* cipher/rsa.c (secret_core_crt): Blind secret D with randomized
nonce R for mpi_powm computation.
--
Backport of libgcrypt 8725c99ffa41778f382ca97233183bcd687bb0ce.
Signed-off-by: Marcus Brinkmann <mb@g10code.com>
* cipher/rsa.c (rsa_sign): Verify after sign.
* g10/gpg.c (opts): Make --no-sig-create-check a NOP.
* g10/options.h (opt): Remove field "no_sig_create_check".
* g10/sign.c (do_sign): Do check only for DSA.
Signed-off-by: Werner Koch <wk@gnupg.org>
* cipher/rsa.c (secret): Normalize the INPUT.
(rsa_decrypt): Pass reduced data to secret.
* cipher/elgamal.c (decrypt): Normalize A and B.
* cipher/dsa.c (sign): Normalize HASH.
--
mpi_normalize is in general not required because extra leading zeroes
do not harm the computation. However, adding extra all zero limbs or
padding with multiples of N may be useful in side-channel attacks. In
particular they are used by the acoustic crypt-analysis. This is an
extra pre-caution which alone would not be sufficient to mitigate the
described attack.
CVE-id: CVE-2013-4576
Signed-off-by: Werner Koch <wk@gnupg.org>
* cipher/random.c (randomize_mpi): New.
* g10/gpgv.c (randomize_mpi): New stub.
* cipher/rsa.c (USE_BLINDING): Define macro.
(secret): Implement blinding.
--
GPG 1.x has never used any protection against timing attacks on the
RSA secret operation. The rationale for this has been that there was
no way to mount a remote timing attack on GnuPG. With the turning up
of Acoustic Cryptanalysis (http://cs.tau.ac.il/~tromer/acoustic) this
assumption no longer holds true and thus we need to do do something
about it. Blinding seems to be a suitable mitigation to the threat of
key extraction. It does not help against distinguishing used keys,
though.
Note that GPG 2.x uses Libgcrypt which does blinding by default.
The performance penalty is negligible: Modifying the core pubkey_sign
or pubkey_decrypt function to run 100 times in a loop, the entire
execution times for signing or decrypting a small message using a 4K
RSA key on a Thinkpad X220 are
Without blinding: 5.2s (8.9s)
With blinding: 5.6s (9.3s)
The numbers in parentheses give the values without the recently
implemented k-ary exponentiation code. Thus for the next release the
user will actually experience faster signing and decryption. A
drawback of blinding is that we need random numbers even for
decryption (albeit at low quality).
Signed-off-by: Werner Koch <wk@gnupg.org>
CVE-id: CVE-2013-4576
error. However the backupfile has been created successfully.
* rsa.c (rsa_generate): Return the dummy list of factors only if
the caller asked for it.
* card_util.c (generate_card_keys): ask whether backup should be
created.
(card_store_subkey): Factored some code out to ..
* keygen.c (save_unprotected_key_to_card): .. new function.
(gen_card_key_with_backup): New.
(generate_raw_key): New.
(generate_keypair): New arg BACKUP_ENCRYPTION_DIR. Changed all
callers.
(do_generate_keypair): Divert to gen_card_key_with_backup when
desired.
rijndael.c, rndunix.c, sha256.c, cast5.c, idea-stub.c, rmd160.c, rndw32.c,
sha512.c, md5.c, rmd160test.c, rsa.c, tiger.c: Edit all preprocessor
instructions to remove whitespace before the '#'. This is not required by
C89, but there are some compilers out there that don't like it.
