[Full-Disclosure] Timing attack against RSA private keys.
To: email@example.com From: firstname.lastname@example.org Date: Sat, 15 Mar 2003 18:57:13 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Vulnerability Note VU#997481 [DRAFT]
***** NOT FOR PUBLIC DISTRIBUTION *****
VU#997481 - Cryptographic libraries and applications do not adequately defend against timing attacks
Cryptographic libraries and applications do not provide adequate
defense against timing attacks on RSA private keys. Such attacks
have been shown to be practical remotely using widely-available
David Brumley and Dan Boneh, researchers at Stanford University, have
written a paper that demonstrates practical attacks that can be used
to extract private keys from vulnerable RSA decryption applications.
Using statistical techniques and carefully measuring the amount of
time required to complete an RSA decryption operation on known
cyphertext, an attacker can recover one of the factors (q) of the RSA
key. With the public key and the factor q, the attacker can compute
the private key.
Similar types of timing attacks are discussed in CERT Advisory
CA-1998-07, a paper by Daniel Bleichenbacher et al., and a paper by
The paper documents a set of experiments using widely-available
hardware to attack a simplified model of an SSL/TLS-enabled web
server. The researchers were able to extract a 1024-bit RSA private
key from the model RSA decryption server in approximately two hours.
The attack requires ~350,000 samples, which to a web server may
appear as network connections and failed attempts to set up SSL/TLS
sessions. The experiments were conducted on a high-speed, closed
network that does not accurately reflect the network conditions found
on the Internet. The attacks could, however, be feasible on a
network with a low variance in latency such as a LAN,
corporate/campus network, or Internet2/Abilene. The attacks could
also be feasible against production SSL-enabled web servers. The
paper also notes that inter-process attacks against Virtual Machines
(VM) running on the same physical computer could yield RSA secrets
held by a trusted VM, violating the TCPA/Palladium security model.
The paper discusses a defense called "RSA blinding" that introduces
an additional random component to the decryption process and makes
timing information unusable to attackers. It appears that many
cryptographic libraries and applications that may use those libraries
either do not implement RSA blinding or do not make use of it when it
is available in the underlying libraries. RSA blinding does incur a
moderate performance penalty. Although the OpenSSL library does
implement RSA blinding, many applications that use OpenSSL, including
Apache mod_ssl, do not use this feature, and are therefore vulnerable
to timing attacks.
A remote attacker could derive private RSA keys. It is important to
note that the attacks described in this paper appear to be practical
under certain conditions. In the case of remote attacks against
SSL/TLS-enabled web servers, variance in network latency must be
sufficiently low (> 1ms), and the load on the server must be
accounted for by the attacker. A server may be vulnerable during a
period of low activity. In the case of local inter-process attacks
against a VM, or, all the necessary conditions exist. Any
applications that perform RSA private key operations (decryption,
signing) may be vulnerable: SSL/TLS-enabled network services, IPsec,
Secure Shell (SSH), and smart cards are some examples of such
Upgrade or Patch
Upgrade or apply a patch as specified by your vendor. The preferred
defense is to use RSA blinding, however other methods such as
quantizing can be used to reduce or eliminate the information
disclosed by timing. These defenses do incur performance penalties -
2-10% in the case of RSA blinding. In order to use RSA blinding to
defend against these types of timing attacks, it is necessary for the
underlying cryptographic library to support RSA blinding and for the
application to make use of it.
Use larger RSA keys
At the present (February 2003), the attacks are practical against
1024-bit RSA keys.
Monitor RSA decryption applications
Monitor RSA key exchange applications for signs of attack. In the
case of an attack against SSL/TLS web applications, logs may show a
relatively high number of network connections and failed attempts to
establish SSL/TLS sessions.
In the case of sensitive web applications, require clients to use
strong authentication (X.509 client certificates). While this will
not prevent attacks, it will limit and identify the possible sources
This vulnerability is documented in a research paper written by David
Brumley and Dan Boneh of Stanford University.
This document was written by Art Manion.
***** NOT FOR PUBLIC DISTRIBUTION *****
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify
-----END PGP SIGNATURE-----
Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2
Big $$$ to be made with the HushMail Affiliate Program:
Full-Disclosure - We believe in it.