[Swan] FYI: Factoring private RSA keys research
paul at nohats.ca
Thu Sep 3 17:45:15 UTC 2015
Back in 1996, Arjen Lenstra described an attack against an optimization
(called the Chinese Remainder Theorem optimization, or RSA-CRT for
short). If a fault happened during the computation of a signature
(using the RSA-CRT optimization), an attacker might be able to recover
the private key from the signature (an “RSA-CRT key leak”).
While the paper focuses on TLS, this also applies to IKE.
For the technical details, see:
NSS is not vulnerable to this attack. Therefore libreswan is not
openswan, when compiled without NSS, is listed as vulnerable to this
attack. All RHEL/CentOS releases of openswan use NSS.
I'm not sure if they looked at strongswan, but it can use many crypto
libraries, so those who are using strongswan should look at the pdf
and see what crypto library they use with strongswan.
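The two points above, a fault during RSA-CRT signing leaking the private key and a library such as NSS being safe because it re-verifies the result, can be shown on a toy key. The following is an added example, not code from the post or from libreswan, openswan, NSS or strongswan; the primes, the message hashing and the simulated "glitch" are all constructed here and are far smaller than any real key.

```python
import hashlib
from math import gcd

# Constructed toy RSA key (NOT a real key; real moduli are 2048+ bits).
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent
DP = D % (P - 1)             # CRT exponent for the mod-p half
DQ = D % (Q - 1)             # CRT exponent for the mod-q half
QINV = pow(Q, -1, P)         # q^-1 mod p, used by Garner's recombination


def message_int(data: bytes) -> int:
    """Map a message to an integer below N (56 bits of SHA-256; constructed, not a real padding scheme)."""
    return int.from_bytes(hashlib.sha256(data).digest()[:7], "big")


def crt_sign(m: int, fault_in_p: bool = False) -> int:
    """RSA-CRT signing: two half-size exponentiations, recombined into s mod N.

    fault_in_p=True simulates a computation error hitting only the mod-p half,
    the situation Lenstra's attack exploits."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp = (sp + 1) % P    # simulated glitch: the p-half is off by one
    h = (QINV * (sp - sq)) % P
    return sq + Q * h        # 0 <= result < N


def verify(m: int, s: int) -> bool:
    """Public-key check: s^e == m (mod N)."""
    return pow(s, E, N) == m


def sign_with_check(m: int, fault_in_p: bool = False) -> int:
    """The mitigation: verify the CRT result with the public exponent before releasing it.
    A faulty signature is withheld instead of being sent to the peer."""
    s = crt_sign(m, fault_in_p)
    if not verify(m, s):
        raise RuntimeError("RSA-CRT self-check failed; signature withheld")
    return s


def factor_from_faulty_signature(m: int, s_bad: int) -> int:
    """Why the check matters: a signature faulty only in the p-half is still
    correct mod q, so gcd(s_bad^e - m, N) is exactly q (Lenstra, 1996)."""
    return gcd((pow(s_bad, E, N) - m) % N, N)


if __name__ == "__main__":
    m = message_int(b"constructed IKE AUTH payload")
    print("good signature verifies:", verify(m, crt_sign(m)))
    bad = crt_sign(m, fault_in_p=True)
    print("faulty signature verifies:", verify(m, bad))
    print("factor leaked by faulty signature == Q:", factor_from_faulty_signature(m, bad) == Q)
    try:
        sign_with_check(m, fault_in_p=True)
    except RuntimeError as exc:
        print("with self-check:", exc)
```

The check in `sign_with_check` costs one public-exponent exponentiation per signature, which is cheap next to the private operation itself; an implementation that skips it, as the post says of openswan built without NSS, will hand a faulty signature to the remote peer, and that single value is enough to factor the modulus.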