[Ach] Is PFS broken?

Hanno Böck hanno at hboeck.de
Tue Jun 14 07:26:29 CEST 2016


On Mon, 13 Jun 2016 21:46:19 +0200
Manuel Kraus <ach at lsd.is> wrote:

> http://shorty.is/pfsvuln
> 
> We'll see...

This sounds pretty much like the attack from Lenstra against RSA CRT
optimizations.

Florian Weimer did some research against practically vulnerable
implementations last year:
https://access.redhat.com/blogs/766093/posts/1976703

While I'm certainly interested to learn more about these results one
should be clear what this is:
a) it requires an implementation which occasionally creates faulty
results (due to hw failures, software bugs etc.)
b) it can be entirely prevented by checking the result of a CRT
optimization (or by avoiding its use in the first place).

And it has only to do with PFS in the sense that it affects RSA
signatures.
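An added example, not from the email or its author, of points a) and b) above in Python: a textbook RSA-CRT signer with a constructed toy key (two Mersenne primes, far too small for real use), a switch that simulates one corrupted half-computation, the verify-before-release check that stops the faulty value from ever leaving the signer, and the gcd observation from Lenstra that shows why an unchecked faulty signature must never be emitted.

```python
from math import gcd

# Constructed toy key: two Mersenne primes, chosen only so the example
# runs offline. Real keys are 2048+ bit and use padding.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)      # CRT exponents
QINV = pow(Q, -1, P)                   # q^-1 mod p for Garner recombination


def sign_crt(m, fault=False):
    """RSA-CRT signature of integer m (textbook, no padding).
    fault=True simulates a corrupted mod-q half, the kind of hardware or
    software error point a) in the email is about."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sq ^= 1                        # one flipped bit in the mod-q half
    h = (QINV * (sp - sq)) % P
    return sq + Q * h                  # Garner recombination


def sign_checked(m, fault=False):
    """Point b): verify the CRT result before releasing it.
    Returns None instead of a faulty signature."""
    s = sign_crt(m, fault)
    if pow(s, E, N) != m % N:
        return None                    # fault detected, never emit s
    return s


def leaked_factor(m, s):
    """Lenstra's observation: a signature that is right mod p but wrong
    mod q shares the factor p with N. Returns the recovered prime, or 0
    when the signature is correct and nothing leaks."""
    g = gcd((pow(s, E, N) - m) % N, N)
    return g if 1 < g < N else 0


if __name__ == "__main__":
    m = 12345
    print("checked, no fault :", sign_checked(m) is not None)
    print("checked, fault    :", sign_checked(m, fault=True))
    print("unchecked leak    :", leaked_factor(m, sign_crt(m, fault=True)) == P)
```

Swapping `sign_crt` for `sign_checked` costs one extra public-exponent exponentiation per signature, which is cheap next to the private operation it protects.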



-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: BBB51E42