2025-10-08, Prague / Technical Deep Dive & Innovation
Side-channel attacks are a common threat to cryptographic implementations. Unfortunately, most available tooling to combat this problem has limited usability, especially in black-box testing scenarios. In this talk I will explain how, by performing the testing using statistical best practices, we were able to find multiple leaking implementations of cryptographic algorithms in OpenSSL. I'll also talk about how we're applying the lessons learned from testing RSA and ECDSA to testing post-quantum cryptography like ML-KEM.
I will cover the statistical principles necessary to use statistical tests correctly and what happens when those principles aren't followed, with examples of Box Test, TVLA, and dudect failing because of that.
The presented approach is suitable for black-box testing, including of algorithms that use rejection sampling. It is algorithm-agnostic and can even be used to perform testing remotely (over a network). Despite using statistical methods, it can show not only the presence of side channels but also the absence of side-channel leakage.
The tool is free and open-source software that we have been using internally at Red Hat for a few years now to test multiple different cryptographic implementations.
Alicja is a quality engineer specialised in cryptography at Red Hat. She is the quality team lead responsible for handling core cryptographic packages in Red Hat Enterprise Linux: OpenSSL, Mozilla NSS, GnuTLS, OpenSSH, libreswan, and others. With over 15 years of experience in cryptography, she has contributed to or co-authored multiple IETF RFCs and found multiple security vulnerabilities, the most impactful being the Marvin Attack.