Researchers Find Way To Zap RSA Algorithm
alphadogg writes "Three University of Michigan computer scientists say they have found a way to exploit a weakness in RSA security technology used to protect everything from media players to smartphones and e-commerce servers. RSA authentication is susceptible, they say, to changes in the voltage supply to a private key holder. While guessing the 1,000-plus digits of binary code in a private key would take unfathomable hours, the researchers say that by varying electric current to a secured computer using an inexpensive purpose-built device they were able to stress out the computer and figure out the 1,024-bit private key in about 100 hours – all without leaving a trace. The researchers in their paper outline how they made the attack (PDF) on a SPARC system running Linux."
...whether interrogating a human or a computer, apparently it is a simple matter of voltage.
The only thing the article "ads" to the summary posted here is a pretty splash screen, which in my case tried to sell me SQL Server.
Just means it's time to break out the megabit keys!
The Institute of Incomplete Research has determined that 9 out of 10
Machines where software can alter the CPU voltages and clock speeds for "overclocking" purposes may be especially vulnerable to this attack. "Advanced power management" may also offer an attack vector.
Also worry about Intel's Nehalem architecture, where there's a small CPU dedicated to power, clock, and thermal management. Access to that allows detailed control over power.
...electronic torture?
We can just declare this method in violation of the computer's rights and solve the problem easily!
In what kind of scenario would you have access to the PSU of the server you attacked? Private key servers should not be directly accessible after all.
Gee, does anyone run Linux on Sparc in production, or know anyone who knows anyone who does or did? Heh.
Yeah I know these distros exist and work well. It's just an odd choice of platform, IMHO.
Damping absorbs vibrations. Dampening is caused by moisture.
Rather than apply electrical current to a key holder, wouldn't it be easier and cheaper to apply a $5 wrench?
No, researchers find side-channel attack on SPARC CPU (which requires elevated access, anyway).
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Hackers these days are seriously sick; not long ago one guy dissolved chips and listened in on instructions right on the die.
Now this; just take a look at that paper.
Sure, the principle is simple: create a condition that causes errors, and incidentally the more of the bits you have guessed, the fewer errors you have, etc. etc. etc.
But seriously, people who figure these things out and make them work... I question their sanity. Brilliant, but you have to be a mad scientist to achieve these things.
Isn't this how the latest guy who claimed to hack the PS3 did it also? Copycats! :)
In what kind of scenario would you have access to the PSU of the server you attacked?
E.g. Hosted data center
Probably much more threatening (though, frankly, that pleases me) to DRMed embedded systems and similar gear that is supposed to be "secure" vs. its immediate environment, but is also in the hands of the public in huge quantities.
Yeah, if I can break into your datacenter and clamp some crazy widget onto the (presumably multiple) lines supplying your server's PSUs, a clever voltage attack is not the biggest of your problems.
If, on the other hand, you can guess the private crypto keys out of a DRMed PMP just by clipping a 15 dollar device from some shady mod-chip vendor to the recharging port and waiting a few days, heads will roll. There are a lot of devices these days that are designed to keep keys secret from the owners of the hardware. Particularly for common ones, voltage attack devices might well become fairly common advanced hobbyist and/or grey market items...
This attack is relevant when you are trying to extract the private key of something like a TPM, in order to defeat the DRM protections it is trying to provide, or decrypt the drive whose key it is holding.
DRM, smart-cards, cable/tv access boxes, media players, stolen laptops, etc
Probably not e-commerce servers exactly, but you never know depending on the physical security of your datacenter. And with DRM, of course, the purpose is to lock you out of equipment to which you have physical access.
"I assumed blithely that there were no elves out there in the darkness"
This is just a fault injection attack. People have been doing similar things to block ciphers for years, it is not a mathematical weakness, just a side channel attack, and an active one at that. Cool that they did it against RSA, but not really headline news...
Palm trees and 8
If someone has physical access to your machine, then you have already lost.
Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
...except for the empty bags of cheese puffs, Rockstar cans, and several bottles of "lemon gatorade", no one would suspect that they had been there.
Yeah, my first thought was ATMs =)
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Rubber hose.
To the back of the thigh.
10 seconds.
100 pesos.
While this poses interesting opportunities for handheld and consumer devices, I wouldn't fret over your corporate servers or internal machines, since most of them have restricted access and this requires manipulation of the power going into the box (after the UPSes).
For devices and consumer electronics however, well, that's a different story.
Of course, if a bug in a UPS allows for manipulation of its output power, that wouldn't be good...
Sadly, most DRM-crippled hardware isn't going to have the private keys inside. For example, the PS3 and Wii will only have the public keys in the hardware so that they can check signatures on code. The private keys will be on hardware somewhere inside Sony and Nintendo, and presumably carefully guarded from unauthorized access.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
Back years ago I read a book where the good/bad guys got a suitcase-sized AI to break down and confess by cycling its power to the point where it couldn't take it any more.
Good to see reality starting to mimic fiction
BTW Can anyone tell me the title? About the only other main thing I remember about it was helicopter pilots being blinded by laser strikes.
I am Slashdot. Are you Slashdot as well?
When the 'server' is a chip on a smart card and the 'PSU' is your POS terminal.
A similar side-channel attack might be usable to extract such information, though.
retrorocket.o not found, launch anyway?
Depends on what the DRM is trying to protect. Music players, video players for downloadable content, and basically anything where the content isn't tied to a physical object like a game disc will need a private key of some kind to encrypt the data on their volatile storage. While most of this will probably be done using symmetric encryption, you still need some way for the server that hands out the content to prove that it is a real device and not an emulated device, and that's normally done with a locally stored private key.
It's an implementation on specific hardware that was broken. Not the first time, nor the last. If the *algorithm* would have been broken, now *that* would have been news!
Ubi dubium ibi libertas: Where there is doubt, there is freedom.
Kinda reminds me of the TrueCrypt attack that made a splash a couple of years ago, in which the attacker can compromise an encrypted partition by obtaining possession of the host hardware right after a power-down, getting inside the chassis and spraying down the RAM DIMMs with an inverted can of air so as to cool them down and slow the entropy of the down-powered chips; the attacker then has to create and analyze the leftover RAM images with his own hardware and pull the encryption key out of that mess. As the Mythbusters would say: plausible? Yes. Practical? Not really. I guess if you think you're in possession of some pretty valuable data you'll go to lengths.
Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
Not quite. The voltage that was varied was the 1.5V CPU voltage. This is regulated on the motherboard (the PSU on the computer supplies +3.3V, +5V, -12V and +12V). So to execute this attack, you'd either need access through the BIOS to the CPU voltage control, or to physically tamper with the voltage regulator module present on server motherboards (desktop motherboards typically have this integrated instead of socket-fit, making it a lot harder to tamper with). Since both contain voltage regulators, simply under-voltaging the PSU likely won't work (since reducing the voltage is likely to make the whole system less stable, not just the CPU). Either way, not something that's trivial to do without physical access to the machine while it's off or a root-level exploit on the machine, which would make this attack pointless... Sure, they COULD tamper with the voltage regulator, but you DO have alarms on your cases, right (ESP in situations where the box is held off site)?
If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
When you're the government.
Give me Classic Slashdot or give me death!
In what kind of scenario would you have access to the PSU of the server you attacked?
I don't know, how about a world where you've arrested a political dissident and you want to obtain his/her private key, and he/she refuses to hand it over?
Also, this is an attack against software running on the host CPU (OpenSSL in the paper) - most likely, 95%+ of OpenSSL implementations on datacenter servers are storing the key on the hard drive, not in a TPM.
retrorocket.o not found, launch anyway?
Great, another 'if you have physical access to the key, you can get the key' methods.
Look, 'stressing' the computer for a hundred hours while screwing with the voltage is going to get you noticed if it's a key important enough to use this method on. I can go to your PC and steal the contents of the entire drive without leaving a trace, but you're probably going to notice when I move you out of my way so I can put in a boot CD and an external drive to copy the data to.
Practical value: 0
Research value: 1
Geek Cred: 11
Priceless, or rather, worthless.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
that it seems possible to defend against these attacks with a software change, for example validating the result before sending it.
Nullius in verba
Well, it doesn't matter where the key is stored. The key must be read in order to be processed. So at some point in time the appropriate parts of the key must be in the CPU (since it needs to do math against the bits of the key to produce the signature), hence why the attack vector exists...
If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
...for CPUs to multiply incorrectly when their voltage gets pulsed? It seems like you could solve this problem with a good voltage regulator. Something that resets the CPU if the voltage falls/rises to a point that would cause calculation errors.
Just use Social Engineering
"– all without leaving a trace" ...except for the donut crumbs and empty coffee cups left at the workstation.
http://www.apc.com/
Seriously. If your server is a big enough target that having its keys taken using this technique is beneficial (a key signing server, for example), then you need a bit more protection against somebody hanging outside on a pole playing with your electricity supply.
Custom electronics and digital signage for your business: www.evcircuits.com
The concept is called Differential Power Analysis (DPA), or for people in the industry it's also known as power cryptography, and it has been a staple of many attack vectors since the mid-90s (at least in open research). Furthermore, simple techniques such as adding salt, or in other words randomly chosen bogus operations inserted into the computation flow, render such attack vectors useless.
Nothing new here, slow news day, move along peoples.
Arash Partow's Philosophy: Be a person who knows what they don't know, and not a person who doesn't know.
Extracting private keys from smart cards would be one application. That's a case where you have "physical access" to the key holder, but it's protected by physical security. The card will erase the key if you open the box, but it provides a digital signature service, which you can exploit via this method to extract the key without opening the case.
http://en.wikipedia.org/wiki/Power_analysis
http://en.wikipedia.org/wiki/Differential_fault_analysis
beware syntactic cavities
NO, they did not find a glitch in the algorithm, they happened to find an implementation which was amenable to their attack method.
All the chip makers have to do is take any one of several measures:
(1) Regulate the CPU voltage on-chip.
(2) or just detect that it's below spec and force a reset.
(3) or do the calculation two times, or in two different ways, or both, and reset if the results don't match.
(4) or add a few gates of carry-lookahead to the multiplier so it's not so speed-sensitive.
(5) or detect the tampering and send out the tamperer's IP address encrypted in the message.
This attack is pretty neat, but couldn't the vulnerability be closed by just doing FWE multiple times and voting, or otherwise checking the result?
It seems that the real problem here is that the attacker can create corrupt output data even though he does not know the actual workings of the processor in question. This seems easy enough to fix.
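The "validate the result before sending it", "do the calculation twice and compare" and "check the result" suggestions in the comments above all come down to the same countermeasure: never release a signature the device has not confirmed is correct. The block below is an added example, not code from the thread, the paper or OpenSSL. It uses a constructed textbook-size RSA key (not secure) and a constructed single-bit fault in the square-and-multiply loop to stand in for the voltage-starved multiplier; the names `modexp`, `sign_unchecked`, `sign_checked`, `verify`, `encode`, `fault_step` and `fault_bit` are chosen for this example.

```python
"""Added example (not code from the thread, the paper, or OpenSSL): the
"check the result before sending it" countermeasure against fault-injected RSA
signatures, plus a simulated single-bit multiplier fault to show the check
catching a corrupted signature. The key is a constructed textbook-size toy
(NOT secure) and the function names are chosen for this example."""

# Constructed toy RSA key: tiny primes so the example runs instantly.
# A real key is 1024+ bits, and a real scheme hashes and pads the message.
P, Q = 61, 53
N = P * Q                        # 3233
PHI = (P - 1) * (Q - 1)          # 3120
E = 17                           # public exponent
D = pow(E, -1, PHI)              # private exponent, 2753 (Python 3.8+)
LAST_STEP = D.bit_length() - 1   # index of the final square-and-multiply step


def modexp(base, exp, mod, fault_step=None, fault_bit=None):
    """Left-to-right square-and-multiply: base ** exp mod mod.

    If fault_step/fault_bit are set, one bit of the intermediate value at that
    step is flipped after the squaring, standing in for a voltage-starved
    multiplier returning a wrong product (a constructed stand-in for the
    hardware fault, not a model of any real chip)."""
    result = 1
    base %= mod
    for i, bit in enumerate(bin(exp)[2:]):
        result = result * result % mod
        if i == fault_step:
            result ^= 1 << fault_bit       # the injected single-bit error
        if bit == "1":
            result = result * base % mod
    return result % mod


def encode(msg: bytes) -> int:
    # Toy message encoding; real signatures hash and pad (PKCS#1 v1.5 or PSS).
    return int.from_bytes(msg, "big") % N


def sign_unchecked(msg: bytes, fault_step=None, fault_bit=None) -> int:
    """Plain RSA signing: whatever the multiplier produced goes out the door."""
    return modexp(encode(msg), D, N, fault_step, fault_bit)


def verify(msg: bytes, sig: int) -> bool:
    """Standard public-key verification: sig ** e mod n must equal the message."""
    return modexp(sig, E, N) == encode(msg)


def sign_checked(msg: bytes, fault_step=None, fault_bit=None):
    """Countermeasure from the thread: validate the result before sending it.

    Re-verifying with the public key is cheap (e is small) and catches any
    corrupted signature, whether the fault hit one multiply or the whole run.
    A faulted signature is withheld (None) instead of leaking to the attacker."""
    sig = modexp(encode(msg), D, N, fault_step, fault_bit)
    if not verify(msg, sig):
        return None                # refuse to emit; caller should retry or alarm
    return sig


if __name__ == "__main__":
    msg = b"hi"
    good = sign_unchecked(msg)
    bad = sign_unchecked(msg, fault_step=LAST_STEP, fault_bit=3)
    print("clean signature verifies:", verify(msg, good))
    print("faulted signature verifies:", verify(msg, bad))
    print("checked signer released faulted signature:", sign_checked(msg, LAST_STEP, 3))
```

The demo glitches the final step of the exponentiation because that guarantees a wrong output for the toy key; a fault anywhere earlier in the loop is caught the same way, since the check looks only at the final value. Verifying with the public key is preferable to the "compute twice and compare" variant: a repeated run under the same starved voltage can repeat the same fault, but no corrupted value can survive the public-key check. The cost is one extra exponentiation with a small exponent, which is why hardware signers routinely do it.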
When you overclock, you always have to check system stability at each level you try. Most people run some CPU stress program and see if it crashes or gives the wrong results. If you get any faults, your CPU can't handle the overclock and you have to try a lower frequency. As long as you apply this procedure properly, you won't have any faults. You most certainly won't get any predictable amount of faults. Now, the researchers could do it because they only ran OpenSSL on their hardware. If you tried that on a normal machine, you'd just get a kernel panic (the kernel needs the CPU to work correctly too, you know). Any other software will also have trouble and cause data corruption. Considering that the attack requires you to repeatedly encrypt/sign/verify stuff with your private key during it, the attackers don't have a chance to not get noticed.
Next, the researchers did not actually run it on a real computer. If you RTFA, you'll find out that they implemented a copy of a Sparc processor on an FPGA and ran OpenSSL on that. You can't just vary the input voltage at the PSU, since the PSU will regulate it to the correct output for the CPU. If you drop the voltage below what the PSU can handle (~85V), it will shut down. You might succeed if you changed the voltage at the motherboard, but the board really ought to detect that. Also, Intel chips, like Nehalem, actually have voltage converters on the chip which change 12V and 5V inputs to the 1.5V or so that the CPU needs. So your Core i7 system is quite safe against this attack. (Yes, it overclocks. See above)
Finally, there's the obvious problem of physically attacking the computer while you're using it. The attackers would need to constantly control and monitor whatever hardware doohickey they installed on your motherboard, as well as needing a working login to be able to time how long it takes you to run the algorithm each time. It is much easier to just install a hardware keylogger and get the passphrase.
TPM chips, and certainly high-end smart card chips, are protected against these kinds of attacks on the power source. You certainly cannot get a Common Criteria certification if you don't protect against these kinds of side-channel attacks. Of course, for consumer CPUs there's no CC certification or protection measures like these.
FIPS 140-2 level 3 requires zeroing of the key upon tamper detection, but not detection of voltage or temperature abnormalities (those are level 4). This attack would be interesting against such a device.
Socialism: a lie told by totalitarians and believed by fools.
You know, in a lot of computers the psu also feeds the harddrive that stores private keys...
I find it striking how much Figure 8 in the PDF, showing the location of single-bit faults, resembles the acoustic power spectrum of something behaving like a closed tube. I see clear odd numbered partials and weak even numbered partials, with a missing fundamental. I would not be surprised if this distribution turns out to be connected to the exact timing of the attacks. Sweeping the timing of the attacks may cause other bits to be affected.
Mal-2
How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
I smell Smart-Grid abuse in the near future.
"The amount of data required to perform monitoring and switching your appliances off without your consent is very small"
http://en.wikipedia.org/wiki/Smart_Grid
Oh god...
Blue-Ray Players
Which proves the parent's point: if the key is stored on the drive, why go to this length to fetch it, since you can simply read it off the drive...
Actually, the approach in the paper is quite different from Differential Power Analysis (DPA).
DPA, as the "A" implies, analyzes the power drawn by a cryptographic algorithm: since each operation a CPU performs draws a slightly different amount of power, the resulting aggregate power draw from the CPU draws a picture of what the algorithm is doing. Using DPA analysis, it then becomes possible to infer information about the key, IF changes in the key bits cause changes in operations, and thus power demands. The primary means to protect against DPA is to make the power draw of a crypto core INDEPENDENT of the key bits, which is very challenging.
These blokes have done something quite different... By starving the CPU for energy (by dropping the voltage) they cause occasional operations in the crypto algorithm to fail, and a single bit failure in a multiply, according to the paper, reveals 4 bits in the private key. They use a kind of "what if" computation to reveal the 4 missing bits. It's a cool idea.
As for applicability, I'm a circuit geek, and there are three easy ways to get a circuit to fail:
1) run with too little voltage (what the paper does)
2) overclock the system (mentioned in earlier comments)
3) overheat the system (since circuit delay rises with temperature)
Here would be an interesting study: I wonder if overheated servers sometimes cause failures in RSA authentication that inadvertently leak 4 bits of the private key to the outside world. Normal SSL libraries would simply retry the authentication if they got a bogus reply, but a clever SSL library could do the "what if" computation and donate the 4-bit result to a central repository, logged under the epically failing website address.
In what kind of scenario would you have access to the PSU of the server you attacked? Private key servers should not be directly accessible after all.
Uh, like the scenario where you're a bank's IT admin and you're trying to steal PIN encrypting keys?
BTW, you should require direct access to load or change keys if you know what's good for you.
Hardware crypto devices already tackle these problems, this research is further justification for them.
Which proves the parent's point: if the key is stored on the drive, why go to this length to fetch it, since you can simply read it off the drive...
HW crypto appliances (a glorified PC server booting off a CD with a black box PCI card) don't have harddrives.
A hand rolled software crypto server might not either, and probably isn't anal about input voltages unlike the expensive appliance.
The point is cheaping out on your crypto system has measurable risks.
If, on the other hand, you can guess the private crypto keys out of a DRMed PMP just by clipping a 15 dollar device from some shady mod-chip vendor to the recharging port and waiting a few days, heads will roll. There are a lot of devices these days that are designed to keep keys secret from the owners of the hardware. Particularly for common ones, voltage attack devices might well become fairly common advanced hobbyist and/or grey market items...
Worth noticing is that the 100 hours mentioned in TFS was on an 81-box cluster. They estimated it to be about a year on a 2.4GHz CPU. Of course, for the purposes of cracking DRM keys, it is not unreasonable to imagine a distributed network cooperating.
More interesting, in my opinion, was that it has 50% chance to guess the key in O(n * log n) time, and their example needed only 650 faulty messages (extrapolating from a 12% single-bit-error rate, it should work with a bit over 5000 total messages generated).
Good luck breaking into Sony/Nintendo and getting at the machines holding their private keys, though.
Again: this attack lets you extract leaked bits from the private key; it doesn't help in deriving the private key from the public key, which is what you'd want to break devices that verify code signing.
Coffee-driven development.
Replying to remove faulty moderation.
Ne mæg werig mod wyrde wiðstondan, ne se hreo hyge helpe gefremman.
What we need is a new class of specialized devices that acts as a firewall for power. Some new device that you put between the power outlet and you computer that automatically compensates for potentially malicious sags and surges in the voltage. To make things even safer, we can add some sort of specialized cache memory for power that stores enough packets of power to keep the computer going in case the malicious attacker cuts the power lines into the secure facility.
Does anyone want to invent such a device?
Supposed to be protected, anyway. Rumour has it that some of them are rather less robust against voltage-based attacks - especially transients - than they should be. Then there's interesting stuff like optical fault injection...
For sure, there are still a lot of things to do even regarding the age-old voltage attacks. But general attacks that only use voltage regulation will certainly trigger countermeasures.
Still doesn't matter: if the attacker has physical access to your server, as this attack requires, he can just load the key from your CD then.
By the way, ResoMail offers you secure hosting, which will prevent your keys from being compromised if the server is compromised.
ResoMail - the alternative secure e-mail system
And I think it's easy to combat this TrueCrypt vulnerability (and I think it's not only TrueCrypt that is vulnerable) by wiping the memory before shutdown.