[Swan] FYI: Factoring private RSA keys research

Paul Wouters paul at nohats.ca
Thu Sep 3 17:45:15 UTC 2015


 	Back in 1996, Arjen Lenstra described an attack against an optimization
 	(called the Chinese Remainder Theorem optimization, or RSA-CRT for
 	short). If a fault happened during the computation of a signature
 	(using the RSA-CRT optimization), an attacker might be able to recover
 	the private key from the signature (an “RSA-CRT key leak”).


While the paper focuses on TLS, this also applies to IKE.

For the technical details, see:


NSS is not vulnerable to this attack. Therefor libreswan is not

openswan, when compiled without NSS, is listed as vulnerable to this
attack.  All RHEL/CentOS releases of openswan use NSS.

I'm not sure if they looked at strongswan, but it can use many crypto
libraries, so those who are using strongswan should look at the pdf
and see what crypto library they use with strongswan.


More information about the Swan mailing list