科技回声

5 条评论

IbJacked超过 11 年前

So, according to this paper, "GnuPG in its current form is not safe for a multi-user system or for any system that may run untrusted code."The attack is against the RSA implementation specifically. Is there a gpg asymmetric encryption that would be considered safe? If not, is there a reasonable gpg alternative?

评论 #6391828 未加载

评论 #6391699 未加载

评论 #6391885 未加载

daemon13超过 11 年前

So, practical questionI am on Ubuntu LTS 12.04 with GnuPG 1.4.11 (Linux version 3.2.0-32-virtual (buildd@batsu) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)).Q1. Do I need to fix this potential attack?Q2. Assuming this fix is not backported [now] - if I compile fresh gpg and swap the binary with the old gpg - will this fix it?

评论 #6392318 未加载

nn3超过 11 年前

The key part is the first line in the abstract"Flush+Reload is a cache side-channel attack that monitors access to data in shared pages"The OS does not allow arbitary programs to share pages with gpg. If you share pages with gpg you can already read the key directly, no need for any side channels.As far as I can tell the paper is completely pointless, a variant of this fallacy <a href="http://blogs.msdn.com/b/oldnewthing/archive/2009/01/21/9353310.aspx" rel="nofollow">http://blogs.msdn.com/b/oldnewthing/archive/2009/01/21/93533...</a>

评论 #6391728 未加载

评论 #6391754 未加载

sspiff超过 11 年前

Can someone knowledgeable about security tell me if there is anything about their claim (98% in one round) that is exaggerated or "best edge case only"?I wonder how these attacks would fare against NaCl[1] or Sodium[2], who were designed to be secure against side-channel attacks.[1]: <a href="http://nacl.cr.yp.to" rel="nofollow">http://nacl.cr.yp.to</a>[2]: <a href="http://labs.umbrella.com/2013/03/06/announcing-sodium-a-new-cryptographic-library" rel="nofollow">http://labs.umbrella.com/2013/03/06/announcing-sodium-a-new-...</a>

评论 #6392167 未加载

评论 #6394716 未加载

contingencies超过 11 年前

Gentoo bug @ <a href="https://bugs.gentoo.org/show_bug.cgi?id=478184" rel="nofollow">https://bugs.gentoo.org/show_bug.cgi?id=478184</a>

5 条评论

IbJacked超过 11 年前

评论 #6391828 未加载

评论 #6391699 未加载

评论 #6391885 未加载

daemon13超过 11 年前

评论 #6392318 未加载

nn3超过 11 年前

评论 #6391728 未加载

评论 #6391754 未加载

sspiff超过 11 年前

评论 #6392167 未加载

评论 #6394716 未加载

contingencies超过 11 年前

Gentoo bug @ <a href="https://bugs.gentoo.org/show_bug.cgi?id=478184" rel="nofollow">https://bugs.gentoo.org/show_bug.cgi?id=478184</a>

Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack [pdf]

5 条评论

Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack [pdf]

5 条评论