Kevin [ARCHIVE] on Nostr:
📅 Original date posted: 2014-03-05
📝 Original message: On 3/5/2014 7:49 AM, Mike Hearn wrote:
> A new practical technique has been published that can recover
> secp256k1 private keys after observing OpenSSL calculate as little as
> 200 signatures:
>
> http://eprint.iacr.org/2014/161.pdf
>
> This attack is based on the FLUSH+RELOAD technique published last
> year. It works by observing L3 CPU cache timings and forcing cache
> line flushes using the clflush opcode. As a result, it is applicable
> to any x86 environment where an attacker may be able to run on the
> same hardware i.e. virtualised hosting environments where keys are
> being reused.
>
> I am not currently aware of any efforts to make OpenSSL's secp256k1
> implementation completely side channel free in all aspects. Also,
> unfortunately many people have reimplemented ECDSA themselves and even
> if OpenSSL gets fixed, the custom implementations probably won't.
>
> So, IMHO this is a sign for hot wallet users to start walking (but not
> running) towards the exits of these shared cloud services: it doesn't
> feel safe to sign transactions on these platforms, so hot wallets
> should be managed by dedicated hardware. Of course other parts of the
> service, like the website, are less sensitive and can still run in the
> cloud. I doubt the researchers will release their code to do the side
> channel attack and it's rather complex to reimplement, so this gives
> some time for mitigation. Unfortunately the huge sums being held in
> some "bitbank" style hot wallets mean that attackers are well
> motivated to pull off even quite complex attacks.
>
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
How can we patch this issue?
--
Kevin
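The fix Mike Hearn is alluding to is a scalar multiplication whose sequence of point operations does not depend on the secret nonce. The following is an added illustration written for this archive page; it is not code from the thread, from the cited paper, or from OpenSSL. It implements secp256k1 affine point arithmetic in plain Python (curve constants are the public secp256k1 parameters), then computes k*G two ways while recording the sequence of doublings and additions: a textbook left-to-right double-and-add, whose trace length is 256 plus the Hamming weight of k, and a Montgomery ladder, whose trace is identical for every 256-bit scalar. Only the operation-sequence property is demonstrated here; Python big-integer arithmetic is itself not constant-time, and a production ladder would also replace the `if bit` branch with a constant-time conditional swap in projective coordinates. The scalars in `demo()` are constructed sample values, not real keys.

```python
# secp256k1 domain parameters (public constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                      # p1 == -p2
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P      # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def point_double(p):
    return point_add(p, p)


def scalar_mult_naive(k, point):
    """Left-to-right double-and-add. Returns (k*point, trace).
    The trace ('D' = double, 'A' = add) depends on the bits of k: an
    observer who can tell doublings from additions recovers k directly."""
    result, trace = None, []
    for i in range(255, -1, -1):
        result = point_double(result)
        trace.append('D')
        if (k >> i) & 1:
            result = point_add(result, point)
            trace.append('A')
    return result, trace


def scalar_mult_ladder(k, point):
    """Montgomery ladder. Returns (k*point, trace).
    Invariant: r1 == r0 + point. Every iteration performs exactly one add
    and one double, so the trace is the same for every 256-bit scalar."""
    r0, r1, trace = None, point, []
    for i in range(255, -1, -1):
        bit = (k >> i) & 1
        if bit == 0:
            r1 = point_add(r0, r1)
            r0 = point_double(r0)
        else:
            r0 = point_add(r0, r1)
            r1 = point_double(r1)
        trace.append('A')
        trace.append('D')
    return r0, trace


def trace_is_scalar_independent(mult, k1, k2):
    """True if mult() emits the same operation sequence for two different scalars."""
    _, t1 = mult(k1, G)
    _, t2 = mult(k2, G)
    return t1 == t2


def demo():
    # Constructed sample scalars with very different Hamming weights.
    k_sparse = 0x8000000000000000000000000000000000000000000000000000000000000001
    k_dense = N - 2
    return {
        "naive_leaks": not trace_is_scalar_independent(scalar_mult_naive, k_sparse, k_dense),
        "ladder_safe": trace_is_scalar_independent(scalar_mult_ladder, k_sparse, k_dense),
        "results_agree": scalar_mult_naive(k_dense, G)[0] == scalar_mult_ladder(k_dense, G)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports that the naive trace differs between the two scalars while the ladder trace does not, and that both routines compute the same point. The same property is what a reviewer should look for in any of the custom ECDSA reimplementations the message mentions: the control flow and memory access pattern of the nonce multiplication must not vary with the nonce.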