mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-23 10:29:58 +01:00
93a96e3c0c
* cipher/random.c (randomize_mpi): New. * g10/gpgv.c (randomize_mpi): New stub. * cipher/rsa.c (USE_BLINDING): Define macro. (secret): Implement blinding. -- GPG 1.x has never used any protection against timing attacks on the RSA secret operation. The rationale for this has been that there was no way to mount a remote timing attack on GnuPG. With the turning up of Acoustic Cryptanalysis (http://cs.tau.ac.il/~tromer/acoustic) this assumption no longer holds true and thus we need to do do something about it. Blinding seems to be a suitable mitigation to the threat of key extraction. It does not help against distinguishing used keys, though. Note that GPG 2.x uses Libgcrypt which does blinding by default. The performance penalty is negligible: Modifying the core pubkey_sign or pubkey_decrypt function to run 100 times in a loop, the entire execution times for signing or decrypting a small message using a 4K RSA key on a Thinkpad X220 are Without blinding: 5.2s (8.9s) With blinding: 5.6s (9.3s) The numbers in parentheses give the values without the recently implemented k-ary exponentiation code. Thus for the next release the user will actually experience faster signing and decryption. A drawback of blinding is that we need random numbers even for decryption (albeit at low quality). Signed-off-by: Werner Koch <wk@gnupg.org> CVE-id: CVE-2013-4576
43 lines
1.4 KiB
C
43 lines
1.4 KiB
C
/* random.h - random functions
|
|
* Copyright (C) 1998, 1999, 2000, 2001 Free Software Foundation, Inc.
|
|
*
|
|
* This file is part of GnuPG.
|
|
*
|
|
* GnuPG is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* GnuPG is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
#ifndef G10_RANDOM_H
|
|
#define G10_RANDOM_H
|
|
|
|
#include "types.h"
|
|
|
|
/*-- random.c --*/
|
|
void random_dump_stats(void);
|
|
void secure_randoxmalloc(void);
|
|
void set_random_seed_file(const char *);
|
|
void update_random_seed_file(void);
|
|
int quick_random_gen( int onoff );
|
|
int random_is_faked(void);
|
|
void random_disable_locking (void);
|
|
void randomize_buffer( byte *buffer, size_t length, int level );
|
|
void randomize_mpi (MPI mpi, size_t nbits, int level);
|
|
byte *get_random_bits( size_t nbits, int level, int secure );
|
|
void fast_random_poll( void );
|
|
|
|
/*-- rndw32.c --*/
|
|
#ifdef USE_STATIC_RNDW32
|
|
void rndw32_set_dll_name( const char *name );
|
|
#endif
|
|
|
|
#endif /*G10_RANDOM_H*/
|