A side-channel attack on GnuPG

By Jake Edge
February 17, 2016

Using equipment that is reminiscent of the Van Eck phreaking scene in Cryptonomicon, some security researchers have shown that keys can be extracted from a laptop in the next room. It is a passive attack that exploits a side channel in the GNU Privacy Guard (GnuPG) implementation of the Elliptic Curve Diffie-Hellman (ECDH) key-exchange protocol. The problem has been fixed in Libgcrypt, but the possibility of similar weaknesses in other algorithms or implementations makes this kind of attack worthy of some study by those working in cryptography.

The paper [PDF] that describes the technique was authored by Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran Tromer, who are researchers at Tel Aviv University. There are pictures of the equipment used in the paper, as well as on a web page with some FAQs on the technique. The current setup costs around $3000 for the equipment needed to intercept the electromagnetic (EM) signals from a computer on the other side of a wall, but it is believed that much less expensive (and more portable) equipment could be developed.

The basic idea is to measure the EM output of the laptop as it decrypts chosen ciphertext. GnuPG is used by tools like the Enigmail plugin for Mozilla Thunderbird, so email can be used as a way to cause the laptop to do the decryption. Enigmail will automatically pass encrypted email to GnuPG for decryption, which means that email sent will result in decryption that can be captured in the next room. Multiple emails were sent to improve the reliability of the key extraction. So, by sending emails encrypted with a victim's public key, an attacker (or government agency) in the next room can recover most of the victim's private key—thus decrypt any other encrypted email that has been intercepted.

In Libgcrypt 1.6.3 and earlier, the decryption algorithm does an optimization that allows the key to be recovered. Large integers (such as keys) are represented in non-adjacent form (NAF) in order to reduce the number of non-zero digits (each of which requires additional arithmetic operations) from roughly one-half to one-third. Numbers in that form are strings of 1, 0, and -1 values.

By observing the operations performed on the ciphertext, the researchers were easily able to distinguish the 0 "bits" in the key, but there was still a problem determining whether the non-zero values were 1 or -1. That's where choosing the ciphertext comes into play. By using specific points on the elliptic curve in the ciphertext, the researchers could reliably distinguish between the sequence of operations done for a 1 value versus those done for a -1 value.

The net result is described in the paper:

Applying our attack and signal processing techniques to a target laptop (Lenovo 3000 N200) located in the adjacent room, we have successfully extracted the secret scalar of a randomly generated ECDH NISTP-521 key except its first 5 NAF digits and with an error of two digits. For the attack we have used traces collected by measuring the target's EM leakage during 66 decryption operations, each lasting about 0.05 sec. This yields a total measurement time of about 3.3 sec.

While the entire key is not necessarily extracted, the search space has been reduced enormously. Presumably, brute-force techniques can determine the missing digits and any errors in short order.

In order to avoid this side-channel leak, Libgcrypt 1.6.5 was released. It always does the same set of operations for each digit, regardless of its value. The researchers worked with the GnuPG developers to ensure that the change resisted the attack. The new algorithm is slower, but won't be subverted with this technique. Other tools use Libgcrypt, too, of course, so the update is important. The big unknown is whether other implementations of ECDH are vulnerable—and what other side channels (in other cryptographic algorithms) are out there waiting to be found.

Cryptographic algorithms are hard to get right even before considering problems like side channels. While these kinds of attacks are not particularly new, they do represent a threat to users, particularly from targeted, nation-state-level attackers. Though, as noted in the FAQ, this kind of attack is unlikely to be used except against the most security conscious:

Most adversaries would not go through the trouble of using such techniques, given the sorry state of security vulnerabilities at the software level (after all, a thief will not bother climbing through a window if the front door is left unlocked). Thus, our work is most pertinent to systems that are carefully protected against software attacks, but — as we show — may be wide open to inexpensive physical attacks.

For those who are taking more precautions than most, however, these techniques have to be a little worrisome. It is not terribly hard to imagine some agency setting up shop in the next hotel room over and monitoring the activity of the laptop next door, then sending these targeted emails and collecting the data needed. The best defense may well be to ensure that decryption only takes place under the direction of the user—and in a secure location.

