John, that 'encoding' sounds very much like ciphertext blinding. This diploma thesis on RSA sidechannel attacks is 10 years old but survey's some solutions. (Link: https://www.cdc.informatik.tu-darmstadt.de/reports/reports/KP/Feng_Lue.diplo m.pdf)
I took a quick look at the BC C# source and it seems it is vulnerable, RSAEngine.cs => ProcessBlock => Lines 136, 139 However, BC C# *also* has an implementation that's somewhat secure to this sidechannel attack by blinding, RSABlindingEngine.cs => ProcessBlock but this implementation seems to be only called for special cases; it's not the default engine. To be honest, I'm not very familiar with the attack itself, so IMHO Peter (just based off GIT logs) ought to look into this, perhaps collaborating with the Authors on this. Regards, Sid -----Original Message----- From: John Anderjaska [mailto:john.anderja...@dsainc.com] Sent: Friday, August 29, 2014 10:37 AM To: Sid Shetye; Edward Ned Harvey (bouncycastle) Cc: dev-crypto-csharp@bouncycastle.org Subject: RE: [dev-crypto-csharp] Side channel vulnerabilities: Power consumption and ground potential attacks? Sid, Ned, I will think about it some more and consider your suggestion for ciphertext blinding. In any case I think you might find this snippet interesting: "To protect against the kinds of information leakage described above, we encode the computation in a way that prevents the powerful computing observer from gaining additional information about the computation. We show that, indeed, for certain classes of leakage, any computation can be so encoded: namely, we give a method for transforming arbitrary circuits into new circuits, which are still leaky but whose leakage is useless to the attacker (in the sense of offering no advantage over black-box access to the original circuit's functionality)." From: http://www.tau.ac.il/~tromer/papers/leakcirc.pdf Cheers .. John -----Original Message----- From: Sid Shetye [mailto:sid...@outlook.com] Sent: Friday, August 29, 2014 12:01 PM To: Edward Ned Harvey (bouncycastle) Cc: John Anderjaska; dev-crypto-csharp@bouncycastle.org Subject: Re: [dev-crypto-csharp] Side channel vulnerabilities: Power consumption and ground potential attacks? It's more straightforward to attack that your scenario: I have your public key, so I have some idea. I send you a GPG email, your email client will decrypt as it hits your inbox. Everything except the "physical touch" can be automated. And as iOS jailbreaks have shown, even though the attack vector is complex, once automated anyone can perform it easily. IMHO, this is a major hole that can and should be plugged at the algorithmic level (eg ciphertext blinding) - that's the function of a crypto library. So applications using it don't worry about it. And the library shouldn't make assumptions about the App. I'm surprised Peter hasn't said anything in BCs RSA implementation. Regards Sid On Aug 29, 2014, at 5:33 AM, "Edward Ned Harvey (bouncycastle)" <bouncycas...@nedharvey.com> wrote: >> From: Edward Ned Harvey (bouncycastle) >> [mailto:bouncycas...@nedharvey.com] >> >> Yes I believe an observer of the ground signal could determine "I saw >> a power spike between X ms and Y ms, which probably means you did >> something cryptographic or doing some kind of compression or >> decompression, or graphics rendering," but no I don't believe even >> remotely, that they are extracting private keys out of that signal, >> nor what jpg you viewed, nor what file you zip'd up, or what video >> you converted from H.264 to Mpeg4. All of these would be the >> *content* of what you were processing at the time. > > Ok, I have to stand back now and admit that I was wrong (sorry 'bout that), but that might or might not have any bearing on the relevance - having read their work more completely now, I see they are not claiming to extract keys from memory or from the CPU; they are doing chosen ciphertext attack, such that bits in the ciphertext will cause CPU spikes upon decryption, at predictable time intervals, when targeted bits of the key are set. By performing this action thousands of times over and over, with chosen ciphertext each time crafted to extract a specific bit of the key, they're able to extract all the bits of the key. > > Is bouncy castle susceptible to this? Presumably. > > How relevant is it? Well, it's not terribly difficult to send somebody a message and get them to decrypt garbage data once, or even a few times. But getting them to repeatedly decrypt thousands of times, garbage data every single time, a little more difficult. (Because chosen ciphertext will invariably decrypt to garbage.) Yes this is relevant in situations where some automated system will repeatedly try to decrypt garbage data without the need for human interaction. It might have some real world applications such as attacking a server, or even perhaps a laptop with email client using S/MIME key. So the attack requires (a) physical proximity, and (b) an automated system that consistently decrypts the attacker's injected garbage data chosen ciphertext, and of course (c) knowledge of what algorithm the target system is using for decryption. So yes it's important, but not anywhere near the scale of heartbleed, etc. You can't just walk up to somebody's computer, touch it and get their keys out of it.
