[Mono-bugs] [Bug 70171][Wis] Changed - Montgomery implementation inefficient and insecure
Thu, 16 Dec 2004 14:27:14 -0500 (EST)
Changed by email@example.com.
--- shadow/70171 2004-12-06 19:52:21.000000000 -0500
+++ shadow/70171.tmp.26231 2004-12-16 14:27:14.000000000 -0500
@@ -1,12 +1,12 @@
Product: Mono: Class Libraries
@@ -188,6 +188,20 @@
blinding is ON by default (Mono.Security 2.x API will have a property
to turn it off). RSACryptoServiceProvider (in mscorlib) has no way to
turn it off.
However this fix doesn't cover possible timing attacks on the
Diffie-Hellman implementation in Mono.Security.dll.
+------- Additional Comments From firstname.lastname@example.org 2004-12-16 14:27 -------
+After talking with Pieter,
+for problem #1
+* The fix (key blinding) render a timing attack ineffective;
+for problem #2
+* The code (translated to C) and platform (smartcard) used to attack
+the keys doesn't reflect Mono environments very well - so that
+particuliar attack code isn't applicable as is. Similar attacks (see
+papers) suggests that problems may occurs if someone can measure your
+private key calculations with tens of thousands to millions samples.
+Key blinding (1.0.4/1.1.3) fix this potential problem.
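Review bot: the added comment closes out problem #1 and problem #2 but leaves the open item in the preceding context unanswered, namely that the blinding fix "doesn't cover possible timing attacks on the Diffie-Hellman implementation in Mono.Security.dll"; the comment should either state that DH exponentiation in Mono.Security.dll remains unblinded in 1.0.4/1.1.3 or say how it is handled, so the bug is not closed with that gap undocumented. Also, "Similar attacks (see papers)" cites nothing; naming the papers would let readers check the "tens of thousands to millions samples" estimate against the published measurements.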