Index entries for this article
Security	Encryption/Side-channel attack

A side-channel attack on GnuPG

Posted Feb 18, 2016 8:26 UTC (Thu) by johill (subscriber, #25196) [Link] (5 responses)

Using a key on a smartcard, yubikey or similar would, presumably, also help against this attack.

A side-channel attack on GnuPG

Posted Feb 18, 2016 9:03 UTC (Thu) by dd9jn (✭ supporter ✭, #4459) [Link]

Except that smartcards supporting ECC are not yet easily available. Maybe except for gniibe's gnuk token which supports Ed25519 and Curve25519.

A side-channel attack on GnuPG

Posted Feb 18, 2016 19:04 UTC (Thu) by smoogen (subscriber, #97) [Link]

Well I would just look at the em signal from the key instead. If you can figure out that you can just move the attack to something people didn't think about and much harder to patch. Of course the signal might be much harder to find in the noise of the world so the attack may require even more of a "put the computer in the middle of the room. Make sure the person can only reach it at the end of a chain..."

A side-channel attack on GnuPG

Posted Feb 19, 2016 7:49 UTC (Fri) by robbe (guest, #16131) [Link] (2 responses)

Yes. But, that’s just saying: using another implementation helps.

This implementation may or may not be affected by the same problem. Furthermore, smart cards usually run closed-source software, so you can’t even check without expensive equipment.

On the other hand, smart cards /should/ be proofed against this kind of side-channel, and the leakage on a teensy chip should be much less than on your CPU powerhouse.

Finally, if your smart card were affected by a bug: do you know where firmware updates are published? How often do you check? How often do you actually upgrade? For me the answers would be: no, never, never.

A side-channel attack on GnuPG

Posted Feb 19, 2016 9:32 UTC (Fri) by xnox (guest, #63320) [Link] (1 responses)

Yubikeys do ECC. They have non upgradable firmware. Their firmware is mostly open source as far as I can tell. When they were affected by a javacard CVE for the openpgp portion of the functionality they shipped free replacement keys. That CVE also was quite bad.

But it baffles me why individuals would ever choose that over RSA. ECC will be cracked first with quantum computing. Hence I am yet to use ECC.

A side-channel attack on GnuPG

Posted Feb 19, 2016 14:38 UTC (Fri) by Trou.fr (subscriber, #26289) [Link]

FIY one of the already existing algorithms for quantum computers is Shor's factoring algorithm, which would break your RSA key readily. Post quantum crypto is still in its infancy and no well studied scheme has been regarded as secure yet.

A side-channel attack on GnuPG

Posted Feb 18, 2016 18:27 UTC (Thu) by fandingo (guest, #67019) [Link] (5 responses)

> The basic idea is to measure the EM output of the laptop as it decrypts chosen ciphertext.

What type of radiation are we talking about and what's the source? Is this similar to a timing attack, except instead of time they're measuring EM?

I did find a little info the paper:

> During the decryption of the chosen ciphertext, we measure the EM leakage of the target laptop, focusing on a narrow frequency band (frequencies in the range 1.5–2 MHz). After suitable signal processing, a clean trace is produced which reveals information about the operands used in the elliptic curve operations. This information, in turn, is used in order to reveal the secret key.

> the best signal quality was obtained close to the CPU’s voltage regulator,

I don't understand what about decryption is causing the computer to emit a distinguishable signal.

A side-channel attack on GnuPG

Posted Feb 18, 2016 19:10 UTC (Thu) by smoogen (subscriber, #97) [Link] (2 responses)

I expect that the computer is always emitting a signal in various ranges. If however the computer is only doing one thing (encrypting things) that signal is just going to be that one thing. This is where some of these attacks aren't practical because you may have to be the only computer, the only thing you are doing is A and you have only used this particular memory chipset which echos a signal at N Mhz. Change any of those variables and the attack becomes harder. Or just cut out any speedups and make sure you do the same thing with null data that you do with full data. [I am not a cryptoanalysis but it seems that pretty much every big side channel attack is usually "Hey you know a lot of this data is X. we can speed it up by doing this when we see this pattern." Which is what coders like to do because they like to make things faster or more efficient.. but it seems that any time that occurs it opens a "hey look for when they are doing that and see what we can pull out of the system."

