I don't know of any list, but everything that deals with secrets has some
constant-time portion. This applies to both long-lived and ephemeral
secrets, and includes clients and servers. How practical an attack is
depends on many factors, including the application itself, but I think we
have ample evidence by now that constant-time should be a default baseline
requirement for implementing any cryptographic primitive.

Usually and preferably, the constant-time portions are in the cryptographic
primitives themselves, rather than TLS. But depending on how the
implementation is structured, this can leak into TLS itself, particularly
with flawed legacy modes. The legacy RSA key exchange uses a broken
encryption mode and needs to avoid the Bleichenbacher attack, and the
legacy CBC cipher suites use a broken MAC-then-encrypt construction and
need to avoid the Lucky 13 attack. This is among many reasons they were
removed in TLS 1.3.

David

On Mon, May 17, 2021 at 7:57 PM Michael D'Errico <mike-l...@pobox.com>
wrote:

> Also, is it necessary for a TLS client to care about implementing
> algorithms in constant time, or is this only of concern to servers?
>
> Thanks,
>
> Mike
>
>
>
> On 5/14/21 14:56, Michael D'Errico wrote:
>
> Hi,
>
> Is there a list somewhere stating which parts of TLS
> require constant-time algorithms?
>
> Mike
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
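The reply above notes that the legacy RSA key exchange has to avoid the Bleichenbacher attack. As an added example (not part of the thread and not taken from any TLS library), this is the substitution countermeasure from RFC 5246 section 7.4.7.1 written without secret-dependent branches. It goes beyond what the message states; the names `tls_rsa_premaster_ct` and `demo` and the sample block are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PMS_LEN 48

/* 0xFF if x == 0, else 0x00, with no secret-dependent branch. */
static uint8_t ct_is_zero(uint8_t x) { return (uint8_t)(((uint32_t)x - 1) >> 24); }
static uint8_t ct_eq(uint8_t a, uint8_t b) { return ct_is_zero((uint8_t)(a ^ b)); }

/* em: k-byte result of raw RSA decryption (the caller performs that step).
 * fallback: 48 random bytes the caller generated BEFORE decrypting.
 * Always writes a 48-byte premaster secret; a padding or version failure is
 * never reported, so a bad ciphertext only fails later at Finished. */
int tls_rsa_premaster_ct(const uint8_t *em, size_t k, uint8_t major, uint8_t minor,
                         const uint8_t fallback[PMS_LEN], uint8_t out[PMS_LEN]) {
    if (k < 11 + PMS_LEN) return -1;          /* modulus size is public */
    size_t sep = k - PMS_LEN - 1;             /* only valid place for the 0x00 separator */
    uint8_t good = (uint8_t)(ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02));
    for (size_t i = 2; i < sep; i++)          /* padding bytes must be nonzero */
        good &= (uint8_t)~ct_is_zero(em[i]);
    good &= ct_is_zero(em[sep]);
    good &= (uint8_t)(ct_eq(em[sep + 1], major) & ct_eq(em[sep + 2], minor));
    for (size_t i = 0; i < PMS_LEN; i++)      /* branch-free select */
        out[i] = (uint8_t)((em[sep + 1 + i] & good) | (fallback[i] & (uint8_t)~good));
    return 0;
}

/* Constructed sample: a 128-byte decrypted block carrying version 03 03.
 * corrupt_at >= 0 flips the low bit of one byte. Returns 1 if the decrypted
 * secret was used, 0 if the random fallback was substituted. */
int demo(int corrupt_at) {
    uint8_t em[128], fb[PMS_LEN], out[PMS_LEN];
    memset(em, 0x01, sizeof em);              /* nonzero padding */
    em[0] = 0x00; em[1] = 0x02; em[79] = 0x00;
    for (int i = 0; i < PMS_LEN; i++) { em[80 + i] = (uint8_t)(i + 1); fb[i] = 0xEE; }
    em[80] = 0x03; em[81] = 0x03;
    if (corrupt_at >= 0) em[corrupt_at] ^= 0x01;
    tls_rsa_premaster_ct(em, sizeof em, 3, 3, fb, out);
    return memcmp(out, em + 80, PMS_LEN) == 0; /* demo check only, not constant time */
}
```

The RSA decryption that produces `em` has to be constant time as well, and the compiled output should be inspected, since an optimizer may turn masking back into branches.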