
oss-sec mailing list archives
Re: BoringSSL private key loading is not constant time
From: Peter Gutmann <pgut001 () cs auckland ac nz>
Date: Mon, 13 Oct 2025 23:12:07 +0000
Jeffrey Walton <noloader () gmail com> writes:

> What does the attacker learn besides the key length? Isn't that mostly public information, like the TLS options used during cipher suite negotiation?

It's a proof-of-concept from a very entertaining talk at the OpenSSL conference, "Constant-Time BIGNUM Is Bollocks". The BoringSSL folks had claimed there were no timing side-channels in their code, this demonstrates a timing side-channel. Admittedly not a terribly useful one :-).

Peter.