffstat (limited to 'doc/manual/side_channels.rst')
-rw-r--r--doc/manual/side_channels.rst6
1 files changed, 5 insertions, 1 deletions
diff --git a/doc/manual/side_channels.rst b/doc/manual/side_channels.rst
index 6d6bd74bb..cf5f26003 100644
--- a/doc/manual/side_channels.rst
+++ b/doc/manual/side_channels.rst
@@ -13,13 +13,17 @@ RSA
----------------------
Blinding is always used to protect private key operations (there is no way to
-turn it off). As an optimization, instead of choosing a new random mask and
+turn it off). Both base blinding and exponent blinding are used.
+
+For base blinding, as an optimization, instead of choosing a new random mask and
inverse with each decryption, both the mask and its inverse are simply squared
to choose the next blinding factor. This is much faster than computing a fresh
value each time, and the additional relation is thought to provide only minimal
useful information for an attacker. Every BOTAN_BLINDING_REINIT_INTERVAL
(default 32) operations, a new starting point is chosen.
+Exponent blinding uses new values for each signature.
+
RSA signing uses the CRT optimization, which is much faster but vulnerable to
trivial fault attacks [RsaFault] which can result in the key being entirely
compromised. To protect against this (or any other computational error which