Side-channel vulnerability in libgcrypt - the Marvin Attack

[Clemens Lang]

Hi,

> On 15. Mar 2024, at 07:42, NIIBE Yutaka <gniibe at fsij.org> wrote:
> 
> My original question was... about quantitative evaluation and
> possibility in real cases.  In other words, my interest is: if there are
> any existing applications/services/products/etc., and the degree of how
> likely are these problems and how much effort/time is needed to recover
> RSA private key, in such a possible scenario.

Just to give you a rough ball park of some numbers:

I looked at the same vulnerability in Apple’s CoreCrypto library. CVE-2024-23218 was assigned for that.

When directly measuring the affected decrypt operation, decryption of a cipher text without using the private key just by making calls to the timing oracle needed about 24 hours. I didn’t bother attempting to optimize this, and didn’t parallelize it.

Now, over the network, you’ll need more samples due to the noise. Hubert can probably guesstimate how many more samples, but let’s say you’d need 100 times of what you’d need locally. You can assume the attacker isn’t halfway around the world, but a few hops next to you in some Amazon or Google cloud datacenter.

That would still mean the attacker would need 100 days to decrypt a single cipher text. However, this entire attack can be run in parallel. You don’t need to always talk to the same server. If somebody were running a distributed service that does RSA decryption with an observable timing channel across 100 nodes, we’re back at 24 hours.

Sending this many requests might be detected as abuse, so an attacker would likely have to adequately reduce the number of queries to hide them in the noise.

Overall, definitely not something somebody would do for all captured cipher texts, but for a high-value target in some bigger cloud deployment, it certainly sounds a lot more doable.


-- 
Clemens Lang
RHEL Crypto Team
Red Hat