mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2025-01-12 17:45:42 +00:00
Clarify that the Lucky 13 fix is quite general
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
parent
c3f68378bc
commit
f530c8018b
@ -1,9 +1,11 @@
Security
* Fix a local timing side channel vulnerability in (D)TLS record decryption
when using a CBC ciphersuites without the Encrypt-then-Mac extension. In
those circumstances, a local attacker able to observe the state of the
cache could use well-chosen functions to measure the exact computation
time of the HMAC, and follow up with the usual range of Lucky 13 attacks,
including plaintext recovery and key recovery. Found and reported by Tuba
Yavuz, Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler
* In (D)TLS record decryption, when using a CBC ciphersuites without the
Encrypt-then-Mac extension, use constant code flow memory access patterns
to extract and check the MAC. This is an improvement to the existing
countermeasure against Lucky 13 attacks. The previous countermeasure was
effective against network-based attackers, but less so against local
attackers. The new countermeasure defends against local attackers, even
if they have access to fine-grained measurements. In particular, this
fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz,
Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler
(University of Florida) and Dave Tian (Purdue University).
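Review bot: Two wording defects in the new ChangeLog entry should be fixed before merge. "when using a CBC ciphersuites" has a number-agreement error carried over from the old text; write "when using a CBC ciphersuite" (or drop the article). "use constant code flow memory access patterns to extract and check the MAC" reads as if a word is missing; the intent is two properties, so "use constant code flow and constant memory access patterns" states it unambiguously, which matters here because the entry is the only place users will learn that the new countermeasure addresses cache-observable access patterns as well as branch timing. The rest of the rewrite is an improvement: it correctly frames the change as strengthening an existing Lucky 13 countermeasure (effective against network attackers, weaker against local ones) rather than as a brand-new vulnerability class, and it adds Dave Tian (Purdue University) to the credits, who was missing from the removed text.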