Hi,

we have an application that will make heavy use of RSA_private_decrypt()
to decrypt passwords. Do we have to use RSA_blinding_on() to protect us
from timing attacks?
All I found is some older advisory that blinding is activated by default
(http://www.mail-archive.com/openssl-users@openssl.org/msg30716.html),
but the docs say nothing about that
(http://www.openssl.org/docs/crypto/RSA_blinding_on.html).

And if we have to use RSA_blinding_on(), is it enough to activate it
once at application?


TIA&Regards
Jakob
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
