
Sliding right into disaster: Left-to-right sliding windows leak - dom0
https://eprint.iacr.org/2017/627
======
schoen
It might not be clear from the title without context that the setting for this
attack is a local cache-timing attack, which can work cross-VM on the same
physical hardware. So if you have an attacker running code on your physical
machine, but not necessarily in the same process, account, or VM, you would be
vulnerable to private key recovery.

Although the researchers describe mitigations that will dramatically reduce
the information leakage, this is further evidence that it's quite dangerous to
do software crypto on hardware that may be shared with an adversary.

~~~
ivanbakel
Is there a cheap alternative? I know there are a few vendors selling secure
hardware USBs (though how secure I don't know) for various uses, but are there
any SoCs to run arbitrary sensitive code without hardware sharing?

~~~
xyzzyz
Intel SGX provides good isolation; it is still vulnerable to some side channel
attacks, though they can be mitigated using a TSX hack.

Of course, SGX is not quite available yet on server class CPUs.

~~~
bleair
The details aren't completely spelled out here but SGX looks to be an
interesting extension of the idea of "virtual machine per block of code"
[https://software.intel.com/en-us/sgx](https://software.intel.com/en-us/sgx)

It appears a runtime per-site-per-use license is required though.

~~~
amluto
The latest SDM strongly suggests that some future CPU will change this. Also,
certain Linux x86 developers think that SGX support is vastly more likely to
be acceptable upstream if this changes :)

------
dom0
"We also provide strong evidence that the same attack works for RSA-2048 with
only moderately more computation."

This is the fix: [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=c...](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=8725c99ffa41778f382ca97233183bcd687bb0ce;hp=78130828e9a140a9de4dafadbc844dbb64cb709a)

~~~
watersb
Yes, I was installing it with Homebrew just yesterday. That was fast. Was this
code already in review?

------
19eightyfour
How can you compute modular exponentiation in a Time Safe way, regarding some
pseudocode or a link?

~~~
Retric
They give a partial answer aka right-to-left vs. left-to-right, but at the
high level.

Make sure you do fixed computation regardless of data involved. This involves
slowing things down and making sure the CPU/compiler does not optimize
anything so things become unbalanced.

~~~
19eightyfour
Okay, I saw that, but thanks for saying it. What does right to left mean
specifically? How would you compute it without a sliding window / or make it
fixed time?

~~~
dfox
A straightforward implementation involves taking exponent bits from the MSB on
and multiplying by the base for 1 bits and then squaring the intermediate
result.

The straightforward way to make this constant time is to do the multiplication
always and discard the result for 0 bits.

The motivation of the sliding window algorithms is that they are faster and also
believed to be "more constant time" than the straightforward square and
multiply.
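
An added illustration of the two variants described above (not code from the paper, libgcrypt, or the commenter): left-to-right square-and-multiply recorded as a sequence of squarings and multiplications, beside the multiply-always form whose sequence does not depend on the exponent. The trace is a simulated operation log, not a timing measurement, and Python big-int arithmetic is itself not constant time, so only the operation sequence is demonstrated; `demo` and its sample values are constructed for this example.

```python
# Added illustration (not from the paper or libgcrypt): the operation sequence
# of left-to-right modular exponentiation, recorded instead of timed.

def square_and_multiply(base, exp, mod, trace):
    """Left-to-right square-and-multiply; records 'S'/'M' into trace."""
    result = 1
    for bit in bin(exp)[2:]:          # MSB first
        result = result * result % mod
        trace.append("S")
        if bit == "1":                # data-dependent multiply: leaks the bit
            result = result * base % mod
            trace.append("M")
    return result

def square_and_multiply_always(base, exp, mod, trace):
    """Same loop, but always multiply and select the result arithmetically."""
    result = 1
    for bit in bin(exp)[2:]:
        result = result * result % mod
        trace.append("S")
        product = result * base % mod
        trace.append("M")             # happens for 0 and 1 bits alike
        b = int(bit)                  # arithmetic select stands in for the
        result = result + b * (product - result)  # mask-based select used in C
    return result

def exponent_from_trace(trace):
    """Read an exponent back from an 'S'/'M' trace: an 'S' followed by 'M' is a
    1 bit, an 'S' followed by 'S' (or by the end of the trace) is a 0 bit."""
    bits, i = [], 0
    while i < len(trace):
        if trace[i + 1:i + 2] == ["M"]:
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)

def demo(base=4, exp=13, mod=497):
    """Constructed sample: returns (plain_leaks, always_leaks), i.e. whether
    each variant's operation sequence reveals exp."""
    plain, always = [], []
    assert square_and_multiply(base, exp, mod, plain) == pow(base, exp, mod)
    assert square_and_multiply_always(base, exp, mod, always) == pow(base, exp, mod)
    return (exponent_from_trace(plain) == exp,
            exponent_from_trace(always) == exp)
```

Both variants compute the same value, but only the plain one produces a trace from which the exponent can be read back; the multiply-always trace is the same for every exponent of the same length.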

~~~
19eightyfour
Thanks.

------
JH-Lee
Can you provide an example and explanation of rule 2 on page 9? I understand
about Theorem 1.

------
paulproteus
Dear moderators: Can you adjust the title? I misunderstood it, as I think many
others will, as defeating all RSA-1024 by all GPG users done on any computer.
It's actually about people who share a computer with someone doing a GPG
decryption.

The paper's title is: "Sliding right into disaster: Left-to-right sliding
windows leak". Standard HN practice is to use the page's title as the post
title.

Alternative options that seem clear to me:

- "Local-machine side channel attack defeats RSA-1024 decryption using GPG
(CVE-2017-7526)"

- "Complete break of RSA-1024 in GPG (CVE-2017-7526) for local attackers"

- "Sliding right into disaster: Left-to-right sliding window attack against
local-machine RSA-1024 in GPG (CVE-2017-7526)"

Thanks!

~~~
jenrzzz
I was expecting an article about waterproofing differences between windows
that open to the left and those that open to the right. Forgot this was HN.

~~~
code_duck
My first thought was window managers... like, a flaw was found in some code
that does window sliding somehow.

~~~
gonmf
I thought this too!

