Re: 1024 bit RSA cracked?

2010-03-21 Thread Ben Laurie
On 17/03/2010 05:03, James Muir wrote:
> ** I just had the following realization:  I had assumed that the authors
> were attacking an openssl *server* running on the fpga board, but
> perhaps that is not so.  They don't seem to make that specific claim.
> They claim only to be attacking an "unmodified version of the OpenSSL
> library".  It is possible that they only created a toy RSA application
> that generates signatures using the openssl library (i.e. by making
> calls to specific openssl functions).  This would explain why they don't
> discuss message blinding -- because they didn't enable it in their toy
> application!  I suspect that's what they did.  In that case, their
> experimental results say very little about the susceptibility of an
> openssl server to fault attacks.  Wow... if I'm correct, then the
> authors really need to be more clear about exactly what they did.

What everyone said...

Plus ... even with their fix, all they have to do is induce two errors
in quick succession and OpenSSL will spit out the key whole.

In any case, this all seems entirely pointless: in order to mount the
attack, you have to have intimate access to the hardware. In other
words, what they have demonstrated is that DRM doesn't work. Groundbreaking.

Of course, the annoying fall-out is that there will be (already is) a
knee-jerk clamour for us to "fix" OpenSSL. Well, I've got news: securing
anything in the face of an unpredictable CPU seems well beyond the scope
of the OpenSSL project - or any other crypto library I am aware of. I'm
not even sure it's possible.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com


Re: 1024 bit RSA cracked?

2010-03-17 Thread netsecurity
On Wed, 10 Mar 2010 21:27:06 +0530, Udhay Shankar N wrote:
> Anyone know more?
> 
> http://news.techworld.com/security/3214360/rsa-1024-bit-private-key-encryption-cracked/
> 
> RSA 1024-bit private key encryption cracked
> Researchers find weakness in security system
> 
> By Network World Staff | Network World US
> Published: 13:26 GMT, 05 March 10
> 
> Three University of Michigan computer scientists say they have found a
> way to exploit a weakness in RSA security technology used to protect
> everything from media players to smartphones and ecommerce servers.
> 
> RSA authentication is susceptible, they say, to changes in the voltage
> supply to a private key holder. The researchers - Andrea Pellegrini,
> Valeria Bertacco and Todd Austin - outline their findings in a paper
> titled "Fault-based attack of RSA authentication" to be presented 10
> March at the Design, Automation and Test in Europe conference.
> 
> "The RSA algorithm gives security under the assumption that as long as
> the private key is private, you can't break in unless you guess it.
> We've shown that that's not true," said Valeria Bertacco, an associate
> professor in the Department of Electrical Engineering and Computer
> Science, in a statement.
> 
> The RSA algorithm was introduced in a 1978 paper outlining the
> public-key cryptosystem. The annual RSA security conference is being
> held this week in San Francisco.
> 
> While guessing the 1,000-plus digits of binary code in a private key
> would take unfathomable hours, the researchers say that by varying
> electric current to a secured computer using an inexpensive
> purpose-built device they were able to stress out the computer and
> figure out the 1,024-bit private key in about 100 hours - all without
> leaving a trace.
> 
> The researchers in their paper outline how they made the attack on a
> SPARC system running Linux. They also say they have come up with a
> solution, which involves a cryptographic technique called salting that
> involves randomly juggling a private key's digits.
> 
> The research is funded by the National Science Foundation and the
> Gigascale Systems Research Center.

Interesting, especially since I recently did a security assessment at a
power company. From what I saw I suspect that one might be able to get to
some of their servers in outlying areas that handle smart meters and apply
techniques like this.

Given that they were able to do 1024 in 100 hours, what might it take them
to crack 2048 or 4096?

Regards,

Allen



Re: 1024 bit RSA cracked?

2010-03-17 Thread James Muir
>> "The RSA algorithm gives security under the assumption that as long as
>> the private key is private, you can't break in unless you guess it.
>> We've shown that that's not true," said Valeria Bertacco, an associate
>> professor in the Department of Electrical Engineering and Computer
>> Science, in a statement.
> 
> They're not the first ones to show that!  Side-channel attacks have been
> around for a while now.  It's not just the algorithms, but the machine
> executing them and its physical characteristics that matter.

I agree. I think the paper overstates its novelty and implications.  It
seems to be an experimental implementation of a fault attack presented
by Boneh, DeMillo and Lipton (i.e. where it is assumed that single bit
errors affect the private exponent).  They target _some_ crypto
application** that uses the openssl library running on an fpga board.
Getting the attack to work in real life is no small feat, so they
deserve props for that, but they make a few questionable claims -- e.g.
they seem to state that the left-to-right fixed-window exponentiation
algorithm was thought to be immune to fault attacks.  In fact, adapting
the BDL attack, which was presented against a right-to-left algorithm,
to work against a left-to-right algorithm is straightforward, and so the
susceptibility of the left-to-right FWE algorithm has been known for
some time.

What I find much more strange about the paper is that the authors make
no mention of message blinding.  I could be wrong, but message blinding
would defeat their attack.  By default, an openssl server utilizes
message blinding in its private key operations, so their attack wouldn't
apply...

** I just had the following realization:  I had assumed that the authors
were attacking an openssl *server* running on the fpga board, but
perhaps that is not so.  They don't seem to make that specific claim.
They claim only to be attacking an "unmodified version of the OpenSSL
library".  It is possible that they only created a toy RSA application
that generates signatures using the openssl library (i.e. by making
calls to specific openssl functions).  This would explain why they don't
discuss message blinding -- because they didn't enable it in their toy
application!  I suspect that's what they did.  In that case, their
experimental results say very little about the susceptibility of an
openssl server to fault attacks.  Wow... if I'm correct, then the
authors really need to be more clear about exactly what they did.

-James
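As an added illustration of the two countermeasures this thread turns on (James's point that message blinding defeats a BDL-style fault attack, and the practice of checking a signature against the public key before releasing it, which Ben's "even with their fix" remark concerns), here is a small Python model. It is not the paper's code or OpenSSL's; the RSA parameters are constructed toy values, and the single-bit flip of the private exponent is a simulated fault of the kind the BDL attack assumes.

```python
import math
import secrets

# Constructed toy RSA key: far too small for real use, chosen so the
# arithmetic stays readable. Both factors are prime; e is the usual 65537.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent (Python 3.8+ modular inverse)


def ltr_exp(base, exp, mod, fault_bit=None):
    """Left-to-right square-and-multiply, the shape of exponentiation
    James refers to (window size 1 here for clarity).

    fault_bit, if given, flips that bit of the exponent before use. This
    simulates the BDL model of a single-bit error in the private exponent;
    it is a software stand-in, not a model of the paper's voltage faults."""
    if fault_bit is not None:
        exp ^= 1 << fault_bit
    result = 1
    for i in range(exp.bit_length() - 1, -1, -1):
        result = (result * result) % mod
        if (exp >> i) & 1:
            result = (result * base) % mod
    return result


def raw_sign(m, fault_bit=None):
    """Unblinded signature m^d mod N: a faulty run yields m^(d') for the
    corrupted exponent d', which is exactly what a BDL attacker wants."""
    return ltr_exp(m % N, D, N, fault_bit)


def blinded_sign(m, fault_bit=None):
    """Message blinding: exponentiate m * r^e for a fresh random r, then
    remove r. A correct run gives the same signature as raw_sign; a faulty
    run still produces wrong output, but that output is now mixed with a
    random r the attacker never sees, so it cannot be related to m."""
    while True:
        r = secrets.randbelow(N)
        if r > 1 and math.gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N
    s_blind = ltr_exp(blinded, D, N, fault_bit)
    return (s_blind * pow(r, -1, N)) % N


def verify(m, s):
    """Public-key check: s^e == m mod N."""
    return pow(s, E, N) == m % N


def guarded_sign(m, fault_bit=None):
    """Verify-before-release: blind, sign, then refuse to emit anything that
    does not verify under the public key. Returns None on a detected fault."""
    s = blinded_sign(m, fault_bit)
    return s if verify(m, s) else None


if __name__ == "__main__":
    msg = 12345                       # constructed sample message
    print("good signature verifies:   ", verify(msg, raw_sign(msg)))
    print("faulty signature verifies: ", verify(msg, raw_sign(msg, fault_bit=3)))
    print("blinded == raw (no fault): ", blinded_sign(msg) == raw_sign(msg))
    print("guarded sign under fault:  ", guarded_sign(msg, fault_bit=3))
```

The guarded path only models the single-fault case; Ben's remark above still applies, since the verification step runs on the same CPU and a second fault landing in that check is outside what this model covers.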





Re: 1024 bit RSA cracked?

2010-03-16 Thread Nicolas Williams
On Wed, Mar 10, 2010 at 09:27:06PM +0530, Udhay Shankar N wrote:
> Anyone know more?
> 
> http://news.techworld.com/security/3214360/rsa-1024-bit-private-key-encryption-cracked/

My initial reaction from reading only the abstract and parts of the
introduction is that the authors are talking about attacking hardware
that implements RSA (say, a cell phone) by injecting faults into the
system via the power supply of the device.

This isn't really applicable to server hardware in a data center (where
the power, presumably, will be conditioned and physical security will be
provided, also presumably) but this attack is definitely applicable to
portable devices -- laptops, mobiles, smartcards.

> "The RSA algorithm gives security under the assumption that as long as
> the private key is private, you can't break in unless you guess it.
> We've shown that that's not true," said Valeria Bertacco, an associate
> professor in the Department of Electrical Engineering and Computer
> Science, in a statement.

They're not the first ones to show that!  Side-channel attacks have been
around for a while now.  It's not just the algorithms, but the machine
executing them and its physical characteristics that matter.

Nico
-- 
