-
-
[求助]请求翻译一段文字,谢谢!
-
发表于: 2009-7-2 09:30
-
全文在Preventing RSA cache timing attacks
其中这一段不知道怎么翻译才好,看的还不是很明白,主要讲解如何防御的。
To address these attacks for OpenSSL, Matthew Wood (Intel) submitted a patch that first appeared in version 0.9.7h. The key change is to the modular exponentiation function in openssl/crypto/bn/bn_exp.c.
This patch stripes the pre-computed m2…x values across cache lines instead of storing them sequentially in the array. That is, the first byte of m2 would be at address 0, the first byte of m3 at 1, etc. A memory dump of this region with w = 3 would look like this:
0: m2[0], m3[0], … m7[0]
64: m2[1], m3[1], … m7[1]
128: m2[2], m3[2], … m7[2]
Thus, the access pattern for reading any pre-computed value is exactly the same as any other: 256 sequential cache line reads. This is a clever way of removing the timing leak. I think it is commendable that Intel spent the time developing this code and contributing it to OpenSSL, especially after the widespread criticism that surrounded this problem was directed primarily at them.
There are two problems regarding this approach. The first is the limitation that it can’t fix problems with AES cache timing (see also this detailed analysis of Bernstein’s work and this proposed cache architecture).
"The second may only affect certain hardware. The patch is configurable for machines with a 32 or 64-byte cache line size. The default is set to 64. If an older machine or a non-x86 CPU with a smaller cache line size runs the default compile of OpenSSL, it will still have a small leak if a large window is used (>= actual cache line size). For example, consider a machine with an 8-byte cache line size and a 12-bit window. OpenSSL would store m2…9[0] in the first cache line and m10…11[0] in the second, allowing an attacker to determine if a given set of exponent bits was less than 210 or not. This might be exploitable in certain situations."
其中这一段有谁能够帮忙翻译一下呢?
前面的内容介绍的是目前RSA算法存在基于cache计时攻击的漏洞,这一漏洞是由于RSA模幂运算中采用滑动窗口算法产生的,因为滑动窗口算法中涉及到一个查表操作。这样攻击者就可以依据查表操作时,由一个间谍进程监视访问cache发生命中和实效产生的时间差异来推算出RSA的密钥片段。我不清楚的这一段内容主要是:介绍一些防御的措施。不清楚这个表的内容表示的是什么意思?
希望E文号的朋友帮个忙。
0: m2[0], m3[0], … m7[0]
64: m2[1], m3[1], … m7[1]
128: m2[2], m3[2], … m7[2]
其中这一段不知道怎么翻译才好,看的还不是很明白,主要讲解如何防御的。
To address these attacks for OpenSSL, Matthew Wood (Intel) submitted a patch that first appeared in version 0.9.7h. The key change is to the modular exponentiation function in openssl/crypto/bn/bn_exp.c.
This patch stripes the pre-computed m2…x values across cache lines instead of storing them sequentially in the array. That is, the first byte of m2 would be at address 0, the first byte of m3 at 1, etc. A memory dump of this region with w = 3 would look like this:
0: m2[0], m3[0], … m7[0]
64: m2[1], m3[1], … m7[1]
128: m2[2], m3[2], … m7[2]
Thus, the access pattern for reading any pre-computed value is exactly the same as any other: 256 sequential cache line reads. This is a clever way of removing the timing leak. I think it is commendable that Intel spent the time developing this code and contributing it to OpenSSL, especially after the widespread criticism that surrounded this problem was directed primarily at them.
There are two problems regarding this approach. The first is the limitation that it can’t fix problems with AES cache timing (see also this detailed analysis of Bernstein’s work and this proposed cache architecture).
"The second may only affect certain hardware. The patch is configurable for machines with a 32 or 64-byte cache line size. The default is set to 64. If an older machine or a non-x86 CPU with a smaller cache line size runs the default compile of OpenSSL, it will still have a small leak if a large window is used (>= actual cache line size). For example, consider a machine with an 8-byte cache line size and a 12-bit window. OpenSSL would store m2…9[0] in the first cache line and m10…11[0] in the second, allowing an attacker to determine if a given set of exponent bits was less than 210 or not. This might be exploitable in certain situations."
其中这一段有谁能够帮忙翻译一下呢?
前面的内容介绍的是目前RSA算法存在基于cache计时攻击的漏洞,这一漏洞是由于RSA模幂运算中采用滑动窗口算法产生的,因为滑动窗口算法中涉及到一个查表操作。这样攻击者就可以依据查表操作时,由一个间谍进程监视访问cache发生命中和实效产生的时间差异来推算出RSA的密钥片段。我不清楚的这一段内容主要是:介绍一些防御的措施。不清楚这个表的内容表示的是什么意思?
希望E文号的朋友帮个忙。0: m2[0], m3[0], … m7[0]
64: m2[1], m3[1], … m7[1]
128: m2[2], m3[2], … m7[2]
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
