Howdy Folks,I spoke at the OpenSSL Conference in Prague last week, where I stepped through the following demo I wrote
https://gitlab.com/platsec/boringssl-keyload-vuln This was on BoringSSL main HEAD. (At the time, at least.)Here "constant time" is in the cryptographic sense. Time to load a private key should not depend on bits of said key taking certain values, yet it does in BoringSSL's implementation. Constant-time crypto code seems to be important to BoringSSL / Google.
I'm providing this information (and PoC) to the community in the spirit of transparency.
Cheers, BBB -- Dr. Billy B. Brumley, D.Sc. (Tech.) Director of Research, ESL Global Cybersecurity Institute (GCI) Kevin O'Sullivan Endowed Professor, Department of Cybersecurity (CSEC) Director, Platform Security Laboratory (PLATSEC) Rochester Institute of Technology Cybersecurity Hall 70-1770 100 Lomb Memorial Drive Rochester, NY, 14623-5608, USA S/MIME public key: https://people.rit.edu/bbbics/[email protected] S/MIME public key: https://people.rit.edu/bbbics/[email protected] https://www.rit.edu/directory/bbbics-billy-brumley https://www.rit.edu/cybersecurity/
smime.p7s
Description: S/MIME Cryptographic Signature
