[Help] Request for translation of a passage, thanks!
Posted: 2009-7-2 09:30 3972
The full text is in Preventing RSA cache timing attacks.
I don't know how best to translate this passage, and I don't fully understand it yet; it mainly explains how to defend against the attack.

To address these attacks for OpenSSL, Matthew Wood (Intel) submitted a patch that first appeared in version 0.9.7h. The key change is to the modular exponentiation function in openssl/crypto/bn/bn_exp.c.

This patch stripes the pre-computed m2…x values across cache lines instead of storing them sequentially in the array. That is, the first byte of m2 would be at address 0, the first byte of m3 at 1, etc. A memory dump of this region with w = 3 would look like this:

0: m2[0], m3[0], … m7[0]
64: m2[1], m3[1], … m7[1]
128: m2[2], m3[2], … m7[2]

Thus, the access pattern for reading any pre-computed value is exactly the same as any other: 256 sequential cache line reads. This is a clever way of removing the timing leak. I think it is commendable that Intel spent the time developing this code and contributing it to OpenSSL, especially after the widespread criticism that surrounded this problem was directed primarily at them.

There are two problems regarding this approach. The first is the limitation that it can’t fix problems with AES cache timing (see also this detailed analysis of Bernstein’s work and this proposed cache architecture).

"The second may only affect certain hardware. The patch is configurable for machines with a 32 or 64-byte cache line size. The default is set to 64. If an older machine or a non-x86 CPU with a smaller cache line size runs the default compile of OpenSSL, it will still have a small leak if a large window is used (>= actual cache line size). For example, consider a machine with an 8-byte cache line size and a 12-bit window. OpenSSL would store m2…9[0] in the first cache line and m10…11[0] in the second, allowing an attacker to determine if a given set of exponent bits was less than 2^10 or not. This might be exploitable in certain situations."

Can anyone help translate this passage?
The earlier part of the article explains that the RSA algorithm currently has a vulnerability to cache timing attacks. The vulnerability comes from the sliding-window algorithm used in RSA modular exponentiation, because the sliding-window algorithm involves a table lookup. During that lookup, an attacker can use a spy process to watch the timing differences between cache hits and misses and deduce fragments of the RSA key. The part I don't understand mainly introduces some defensive measures. I don't understand what this table is meant to represent. Hoping friends with good English can help.
0: m2[0], m3[0], … m7[0]
64: m2[1], m3[1], … m7[1]
128: m2[2], m3[2], … m7[2]
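As an added illustration that is not part of the original post or of OpenSSL's bn_exp.c: the Python model below simulates which cache lines a read of one pre-computed value touches under the plain sequential layout and under the striped layout shown in the dump above. Table index 0 stands for m2, index 1 for m3, and so on; the byte granularity and the row stride are assumptions of this model (real code works in machine words). It also reproduces the caveat from the last quoted paragraph: when there are more values than bytes in a cache line, the striped rows spill into a second line and the set of lines touched once again depends on which value is read.

```python
"""Simulation of the two table layouts discussed above (added example; not
OpenSSL code).  Table index i stands for the pre-computed value m_(i+2):
index 0 is m2, index 1 is m3, and so on.  Byte granularity and the row
stride below are assumptions of this model."""

from typing import Dict, List, Tuple


def sequential_lines(num_values: int, value_bytes: int, line_size: int) -> List[List[int]]:
    """Cache lines touched when reading each value from a plain array.

    Value i occupies bytes [i*value_bytes, (i+1)*value_bytes), so each value
    lives in its own run of lines and the lines touched reveal i."""
    result = []
    for i in range(num_values):
        base = i * value_bytes
        touched = sorted({(base + j) // line_size for j in range(value_bytes)})
        result.append(touched)
    return result


def striped_lines(num_values: int, value_bytes: int, line_size: int) -> List[List[int]]:
    """Cache lines touched when reading each value from the striped layout.

    Byte j of value i is stored at address j*stride + i, i.e. row j holds the
    j-th byte of every value (the dump in the post: 0: m2[0], m3[0], ...;
    64: m2[1], m3[1], ...).  The row stride is the smallest multiple of
    line_size that holds num_values bytes (an assumption of this model)."""
    rows_per_value = -(-num_values // line_size)        # ceil division
    stride = rows_per_value * line_size
    result = []
    for i in range(num_values):
        touched = sorted({(j * stride + i) // line_size for j in range(value_bytes)})
        result.append(touched)
    return result


def distinguishable_groups(line_sets: List[List[int]]) -> List[List[int]]:
    """Group table indices by the set of cache lines their read touches.

    A spy process that observes evictions sees only that set, so indices in
    the same group are indistinguishable.  One group means no leak."""
    groups: Dict[Tuple[int, ...], List[int]] = {}
    for i, lines in enumerate(line_sets):
        groups.setdefault(tuple(lines), []).append(i)
    return list(groups.values())


def leak_report(num_values: int, value_bytes: int, line_size: int) -> Tuple[int, int]:
    """Return (number of distinguishable groups for the sequential layout,
    number of distinguishable groups for the striped layout)."""
    seq = distinguishable_groups(sequential_lines(num_values, value_bytes, line_size))
    stp = distinguishable_groups(striped_lines(num_values, value_bytes, line_size))
    return len(seq), len(stp)


if __name__ == "__main__":
    # w = 3 as in the post: m2..m7 (6 values), 2048-bit values = 256 bytes,
    # 64-byte cache lines.  Sequential: every value is distinguishable.
    # Striped: all six reads touch the same 256 lines.
    print("w=3, 64-byte lines (sequential groups, striped groups):", leak_report(6, 256, 64))
    # The caveat from the last quoted paragraph: an 8-byte cache line with
    # more than 8 values.  The striped rows spill over into a second line, so
    # reads of indices 0..7 (m2..m9) and of indices 8.. (m10..) touch
    # different lines and an attacker learns which side the value is on.
    print("8-byte lines, 10 values, striped:", distinguishable_groups(striped_lines(10, 4, 8)))
```

The constructed parameters follow the post: six values for w = 3, 256-byte values, and a 64-byte line for the good case; ten values and an 8-byte line for the caveat. The number of groups returned by `distinguishable_groups` is what a cache-line spy can tell apart; the striping only removes the leak while the number of values fits in one cache line.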


Latest replies (2)

#2
To address these attacks for OpenSSL, Matthew Wood (Intel) submitted a patch that first appeared in version 0.9.7h. The key change is in the modular exponentiation function in openssl/crypto/bn/bn_exp.c.

This patch stripes the pre-computed m...x values across cache lines instead of storing them sequentially. That is, the first byte of m would be at address 0, the first byte of m2 next, etc. A memory dump of this region with w = 3 would look like this:

0: m2[0], m3[0], … m7[0]
64: m2[1], m3[1], … m7[1]
128: m2[2], m3[2], … m7[2]

Thus, the access pattern for reading any pre-computed value is exactly the same as for any other: 256 sequential cache line reads. This is a clever way of removing the timing leak. I think it is commendable that Intel spent the time developing this code and contributing it to OpenSSL, especially after the widespread criticism surrounding this problem was directed primarily at them.

There are two problems with this approach. The first is the limitation that it cannot fix the problems with AES cache timing (see also this detailed analysis of Bernstein's work and this proposed cache architecture).

"The second may only affect certain hardware. The patch is configurable for machines with a 32- or 64-byte cache line size. The default is set to 64. If an older machine or a non-x86 CPU with a smaller cache line size runs the default build of OpenSSL, it will still have a small leak if a large window is used (>= the actual cache line size). For example, consider a machine with an 8-byte cache line size and a 12-bit window. OpenSSL would store m...9[0] in the first cache line and M10...11[0] in the second, allowing an attacker to determine whether a given set of exponent bits is less than 2^10 or not. This might be exploitable in certain situations."

PS: This is machine translated; I corrected it myself based on my cryptography knowledge. Best to have someone check it over, since I didn't look carefully at the software's mistakes and may not have caught them all.
2009-7-16 20:10
#3
Roughly speaking, I think it uses the idea of permuting the storage order.
2009-7-19 12:32