mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-09 09:27:59 +00:00
d8fda3b6da
Now that I've removed side-channel leakage from both prime candidate
generation (via mp_unsafe_mod_integer) and Miller-Rabin, the
probabilistic prime generation system in this code base is now able to
get through testsc without it detecting any source of cache or timing
side channels. So you should be able to generate an RSA key (in which
the primes themselves must be secret) in a more hostile environment
than you could previously be confident of.
This is a bit counterintuitive, because _obviously_ random prime
generation takes a variable amount of time, because it has to keep
retrying until an attempt succeeds! But that's OK as long as the
attempts are completely independent, because then any timing or cache
information leaked by a _failed_ attempt will only tell an attacker
about the numbers used in the failed attempt, and those numbers have
been thrown away, so it doesn't matter who knows them. It's only
important that the _successful_ attempt, from generating the random
candidate through to completing its verification as (probably) prime,
should be side-channel clean, because that's the attempt whose data is
actually going to be turned into a private key that needs to be kept
secret.
(In particular, this means you have to avoid the old-fashioned
strategy of generating successive prime candidates by incrementing a
starting value until you find something not divisible by any small
prime, because the number of iterations of that method would be a
timing leak. Happily, we stopped doing that last year, in commit
|
||
|---|---|---|
| .. | ||
| utils | ||
| agent-client.c | ||
| agent-socket.c | ||
| askpass.c | ||
| cliloop.c | ||
| CMakeLists.txt | ||
| columns.c | ||
| columns.h | ||
| config-gtk.c | ||
| config-unix.c | ||
| console.c | ||
| dialog.c | ||
| fd-socket.c | ||
| gss.c | ||
| gtk-common.c | ||
| gtkcompat.h | ||
| gtkmisc.h | ||
| keygen-noise.c | ||
| local-proxy.c | ||
| main-gtk-application.c | ||
| main-gtk-simple.c | ||
| network.c | ||
| no-gtk.c | ||
| noise.c | ||
| osxlaunch.c | ||
| pageant.c | ||
| peerinfo.c | ||
| platform.h | ||
| plink.c | ||
| printing.c | ||
| procnet.c | ||
| psocks.c | ||
| psusan.c | ||
| pterm-config-xpm.c | ||
| pterm-xpm.c | ||
| pterm.bundle | ||
| pterm.c | ||
| pterm.plist | ||
| pty.c | ||
| putty-config-xpm.c | ||
| putty-xpm.c | ||
| putty.bundle | ||
| putty.c | ||
| putty.plist | ||
| serial.c | ||
| sftp.c | ||
| sftpserver.c | ||
| sharing.c | ||
| storage.c | ||
| unicode.c | ||
| unifont.c | ||
| unifont.h | ||
| uppity.c | ||
| uxsel.c | ||
| window.c | ||
| x11.c | ||
| x11misc.h | ||