
This was originally presented in 2004, but since then has been refined in a number of ways. The detailed paper that includes the full key extraction attack was only released today, coinciding with the GnuPG security update that mitigates against the attack.


It took 9 years to fix GPG?


GnuPG 2.x wasn't vulnerable, just the old 1.x: http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/00033... "GnuPG 1.4.16 avoids this attack by employing RSA blinding during decryption. GnuPG 2.x and current Gpg4win versions make use of Libgcrypt which employs RSA blinding anyway and are thus not vulnerable."


RSA blinding seems to protect against timing attacks. How does RSA blinding protect against this acoustic attack?



