by magicalhippo 958 days ago
RSA digital signatures can reveal a signer’s secret key if a computational or hardware fault occurs during signing with an unprotected implementation using the Chinese Remainder Theorem and a deterministic padding scheme like PKCS#1 v1.5. [...] In this context, a passive adversary can quietly monitor legitimate connections without risking detection until they observe a faulty signature that exposes the private key. The attacker can then actively and undetectably impersonate the compromised host to intercept sensitive data.

And they say crypto is hard, sheesh...

Seriously though, almost every time I hear about some new (to me) attack, I get amazed at the ingenuity of people.
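As an added illustration of the attack the submitted excerpt describes (this is example code written for this page, not code from the linked article or from any of the commenters): a toy RSA-CRT signer with a deterministic message encoding, a simulated fault in one CRT half, and the attacker-side GCD step that turns the single faulty signature into the private key. The primes, the exponent, the message and the SHA-256-based encoding (a stand-in for PKCS#1 v1.5) are all constructed for the example.

```python
"""Boneh-DeMillo-Lipton style fault attack on RSA-CRT signing, toy-sized.
Added example for this page; not from the linked paper or the thread."""
from hashlib import sha256
from math import gcd

# Constructed toy key. Real keys use ~1024-bit primes; these ~30-bit primes keep
# the numbers readable. The attack is identical at full size.
P = 1_000_000_007
Q = 998_244_353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# CRT parameters, precomputed exactly as an implementation would store them.
DP = D % (P - 1)
DQ = D % (Q - 1)
QINV = pow(Q, -1, P)


def encode_message(msg: bytes) -> int:
    """Deterministic encoding standing in for PKCS#1 v1.5 (constructed
    simplification). The property that matters: anyone who sees the message
    can recompute this value, so a passive observer knows m."""
    return int.from_bytes(sha256(msg).digest(), "big") % N


def sign_crt(msg: bytes, fault_mask: int = 0) -> int:
    """RSA-CRT signing with Garner's recombination. A non-zero fault_mask
    simulates a bit error in the mod-p half only; the mod-q half stays correct."""
    m = encode_message(msg)
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    sp = (sp ^ fault_mask) % P          # the injected fault corrupts s_p
    h = (QINV * (sp - sq)) % P
    return sq + h * Q


def verify(msg: bytes, sig: int) -> bool:
    """Ordinary public-key verification; a faulty signature fails this."""
    return pow(sig, E, N) == encode_message(msg)


def recover_factor(msg: bytes, faulty_sig: int) -> int:
    """Attacker side: needs only N, e, the message and one faulty signature.
    s' is still correct mod q, so s'^e == m (mod q) and q divides s'^e - m,
    while mod p the relation fails, so gcd(s'^e - m, N) == q."""
    m = encode_message(msg)
    g = gcd((pow(faulty_sig, E, N) - m) % N, N)
    if g in (1, N):
        raise ValueError("signature was not faulty in exactly one CRT half")
    return g


def recover_private_exponent(msg: bytes, faulty_sig: int) -> int:
    """Factor N from the faulty signature, then rebuild d from (p, q, e)."""
    q = recover_factor(msg, faulty_sig)
    p = N // q
    return pow(E, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    msg = b"constructed sample message"      # constructed input
    good = sign_crt(msg)
    bad = sign_crt(msg, fault_mask=0b1000)   # single-bit fault in s_p
    print("good signature verifies:", verify(msg, good))
    print("faulty signature verifies:", verify(msg, bad))
    print("private exponent recovered:", recover_private_exponent(msg, bad) == D)
```

The observer never interacts with the signer: it only needs the public key, the message and the one signature that happened to be computed during a fault. Randomized padding (e.g. PSS) breaks the `encode_message` step, and verifying the signature before releasing it catches the fault at the source, which is why both are the usual countermeasures.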


> using the Chinese Remainder Theorem

Damn those Chinese hackers again!

Those Chinese hackers from the 3rd century AD no less ;)
Crypto is hard, and part of the hardness is implementing it correctly.
I think GP's point is that one vulnerable hardware or software implementation in the entire network of implementations being passively observed by the attacker can reveal the private keys. So it's not just your implementations which must be perfect, but all your neighbors, and all theirs too.
I read it as "only" the signing machine needs faulty hardware. Still, bit errors occur, even with ECC, and this allows for a passive hence very unobtrusive attack.
Yeah, I forgot the sarcasm tag there.

My point was exactly that, it's bloody hard. Not only implementing it correctly, but all the non-obvious ways it can go wrong that's partially out of your control due to non-ideal hardware (in the mathematical sense). Timing attacks, cache leaks, speculation leaks, this...