
'Severe' OpenSSL vuln busts public key crypto (Register)

The Register has posted an article on a reported OpenSSL vulnerability that allows attackers to obtain a system's private key. Before hitting the panic button, though, it's worth seeing what's involved in carrying out this attack: "The university scientists found that they could deduce tiny pieces of a private key by injecting slight fluctuations in a device's power supply as it was processing encrypted messages. In a little more than 100 hours, they fed the device enough 'transient faults' that they were able to assemble the entirety of its 1024-bit key." It could be a problem for keys hidden in embedded systems, but that is probably about the extent of it.

'Severe' OpenSSL vuln busts public key crypto (Register)

Posted Mar 6, 2010 18:35 UTC (Sat) by RobSeace (subscriber, #4435) [Link]

And, it sounds to me like it's really an attack on RSA, and they only happened to choose to attack OpenSSL's implementation of it for demonstration purposes... But, El Reg is spinning it as an OpenSSL-only bug of some kind...

'Severe' OpenSSL vuln busts public key crypto (Register)

Posted Mar 6, 2010 19:09 UTC (Sat) by drag (subscriber, #31333) [Link]

It has to do with how random numbers are generated. It's quite possibly just OpenSSL that is
affected.

Probably more accurately they don't know how it would affect other crypto implementations.

'Severe' OpenSSL vuln busts public key crypto (Register)

Posted Mar 6, 2010 21:32 UTC (Sat) by luto (subscriber, #39314) [Link]

Huh? I don't think it has anything at all to do with random numbers. It's
arguably a bug in openssl's fault-attack mitigation code.

'Severe' OpenSSL vuln busts public key crypto (Register)

Posted Mar 6, 2010 22:03 UTC (Sat) by squidgit (subscriber, #42190) [Link]

+1

Yea if you read the paper the fault is in 2 parts. First is the transient fault attack on RSA
(theoretically any implementation of RSA). Second, the RSA implementation can guard against it by
validating the results of the exponentiation step, which OpenSSL doesn't.

So yea it's a weakness in RSA made useful by a bug/weakness/slackness in OpenSSL.

'Severe' OpenSSL vuln busts public key crypto (Register)

Posted Mar 6, 2010 18:52 UTC (Sat) by lkundrak (subscriber, #43452) [Link]

If I understand it correctly the attack can only be conducted if the attacker already has access to the device.

In most scenarios I can imagine it seems more like a nice feature for devices plagued with DRM and such than like a security vulnerability :)

'Severe' OpenSSL vuln busts public key crypto (Register)

Posted Mar 6, 2010 19:50 UTC (Sat) by flewellyn (subscriber, #5047) [Link]

So they used a side-channel attack on a machine to which they had physical access?

That's hardly a vulnerability in the software itself.

'Severe' OpenSSL vuln busts public key crypto (Register)

Posted Mar 6, 2010 20:32 UTC (Sat) by nix (subscriber, #2304) [Link]

Well, the software can be made robust against such things (OpenSSL has
been before, against similar classes of attacks if not this one). So, if
it isn't, this could be considered a vulnerability. It's not a terribly
important one in my eyes unless your smartcard chip runs OpenSSL...

'Severe' OpenSSL vuln busts public key crypto (Register)

Posted Mar 7, 2010 17:14 UTC (Sun) by tialaramex (subscriber, #21167) [Link]

It is very often the case that your choice of implementation method matters to the difficulty of the attack. If your product X and the competing product Y both have a side channel attack, but yours can be exploited by a graduate student with $1000 of equipment off eBay, and theirs requires a multi-million dollar laboratory, yours is the one the criminals are going to actually attack.

A classic example in the past was the use of conditionals. If you conditionally execute path A or path B of some code depending on a key bit, and the paths use different power, it's "easy" to measure. But if you always execute both code paths and discard the A or B result according to the bit then you waste some power, but you make your system a lot harder to attack.

This is ironic because these attacks are used against embedded hardware in security dongles, where saving power is really important, but unfortunately for the owner it's only of secondary importance compared to the system's security. I doubt OpenSSL scales down that far, but obviously some uses will be more exposed than others.

'Severe' OpenSSL vuln busts public key crypto (Register)

Posted Mar 6, 2010 19:52 UTC (Sat) by nix (subscriber, #2304) [Link]

I'm afraid I was thrown by the language of the Reg post. OpenSSL
has 'officials' and anonymous 'engineers' now? These are separate
categories? When did it get so bureaucratic?

(answer: it didn't, and the author of the post has no clue how free
software projects are run.)

'Severe' OpenSSL vuln busts public key crypto (Register)

Posted Mar 6, 2010 22:19 UTC (Sat) by kunitz (subscriber, #3965) [Link]

It was known that errors during the RSA signing operation (modular exponentiation) could compromise the private exponent. The authors have now demonstrated that modifying the voltage of the CPU can provoke such errors. The software used for RSA signing was OpenSSL. The experimental setup consisted of a SPARC CPU implemented in an FPGA running Linux.

This issue could be mitigated if OpenSSL verified the generated signature before returning it to the user of the library. This would make the signature operation a little bit slower, but OpenSSL already doesn't implement the fastest possible exponentiation algorithm, because a constant runtime prevents timing attacks.

The paper doesn't mention Jurjen Bos' wooping method to verify the big-integer operations as another method to address the issue.
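The guard squidgit and kunitz describe (verify the signature before releasing it) as an added example, not code from the original thread or from OpenSSL. It uses a constructed toy RSA key with small primes, textbook RSA without padding, and simulates a transient fault by corrupting one half of a CRT signature; `FaultDetected`, `rsa_sign_crt` and `sign_checked` are names assumed here.

```python
import hashlib

# Constructed toy RSA key (small primes, illustration only, not a secure key).
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)   # private exponent (modular inverse needs Python 3.8+)


class FaultDetected(Exception):
    """Raised when a freshly computed signature fails verification."""


def message_to_int(msg: bytes) -> int:
    """Hash the message and reduce mod N (textbook RSA, no padding scheme)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def rsa_sign_crt(m: int, inject_fault: bool = False) -> int:
    """CRT RSA signature; inject_fault simulates a glitch in the mod-q half."""
    dp, dq = D % (P - 1), D % (Q - 1)
    qinv = pow(Q, -1, P)
    sp = pow(m, dp, P)
    sq = pow(m, dq, Q)
    if inject_fault:
        sq = (sq ^ 1) % Q      # simulated transient fault: one bit flipped
    h = (qinv * (sp - sq)) % P
    return sq + h * Q          # Garner recombination, result in [0, N)


def sign_checked(m: int, inject_fault: bool = False) -> int:
    """Sign, then verify with the public key before releasing the result.

    A faulty signature never leaves this function, so an attacker glitching
    the CPU gets an error instead of key material to analyse.
    """
    s = rsa_sign_crt(m, inject_fault)
    if pow(s, E, N) != m:
        raise FaultDetected("signature failed self-check; not releasing it")
    return s


def fault_is_caught(m: int) -> bool:
    """True if a simulated fault is rejected rather than returned."""
    try:
        sign_checked(m, inject_fault=True)
    except FaultDetected:
        return True
    return False


if __name__ == "__main__":
    m = message_to_int(b"constructed sample message")
    print("good signature verifies:", pow(sign_checked(m), E, N) == m)
    print("faulty signature rejected:", fault_is_caught(m))
```

The unchecked `rsa_sign_crt(m, inject_fault=True)` returns a value that does not verify, which is exactly what an implementation without this guard would hand back to the caller.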

'Severe' OpenSSL vuln busts public key crypto (Register)

Posted Mar 6, 2010 22:54 UTC (Sat) by horen (guest, #2514) [Link]

"...by injecting slight fluctuations"

Reminds me of "Close Encounters of the Third Kind", with the "quavers" and "semi-quavers" on the "dark side of the Moon".

'Severe' OpenSSL vuln busts public key crypto (Register)

Posted Mar 7, 2010 0:26 UTC (Sun) by sandholm (guest, #48477) [Link]

Another case of a British rag playing the sensationalism card to drive up readership. What do you expect for a country that has an ongoing infatuation with Microsoft?

'Severe' OpenSSL vuln busts public key crypto (Register)

Posted Mar 7, 2010 15:27 UTC (Sun) by Trelane (subscriber, #56877) [Link]

They *used* to be pretty anti-Microsoft. This has been very attenuated, sometime soon after the DoJ anti-trust trial iirc.

'Severe' OpenSSL vuln busts public key crypto (Register)

Posted Mar 8, 2010 9:56 UTC (Mon) by ctg (guest, #3459) [Link]

Oh dear me, you are grumpy. What happened this morning? Did you realise Windows 7 was your idea?

Dan Goodin, the article author, is American.

'Severe' OpenSSL vuln busts public key crypto (Register)

Posted Mar 8, 2010 14:02 UTC (Mon) by jonth (subscriber, #4008) [Link]

Steady on, old chap! Don't tar us all with that brush.

'Severe' OpenSSL vuln busts public key crypto (Register)

Posted Mar 7, 2010 1:23 UTC (Sun) by branden (guest, #7029) [Link]

If this turns out to be a meaningful vulnerability, I look forward to Ben
Laurie blaming the problem on distributors.

If only the UMich guys had contacted the prominently-documented
openssl-faults-observed-on-intel-clusters-and-fpga-based-sparc-implementations-team@openssl.org
list, none of this grief would have come to pass.

'Severe' OpenSSL vuln busts public key crypto (Register)

Posted Mar 7, 2010 10:02 UTC (Sun) by billywright (guest, #62919) [Link]

Typical graduate student work, showing how useless computer science has become in the real world, 2010. At least they're bored Americans though, and not Chinese Communists working for Nanjing Military University.

'Severe' OpenSSL vuln busts public key crypto (Register)

Posted Mar 7, 2010 11:13 UTC (Sun) by tzafrir (subscriber, #11501) [Link]

What makes you think that there aren't some "Chinese Communists working for Nanjing Military University" working on those things as well?

Attack upon whose assets ?

Posted Mar 8, 2010 15:29 UTC (Mon) by copsewood (subscriber, #199) [Link]

As an attack demonstrating the vulnerability of systems where the key is provided along with encrypted content to the normally-considered owner of the machine in order to protect content from use by that owner according to that owner's agenda, then anyone who is opposed to treacherous computing will likely welcome it.

It doesn't threaten ecommerce or secure communications between our friends Alice and Bob. It might be an attack of the kind which makes it even more difficult for Dave to impose a treacherous computing environment upon Alice which she can't crack, for the purpose of preventing Alice from sharing Dave's content with Bob once Alice has been provided with such content along with the key needed to decrypt and consume it.

It depends

Posted Mar 8, 2010 23:13 UTC (Mon) by tialaramex (subscriber, #21167) [Link]

There are other applications where the key is sealed away, from the legitimate owner somewhat by chance, but from everyone else quite intentionally.

Many "two factor" systems depend on sealing a cryptographic key inside a plastic blob and then assuming that the key can't be extracted from the blob. Take a modern (chip & PIN) bank card. Unlike a mag stripe card, you can't just clone these with $10 of gear off eBay. But what if you could? Clones wreck the second factor in your "two factor" system and instantly you're back to relying on some idiot's easily remembered four digit PIN to protect the entire contents of his bank account.

I don't want my TV deciding what I can or can't watch, but I also don't want a smart university student making extra money by cloning my credit card when I buy stuff from the store where she works part time.

It depends

Posted Mar 8, 2010 23:50 UTC (Mon) by anselm (subscriber, #2796) [Link]

You may want to take a look at Ross Anderson's http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/ (Sorry I can't make the link clickable but Konqueror seems to be broken, too).

It depends

Posted Mar 9, 2010 12:16 UTC (Tue) by tialaramex (subscriber, #21167) [Link]

I'm aware of that work (I forwarded it to our PR people back when it was published).

That paper is about a specific design flaw, which is orthogonal to the problem of cloning. The banks will sooner (if under government pressure) or later fix the problem Anderson found; what I'm showing is that for Chip and PIN to be an improvement even in _theory_ it has to resist cloning. Side channel key revealing attacks are the enemy there, not our friends as they are for untrustworthy computing.

And there are a lot of other two factor systems that are affected by cloning. Even World of Warcraft, which is just a video game, albeit a very sophisticated one, is now selling dongles to enable two factor auth.


Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds