Follow Slashdot stories on Twitter


Forgot your password?

Submission + - OpenSSL Timing Attack Steals Private Keys (

Trailrunner7 writes: Remote timing attacks have been a problem for cryptosystems for more than 20 years. A new paper shows that such attacks are still practical and can be used to steal the private key of a TLS server running OpenSSL. The researchers, Billy Bob Brumley and Nicola Tuveri of Aalto University School of Science, focused their efforts on OpenSSL's implementation of the elliptic curve digital signature algorithm (ECDSA), and they were able to develop an attack that allowed them to steal the private key of an OpenSSL server.
In an interview, Brumley says that the attack is just a symptom of other problems. "Perhaps the scariest part is that the piece of code introducing the vulnerability has been in the library since roughly 2005. This shows that identifying timing attack vulnerabilities is a daunting task. This isn't the first timing attack vulnerability discovered in OpenSSL, and I can guarantee it won't be the last."

This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

OpenSSL Timing Attack Steals Private Keys

Comments Filter:

Air is water with holes in it.