On Mon, 23 May 2011, Aris Adamantiadis wrote:
> Dear OpenSSH devs,
> I came across this paper yesterday. http://eprint.iacr.org/2011/232
> It states that they were able to recover ECDSA keys from TLS servers by
> using timing attacks against OpenSSL's ECDSA implementation.
> Is that known to be exploitable by OpenSSH? (In my understanding, it's
> easy to get a payload signed by ECDSA during the key exchange so my
> opinion is that it is). There's a patch for openssl in the paper, that
> removes the detectable optimization. Would you consider blacklisting
> openssl versions that do not implement that workaround?
This result concerns binary/GF(2^m) fields only and not the prime fields
that OpenSSH uses in recent versions.
Unless a similar timing oracle is found for GF(p) fields, no
OpenSSH-side workaround is required.
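The reply turns on which field the ECDSA curve lives in, so the practical check for an administrator is whether every ECDSA key in use names one of the prime-field curves OpenSSH implements (nistp256, nistp384, nistp521). The following is an added example, not code from this thread or from OpenSSH: a Python audit script that parses OpenSSH public-key lines (the RFC 4251 string-encoded blob) and reports the curve and field kind for each. The helper `make_pubkey_line` and the sample lines are constructed for offline use; the points in them are all-zero placeholders in the correct wire layout, not valid curve points.

```python
import base64
import struct

# Curves OpenSSH implements for ecdsa-sha2-* keys: all three are prime-field
# (GF(p)) curves. Coordinate size in bytes is used to sanity-check the point.
OPENSSH_PRIME_CURVES = {"nistp256": 32, "nistp384": 48, "nistp521": 66}


def _read_string(buf, offset):
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[start:end], end


def _write_string(data):
    """Encode bytes as an RFC 4251 'string'."""
    return struct.pack(">I", len(data)) + data


def make_pubkey_line(key_type, fields, comment="constructed"):
    """Build an OpenSSH public-key line from raw blob fields.
    Hypothetical helper used only to construct offline sample input."""
    blob = b"".join(_write_string(f) for f in [key_type.encode()] + fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def classify_pubkey_line(line):
    """Parse 'type base64 [comment]' and report which field the key lives in.

    Returns a dict: type, curve (None for non-ECDSA keys) and field, one of
    'prime' (nistp*), 'unsupported' (any other named curve) or 'not-ecdsa'.
    Raises ValueError on malformed or internally inconsistent input.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    blob = base64.b64decode(blob_b64, validate=True)

    wire_type, offset = _read_string(blob, 0)
    if wire_type.decode("ascii", "replace") != key_type:
        raise ValueError("key type on the line does not match the blob")

    if not key_type.startswith("ecdsa-sha2-"):
        return {"type": key_type, "curve": None, "field": "not-ecdsa"}

    curve_raw, offset = _read_string(blob, offset)
    point, offset = _read_string(blob, offset)
    if offset != len(blob):
        raise ValueError("trailing bytes after ECDSA point")
    curve = curve_raw.decode("ascii", "replace")
    if key_type != "ecdsa-sha2-" + curve:
        raise ValueError("curve identifier disagrees with key type")

    if curve not in OPENSSH_PRIME_CURVES:
        return {"type": key_type, "curve": curve, "field": "unsupported"}

    # OpenSSH stores Q uncompressed: 0x04 || X || Y, fixed-size coordinates.
    expected_len = 1 + 2 * OPENSSH_PRIME_CURVES[curve]
    if point[:1] != b"\x04" or len(point) != expected_len:
        raise ValueError(f"malformed point for {curve}: {len(point)} bytes")
    return {"type": key_type, "curve": curve, "field": "prime"}


def audit_lines(lines):
    """Classify every non-blank, non-comment line (e.g. an authorized_keys
    file). Returns a list of (line_number, result); parse errors are
    reported in the 'field' entry rather than aborting the audit."""
    out = []
    for n, line in enumerate(lines, 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        try:
            out.append((n, classify_pubkey_line(s)))
        except ValueError as e:
            out.append((n, {"type": None, "curve": None, "field": f"error: {e}"}))
    return out


# Constructed sample input: all-zero placeholder points/keys (not real curve
# points) wrapped in the genuine OpenSSH wire layout.
SAMPLE_LINES = [
    "# constructed authorized_keys excerpt",
    make_pubkey_line("ecdsa-sha2-nistp256", [b"nistp256", b"\x04" + bytes(64)], "host-a"),
    make_pubkey_line("ecdsa-sha2-nistp521", [b"nistp521", b"\x04" + bytes(132)], "host-b"),
    make_pubkey_line("ssh-ed25519", [bytes(32)], "host-c"),
    make_pubkey_line("ecdsa-sha2-sect283r1", [b"sect283r1", b"\x04" + bytes(72)], "bogus"),
]

if __name__ == "__main__":
    for n, r in audit_lines(SAMPLE_LINES):
        print(n, r["type"], r["curve"], r["field"])
```

Feed it the key column of a known_hosts file or an authorized_keys file; any result other than `prime` or `not-ecdsa` is a key that an OpenSSH built from the normal curve set would not have produced and deserves a closer look. The consistency checks (type prefix versus blob, curve name versus type, exact uncompressed-point length) are the same kinds of checks a parser should make before trusting a key blob from an untrusted source.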
openssh-unix-dev mailing list