[tptacek]

No, the alternatives are less complex, and easier to get right.

Further: the article you linked to describes the attack we are talking about right now on this thread, a fully remote fault attack that harvested keys off random SSH servers on the Internet, as "a completely theoretical hardware attack". (Narrator: it was not; further, this is that "completely theoretical" attack in its most difficult setting.)

[upofadown]

The attack I linked to discussed completely theoretical attacks. No examples were provided. The attack we are commenting on does provide an example.

In context it it obvious that I was addressing the contention that the paper I linked to had something to do with an implementation error.

[tptacek]

Yes, examples of the attack you dismissed. And you cited it as evidence on this thread about that attack. It's just very funny, is all.

[upofadown]

OK, thanks. I have updated the article to remove the term "theoretical" and have added an appropriate footnote that references the new work.

[tptacek]

This is still wrong! Leaving aside that hardware faults are themselves implementation pitfalls for RSA, the fundamental failure here is a software implementation flaw. You really need to understand these attacks before you supply guidance about them.