Cryptography Reference
In-Depth Information
must therefore be considered completely insecure (see also the following
section).
5.
Weaknesses in implementation
In addition to the weaknesses caused by the choice of parameters there
is a host of potential implementation problems that can adversely affect
the security of the RSA algorithm, as is the case with any encryption
procedure. Certainly, the greatest care must be taken with implementations
completely in software that are not protected from outside attack by
measures implemented in hardware. Reading from memory contents,
observation of bus activity or CPU states, can lead to the disclosure of secret
key information. At the minimum, all data in main memory that in any way
are correlated with the secret components of the RSA algorithm (or any
other cryptosystem) should be erased immediately after use with active
overwriting (for example, with the function
purge_l()
, which appears on
page 164).
The functions in the FLINT/C library are already equipped for this purpose.
In secure mode local variables and allocated memory are overwritten with
zeros before termination of the function and are thereby deleted. Here a
certain degree of care is necessary, since the optimization capabilities of the
compiler are so highly developed that a simple instruction at the end of a
function that can be seen to have no effect on the function's termination
might simply be ignored. And there is more: One must take into account
that calls to the function
memset()
in the C standard library are ignored if the
compiler cannot recognize any useful purpose in calling it.
The following example illustrates these effects. The function
f_l()
uses
two automatic variables:
CLINT key_l
and
USHORT secret
.Attheendofthe
function, whose contents are of no further interest here, memory should be
overwritten by assigning
0
to
secret
and, respectively, by a call to
memset()
in the case of
key_l
. The C code looks like this:
int
f_l (CLINT n_l)
{
CLINT key_l;
USHORT secret;
...
/* overwrite the variables */
secret = 0;
memset (key_l, 0, sizeof (key_l));
return 0;
}
