Security Policy
This is a draft document.
Authentication Policy
Mitigation of Other Attacks
The NSS cryptographic module is designed to mitigate the following attacks.
| Other Attacks | Mitigation Mechanism | Specific Limitations |
|---|---|---|
| Timing attacks on RSA | RSA blinding. The timing attack on RSA was first demonstrated by Paul Kocher in 1996 [1], who contributed the mitigation code to our module. More recently, Boneh and Brumley [2] showed that RSA blinding is an effective defense against timing attacks on RSA. | None. |
| Cache-timing attacks on the modular exponentiation operation used in RSA and DSA | Cache-invariant modular exponentiation. This is a variant of the modular exponentiation implementation that Colin Percival [3] showed to defend against cache-timing attacks. | This mechanism requires intimate knowledge of the cache line sizes of the processor. The mechanism may be ineffective when the module is running on a processor whose cache line sizes are unknown. |
| Arithmetical errors in RSA signatures | Double-checking RSA signatures. Arithmetical errors in RSA signatures might leak the private key. Ferguson and Schneier [4] recommend that every RSA signature generation verify the signature just generated. | None. |
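Two of the mitigations in the table, RSA blinding and verify-after-sign, combined in one signing routine. This is an added illustration, not code from the NSS module; the key parameters are constructed toy values, and the `fault` knob exists only to show the self-check catching an arithmetical error.

```python
import math
import secrets

# Constructed toy RSA parameters, far too small for real use; they only make
# the arithmetic below run instantly so the behaviour can be checked by hand.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def modexp_with_fault(base: int, exp: int, mod: int, fault: int = 0) -> int:
    """Stand-in for the module's private-key modular exponentiation.

    `fault` is a constructed knob that XORs an error into the result, modelling
    the arithmetical error Ferguson and Schneier warn about. 0 means correct.
    """
    return pow(base, exp, mod) ^ fault


def blinded_sign(m: int, fault: int = 0) -> int:
    """Sign m with RSA blinding (Kocher) and verify-after-sign (Ferguson/Schneier).

    Blinding: the private exponent is applied to m * r^e rather than m, so the
    timing of the private-key operation does not depend on m; r is stripped
    from the result afterwards. The signature is then checked with the public
    key before it is released, so a faulty result never leaves the module.
    """
    # Random blinding factor r, coprime to N so that r^-1 mod N exists.
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    r_inv = pow(r, -1, N)
    blinded = (m * pow(r, E, N)) % N                     # m' = m * r^e mod N
    s_blinded = modexp_with_fault(blinded, D, N, fault)  # s' = m'^d = m^d * r mod N
    s = (s_blinded * r_inv) % N                          # s  = s' * r^-1 = m^d mod N
    if pow(s, E, N) != m:  # double-check with the public key before returning
        raise ArithmeticError("RSA signature failed self-check; withheld")
    return s


def verify(m: int, s: int) -> bool:
    return pow(s, E, N) == m


def demo() -> tuple:
    """Returns (good signature verifies, faulty signature was withheld)."""
    m = 123456789
    good = verify(m, blinded_sign(m))
    try:
        blinded_sign(m, fault=1)
        caught = False
    except ArithmeticError:
        caught = True
    return good, caught
```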
Results of FIPS 140-2 Level 2 Validation of NSS Cryptographic Module 3.11.5
| FIPS 140-2 Section | Description | Validation Level Obtained |
|---|---|---|
| 1.0 | Cryptographic Module Specification | 2 |
| 2.0 | Cryptographic Module Ports and Interfaces | 2 |
| 3.0 | Roles, Services, and Authentication | 2 |
| 4.0 | Finite State Model | 2 |
| 5.0 | Physical Security | 2 |
| 6.0 | Operational Environment | 2 |
| 7.0 | Cryptographic Key Management | 2 |
| 8.0 | EMI/EMC | 2 |
| 9.0 | Self-Tests | 2 |
| 10.0 | Design Assurance | 2 |
| 11.0 | Mitigation of Other Attacks | 2 |
| C | Cryptographic Module Security Policy | 2 |
Platform List
- Level 1
  - Red Hat Enterprise Linux 4 x86
  - Windows XP Service Pack 2
  - 64-bit Solaris 10 AMD64
  - HP-UX B.11.11 PA-RISC
  - Mac OS X 10.4
- Level 2
  - Red Hat Enterprise Linux 4 x86_64
  - 64-bit Trusted Solaris 8 SPARC
References
[1] P. Kocher, "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems," CRYPTO '96, Lecture Notes In Computer Science, Vol. 1109, pp. 104-113, Springer-Verlag, 1996. (http://www.cryptography.com/timingattack/)
[2] D. Boneh and D. Brumley, "Remote Timing Attacks are Practical," http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html.
[3] C. Percival, "Cache Missing for Fun and Profit," http://www.daemonology.net/papers/htt.pdf.
[4] N. Ferguson and B. Schneier, Practical Cryptography, Sec. 16.1.4 "Checking RSA Signatures", p. 286, Wiley Publishing, Inc., 2003.