Side-channel vulnerability in libgcrypt - the Marvin Attack
Hubert Kario
hkario at redhat.com
Tue Mar 19 14:22:44 CET 2024
On Monday, 18 March 2024 13:41:42 CET, Clemens Lang wrote:
> Hi,
>
>> On 15. Mar 2024, at 07:42, NIIBE Yutaka <gniibe at fsij.org> wrote:
>>
>> My original question was... about quantitative evaluation and
>> possibility in real cases. In other words, my interest is: if there are
>> any existing applications/services/products/etc., and the degree of how
>> likely are these problems and how much effort/time is needed to recover
>> RSA private key, in such a possible scenario.
>
> Just to give you a rough ball park of some numbers:
>
> I looked at the same vulnerability in Apple’s CoreCrypto
> library. CVE-2024-23218 was assigned for that.
>
> When directly measuring the affected decrypt operation,
> decryption of a cipher text without using the private key just
> by making calls to the timing oracle needed about 24 hours. I
> didn’t bother attempting to optimize this, and didn’t
> parallelize it.
>
> Now, over the network, you’ll need more samples due to the
> noise. Hubert can probably guesstimate how many more samples,
> but let’s say you’d need 100 times of what you’d need locally.
> You can assume the attacker isn’t halfway around the world, but
> a few hops next to you in some Amazon or Google cloud
> datacenter.
For same-switch attack vs loopback attack it's a factor of 4.
For more remote connections there's too much variables to provide
a good estimate.
--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic
More information about the Gcrypt-devel
mailing list