On 3/5/2014 7:49 AM, Mike Hearn wrote:
A new practical technique has been published that can recover
secp256k1 private keys after observing OpenSSL calculate as little as
200 signatures:
http://eprint.iacr.org/2014/161.pdf
This attack is based on the FLUSH+RELOAD technique published last
year. It works by observing L3 CPU cache timings and forcing cache
line flushes using the clflush opcode. As a result, it is applicable
to any x86 environment where an attacker may be able to run on the
same hardware i.e. virtualised hosting environments where keys are
being reused.
I am not currently aware of any efforts to make OpenSSL's secp256k1
implementation completely side channel free in all aspects. Also,
unfortunately many people have reimplemented ECDSA themselves and even
if OpenSSL gets fixed, the custom implementations probably won't.
So, IMHO this is a sign for hot wallet users to start walking (but not
running) towards the exits of these shared cloud services: it doesn't
feel safe to sign transactions on these platforms, so hot wallets
should be managed by dedicated hardware. Of course other parts of the
service, like the website, are less sensitive and can still run in the
cloud. I doubt the researchers will release their code to do the side
channel attack and it's rather complex to reimplement, so this gives
some time for mitigation. Unfortunately the huge sums being held in
some "bitbank" style hot wallets mean that attackers are well
motivated to pull off even quite complex attacks.
------------------------------------------------------------------------------
Subversion Kills Productivity. Get off Subversion & Make the Move to Perforce.
With Perforce, you get hassle-free workflows. Merge that actually works.
Faster operations. Version large binaries. Built-in WAN optimization and the
freedom to use Git, Perforce or both. Make the move to Perforce.
http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk
_______________________________________________
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development
How can we patch this issue?
--
Kevin
------------------------------------------------------------------------------
Subversion Kills Productivity. Get off Subversion & Make the Move to Perforce.
With Perforce, you get hassle-free workflows. Merge that actually works.
Faster operations. Version large binaries. Built-in WAN optimization and the
freedom to use Git, Perforce or both. Make the move to Perforce.
http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk
_______________________________________________
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development
