Making the rounds, complete w/ sensationalized headline: https://www.theregister.co.uk/2018/06/22/intel_tlbleed_key_data_leak/ … Short version: libgcrypt doesn't follow best practices to avoid side channel leak of keys. Crypto that does (BoringSSL, OpenSSL, BearSSL, maybe others) shouldn't be impacted. Use them, update often.
Replying to @chandlerc1024
Cripes. I thought I'd gone for a minimal sensationalist headline ;) I think the story as a whole is balanced: it's non-trivial to exploit, Intel doesn't consider it a major problem. As for BoringSSL etc, I'll defer to Ben's statement on the difficulties of mitigating TLBleed pic.twitter.com/H72c8PNLK9
Replying to @diodesign
For cryptographic software, I strongly disagree. The most widely used libraries do the right thing here. Libgcrypt is the exception and regarded as such by everyone I know in the crypto community.
Replying to @chandlerc1024 @diodesign
I think it's a stretch to say the most widely used libraries do the right thing here unless you're talking specifically about Ed25519, which itself is actually hardly used. The emphasis on breaking crypto libs also seems like a red herring. Non-crypto apps usually don't even try.
Replying to @BRIAN_____ @diodesign
Most widely used libraries *for cryptographic software*. Other software indeed often doesn't even try. But in that case, you don't need TLBleed at all - any side-channel attack will work fine.
Replying to @chandlerc1024 @diodesign
I'd guess that OpenSSL 1.0.1 or earlier is probably the most common open-source crypto library and (1) it doesn't implement Ed25519, (2) its ECC implementation leaves a lot to be desired for the curves it does implement, especially on non-x86-64. BoringSSL was fixed 9 weeks ago.
(BoringSSL always did Ed25519 the way it does now; I'm referring to the implementation of other curves.) Anyway, I don't mean to take away anything from OpenSSL or BoringSSL here but rather I'm just pointing out that it's far from clear that the problem is limited to libgcrypt.
Replying to @BRIAN_____ @diodesign
(see other tweet - to the extent that is the case in both BoringSSL and OpenSSL, TLBleed doesn't seem to make it much worse than existing side-channel attacks)
Well, that's less exciting then. I was hoping (having not read the paper that's not available yet) that it would be a more easily-exploitable side channel than the existing side channel attacks.