Closed Bug 1166795 Opened 10 years ago Closed 10 years ago

Potential timing channel in RSA decryption

Categories

(NSS :: Libraries, defect)

3.18
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 577498

People

(Reporter: ekr, Unassigned, NeedInfo)

Details

Attachments

(1 file)

Attached patch timing.patch
The RSA decryption code in ssl3con.c (https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/ssl/ssl3con.c?from=ssl3_HandleRSAClientKeyExchange&case=true#9208) checks for errors in decryption and then, if it fails, generates a random PMS. If the generation of the random PMS takes significant time, this may create a timing channel which would provide an oracle for the attacker to determine whether a given EPMS is correctly PKCS#1 formatted.

I've taken some preliminary measurements which produce inconsistent results. For instance, here's a run which shows a time difference:

> v <- read.delim("valid-opt-times.out", sep=" ", header=FALSE)
> b <- read.delim("bogus-opt-times.out", sep=" ", header=FALSE)
> t.test(v$V3, b$V3)

        Welch Two Sample t-test

data:  v$V3 and b$V3
t = -7.5131, df = 9947.872, p-value = 6.272e-14
alternative hypothesis: true difference in means is not equal to 0
95 percent confidence interval:
 -78.87013 -46.23067
sample estimates:
mean of x mean of y
 4489.626  4552.177

And here's one which doesn't:

> valid <- read.delim("submit-valid.dat", sep=" ", header=FALSE)
> bogus <- read.delim("submit-bogus.dat", sep=" ", header=FALSE)
> t.test(valid$V3, bogus$V3)

        Welch Two Sample t-test

data:  valid$V3 and bogus$V3
t = -0.2268, df = 3957.834, p-value = 0.8206
alternative hypothesis: true difference in means is not equal to 0
95 percent confidence interval:
 -23.71714  18.79914
sample estimates:
mean of x mean of y
 4399.038  4401.497

So, it may be that the signal doesn't exist or that it's compiler or system dependent.
Wan-Teh, I would like to get your advice here on how to handle the session hash patch. Martin suggested that I factor out the RSA handling code because it had gotten too complicated, but if I do that, I would like to change the order of operations. Does that patch need to include a change for the non-session hash code as well?
Flags: needinfo?(wtc)
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release
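The reordering the reporter asks about (drawing the random PMS before the decryption result is examined) as an added Python sketch, not NSS code: pkcs1_v15_unpad_ct, derive_pms_leaky and derive_pms are assumed names operating on the raw RSA plaintext block, and Python gives no constant-time guarantee, so this shows only the structure of the fix.

```python
import os

PMS_LEN = 48  # TLS premaster secret is always 48 bytes


def pkcs1_v15_unpad_ct(em, out_len):
    """Check a PKCS#1 v1.5 type-2 block (the raw RSA plaintext) and extract
    the last out_len bytes. Returns (ok, candidate) with ok == 1 only when the
    block is 00 02 <at least 8 nonzero bytes> 00 <out_len bytes>. Every byte
    is inspected whatever the first error is, so control flow does not depend
    on where the padding went wrong."""
    k = len(em)
    sep = k - out_len - 1          # position of the 0x00 separator
    bad = int(sep < 10)            # fewer than 8 padding bytes is an error
    bad |= em[0]                   # must be 0x00
    bad |= em[1] ^ 0x02            # must be 0x02
    for i in range(2, sep):
        bad |= int(em[i] == 0)     # padding bytes must be nonzero
    bad |= em[sep]                 # separator must be 0x00
    return int(bad == 0), em[k - out_len:]


def derive_pms_leaky(em, rng=os.urandom):
    # Order described in the bug report: the random PMS is produced only after
    # the check fails, so a slow RNG adds time to the bad-padding path alone.
    ok, candidate = pkcs1_v15_unpad_ct(em, PMS_LEN)
    return candidate if ok else rng(PMS_LEN)


def derive_pms(em, rng=os.urandom):
    # Reordered: the fallback PMS is drawn before the padding is examined, so
    # the RNG cost is paid on every path; the result is then selected with a
    # byte mask rather than a data-dependent branch.
    fake = rng(PMS_LEN)
    ok, candidate = pkcs1_v15_unpad_ct(em, PMS_LEN)
    mask = (-ok) & 0xFF            # 0xFF when ok, 0x00 otherwise
    return bytes((c & mask) | (f & (mask ^ 0xFF))
                 for c, f in zip(candidate, fake))
```

A Welch t-test over per-path timings, as in the comment's R session, is the check that the RNG cost no longer separates the valid and bogus populations once the reordering is in place.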