F-Secure Information for VU#997481

Cryptographic libraries and applications do not adequately defend against timing attacks

Status

Not Affected

Vendor Statement

F-Secure SSH products are not vulnerable to RSA timing attack.

The recently appeared article, [1], presents a new timing attack on RSA operations. The attack tries to retrieve bits from the private key by statistically analyzing the timing information from RSA private key operations on chosen input texts.

As a prerequisite, the opponent/attacker must be able to selectively choose a large number of bits of the input data to the private key operation. The opponent needs to be able to choose a large number (of the order 10^5 - 10^6) of such input texts.

This means the attack as presented in [1] does not apply to situations where the private keys are used to generate digital signatures on the input data by hashing the input data first. If the owner of the private key hashes the input data, the opponent has lost the ability to choose bits in the input data to the private key operation.

In Secure Shell protocol, when authenticated with signatures, the input data that is hashed contains random input from the owner of the private key. The opponent does not have a possibility to influence the input value to the private key operation and the attack does not work.

[1] Remote Timing Attacks are Practical, by David Brumlay and Dan Boneh.
http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.