It's more straightforward to attack than your scenario: I have your public key, so I have some idea. I send you a GPG email, and your email client will decrypt it as it hits your inbox. Everything except the "physical touch" can be automated. And as iOS jailbreaks have shown, even though the attack vector is complex, once automated anyone can perform it easily.
IMHO, this is a major hole that can and should be plugged at the algorithmic level (e.g. ciphertext blinding) - that's the function of a crypto library, so applications using it don't have to worry about it. And the library shouldn't make assumptions about the app. I'm surprised Peter hasn't said anything in BC's RSA implementation.

Regards
Sid

On Aug 29, 2014, at 5:33 AM, "Edward Ned Harvey (bouncycastle)" <bouncycas...@nedharvey.com> wrote:

>> From: Edward Ned Harvey (bouncycastle)
>> [mailto:bouncycas...@nedharvey.com]
>>
>> Yes I believe an observer of the ground signal could determine "I saw a power spike between X ms and Y ms, which probably means you did something cryptographic or doing some kind of compression or decompression, or graphics rendering," but no I don't believe even remotely, that they are extracting private keys out of that signal, nor what jpg you viewed, nor what file you zip'd up, or what video you converted from H.264 to Mpeg4. All of these would be the *content* of what you were processing at the time.
>
> Ok, I have to stand back now and admit that I was wrong (sorry 'bout that), but that might or might not have any bearing on the relevance - having read their work more completely now, I see they are not claiming to extract keys from memory or from the CPU; they are doing a chosen ciphertext attack, such that bits in the ciphertext will cause CPU spikes upon decryption, at predictable time intervals, when targeted bits of the key are set. By performing this action thousands of times over and over, with chosen ciphertext each time crafted to extract a specific bit of the key, they're able to extract all the bits of the key.
>
> Is bouncy castle susceptible to this? Presumably.
>
> How relevant is it? Well, it's not terribly difficult to send somebody a message and get them to decrypt garbage data once, or even a few times. But getting them to repeatedly decrypt thousands of times, garbage data every single time, is a little more difficult. (Because chosen ciphertext will invariably decrypt to garbage.) Yes this is relevant in situations where some automated system will repeatedly try to decrypt garbage data without the need for human interaction. It might have some real world applications such as attacking a server, or even perhaps a laptop with an email client using an S/MIME key. So the attack requires (a) physical proximity, and (b) an automated system that consistently decrypts the attacker's injected garbage data chosen ciphertext, and of course (c) knowledge of what algorithm the target system is using for decryption. So yes it's important, but not anywhere near the scale of heartbleed, etc. You can't just walk up to somebody's computer, touch it and get their keys out of it.
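Ciphertext blinding, the library-level countermeasure Sid proposes above, as an added Python example that is not code from this thread or from Bouncy Castle. The key is a constructed textbook toy (p=61, q=53, far too small for real use) and the function names are my own; the point is that the private-key exponentiation operates on a random value the sender cannot predict, so the bit pattern of a chosen ciphertext no longer drives what the CPU does.

```python
import secrets
from math import gcd

# Constructed toy RSA key (p=61, q=53): n, public exponent, private exponent.
N, E, D = 3233, 17, 2753


def blind(c, e, n):
    """Return (c', r_inv) with c' = r^e * c mod n for a fresh random r coprime to n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    return (pow(r, e, n) * c) % n, pow(r, -1, n)


def decrypt_plain(c, d=D, n=N):
    # Unblinded: the exponentiation base is exactly the attacker-chosen ciphertext.
    return pow(c, d, n)


def decrypt_blinded(c, d=D, e=E, n=N):
    c_blind, r_inv = blind(c, e, n)
    # The private-key operation now sees r^e * c, which the sender cannot control.
    m_blind = pow(c_blind, d, n)      # equals r * m mod n, since r^(e*d) = r mod n
    return (m_blind * r_inv) % n      # strip the blinding factor to recover m


def bases_seen(c, trials=5, e=E, n=N):
    """The values the private-key exponentiation actually operates on, per call."""
    return [blind(c, e, n)[0] for _ in range(trials)]


if __name__ == "__main__":
    c = pow(65, E, N)                 # ciphertext of m = 65 under the toy key
    print(decrypt_plain(c), decrypt_blinded(c))     # both recover 65
    print(bases_seen(c))              # same c, different operands every call
```

Real libraries also blind the CRT exponentiations and use a constant-time modular exponentiation; this snippet shows only the blinding step.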