
IIUC, the original 2001 countermeasure for this is embedded in the modexp routine, and both OpenSSL (in rsa_ossl.c) and LibreSSL libcrypto (in rsa_eay.c) have substantially the same logic.

Look for the comment:

    /*
     * 'I' and 'vrfy' aren't congruent mod n. Don't leak
     * miscalculated CRT output, just do a raw (slower)
     * mod_exp and return that instead.
     */



Note that in the OpenSSL case at least, this check is in the default engine/plugin, not in generic code. If you load a different plugin, you only get protection if the engine/plugin implements a similar check internally.

(I expect that LibreSSL removed the plugin framework, but I haven't checked.)
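The check the comment above quotes is the classic RSA-CRT fault countermeasure: after computing the private-key operation via the two half-size exponentiations mod p and mod q, re-encrypt the result with the public exponent and confirm it is congruent to the input mod n; if not, discard the CRT output and recompute with a plain modular exponentiation. The following is an added illustration of that logic, not OpenSSL's or LibreSSL's code; the key (the small textbook primes 61 and 53 with e = 17), the function names and the `fault_p` switch that simulates a miscalculated mod-p half are all constructed for the example.

```python
# Added example (not OpenSSL/LibreSSL code): RSA-CRT private-key operation
# guarded by the "re-encrypt and compare" check described in the comment.
# The key below is a constructed toy key (p = 61, q = 53, e = 17); real keys
# are thousands of bits and the CRT halves are computed in constant time.

from dataclasses import dataclass


@dataclass(frozen=True)
class RsaKey:
    n: int
    e: int
    d: int
    p: int
    q: int
    dp: int    # d mod (p - 1)
    dq: int    # d mod (q - 1)
    qinv: int  # q^-1 mod p


def make_key(p: int, q: int, e: int = 65537) -> RsaKey:
    """Derive the full CRT key from two primes and a public exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # Python 3.8+ modular inverse
    return RsaKey(n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))


# Constructed toy key: n = 3233, d = 2753, dp = 53, dq = 49, qinv = 38.
TOY_KEY = make_key(61, 53, e=17)


def crt_modexp(key: RsaKey, I: int, fault_p: bool = False) -> int:
    """I^d mod n via Garner's CRT recombination of the mod-p and mod-q halves.

    fault_p=True flips the low bit of the mod-p half to model a hardware or
    software miscalculation in one branch; this is the situation the
    congruence check exists to catch.
    """
    m1 = pow(I, key.dp, key.p)
    m2 = pow(I, key.dq, key.q)
    if fault_p:
        m1 ^= 1  # simulated computation error confined to the mod-p half
    h = (key.qinv * (m1 - m2)) % key.p
    return m2 + h * key.q


def private_op(key: RsaKey, I: int, fault_p: bool = False) -> tuple[int, bool]:
    """Return (result, fell_back).

    Mirrors the quoted logic: compute the CRT result, re-encrypt it with the
    public exponent, and if 'I' and 'vrfy' are not congruent mod n, do not
    return the miscalculated CRT output; recompute with a raw (slower)
    mod_exp instead.
    """
    r = crt_modexp(key, I, fault_p)
    vrfy = pow(r, key.e, key.n)
    if vrfy != I % key.n:
        return pow(I, key.d, key.n), True
    return r, False


if __name__ == "__main__":
    # 2790 is 65^17 mod 3233, so the private operation should recover 65.
    print(private_op(TOY_KEY, 2790))                # (65, False)
    print(crt_modexp(TOY_KEY, 2790, fault_p=True))  # 2079: the bad CRT output
    print(private_op(TOY_KEY, 2790, fault_p=True))  # (65, True): caught, fell back
```

Without the check, `crt_modexp` would hand back 2079 as if it were a valid result; with it, the caller gets the correct value and a signal that the fast path misbehaved. As the comment notes, in OpenSSL this logic lives in the default RSA method, so an alternative engine or provider that supplies its own `rsa_mod_exp` has to carry an equivalent check itself.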
