Fault attacks on RSA in libgcrypt

NIIBE Yutaka gniibe at fsij.org
Fri Sep 2 02:34:21 CEST 2016


On 09/02/2016 06:19 AM, Jeff Burdges wrote:
> Appears someone just improved Rowhammer : 
> http://arstechnica.com/security/2016/08/new-attack-steals-private-crypto-keys-by-corrupting-data-in-computer-memory/

This is a bit different.  The attack doesn't get the RSA private
key.  The attack changes a bit of the RSA public key and cheats the
verification process.  Newer gpgv of GnuPG has a tweak, and the
particular attack scenario is not valid now.

But in a hardware condition where we can flip a bit (rather
arbitrarily), it would be possible to achieve some privilege
escalation to get more control of a system.

So, I think that the idea of this attack itself is valid, and we have
no way to solve it by software in general (while we could find a way
to mitigate it somehow for a given scenario).

For the original discussion:

> "Making RSA-PSS Provably Secure Against Non-Random Faults" by Gilles
> Barthe, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire,
> Mehdi Tibouchi and Jean-Christophe Zapalowicz.
>  https://eprint.iacr.org/2014/252

I read it briefly.  IIUC, this is more related to smartcards and
"secure chips".

For a general purpose computer, if such multi-factor fault attacks can
be applied (by rowhammer, or by laser, or electric power), it would be
easier for an attacker to achieve another privilege escalation to
get more control of a system (to get the private key easily).

That's my current opinion.
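The failure mode described above is that the verifier trusts whatever public-key material happens to be in memory, so a flipped bit in the modulus changes which signatures it accepts.  A common software-side mitigation for this class of fault is to check the integrity of the key material immediately before and again after the verification arithmetic, so a key that no longer matches its known fingerprint is rejected rather than used.  The following is an added illustration of that pattern, written for this post; it is not GnuPG or libgcrypt code and does not reproduce the gpgv tweak mentioned above.  It uses a tiny constructed textbook RSA keypair (n = 3233, e = 17, d = 2753) purely so that the check runs offline; the fingerprint encoding and the function names are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class RsaPublicKey:
    """Minimal RSA public key: modulus n and public exponent e."""
    n: int
    e: int


def _encode_int(x: int) -> bytes:
    """Length-prefixed big-endian encoding so (n, e) pairs hash unambiguously."""
    body = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    return len(body).to_bytes(4, "big") + body


def key_fingerprint(key: RsaPublicKey) -> bytes:
    """SHA-256 over the encoded (n, e); a one-bit change in n changes this digest."""
    return hashlib.sha256(_encode_int(key.n) + _encode_int(key.e)).digest()


def _message_representative(key: RsaPublicKey, msg: bytes) -> int:
    """Textbook RSA: hash the message and reduce modulo n (toy key, no real padding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % key.n


def textbook_rsa_sign(d: int, key: RsaPublicKey, msg: bytes) -> int:
    """Sign with the private exponent d; only here to produce test inputs."""
    return pow(_message_representative(key, msg), d, key.n)


def textbook_rsa_verify(key: RsaPublicKey, msg: bytes, sig: int) -> bool:
    """Raw verification: sig^e mod n must equal the message representative."""
    return pow(sig, key.e, key.n) == _message_representative(key, msg)


def verify_with_integrity_check(key: RsaPublicKey, expected_fp: bytes,
                                msg: bytes, sig: int) -> bool:
    """Verify only if the in-memory key matches its trusted fingerprint.

    The fingerprint is checked before the modular exponentiation (a key that
    was corrupted at rest is never used) and again afterwards (a key that was
    corrupted while the verification ran does not produce an accepted result).
    Any mismatch is treated as a verification failure.
    """
    if key_fingerprint(key) != expected_fp:
        return False
    ok = textbook_rsa_verify(key, msg, sig)
    if key_fingerprint(key) != expected_fp:
        return False
    return ok


def flip_bit(key: RsaPublicKey, bit: int) -> RsaPublicKey:
    """Simulate a single-bit memory fault in the modulus (constructed, for the demo)."""
    return RsaPublicKey(n=key.n ^ (1 << bit), e=key.e)


# Constructed toy keypair: p = 61, q = 53, n = 3233, e = 17, d = 2753.
TOY_PUBLIC = RsaPublicKey(n=3233, e=17)
TOY_PRIVATE_EXPONENT = 2753
TOY_FINGERPRINT = key_fingerprint(TOY_PUBLIC)  # would be pinned at install time


def demo() -> dict:
    """Show the check accepting a genuine signature and rejecting a faulted key."""
    msg = b"release-tarball.tar.gz"  # constructed sample input
    sig = textbook_rsa_sign(TOY_PRIVATE_EXPONENT, TOY_PUBLIC, msg)
    faulted = flip_bit(TOY_PUBLIC, 5)
    return {
        "genuine_accepted": verify_with_integrity_check(TOY_PUBLIC, TOY_FINGERPRINT, msg, sig),
        "faulted_key_rejected": not verify_with_integrity_check(faulted, TOY_FINGERPRINT, msg, sig),
    }


if __name__ == "__main__":
    print(demo())
```

The pinned fingerprint must itself live somewhere the fault cannot reach as easily as the key (for example, compiled into the binary or checked against a value held in a hardware-backed store); if both the key and its digest sit in the same attacker-influenced memory, the check adds little, which is in line with the observation above that this cannot be fully solved in software.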
