Making the rounds, complete w/ sensationalized headline: https://www.theregister.co.uk/2018/06/22/intel_tlbleed_key_data_leak/ Short version: libgcrypt doesn't follow best practices to avoid side channel leak of keys. Crypto that does (BoringSSL, OpenSSL, BearSSL, maybe others) shouldn't be impacted. Use them, update often.
I'd guess that OpenSSL 1.0.1 or earlier is probably the most common open-source crypto library and (1) it doesn't implement Ed25519, (2) its ECC implementation leaves a lot to be desired for the curves it does implement, especially on non-x86-64. BoringSSL was fixed 9 weeks ago.
But again, if broken, you wouldn't need TLBleed. The things really hurt here are approaches to mitigating side channels other than data-invariant coding, such as the ones discussed in the paper, and those seem somewhat rarely deployed outside of libgcrypt.
AFAICT the paper isn't available publicly yet so I can't refer to it. NSS and OpenSSL are both using non-data-invariant mitigations even in their master branches today, except in special cases like x25519/Ed25519 and some optimized x86-64 or 64-bit-only P-256 implementations.
@agl__ to comment about non-data-invariant side channel mitigation still being relied on in OpenSSL. If that's the case (for either of these libs) we should definitely work on fixing it.
BTW, if you are interested in these things then you should check out copy_to_prebuf/copy_from_prebuf in these libs (and *ring* too) which attempt to thread the needle.
(BoringSSL always did Ed25519 the way it does now; I'm referring to the implementation of other curves.) Anyway, I don't mean to take away anything from OpenSSL or BoringSSL here but rather I'm just pointing out that it's far from clear that the problem is limited to libgcrypt.
(See other tweet: to the extent that is the case in both BoringSSL and OpenSSL, TLBleed doesn't seem to make it much worse than existing side-channel attacks.)
Well, that's less exciting then. I was hoping (having not read the paper that's not available yet) that it would be a more easily-exploitable side channel than the existing side channel attacks.