author | Werner Koch <wk@gnupg.org> | 2016-06-03 15:42:53 +0200 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2016-06-08 18:18:19 +0200 |
commit | 1f769e3e8442bae2f1f73c656920bb2df70153c0 (patch) | |
tree | 78090723ae73f0e80dec6db7e6103c477b42621c /cipher/rsa.c | |
parent | 52cdfb1960808aaad48b5a501bbce0e3141c3961 (diff) | |
rsa: Implement blinding also for signing.
* cipher/rsa.c (rsa_decrypt): Factor blinding code out to ...
(secret_blinded): new.
(rsa_sign): Use blinding by default.
--
Although blinding of the RSA sign operation has a noticeable speed
loss, we had better be on the safe side by using it by default.
Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'cipher/rsa.c')
-rw-r--r-- | cipher/rsa.c | 92 |
1 files changed, 48 insertions, 44 deletions
diff --git a/cipher/rsa.c b/cipher/rsa.c
index cb3c464a..ce8e215b 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -1045,7 +1045,48 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey )
 }
 }
+static void
+secret_blinded (gcry_mpi_t output, gcry_mpi_t input,
+ RSA_secret_key *sk, unsigned int nbits)
+{
+ gcry_mpi_t r; /* Random number needed for blinding. */
+ gcry_mpi_t ri; /* Modular multiplicative inverse of r. */
+ gcry_mpi_t bldata; /* Blinded data to decrypt. */
+
+ /* First, we need a random number r between 0 and n - 1, which is
+ * relatively prime to n (i.e. it is neither p nor q). The random
+ * number needs to be only unpredictable, thus we employ the
+ * gcry_create_nonce function by using GCRY_WEAK_RANDOM with
+ * gcry_mpi_randomize. */
+ r = mpi_snew (nbits);
+ ri = mpi_snew (nbits);
+ bldata = mpi_snew (nbits);
+
+ do
+ {
+ _gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM);
+ mpi_mod (r, r, sk->n);
+ }
+ while (!mpi_invm (ri, r, sk->n));
+
+ /* Do blinding. We calculate: y = (x * r^e) mod n, where r is the
+ * random number, e is the public exponent, x is the non-blinded
+ * input data and n is the RSA modulus. */
+ mpi_powm (bldata, r, sk->e, sk->n);
+ mpi_mulm (bldata, bldata, input, sk->n);
+ /* Perform decryption. */
+ secret (output, bldata, sk);
+ _gcry_mpi_release (bldata);
+
+ /* Undo blinding. Here we calculate: y = (x * r^-1) mod n, where x
+ * is the blinded decrypted data, ri is the modular multiplicative
+ * inverse of r and n is the RSA modulus. */
+ mpi_mulm (output, output, ri, sk->n);
+
+ _gcry_mpi_release (r);
+ _gcry_mpi_release (ri);
+}
 /*********************************************
 ************** interface ******************
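Review bot: secret_blinded has no header comment and takes the modulus width as a separate nbits parameter even though sk->n is already available; both callers pass ctx.nbits from the encoding context, so if that value ever disagrees with the actual size of sk->n the mpi_snew buffers and the _gcry_mpi_randomize width would not match the modulus used in mpi_mod and mpi_invm. Consider deriving it internally with `unsigned int nbits = mpi_get_nbits (sk->n);` and dropping the parameter, or at least stating the requirement in the header. A header along the lines of `/* Like secret() but blind INPUT with a fresh random factor before the private-key operation and unblind OUTPUT afterwards (mitigates remote timing attacks). */` would make the contract explicit. The comment above the do/while loop still says gcry_create_nonce is employed while the code calls _gcry_mpi_randomize with GCRY_WEAK_RANDOM; it should describe what the code actually does.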
@@ -1266,9 +1307,6 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
 gcry_mpi_t data = NULL;
 RSA_secret_key sk = {NULL, NULL, NULL, NULL, NULL, NULL};
 gcry_mpi_t plain = NULL;
- gcry_mpi_t r = NULL; /* Random number needed for blinding. */
- gcry_mpi_t ri = NULL; /* Modular multiplicative inverse of r. */
- gcry_mpi_t bldata = NULL;/* Blinded data to decrypt. */
 unsigned char *unpad = NULL;
 size_t unpadlen = 0;
@@ -1321,44 +1359,10 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
 /* We use blinding by default to mitigate timing attacks which can
 be practically mounted over the network as shown by Brumley and
 Boney in 2003. */
- if (!(ctx.flags & PUBKEY_FLAG_NO_BLINDING))
- {
- /* First, we need a random number r between 0 and n - 1, which
- is relatively prime to n (i.e. it is neither p nor q). The
- random number needs to be only unpredictable, thus we employ
- the gcry_create_nonce function by using GCRY_WEAK_RANDOM with
- gcry_mpi_randomize. */
- r = mpi_snew (ctx.nbits);
- ri = mpi_snew (ctx.nbits);
- bldata = mpi_snew (ctx.nbits);
-
- do
- {
- _gcry_mpi_randomize (r, ctx.nbits, GCRY_WEAK_RANDOM);
- mpi_mod (r, r, sk.n);
- }
- while (!mpi_invm (ri, r, sk.n));
-
- /* Do blinding. We calculate: y = (x * r^e) mod n, where r is
- the random number, e is the public exponent, x is the
- non-blinded data and n is the RSA modulus. */
- mpi_powm (bldata, r, sk.e, sk.n);
- mpi_mulm (bldata, bldata, data, sk.n);
-
- /* Perform decryption. */
- secret (plain, bldata, &sk);
- _gcry_mpi_release (bldata); bldata = NULL;
-
- /* Undo blinding. Here we calculate: y = (x * r^-1) mod n,
- where x is the blinded decrypted data, ri is the modular
- multiplicative inverse of r and n is the RSA modulus. */
- mpi_mulm (plain, plain, ri, sk.n);
-
- _gcry_mpi_release (r); r = NULL;
- _gcry_mpi_release (ri); ri = NULL;
- }
- else
+ if ((ctx.flags & PUBKEY_FLAG_NO_BLINDING))
 secret (plain, data, &sk);
+ else
+ secret_blinded (plain, data, &sk, ctx.nbits);
 if (DBG_CIPHER)
 log_printmpi ("rsa_decrypt res", plain);
@@ -1403,9 +1407,6 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
 _gcry_mpi_release (sk.q);
 _gcry_mpi_release (sk.u);
 _gcry_mpi_release (data);
- _gcry_mpi_release (r);
- _gcry_mpi_release (ri);
- _gcry_mpi_release (bldata);
 sexp_release (l1);
 _gcry_pk_util_free_encoding_ctx (&ctx);
 if (DBG_CIPHER)
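Review bot: The new condition `if ((ctx.flags & PUBKEY_FLAG_NO_BLINDING))` carries a redundant outer pair of parentheses, and the same form is repeated in the rsa_sign hunk below; `if (ctx.flags & PUBKEY_FLAG_NO_BLINDING)` is the conventional spelling and avoids the appearance of a forgotten `!` now that the branches have been swapped. The explanatory comment about timing attacks now directly precedes the opt-out test, so a reader may take it as describing the unblinded branch; rephrasing the first line of that comment or moving it onto the `else` would keep the rationale attached to the blinded default. rsa_decrypt begins and ends outside this hunk.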
@@ -1461,7 +1462,10 @@ rsa_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms)
 /* Do RSA computation. */
 sig = mpi_new (0);
- secret (sig, data, &sk);
+ if ((ctx.flags & PUBKEY_FLAG_NO_BLINDING))
+ secret (sig, data, &sk);
+ else
+ secret_blinded (sig, data, &sk, ctx.nbits);
 if (DBG_CIPHER)
 log_printmpi ("rsa_sign res", sig);
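Review bot: The blinded default added to rsa_sign has no comment explaining why, whereas the matching branch in rsa_decrypt cites the Brumley and Boneh timing attack; someone reading rsa_sign alone cannot tell why the private-key operation pays the speed cost the commit message acknowledges, nor that PUBKEY_FLAG_NO_BLINDING is the deliberate opt-out. A short comment above the new `if`, such as `/* Blind by default, as in rsa_decrypt: a private-key operation on attacker-chosen input is exposed to remote timing attacks. */`, would carry the rationale. rsa_sign begins and ends outside this hunk.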