A side-channel attack on GnuPG

Posted Feb 18, 2016 20:36 UTC (Thu) by apoelstra (subscriber, #75205) [Link] (1 responses)

>[I am not a cryptoanalysis but it seems that pretty much every big side channel attack is usually "Hey you know a lot of this data is X. we can speed it up by doing this when we see this pattern." Which is what coders like to do because they like to make things faster or more efficient.. but it seems that any time that occurs it opens a "hey look for when they are doing that and see what we can pull out of the system."

In crypto it's often not "hey, I can be clever by optimizing this special case", but rather special cases already existing in the mathematics. In elliptic curves this happens often, because elliptic curves fit most naturally into a projective space, where the only everywhere-defined rational functions are the constant ones. This means that any formula you come up with to add two points is going to have some case where it doesn't work. The textbook case of this results in three formulas:
1. Adding a point to "the point at infinity" gives you that point back. This is basically instant.
2. Adding two distinct non-infinite points requires one formula, which some number of field operations.
3. Adding two equal points (i.e. doubling) requires another, which takes slightly fewer field operations than the above.

Absent further trickery, you have to write separate code for each of these cases, since the total addition formula will thus be wrong. And they each take a different amount of time, giving rise to timing attacks.

So the problem here was not special-casing things; it was indeed caused by using a compact scalar representation that had a bunch of 0's in it, but this would also have been true had the programmers done the naive thing and just used normal binary numbers for their scalars. To avoid this attacks requires even more cleverness: (a) finding a representation that has no 0's in it, and (b) doing a scalar multiply with this representation in away that its pattern of doubling vs non-doubling is independent of the underlying secret data.

A side-channel attack on GnuPG

Posted Feb 19, 2016 9:37 UTC (Fri) by xnox (guest, #63320) [Link]

... And after all that tell compiler to not optimise this bit of code?! Cause I bet next gen compiler will optimise all that trickery out.

A side-channel attack on GnuPG

Posted Feb 19, 2016 15:12 UTC (Fri) by thoughtpolice (subscriber, #87455) [Link] (1 responses)

The core of the double-and-add algorithm for an Elliptic Curve algorithm tends to look something like:

for (i = 0 to <CONSTANT>, i++) {
if bit_is_set(i, scalar) {
Q = point_addition(P, Q)
}
point_double(P)
}

(you can look up the full algorithm, of course).

The "scalar" in this case is actually the private key you generate. You calculate secrets by doing scalar multiplication of a point vs your secret key scalar.

This algorithm admits a very obvious timing attack, namely, that the number of point additions and point doubles is dependent on the input pattern of an input scalar. The scalar 0x10000000 features 8 double operations but only 1 addition operation. 0x11111111 features 8 doubles and 8 additions. Any iteration of the loop where the i'th bit is set will clearly reveal whether that bit is set - either through measuring execution time, or electromagnetic emissions.

It is not clear if this attack in the paper works as well on other curves such as Curve25519 which use the montgomery ladder, which is a constant-time scalar multiplication algorithm, that always does the exact same number of point doubles/additions, regardless of the bit pattern of the input scalar. However, it's probably still possible to recover some information if you can distinguish a point addition from a point double in the core loop. Something like an Edwards curve with unified point addition/doubling and the montgomery ladder will probably make the attack far less effective.

A side-channel attack on GnuPG

Posted Feb 19, 2016 17:07 UTC (Fri) by gmaxwell (guest, #30048) [Link]

This attack isn't a question of curve choice-- the implementation could have used x25519 and still used NAF (and would have been faster than an implementation not using NAF).

The attack combines several EM leaks that are specific to the combination of NAF and field operations which are not constant-EM based on their inputs. E.g. they'd fed a public point whos value or negation has a small coordinate; and in doing so determine if for each position -P or P s being added.

EM sidechannels are incredibly hard to be secure against; since generic computing devices make no real promises about EM sidechannels even for operations which are otherwise constant-time. On top of a generic non-costant time field implementation all bets are off. The best you can likely do is expensive blinding operations.