Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Investigate RSA side channel from Usenix Security #1222

Closed
randombit opened this issue Sep 25, 2017 · 6 comments
Closed

Investigate RSA side channel from Usenix Security #1222

randombit opened this issue Sep 25, 2017 · 6 comments

Comments

@randombit
Copy link
Owner

Looking through papers from this years Usenix Security I come across an interesting one on identifying cache-based timing channels.

https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/wang-shuai

Hm I wonder what bugs they found... from the abstract "Moreover, we have successfully discovered previously unknown issues in two widely used cryptosystems, OpenSSL and Botan." well then!

They analyze 1.10.3 but the paper mentions "we notice that this vulnerability affects
several other versions of Botan, including 1.10.12, 1.10.11, and 1.11.33." (and so presumably 2.x also).

Haven't read the paper carefully enough to understand the issue yet but hopefully this can be addressed in time for 2.3

FTR I never received any contact about this ... shrug

@randombit
Copy link
Owner Author

randombit commented Sep 26, 2017

Assigned CVE-2017-14737

@vpereira
Copy link

will this issue be backported to branch 1.10?

thank you

@randombit
Copy link
Owner Author

Yes I plan to backport the patch and release 1.10.17 at the same time as 2.3.0

@randombit
Copy link
Owner Author

Fixed in trunk, releases coming on Monday

@kriskwiatkowski
Copy link
Collaborator

Any idea if they have released this CacheD tool ? I can't find it.

@randombit
Copy link
Owner Author

I emailed the authors on that topic, they replied that it was not public yet and they were considering their options.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants