[Mono-bugs] [Bug 70171][Wis] Changed - Montgomery implementation inefficient and insecure

bugzilla-daemon@bugzilla.ximian.com bugzilla-daemon@bugzilla.ximian.com
Thu, 16 Dec 2004 14:27:14 -0500 (EST)

Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by sebastien@ximian.com.


--- shadow/70171	2004-12-06 19:52:21.000000000 -0500
+++ shadow/70171.tmp.26231	2004-12-16 14:27:14.000000000 -0500
@@ -1,12 +1,12 @@
 Bug#: 70171
 Product: Mono: Class Libraries
 Version: unspecified
 OS: All
 OS Details: 
-Status: NEEDINFO   
+Status: CLOSED   
 Severity: Unknown
 Priority: Wishlist
 Component: Mono.Security
 AssignedTo: sebastien@ximian.com                            
 ReportedBy: pieter@mentalis.org               
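Review bot: the only header change in this hunk is Status NEEDINFO to CLOSED, while Version stays "unspecified" and nothing in the header records where the fix landed; the comment below cites the blinding fix as shipping in 1.0.4/1.1.3, so the closing header should carry that fixed version (or the equivalent resolution field) so anyone triaging the timing-attack report later can tell which Mono.Security releases are affected without reading the whole comment trail.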
@@ -188,6 +188,20 @@
 blinding is ON by default (Mono.Security 2.x API will have a property
 to turn it off). RSACryptoServiceProvider (in mscorlib) has no way to
 turn it off. 
 However this fix doesn't cover possible timing attacks on the
 Diffie-Hellman implementation in Mono.Security.dll.
+------- Additional Comments From sebastien@ximian.com  2004-12-16 14:27 -------
+After talking with Pieter,
+for problem #1
+* The fix (key blinding) render a timing attack ineffective;
+for problem #2
+* The code (translated to C) and platform (smartcard) used to attack
+the keys doesn't reflect Mono environments very well - so that
+particuliar attack code isn't applicable as is. Similar attacks (see
+papers) suggests that problems may occurs if someone can measure your
+private key calculations with tens of thousands to millions samples.
+Key blinding (1.0.4/1.1.3) fix this potential problem.
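Review bot: the closing comment resolves problems #1 and #2 for the RSA path but does not address the open point in the unchanged context just above it, "this fix doesn't cover possible timing attacks on the Diffie-Hellman implementation in Mono.Security.dll"; closing the bug here leaves that DH exposure with no recorded status. Either state in the comment that the DH timing question is out of scope and tracked elsewhere, or keep this bug open for it. Also, the claim that attacks "suggests that problems may occurs if someone can measure your private key calculations with tens of thousands to millions samples" references "papers" without naming them; adding the citations would let a reader check the sample counts and the attack model (the comment itself notes the original attack code targeted a smartcard, not a Mono host) against what blinding actually mitigates.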