[Full-Disclosure] Timing attack against RSA private keys.

From: hack4life@hushmail.com
Date: 03/16/03

    To: full-disclosure@lists.netsys.com
    From: hack4life@hushmail.com
    Date: Sat, 15 Mar 2003 18:57:13 -0800
    

    -----BEGIN PGP SIGNED MESSAGE-----

    ======================================================================

    Vulnerability Note VU#997481 [DRAFT]

    ======================================================================

                  ***** NOT FOR PUBLIC DISTRIBUTION *****

    VU#997481 - Cryptographic libraries and applications do not adequately defend against timing attacks

    OVERVIEW

    Cryptographic libraries and applications do not provide adequate
    defense against timing attacks on RSA private keys. Such attacks
    have been shown to be practical remotely using widely-available
    hardware.

    DESCRIPTION

    David Brumley and Dan Boneh, researchers at Stanford University, have
    written a paper that demonstrates practical attacks that can be used
    to extract private keys from vulnerable RSA decryption applications.
    Using statistical techniques and carefully measuring the amount of
    time required to complete an RSA decryption operation on known
    cyphertext, an attacker can recover one of the factors (q) of the RSA
    key. With the public key and the factor q, the attacker can compute
    the private key.

    Similar types of timing attacks are discussed in CERT Advisory
    CA-1998-07, a paper by Daniel Bleichenbacher et al., and a paper by
    Paul Kocher.

    The paper documents a set of experiments using widely-available
    hardware to attack a simplified model of an SSL/TLS-enabled web
    server. The researchers were able to extract a 1024-bit RSA private
    key from the model RSA decryption server in approximately two hours.
    The attack requires ~350,000 samples, which to a web server may
    appear as network connections and failed attempts to set up SSL/TLS
    sessions. The experiments were conducted on a high-speed, closed
    network that does not accurately reflect the network conditions found
    on the Internet. The attacks could, however, be feasible on a
    network with a low variance in latency such as a LAN,
    corporate/campus network, or Internet2/Abilene. The attacks could
    also be feasible against production SSL-enabled web servers. The
    paper also notes that inter-process attacks against Virtual Machines
    (VM) running on the same physical computer could yield RSA secrets
    held by a trusted VM, violating the TCPA/Palladium security model.

    The paper discusses a defense called "RSA blinding" that introduces
    an additional random component to the decryption process and makes
    timing information unusable to attackers. It appears that many
    cryptographic libraries and applications that may use those libraries
    either do not implement RSA blinding or do not make use of it when it
    is available in the underlying libraries. RSA blinding does incur a
    moderate performance penalty. Although the OpenSSL library does
    implement RSA blinding, many applications that use OpenSSL, including
    Apache mod_ssl, do not use this feature, and are therefore vulnerable
    to timing attacks.

    IMPACT

    A remote attacker could derive private RSA keys. It is important to
    note that the attacks described in this paper appear to be practical
    under certain conditions. In the case of remote attacks against
    SSL/TLS-enabled web servers, variance in network latency must be
    sufficiently low (> 1ms), and the load on the server must be
    accounted for by the attacker. A server may be vulnerable during a
    period of low activity. In the case of local inter-process attacks
    against a VM, all the necessary conditions exist. Any
    applications that perform RSA private key operations (decryption,
    signing) may be vulnerable: SSL/TLS-enabled network services, IPsec,
    Secure Shell (SSH), and smart cards are some examples of such
    applications.

    SOLUTION

    Upgrade or Patch

    Upgrade or apply a patch as specified by your vendor. The preferred
    defense is to use RSA blinding, however other methods such as
    quantizing can be used to reduce or eliminate the information
    disclosed by timing. These defenses do incur performance penalties -
    2-10% in the case of RSA blinding. In order to use RSA blinding to
    defend against these types of timing attacks, it is necessary for the
    underlying cryptographic library to support RSA blinding and for the
    application to make use of it.

    Use larger RSA keys

    At the present (February 2003), the attacks are practical against
    1024-bit RSA keys.

    Monitor RSA decryption applications

    Monitor RSA key exchange applications for signs of attack. In the
    case of an attack against SSL/TLS web applications, logs may show a
    relatively high number of network connections and failed attempts to
    establish SSL/TLS sessions.

    Authenticate clients

    In the case of sensitive web applications, require clients to use
    strong authentication (X.509 client certificates). While this will
    not prevent attacks, it will limit and identify the possible sources
    of attacks.

    REFERENCES

    http://ietf.org/rfc/rfc2246.txt

    CREDIT

    This vulnerability is documented in a research paper written by David
    Brumley and Dan Boneh of Stanford University.

    This document was written by Art Manion.

                  ***** NOT FOR PUBLIC DISTRIBUTION *****

    ======================================================================

    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.2 (Java)
    Note: This signature can be verified at https://www.hushtools.com/verify

    wl4EARECAB4FAj50WGUXHGhhY2s0bGlmZUBodXNobWFpbC5jb20ACgkQgSjHzuae7+p0
    bACfbnfawyUT4OfDlbXKNYQhQdWsZqYAniqUM4F1Eo/bkQ6pU6vktTMM8FSr
    =Apm5
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
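The blinding countermeasure the note recommends is small enough to show in full. The following is an added example and not code from the CERT note, from Brumley and Boneh, or from OpenSSL: a textbook RSA private-key operation without blinding, the same operation with blinding (a random r is folded into the input so the exponentiation runs on a value the caller does not control, and r^-1 removes it afterwards), and a hypothetical `rsa_private_quantized` wrapper illustrating the "quantizing" alternative the SOLUTION section mentions. The key material is constructed for illustration and is far too small for real use.

```python
# Added example, not from the CERT note, the Brumley-Boneh paper or OpenSSL.
# Textbook RSA private-key operation without and with the "RSA blinding"
# countermeasure, plus the coarser "quantizing" alternative the note mentions.
import math
import secrets
import time

# Constructed demo key.  Both values are genuine primes but far too small for
# any real use; they only keep the arithmetic readable.
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent; pow(x, -1, m) needs Python 3.8+


def rsa_public(m: int) -> int:
    """Public-key operation (encrypt / verify): m^e mod n."""
    return pow(m, E, N)


def rsa_private_unblinded(c: int) -> int:
    """Private-key operation with no countermeasure: c^d mod n.

    In a production implementation (CRT, Montgomery reduction, sliding
    windows) the time this takes depends on the value of c, and c is chosen
    by the remote party.  That data dependence is what the timing attack
    measures over many samples.
    """
    return pow(c, D, N)


def blind(c: int, r: int) -> int:
    """Multiply the ciphertext by r^e so the exponentiation runs on a value
    the remote party does not know: (c * r^e) mod n."""
    return (c * pow(r, E, N)) % N


def unblind(m_blind: int, r: int) -> int:
    """Remove the blinding factor: (c * r^e)^d = m * r mod n, so multiply
    by r^-1 mod n to recover m."""
    return (m_blind * pow(r, -1, N)) % N


def rsa_private_blinded(c: int, rng=secrets.randbelow) -> int:
    """Private-key operation with RSA blinding.

    A fresh random r is drawn per call (rng is a parameter only so a test can
    make it deterministic; secrets.randbelow is the default).  The timing of
    the exponentiation now depends on c * r^e, which changes uniformly at
    random from call to call, so measurements cannot be correlated with c.
    """
    while True:
        r = rng(N)
        # r must be invertible mod n.  For a real-size key a non-invertible r
        # is astronomically unlikely; the loop just keeps the math honest.
        if r > 1 and math.gcd(r, N) == 1:
            break
    return unblind(pow(blind(c, r), D, N), r)


def rsa_private_quantized(c: int, quantum_s: float = 0.002) -> int:
    """Alternative defense: pad every private-key operation to a multiple of
    a fixed time quantum.  This reduces rather than eliminates leakage
    (sleep granularity and operations that straddle a quantum boundary still
    leak), which is one reason blinding is the preferred defense."""
    start = time.perf_counter()
    m = rsa_private_unblinded(c)
    elapsed = time.perf_counter() - start
    padded = math.ceil(elapsed / quantum_s) * quantum_s
    time.sleep(max(0.0, padded - elapsed))
    return m


if __name__ == "__main__":
    msg = 0x48656C6C6F  # "Hello" as an integer; constructed sample input
    c = rsa_public(msg)
    print("unblinded:", rsa_private_unblinded(c) == msg)
    print("blinded:  ", rsa_private_blinded(c) == msg)
    print("quantized:", rsa_private_quantized(c) == msg)
```

The point of the blinded path is that the value handed to the modular exponentiation is no longer the caller's ciphertext, so an observer who can time that exponentiation learns nothing correlated with the input they supplied; the extra two multiplications and one inversion are the "moderate performance penalty" the note refers to.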

