
Risk

7/23/2012
07:50 PM

Using Chip Malfunction To Leak Private Keys

Black Hat researcher shows attackers could manipulate Linux machines running OpenSSL and RSA encryption to recover the private keys used for authentication, enabling spoofing

Many financial institutions and other security-conscious organizations rely on the RSA Algorithm in encrypted authentication applications not only to authenticate that users are who they say they are, but also the other way around -- to assure users they are interacting with their vendor's website rather than a spoof. Fundamental to this encrypted method of assurance is that the RSA private key held by the secured organization always remains a secret. This week at Black Hat, a researcher from the University of Michigan will show how small electrical malfunctions in server processor chips can make it possible for attackers to quietly glean the contents of an entire private key.


"We basically made the hardware temporarily fail and through that the system gives incorrect signed messages from which we can then extract a private key," says Valeria Bertacco, associate professor of electrical engineering and computer science at the University of Michigan, summing up the work she's presenting at Black Hat.

Bertacco says she and her team built on theoretical work done by researchers in Frankfurt, who found that if a server signing a message with its private key (encrypting it with the private key) made a particular kind of error, it would send the client an incorrectly computed message from which the client could extract a few bits of the private key.

At the time, those researchers believed such a small mistake and small leak would prove difficult to reproduce. But Bertacco and her team were able to reproduce those errors on Linux servers they built running the OpenSSL library and RSA encryption.

"The way we do that is making the transistors in the machine that runs the server fail every now and then," she says, explaining that they did this through two different methods: tinkering with the voltage fed to the chip, and raising the temperature at the chip socket.

"The technique we used the first time around was by lowering the power voltage on the system, so instead of operating at the correct voltage, it was operating a little bit of a lower voltage to get some mistakes sometimes," she says.

Not all the errors that the server produced were the errors the team was looking for. In fact, the team had to collect 8,000 erroneous messages to get about 800 of the type it wanted.

"But those 800 were good enough to get us the entire 1024-bit private key," she says.

Many would argue that such a method poses a low risk to secured organizations because attackers wouldn't have control over a server's voltage. But Bertacco says the research has applicability on embedded devices that depend on encrypted authentication protocols.

"People who attack systems using this type of technique can definitely start attacking common machines that use embedded systems that use Linux and use authentication: DVD players, PlayStations, even automobiles," she says.

Additionally, the second condition that produces the right kind of errors, overheating, could be exploited remotely. She reports that an overheated processor within a very specific temperature range created the same effect as lowering the voltage. This is a dangerous condition considering the number of overheated servers present in data centers around the world.

"That's one of the main problems in data centers. They're often overheated," she says. "I might not know which servers, but if I'm careful enough to look around I'll find some. So that's actually a situation where I can exploit a remote server for this type of attack."

When it comes to protecting against these types of attacks, the theory is simple, she says. The server should check the integrity of the message it sends to make sure that it isn't erroneous, or at least use some sort of blinding technique to protect against such a data leak.

"It's not that complicated but doing these things would require more computing resources and sometimes people are pretty sensitive to the response time of the server," she says.

At the moment, OpenSSL has no specific patch against her attack, Bertacco says, but if a user encrypts using its top-level function, RSA_private_decrypt, and the library is compiled with blinding enabled, then they would be protected from this kind of attack as well as from timing-based attacks. "However, if blinding is disabled, or if a user called directly the exponentiation function--RSA_eay_mod_exp--then the library provides no protection against the attack, even in its most recent version," she says.
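The two defenses the article names, checking the signed message before it leaves the server and blinding the exponentiation, as an added Python example that is not code from the article, from Bertacco's group, or from OpenSSL. The RSA key is a small constructed one (readable, not secure), the message value is constructed, and the "fault" is a constructed single-bit upset inside a square-and-multiply loop standing in for the voltage- and temperature-induced transistor errors the article describes; `mod_exp`, `sign_unchecked`, `sign_checked`, `sign_blinded` and `verify` are this example's own names.

```python
"""Release-time integrity check and blinding for RSA private-key operations.

Added example (not from the article, Bertacco's team or OpenSSL). A toy
RSA signer whose exponentiation loop can be made to suffer one bit flip,
beside the two mitigations the article names: verifying the result with
the public key before it is sent, and message blinding.
"""
import math
import random

# Constructed toy key: two small primes, not a real RSA modulus.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent


def mod_exp(base, exp, mod, fault_step=None):
    """Left-to-right square-and-multiply.

    If fault_step is given, one bit of the accumulator is flipped after
    that step (constructed fault model: a single transient hardware error
    inside the private-key exponentiation).
    """
    acc = 1
    for i, bit in enumerate(bin(exp)[2:]):
        acc = (acc * acc) % mod
        if bit == "1":
            acc = (acc * base) % mod
        if i == fault_step:
            acc ^= 1 << 5          # single-bit upset, constructed
    return acc % mod


def sign_unchecked(msg, fault_step=None):
    """The exposed pattern: the result of the private-key operation leaves
    the server with no check, so under a fault a wrong signature is sent."""
    return mod_exp(msg, D, N, fault_step)


def sign_checked(msg, fault_step=None):
    """Mitigation 1 (integrity check): recompute with the public key and
    refuse to release anything that does not verify. Cost: one extra
    exponentiation with the short public exponent E."""
    sig = mod_exp(msg, D, N, fault_step)
    if pow(sig, E, N) != msg:
        return None                 # faulty result is never sent
    return sig


def sign_blinded(msg, fault_step=None, rng=random):
    """Mitigation 2 (blinding): exponentiate a randomised value instead of
    the message itself, then unblind; combined here with the release check."""
    while True:
        r = rng.randrange(2, N)
        if math.gcd(r, N) == 1:
            break
    blinded = (msg * pow(r, E, N)) % N                 # m * r^e
    sig_blinded = mod_exp(blinded, D, N, fault_step)   # (m * r^e)^d = m^d * r
    sig = (sig_blinded * pow(r, -1, N)) % N            # strip r
    if pow(sig, E, N) != msg:
        return None
    return sig


def verify(msg, sig):
    """Public-key check, as a client would perform it."""
    return sig is not None and pow(sig, E, N) == msg


if __name__ == "__main__":
    m = 123456789                  # constructed message representative, < N
    good = sign_unchecked(m)
    bad = sign_unchecked(m, fault_step=3)
    print("fault-free signature verifies:", verify(m, good))
    print("faulty signature verifies:    ", verify(m, bad))
    print("checked signer under fault:   ", sign_checked(m, fault_step=3))
    print("blinded signer, no fault:     ", verify(m, sign_blinded(m)))
```

The release check is one public-key exponentiation with e = 65537, which is a small fraction of the cost of the private-key exponentiation it guards; a faulty result is dropped (and should be logged and retried) rather than handed to the client, so the server never emits the erroneous messages the attack collects. The blinded variant produces the same signature as the plain one for a correct run, since the random factor r cancels.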

Comments
kkempskie, User Rank: Apprentice
7/24/2012 | 8:26:14 PM
re: Using Chip Malfunction To Leak Private Keys


Please note: this article unfortunately confuses the terms "RSA authentication" with the "RSA Algorithm". The research referenced in this article has nothing to do with RSA authentication or RSA SecurID tokens, which are owned by RSA, The Security Division of EMC. The research outlined in this article is actually referring to the RSA Algorithm, one of the most widely utilized public-private key pair algorithms for applications such as encrypting and signing. RSA, The Security Division of EMC believes research like this is important and serves an invaluable function in improving security, but ultimately our company has no control over how different security developers and vendors implement the solutions that utilize the publicly available RSA Algorithm.
