Hertzbleed?


Anssi Porttikivi

Jun 16, 2022, 3:52:09 AM
to golang-nuts
I made a quick look at Go standard crypto. There are varying implementations of constant-time/power controls for side-channel timing & power attacks. Can someone comment on Hertzbleed attack vulnerability?

https://news.ycombinator.com/item?id=31743110

   

Ian Lance Taylor

Jun 16, 2022, 2:40:34 PM
to Anssi Porttikivi, golang-nuts
On Thu, Jun 16, 2022 at 12:52 AM Anssi Porttikivi <portt...@gmail.com> wrote:
>
> I made a quick look at Go standard crypto. There are varying implementations of constant-time/power controls for side-channel timing & power attacks. Can someone comment on Hertzbleed attack vulnerability?
>
> https://news.ycombinator.com/item?id=31743110

I am not at all a crypto expert. But it seems to me that programs
written in Go are going to be just as vulnerable to a Hertzbleed
attack as programs written in any other language. Go's crypto support
does use constant-time code where appropriate. The Hertzbleed attack
shows that under certain circumstances on certain CPUs that code will
not execute in constant time. Therefore the Go code is vulnerable to
the attack, as is code written in other languages. So Hertzbleed is
not a reason to either choose or abandon Go. Fortunately the attack
seems rather difficult to exploit in the real world. As far as I can
tell any actual fix is going to have to come from CPU manufacturers,
not from language developers.

Ian
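
What "constant-time code" means in the reply above, as an added example that is not part of the thread or of Go's own source: the hypothetical helpers `earlyExitEqual` and `fixedWorkEqual` count loop steps over a constructed secret, next to the standard library's `subtle.ConstantTimeCompare`. Hertzbleed works below this level, through data-dependent CPU frequency scaling, so the fixed step count shown here does not by itself give fixed wall-clock time.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// earlyExitEqual (hypothetical helper) returns at the first mismatching byte,
// so the number of loop steps depends on how much of the secret was matched.
func earlyExitEqual(secret, guess []byte) (equal bool, steps int) {
	if len(secret) != len(guess) {
		return false, 0
	}
	for i := range secret {
		steps++
		if secret[i] != guess[i] {
			return false, steps
		}
	}
	return true, steps
}

// fixedWorkEqual (hypothetical helper) visits every byte and folds differences
// into one accumulator: the same steps run for any input of a given length.
func fixedWorkEqual(secret, guess []byte) (equal bool, steps int) {
	if len(secret) != len(guess) {
		return false, 0
	}
	var diff byte
	for i := range secret {
		steps++
		diff |= secret[i] ^ guess[i]
	}
	return subtle.ConstantTimeByteEq(diff, 0) == 1, steps
}

func main() {
	secret := []byte("constructed-mac-value-0123456789") // constructed sample, 32 bytes
	for _, matching := range []int{0, 8, 31} {
		guess := make([]byte, len(secret))
		copy(guess, secret[:matching]) // remaining bytes stay zero and mismatch
		_, leaky := earlyExitEqual(secret, guess)
		_, fixed := fixedWorkEqual(secret, guess)
		ok := subtle.ConstantTimeCompare(secret, guess) == 1
		fmt.Printf("prefix=%2d early-exit=%2d fixed=%2d equal=%v\n", matching, leaky, fixed, ok)
	}
}
```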