Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhance Side Channel resistance of TPM2 RSA Decryption Wrapper #4429

Merged
merged 1 commit into from
Nov 8, 2024
Merged

Enhance Side Channel resistance of TPM2 RSA Decryption Wrapper #4429

merged 1 commit into from
Nov 8, 2024

Conversation

atreiber94
Copy link
Collaborator

The TPM2 Wrapper of RSA decryption had a bug with incompatible types while setting valid_mask.

During the fix up we noticed that the rest of the function did not run in constant time and may present an oracle on padding failures. Thanks to @phwork for finding this.

This PR enhances the wrapper's side channel resistance in that regard.

Unfortunately, the ESAPI call already introduces some side channel leaks by allocating the result buffer only if the decryption succeeds. This is by specification (Section 14.3.1), as the call to the underlying RSA decryption function returns an error code if unpadding fails.

@randombit opinions are welcome, we are not sure how big of an issue this is and if our enhancement makes much sense.

@atreiber94 @reneme
Enhance Side Channel resistance of TPM2 RSA Decryption Wrapper
1d082c7 
Unfortunately, the ESAPI call already introduces some
side channel leaks by allocating the result buffer only
if the decryption succeeds.

Co-Authored-By: René Meusel <[email protected]>
@coveralls
Copy link

Coverage Status

coverage: 91.07% (-0.006%) from 91.076%
when pulling 1d082c7 on Rohde-Schwarz:fix/tpm2_rsa_sca
into 679ca89 on randombit:master.

randombit
randombit approved these changes Nov 7, 2024
View reviewed changes
Copy link
Owner

@randombit randombit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How unfortunate!

I don’t see this as that big an issue but it’s probably best if we at least do not introduce any additional signal beyond what is intrinsic to the TPM2 API itself, so I do think the change makes sense.

@atreiber94 atreiber94 merged commit d35b793 into randombit:master Nov 8, 2024
38 checks passed
@atreiber94 atreiber94 deleted the fix/tpm2_rsa_sca branch November 8, 2024 07:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@randombit randombit randombit approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@atreiber94 @coveralls @randombit