Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Find Way To Zap RSA Algorithm

Posted by timothy on from the vhat-here-in-ze-laboratory dept.

alphadogg writes "Three University of Michigan computer scientists say they have found a way to exploit a weakness in RSA security technology used to protect everything from media players to smartphones and e-commerce servers. RSA authentication is susceptible, they say, to changes in the voltage supply to a private key holder. While guessing the 1,000-plus digits of binary code in a private key would take unfathomable hours, the researchers say that by varying electric current to a secured computer using an inexpensive purpose-built device they were able to stress out the computer and figure out the 1,024-bit private key in about 100 hours – all without leaving a trace. The researchers in their paper outline how they made the attack (PDF) on a SPARC system running Linux."

3 of 173 comments (clear)

  1. Re:Changing the voltage supply req. HW access, rig by fuzzyfuzzyfungus · · Score: 5, Insightful

    Probably much more threatening(though, frankly, that pleases me) to DRMed embedded systems and similar gear that is supposed to be "secure" vs. its immediate environment; but is also in the hands of the public in huge quantities.

    Yeah, if I can break into your datacenter and clamp some crazy widget onto the (presumably multiple) lines supplying your server's PSUs, a clever voltage attack is not the biggest of your problems.

    If, on the other hand, you can guess the private crypto keys out of a DRMed PMP just by clipping a 15 dollar device from some shady mod-chip vendor to the recharging port and waiting a few days, heads will roll. There are a lot of devices these days that are designed to keep keys secret from the owners of the hardware. Particularly for common ones, voltage attack devices might well become fairly common advanced hobbyist and/or grey market items...

  2. Physical Access by KevMar · · Score: 5, Insightful

    If someone has physical access to your machine, then you have already lost.

    --
    Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
  3. Re:Changing the voltage supply req. HW access, rig by daniel+de+graaf · · Score: 5, Insightful

    Depends on what the DRM is trying to protect. Music players, video players for downloadable content, and basically anything where the content isn't tied to a physical object like a game disc will need a private key of some kind to encrypt the data on their volatile storage. While most of this will probably be done using symmetric encryption, you still need some way for the server that hands out the content to prove that it is a real device and not an emulated device, and that's normally done with a locally stored private key.