author | Niels Möller <nisse@lysator.liu.se> | 2018-11-28 22:42:56 +0100 |
---|---|---|
committer | Niels Möller <nisse@lysator.liu.se> | 2018-11-28 22:42:56 +0100 |
commit | 07f5ea1613af360debad212e2086ee0bc9740553 (patch) | |
tree | 0716c11d7b3a0a022b9bce86c3cca3552ad04c22 /NEWS | |
parent | 1fe332ad8b92c6dc3c68d82f8f79f132726d9091 (diff) | |
download | nettle-07f5ea1613af360debad212e2086ee0bc9740553.tar.gz |
Update NEWS file for 3.4.1. (tag: nettle_3.4.1rc1)
Mention dependency on GMP-6, and RSA performance regression.
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 64 |
1 files changed, 41 insertions, 23 deletions
@@ -2,45 +2,47 @@ NEWS for the Nettle 3.4.1 release This release fixes a few bugs, and makes the RSA private key operations side channel silent. The RSA improvements are - contributed by Simo Sorce and Red Hat, and includes one new - public function. + contributed by Simo Sorce and Red Hat, and include one new + public function, rsa_sec_decrypt, see below. - All functions handling RSA private keys are now side-channel + All functions using RSA private keys are now side-channel silent, meaning that they try hard to avoid any branches or memory accesses depending on secret data. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family - of functions, and the processing of pkcs#1 padding. + of functions, and the processing of PKCS#1 padding needed for + RSA decryption. Nettle's ECC functions were already side-channel silent, while the DSA functions still aren't. There's also one caveat regarding the improved RSA functions: due to small table lookups in relevant mpn_sec_* functions in GMP-6.1.2, the lowest and highest few bits of the secret factors p and q may - leak. I'm not aware of any attacks on RSA where knowing a few - bits of the factors makes a significant difference. This leak - will likely be plugged in later GMP versions). + still leak. I'm not aware of any attacks on RSA where knowing + a few bits of the factors makes a significant difference. This + leak will likely be plugged in later GMP versions. Changes in behavior: - * The old rsa_decrypt_tr may now clobber all of the provided - message buffer, independent of the actual message length. It - is side-channel silent, in that branches and memory accesses - don't depend on the validity or length of the message. - Side-channel leakage from the caller's use of length and - return value may still provide an oracle useable for a - Bleichenbacher-style chosen ciphertext attack. Which is why - the new function rsa_sec_decrypt, see below, is recommended. 
+ * The functions rsa_decrypt and rsa_decrypt_tr may now clobber + all of the provided message buffer, independent of the + actual message length. They are side-channel silent, in that + branches and memory accesses don't depend on the validity or + length of the message. Side-channel leakage from the + caller's use of length and return value may still provide an + oracle useable for a Bleichenbacher-style chosen ciphertext + attack. Which is why the new function rsa_sec_decrypt is + recommended. New features: - * New function rsa_sec_decrypt. It differs from rsa_decrypt_tr - in that the length of the decrypted message is given a - priori, and pkcs#1 padding indicating a different length is - treated as an error. For applications that may be subject to - chosen ciphertext attacks, it is recommended to initialize - the message area with random data, call this function, and - ignore the return value. This applies in particular to - RSA-based key exchange in the TLS protocol. + * A new function rsa_sec_decrypt. It differs from + rsa_decrypt_tr in that the length of the decrypted message + is given a priori, and PKCS#1 padding indicating a different + length is treated as an error. For applications that may be + subject to chosen ciphertext attacks, it is recommended to + initialize the message area with random data, call this + function, and ignore the return value. This applies in + particular to RSA-based key exchange in the TLS protocol. Bug fixes: 
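Review bot: the new rsa_sec_decrypt entry tells callers to pre-fill the message area with random data, call the function and ignore the return value, but never states what the buffer contains after a call whose padding was rejected; that advice only works if the buffer is left untouched on failure, so add one sentence saying so, otherwise a reader cannot see why the random pre-fill removes the oracle. In the same hunk, "Which is why the new function rsa_sec_decrypt is recommended." is a sentence fragment (suggest "This is why the new function rsa_sec_decrypt, see below, is recommended."), and "useable" should be "usable". The rewritten "Changes in behavior" bullet now also claims that plain rsa_decrypt may clobber the whole message buffer, while the performance entry in the next hunk lists only the blinding (_tr) functions; please confirm the clobbering claim for rsa_decrypt is intended rather than a copy of the rsa_decrypt_tr text.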
@@ -50,6 +52,22 @@ NEWS for the Nettle 3.4.1 release * Fix link error on the pss-mgf1-test test, affecting builds without public key support. + Performance regression: + + * All RSA private key operations employing RSA blinding, i.e., + rsa_decrypt_tr, rsa_*_sign_tr, the new rsa_sec_decrypt, and + rsa_compute_root_tr, are significantly slower. This is + because (i) RSA blinding now use side-channel silent + operations, (ii) blinding includes a modular inversion, and + (iii) side-channel silent modular inversion, implemented as + mpn_sec_invert, is very expensive. A 60% slowdown for + 2048-bit RSA keys have been measured. + + Miscellaneous: + + * Building the public key support of nettle now requires GMP + version 6.0 or later (unless --enable-mini-gmp is used). + The shared library names are libnettle.so.6.5 and libhogweed.so.4.5, with sonames still libnettle.so.6 and libhogweed.so.4. It is intended to be fully binary compatible |
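Review bot: the Miscellaneous entry makes the GMP 6.0 requirement conditional on not using --enable-mini-gmp, yet the first hunk attributes the side-channel silence to GMP's mpn_sec_* family; say explicitly whether a mini-gmp build gets the same guarantees, since otherwise the "All functions using RSA private keys are now side-channel silent" statement reads as unconditional. In the performance entry, "RSA blinding now use" should be "uses" and "A 60% slowdown for 2048-bit RSA keys have been measured" should be "has been measured"; it would also help to name the GMP version and platform the 60% figure was measured on, given that the whole cost is attributed to mpn_sec_invert.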