
Researchers Find Way To Zap RSA Algorithm

timothy posted more than 4 years ago | from the vhat-here-in-ze-laboratory dept.


alphadogg writes "Three University of Michigan computer scientists say they have found a way to exploit a weakness in RSA security technology used to protect everything from media players to smartphones and e-commerce servers. RSA authentication is susceptible, they say, to changes in the voltage supply to a private key holder. While guessing the 1,000-plus digits of binary code in a private key would take unfathomable hours, the researchers say that by varying electric current to a secured computer using an inexpensive purpose-built device they were able to stress out the computer and figure out the 1,024-bit private key in about 100 hours – all without leaving a trace. The researchers in their paper outline how they made the attack (PDF) on a SPARC system running Linux."


Good. (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31361856)

n/t

Like lead pipe cryptanalysis... (5, Funny)

Anonymous Coward | more than 4 years ago | (#31361876)

...whether interrogating a human or a computer, apparently it is a simple matter of voltage.

Faster, Better, Cheaper way (0)

Anonymous Coward | more than 4 years ago | (#31362124)

Rubber hose.

To the back of the thigh.

10 seconds.

100 pesos.

Re:Faster, Better, Cheaper way (2, Insightful)

OzPeter (195038) | more than 4 years ago | (#31362522)

Rubber hose.

To the back of the thigh.

10 seconds.

100 pesos.

Since when did slashvertisments start to include BDSM offers?

Re:Like lead pipe cryptanalysis... (1)

Jurily (900488) | more than 4 years ago | (#31362526)

You, sir, win this thread. Congratulations.

Obligatory XKCD. (2, Funny)

toastar (573882) | more than 4 years ago | (#31363230)

Just use Social Engineering [xkcd.com]

Re:Like lead pipe cryptanalysis... (0)

Anonymous Coward | more than 4 years ago | (#31364246)

liquid cooling used to waterboard your cpu

Article == Summary (4, Informative)

fishwallop (792972) | more than 4 years ago | (#31361882)

The only thing the article "adds" to the summary posted here is a pretty splash screen, which in my case tried to sell me SQL Server.

Re:Article == Summary (3, Informative)

Sir_Lewk (967686) | more than 4 years ago | (#31361940)

A first poster that actually RTFA? What the hell is slashdot coming to?!?

He's right though, skip TFA and just read the linked PDF if you want more details.

Re:Article == Summary (1, Funny)

Anonymous Coward | more than 4 years ago | (#31362146)

Nah, he was actually the second poster. I was going to be the first poster, but my computer's voltage supply started to fluctuate as I was trying to post, causing me problems. Have no fear, as this would-be-first-poster indeed did not RTFA.

Re:Article == Summary (2, Informative)

wizardforce (1005805) | more than 4 years ago | (#31362248)

There are two articles, one is mostly worthless. The other is a PDF which is actually much more informative. The attack focuses on the implementation of RSA in OpenSSL and uses a cluster of processors to carry out the attack. All in all TFA notes that about a year of computing time is actually required to extract the key. The voltage manipulation causes faults which are used to extract the key after quite some time.

Re:Article == Summary (1)

poetmatt (793785) | more than 4 years ago | (#31362336)

and the only thing it lacks is that all of this is basically impossible under FIPS 140-2 on level 4 products. [wikipedia.org] Notice how it talks about voltage sensitivity. Meanwhile FIPS 140-3 is on its way, and from level 4 on involves this.

I myself don't know how widespread using level 1-3 devices is, however.

Re:Article == Summary (0)

Anonymous Coward | more than 4 years ago | (#31362994)

which in my case tried to sell me SQL Server.

That's funny. Mine tried to sell me male enhancement products.

Re:Article == Summary (1)

Brian Gordon (987471) | more than 4 years ago | (#31364512)

When the summary is taken straight from the article, it's a good idea to at least link to them..

Oh well... (1)

judolphin (1158895) | more than 4 years ago | (#31361894)

Just means it's time to break out the megabit keys!

"overclocking" machines vulnerable (4, Informative)

Animats (122034) | more than 4 years ago | (#31361898)

Machines where software can alter the CPU voltages and clock speeds for "overclocking" purposes may be especially vulnerable to this attack. "Advanced power management" may also offer an attack vector.

Also worry about Intel's Nehalem architecture, where there's a small CPU dedicated to power, clock, and thermal management. Access to that allows detailed control over power.

Re:"overclocking" machines vulnerable (3, Insightful)

pegr (46683) | more than 4 years ago | (#31362608)

"the researchers say that by varying electric current to a secured computer"...

Um, if they have physical access to the computer (in order to monkey with the power), why would it be considered secure?

Re:"overclocking" machines vulnerable (4, Insightful)

Ignorant Aardvark (632408) | more than 4 years ago | (#31362730)

Um, if they have physical access to the computer (in order to monkey with the power), why would it be considered secure?

This vulnerability is dangerous in the case when the same key is being used in many devices. Cracking one means you've cracked them all. This is a fairly common situation in consumer devices. See the HD-DVD player keys, or the TI graphing calculator signing keys.

Re:"overclocking" machines vulnerable (1)

ImprovOmega (744717) | more than 4 years ago | (#31363284)

If your signing key is on the same device that you're signing stuff for then you're doing it wrong.

Re:"overclocking" machines vulnerable (1)

khellendros1984 (792761) | more than 4 years ago | (#31364296)

RSA is an asymmetric encryption algorithm. If you have access to the public key, you can factor it (the hard part), and calculate the signing key based on that.

In these schemes, encryption and signing use the same mathematical operation. For signing, the signer encrypts the message with their own private key, so only their public key can decrypt the message. For encryption, the message is encrypted with the public key of the intended recipient, so that only the recipient's private key can be used to retrieve the message. There is sufficient information in the public key to generate the private key (and it relies on multiplying together two large prime numbers). If the public key can be factored, then you have the two primes from the private key, and you can derive the private key. This is inherent to this encryption system, and it's why it's so important that you use large keys.

Re:"overclocking" machines vulnerable (1)

gringer (252588) | more than 4 years ago | (#31362948)

if they have physical access to the computer (in order to monkey with the power), why would it be considered secure?

You've got me stumped. Perhaps you should ask the companies who make these media players, smartphones, and other devices that use RSA. While you're at it, could you please also ask the same question to the companies who distribute digital files for use on these devices?

Re:"overclocking" machines vulnerable (5, Informative)

pz (113803) | more than 4 years ago | (#31363124)

"the researchers say that by varying electric current to a secured computer"...

Um, if they have physical access to the computer (in order to monkey with the power), why would it be considered secure?

The faults described by the paper are so ... what's the word ... specialized that it challenges believability. Not only does the attacker have to have physical access -- and likely pretty good physical access -- they have to know precisely when the encryption algorithms are being performed so that the faults can be induced then and only then otherwise the operation of the computer will be compromised. Furthermore, the faults must be induced at a reasonable, but not too great, rate, and at randomly varying times in the computation, so as to explore the full error space and have insight into the keys. And the computations have to be repeated MANY times over in order to extract enough information. So, not only do attackers have to know exactly, to the microsecond, when the system under attack is computing the RSA algorithm, they also have to be able to vary the voltage to the CPU. Their physical proof of concept, as much as it is described in the paper, is contrived. Their assertion that the technique does not require physical access is wholly unsupported. Color me skeptical. Anyone with this level of access is going to be able to do more than trigger faults.

The paper asserts that the probes can be done without leaving any trace. I don't know about the authors, but the voltages on my computers are monitored by software and excursions logged so that I can know if/when there are problems. Since the RSA-breaking technique requires substantial exploration of the response to voltage tweaks, it is likely to be detected by a decent monitoring program.

Finally, the PDF does not carry any publication information suggesting strongly that it describes work that is not peer-reviewed. It is shoddy science to bypass peer review and release to the general public.

No they are not (1)

Chemisor (97276) | more than 4 years ago | (#31364008)

When you overclock, you always have to check system stability at each level you try. Most people run some CPU stress program and see if it crashes or gives the wrong results. If you get any faults, your CPU can't handle the overclock and you have to try a lower frequency. As long as you apply this procedure properly, you won't have any faults. You most certainly won't get any predictable amount of faults. Now, the researchers could do it because they only ran OpenSSL on their hardware. If you tried that on a normal machine, you'd just get a kernel panic (the kernel needs the CPU to work correctly too, you know). Any other software will also have trouble and cause data corruption. Considering that the attack requires you to repeatedly encrypt/sign/verify stuff with your private key during it, the attackers don't have a chance to not get noticed.

Next, the researchers did not actually run it on a real computer. If you RTFA, you'll find out that they implemented a copy of a Sparc processor on an FPGA and ran OpenSSL on that. You can't just vary the input voltage at the PSU, since the PSU will regulate it to the correct output for the CPU. If you drop the voltage below what the PSU can handle (~85V), it will shut down. You might succeed if you changed the voltage at the motherboard, but the board really ought to detect that. Also, Intel chips, like Nehalem, actually have voltage converters on the chip which change 12V and 5V inputs to the 1.5V or so that the CPU needs. So your Core i7 system is quite safe against this attack. (Yes, it overclocks. See above)

Finally, there's the obvious problem of physically attacking the computer while you're using it. The attackers would need to constantly control and monitor whatever hardware doohickey they installed on your motherboard, as well as needing a working login to be able to time how long it takes you to run the algorithm each time. It is much easier to just install a hardware keylogger and get the passphrase.

Could this be considered... (4, Funny)

ravenspear (756059) | more than 4 years ago | (#31361908)

...electronic torture?

We can just declare this method in violation of the computer's rights and solve the problem easily!

Re:Could this be considered... (0)

Anonymous Coward | more than 4 years ago | (#31361946)

LAME

Re:Could this be considered... (2, Funny)

bluesatin (1350681) | more than 4 years ago | (#31363168)

This isn't much use for LAME as it's open source, you can just grab any information you want off SourceForge.

Re:Could this be considered... (0)

Anonymous Coward | more than 4 years ago | (#31363178)

oggenc forever!

Re:Could this be considered... (5, Funny)

Bakkster (1529253) | more than 4 years ago | (#31362480)

...electronic torture?

Wattage-boarding

Changing the voltage supply req. HW access, right? (4, Insightful)

anss123 (985305) | more than 4 years ago | (#31361910)

In what kind of scenario would you have access to the PSU of the server you attacked? Private key servers should not be directly accessible after all.

Re:Changing the voltage supply req. HW access, rig (2, Insightful)

Anonymous Coward | more than 4 years ago | (#31362008)

In what kind of scenario would you have access to the PSU of the server you attacked?

E.g. Hosted data center

Re:Changing the voltage supply req. HW access, rig (2, Insightful)

interval1066 (668936) | more than 4 years ago | (#31362440)

Kinda reminds me of the TrueCrypt attack that made a splash a couple of years ago in which the attacker can compromise an encrypted partition by obtaining possession of the host hardware right after a power-down, getting inside the chassis and spraying down the RAM DIMMs with an inverted can of air so as to cool them down to slow the entropy of the down-powered chips; the attacker then has to create and analyze the leftover RAM images with his own hardware and pull the encryption key out of that mess. As the Mythbusters would say: plausible? Yes. Practical? Not really. I guess if you think you're in possession of some pretty valuable data you'll go to lengths.

Re:Changing the voltage supply req. HW access, rig (1)

ircmaxell (1117387) | more than 4 years ago | (#31362478)

Not quite. The voltage that was varied was the 1.5v CPU voltage. This is regulated on the motherboard (The PSU on the computer supplies +3.3v, +5v, -12v and +12v). So to execute this attack, you'd either need access through the BIOS to the CPU voltage control, or to physically tamper with the voltage regulator module present on server motherboards (Desktop motherboards typically have this integrated instead of socket fit, making it a lot harder to tamper with). Since both contain voltage regulators, simply under-voltaging the PSU likely won't work (since reducing the voltage is likely to make the whole system less stable, not just the CPU). Either way, not something that's trivial to do without physical access to the machine while it's off or a root level exploit to the machine, which would make this attack pointless... Sure, they COULD tamper with the voltage regulator, but you DO have alarms on your cases, right (ESP in situations where the box is held off site)?

Re:Changing the voltage supply req. HW access, rig (1)

Andy Dodd (701) | more than 4 years ago | (#31362548)

Also, this is an attack against software running on the host CPU (OpenSSL in the paper) - most likely, 95%+ of OpenSSL implementations on datacenter servers are storing the key on the hard drive, not in a TPM.

Re:Changing the voltage supply req. HW access, rig (1)

ircmaxell (1117387) | more than 4 years ago | (#31362622)

Well, it doesn't matter where the key is stored. The key must be read in order to be processed. So at some point in time the appropriate parts of the key must be in the CPU (since it needs to do math against the bits of the key to produce the signature), hence why the attack vector exists...

Re:Changing the voltage supply req. HW access, rig (5, Insightful)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#31362020)

Probably much more threatening (though, frankly, that pleases me) to DRMed embedded systems and similar gear that is supposed to be "secure" vs. its immediate environment; but is also in the hands of the public in huge quantities.

Yeah, if I can break into your datacenter and clamp some crazy widget onto the (presumably multiple) lines supplying your server's PSUs, a clever voltage attack is not the biggest of your problems.

If, on the other hand, you can guess the private crypto keys out of a DRMed PMP just by clipping a 15 dollar device from some shady mod-chip vendor to the recharging port and waiting a few days, heads will roll. There are a lot of devices these days that are designed to keep keys secret from the owners of the hardware. Particularly for common ones, voltage attack devices might well become fairly common advanced hobbyist and/or grey market items...

Re:Changing the voltage supply req. HW access, rig (1)

afidel (530433) | more than 4 years ago | (#31362118)

Yeah my first thought was ATM's =)

Re:Changing the voltage supply req. HW access, rig (3, Interesting)

metamatic (202216) | more than 4 years ago | (#31362188)

Sadly, most DRM-crippled hardware isn't going to have the private keys inside. For example, the PS3 and Wii will only have the public keys in the hardware so that they can check signatures on code. The private keys will be on hardware somewhere inside Sony and Nintendo, and presumably carefully guarded from unauthorized access.

Re:Changing the voltage supply req. HW access, rig (2, Interesting)

Andy Dodd (701) | more than 4 years ago | (#31362258)

A similar sidechannel attack might be usable to extract such information though.

Re:Changing the voltage supply req. HW access, rig (5, Insightful)

daniel de graaf (771021) | more than 4 years ago | (#31362304)

Depends on what the DRM is trying to protect. Music players, video players for downloadable content, and basically anything where the content isn't tied to a physical object like a game disc will need a private key of some kind to encrypt the data on their volatile storage. While most of this will probably be done using symmetric encryption, you still need some way for the server that hands out the content to prove that it is a real device and not an emulated device, and that's normally done with a locally stored private key.

Re:Changing the voltage supply req. HW access, rig (3, Interesting)

daniel de graaf (771021) | more than 4 years ago | (#31362024)

This attack is relevant when you are trying to extract the private key of something like a TPM, in order to defeat the DRM protections it is trying to provide, or decrypt the drive whose key it is holding.

Re:Changing the voltage supply req. HW access, rig (2, Interesting)

owlstead (636356) | more than 4 years ago | (#31364116)

TPM chips and certainly high end smart card chips are protected against these kinds of attacks using the power source. You certainly cannot get a Common Criteria certification if you don't protect against these kinds of side channel attacks. Of course, for consumer CPUs there's no CC certification or protection measures like these.

Re:Changing the voltage supply req. HW access, rig (3, Insightful)

benjamindees (441808) | more than 4 years ago | (#31362030)

DRM, smart-cards, cable/tv access boxes, media players, stolen laptops, etc

Probably not e-commerce servers exactly, but you never know depending on the physical security of your datacenter. And with DRM, of course, the purpose is to lock you out of equipment to which you have physical access.

Re:Changing the voltage supply req. HW access, rig (2, Insightful)

sjames (1099) | more than 4 years ago | (#31362256)

When the 'server' is a chip on a smart card and the 'PSU' is your POS terminal.

Re:Changing the voltage supply req. HW access, rig (1)

Hatta (162192) | more than 4 years ago | (#31362492)

When you're the government.

Re:Changing the voltage supply req. HW access, rig (2, Informative)

pclminion (145572) | more than 4 years ago | (#31362516)

In what kind of scenario would you have access to the PSU of the server you attacked?

I don't know, how about a world where you've arrested a political dissident and you want to obtain his/her private key, and he/she refuses to hand it over?

Linux on Sparc? (0, Offtopic)

newdsfornerds (899401) | more than 4 years ago | (#31361942)

Gee, does anyone run Linux on Sparc in production, or know anyone who knows anyone who does or did? Heh.
Yeah I know these distros exist and work well. It's just an odd choice of platform, IMHO.

Has been done before (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31361948)

I am with Linus on this one
Linus is right
The man makes sense
He is absolutely correct on this one

xkcd already did it cheaper (3, Funny)

snarfies (115214) | more than 4 years ago | (#31361952)

Rather than apply electrical current to a key holder, wouldn't it be easier and cheaper to apply a $5 wrench? [xkcd.com]

Re:xkcd already did it cheaper (1)

wall0159 (881759) | more than 4 years ago | (#31362194)

If I only ever saw XKCD via /. I'd swear there were only about 10 cartoons!

Re:xkcd already did it cheaper (1)

andi75 (84413) | more than 4 years ago | (#31362330)

Maybe there's only about 10 *good* cartoons...

Re:xkcd already did it cheaper (1)

c++0xFF (1758032) | more than 4 years ago | (#31362538)

There's a relationship between slashdot and xkcd: there is a subset of his comics that touch heavily on what slashdot readers love and care about.

I wouldn't even necessarily say that those comics are very good (I'm not impressed with the posted comic #538, for example) -- but there's just enough humor and overlap that the same ones get posted repeatedly.

Re:xkcd already did it cheaper (0)

Anonymous Coward | more than 4 years ago | (#31362560)

If I only ever saw XKCD via /. I'd swear there were only about 10 cartoons!

Well, there were more, but someone *had* to create a Slashdot username "Robert'); DROP TABLE xkcd;--" [xkcd.com] .

That, and the red spiders [xkcd.com] keep getting in the way.

Re:xkcd already did it cheaper (1)

BitZtream (692029) | more than 4 years ago | (#31362624)

Naw, as the alt text says, you won't find a $5 wrench anymore :/

Re:xkcd already did it cheaper (1)

Old Man Kensey (5209) | more than 4 years ago | (#31363226)

A free hunk of wood or metal found lying around outside is just as good for these purposes as a wrench of any type. Plus most people have a tire iron in their trunk; that's basically "free" since it costs you nothing to dig out and apply vigorously.

Re:xkcd already did it cheaper (1)

SQLGuru (980662) | more than 4 years ago | (#31363362)

It's all in where you look: http://www.harborfreight.com/cpi/ctaf/displayitem.taf?Itemnumber=39642 [harborfreight.com]

For the purposes expressed in the comic, the above wrench should be more than adequate. Granted it might not hold up long, but it'll get the job done. YMMV

wrong headline (4, Informative)

Lord Ender (156273) | more than 4 years ago | (#31361964)

Researchers Find Way To Zap RSA Algorithm

No, researchers find side-channel attack on SPARC CPU (which requires elevated access, anyway).

Re:wrong headline (4, Informative)

Andy Dodd (701) | more than 4 years ago | (#31362190)

To be more specific:

No one attacked the algorithm itself here. They attacked one specific implementation of the RSA algorithm.

Side channel attacks are nothing new. There are plenty of cryptographic algorithms that have no known flaws which have had implementations broken via side channel attacks, due to flaws in the implementation, not the algorithm.

Re:wrong headline (4, Insightful)

osu-neko (2604) | more than 4 years ago | (#31362298)

...due to flaws in the implementation, not the algorithm.

The "flaw in implementation" in most cases being the relatively common "flaw" of being implemented in real-world hardware, where it has to consume power, utilize moving electrical current, obey the laws of physics, etc, rather than existing only on paper where such "flaws" can be avoided.

Re:wrong headline (2, Interesting)

c++0xFF (1758032) | more than 4 years ago | (#31362568)

"In theory there is no difference between theory and practice. But, in practice, there is."

(p.s. Who originally said this, anyway?)

Re:wrong headline (1)

OzPeter (195038) | more than 4 years ago | (#31362484)

There are plenty of cryptographic algorithms that have no known flaws which have had implementations broken via side channel attacks, due to flaws in the implementation, not the algorithm.

While I agree with you, I just want to go a bit philosophical and suggest that the robustness of the physical system is just as important as the algorithm when determining how flawed or not something like a security system is. Which is basically a "weakest link" consideration.

Re:wrong headline (1)

Andy Dodd (701) | more than 4 years ago | (#31362584)

Right. Which is why there are guidelines for implementing crypto algorithms so as to avoid sidechannel attacks.

Occasionally someone finds a new sidechannel attack (such as one that relied on the Pentium 4's hyperthreading implementation), but most of the "basic" ones are well known and can be designed against. (See, for example, FIPS 140-2 level 4, which requires protection against glitching attacks such as this.)
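One of the implementation guidelines this post refers to, as an added example that is not code from the thread, the paper or OpenSSL: a textbook RSA signer with a simulated glitch in one multiplier step, and the verify-before-release check that keeps a faulty signature from ever leaving the device. The key (p = 257, q = 65537, e = 17) and the message are constructed toy values.

```python
"""Added example, not code from the thread, the paper or OpenSSL: textbook RSA
signing with a simulated voltage glitch in one multiplier step, plus the
standard software countermeasure of verifying a signature with the public
exponent before it is released. Key values are constructed toy numbers
(p = 257, q = 65537, e = 17); real keys are far larger."""

from dataclasses import dataclass


@dataclass(frozen=True)
class RSAKey:
    n: int  # modulus p*q
    e: int  # public exponent
    d: int  # private exponent


def make_toy_key() -> RSAKey:
    p, q, e = 257, 65537, 17          # constructed demo primes and exponent
    phi = (p - 1) * (q - 1)           # 2**24, coprime with e = 17
    d = pow(e, -1, phi)               # Python 3.8+ modular inverse
    return RSAKey(n=p * q, e=e, d=d)


def op_count(exp: int) -> int:
    """Number of modular operations left-to-right square-and-multiply performs
    for this exponent: one squaring per bit plus one multiply per set bit."""
    bits = bin(exp)[2:]
    return len(bits) + bits.count("1")


def square_and_multiply(base, exp, n, glitch_step=None, glitch_bit=3):
    """Left-to-right square-and-multiply. If glitch_step is set, the output of
    that operation (1-based) has one bit flipped, modelling a single erroneous
    multiplier result on an undervolted CPU."""
    result = 1
    step = 0
    for bit in bin(exp)[2:]:
        result = (result * result) % n
        step += 1
        if step == glitch_step:
            result ^= 1 << glitch_bit
        if bit == "1":
            result = (result * base) % n
            step += 1
            if step == glitch_step:
                result ^= 1 << glitch_bit
    return result % n


def sign(m, key, glitch_step=None):
    """Raw RSA signature s = m^d mod n, optionally with an injected fault."""
    return square_and_multiply(m % key.n, key.d, key.n, glitch_step)


def verify(m, s, key):
    """Public-key check: s^e mod n must recover m."""
    return pow(s, key.e, key.n) == m % key.n


class FaultDetected(Exception):
    """Raised when a computed signature fails its own verification."""


def safe_sign(m, key, glitch_step=None):
    """Countermeasure: recompute with the public exponent and refuse to release
    a signature that does not verify, so a glitched value never leaves the
    device and an attacker collects no erroneous signatures to analyse."""
    s = sign(m, key, glitch_step)
    if not verify(m, s, key):
        raise FaultDetected("signature failed self-check; possible fault injection")
    return s


def faulty_signature_positions(m, key):
    """Operation steps that, if glitched, produce a signature which does not
    verify: shows how many glitch timings would leak an erroneous result."""
    total = op_count(key.d)
    return [k for k in range(1, total + 1) if not verify(m, sign(m, key, k), key)]


if __name__ == "__main__":
    key = make_toy_key()
    msg = 0xC0FFEE                    # constructed message representative, < n
    last = op_count(key.d)
    print("correct signature verifies:", verify(msg, sign(msg, key), key))
    print("glitched signature verifies:", verify(msg, sign(msg, key, last), key))
    try:
        safe_sign(msg, key, glitch_step=last)
    except FaultDetected as exc:
        print("safe_sign refused to release:", exc)
    leaky = faulty_signature_positions(msg, key)
    print(f"{len(leaky)} of {last} glitch timings yield a faulty signature")
```

The self-check costs one extra public-exponent exponentiation per signature, which is the usual price of fault resistance in software.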

Re:wrong headline (1)

blair1q (305137) | more than 4 years ago | (#31363684)

And unless I RFA'd wrongly, they had to map the SPARC to an FPGA in VHDL so they could be sure their assumptions about multipliers being the critical path would remain correct.

Because if their glitching of the power supply is inducing bit-flip errors in anything other than the multiplier, they're probably going to crash the core, and they won't get the thousands of samples they need to reach 50% probability of pwning the private key in polynomial time.

I.e., it is vanishingly unlikely that you are going to be able to pull this off by putting a variac on your RSA-chipped Commodore 64.

some ppl are seriously sick (3, Interesting)

Anonymous Coward | more than 4 years ago | (#31361992)

Hackers these days are seriously sick. Not long ago one guy dissolved chips and listened in on instructions right on the die;
now this. Just take a look at that paper.

Sure, the principle is simple: create a condition that causes errors, and incidentally, the more of the bits you have guessed, the fewer errors you have, etc. etc. etc.

But seriously, people who figure these things out and make them work... I question their sanity. Brilliant, but you have to be a mad scientist to achieve these things.

Re:some ppl are seriously sick (4, Insightful)

Just Some Guy (3352) | more than 4 years ago | (#31362062)

But seriously, people who figure these things out and make them work... I question their sanity. Brilliant, but you have to be a mad scientist to achieve these things.

You're in the wrong place, and your attitude sucks. Consider yourself lucky to live in a world with people who are this driven by their curiosity.

Re:some ppl are seriously sick (0, Informative)

Anonymous Coward | more than 4 years ago | (#31364054)

Your sarcasm meter is broken and your sense of humor sucks. The OP is essentially complimenting the dudes.

Re:some ppl are seriously sick (4, Insightful)

clone53421 (1310749) | more than 4 years ago | (#31362318)

This is moderated flamebait... I’m not sure why. I read the entire thing in a congratulatory tone.

I guess some people think being called “sick” is an insult...

Re:some ppl are seriously sick (0)

Anonymous Coward | more than 4 years ago | (#31362686)

And, some people also think "fail" is a verb.

Re:some ppl are seriously sick (0)

Anonymous Coward | more than 4 years ago | (#31362844)

Mod parent: +1 Down with the kids

Re:some ppl are seriously sick (1)

shutdown -p now (807394) | more than 4 years ago | (#31364336)

But seriously, people who figure these things out and make them work... I question their sanity. Brilliant, but you have to be a mad scientist to achieve these things.

I suggest you go look up the etymology of the word "geek".

PS3 (1)

zepo1a (958353) | more than 4 years ago | (#31362006)

Isn't this how the latest guy who claimed to hack the PS3 did it also? Copycats! :)

!news (4, Informative)

betterunixthanunix (980855) | more than 4 years ago | (#31362056)

This is just a fault injection attack. People have been doing similar things to block ciphers for years, it is not a mathematical weakness, just a side channel attack, and an active one at that. Cool that they did it against RSA, but not really headline news...

Re:!news (1)

crunch_ca (972937) | more than 4 years ago | (#31362576)

In fact, even wikipedia [wikipedia.org] references power monitoring attacks. And, yes, that's been sitting in Wikipedia since before March 2008.
I agree, not really headline news.

Re:!news (1)

Ted Stoner (648616) | more than 4 years ago | (#31364396)

They were able to crack a 1024-bit key in 104 hours using 80 slave workers. They also say the cracking app should scale linearly with the number of workers. So 800 slaves would mean on the order of 10 hours. That is pretty scary. Newer commercial apps should be using at least 2048-bit keys. I am not sure how that affects the results.

Physical Access (5, Insightful)

KevMar (471257) | more than 4 years ago | (#31362068)

If someone has physical access to your machine, then you have already lost.

Re:Physical Access (1, Interesting)

IndustrialComplex (975015) | more than 4 years ago | (#31362284)

If someone has physical access to your machine, then you have already lost.

So everyone who ever uses colocation has lost?

Re:Physical Access (3, Informative)

Eric Smith (4379) | more than 4 years ago | (#31362322)

So everyone who ever uses colocation has lost?

Yes. Are you actually surprised?

Re:Physical Access (4, Insightful)

OzPeter (195038) | more than 4 years ago | (#31362362)

So everyone who ever uses colocation has lost?

Given that organized crime seems to be paying off minimum wage clerks to install card skimmers in gas pumps, wouldn't it be logical that minimum wage admins at co-lo facilities would also be vulnerable to the same vector - $$$$

Re:Physical Access (1)

snspdaarf (1314399) | more than 4 years ago | (#31363204)

Hell, even well-paid admins could be vulnerable. All kinds of things can result in a need for money. Insurance problem, spouse gets fired, simple greed....

Re:Physical Access (1)

lgftsa (617184) | more than 4 years ago | (#31362642)

Yep, they've made the decision that there's nothing on the server which they can't afford to lose. Or they're idiots.

They're placing all their trust in the security and vetting standards of their co-lo, from the admins and techs, to clerical staff, plant and maintenance, cleaners, safety inspectors, linoleum layers, electricians, the list goes on. That assumes, of course, that the co-lo has standards and follows them without exception. I don't have the time or resources to audit them.

Our server room is only accessible through the IT office and any non-IT visitor must be accompanied by an IT staff member when inside. All access is by RFID and is logged by the security system. Oh, not all IT staff have access to the server room in the first place. That's just basic security, and quite frankly I'm amazed that anyone would accept anything less.

On the other hand, my personal website, and that of a club that I also maintain, is with a hosting company on a shared server. I look at this as an acceptable risk, since there's no data on the site which is not publicly accessible anyway. Membership details are NOT public information, and so are NOT kept there.

Re:Physical Access (1)

the_fat_kid (1094399) | more than 4 years ago | (#31362698)

in as few words as possible:

Yes.

If you co-anything you are giving up your security.
Now I have not just one, but multiple targets for the tried and true XKCD wrench hack. http://xkcd.com/538/ [xkcd.com]
So, if security is the name of your game, you have already lost.
Please try again...

Re:Physical Access (2, Interesting)

pushing-robot (1037830) | more than 4 years ago | (#31362314)

If someone has physical access to your machine, then you have already lost.

Quoted for truth.

If someone can gain access to your datacenter power systems remotely and change output voltages, your admins are idiots and you've got more problems than just an RSA vulnerability. And if someone already has physical access to your server that's performing the encryption in the first place, is it any surprise that they can bypass said encryption?

It's a nifty attack, but not terribly practical.

Re:Physical Access (0)

Anonymous Coward | more than 4 years ago | (#31362982)

For sure, this is just the mechanism by which the set-top-box suppliers lose (again) to the customer who naturally has the set-top-box in their possession.

"without leaving a trace..." (3, Funny)

starglider29a (719559) | more than 4 years ago | (#31362102)

...except for the empty bags of cheese puffs, Rockstar cans, and several bottles of "lemon gatorade", no one would suspect that they had been there.

Interesting for devices (0)

Anonymous Coward | more than 4 years ago | (#31362132)

While this poses interesting opportunities for handheld and consumer devices, I wouldn't fret over your corporate servers or internal machines, since most of them have restricted access and this requires power manipulation for the power going into the box (after UPS's).

For devices and consumer electronics however, well, that's a different story.

Of course, if a bug in a UPS allows for manipulation of its output power, that wouldn't be good...

Sci-Fi story (1)

OzPeter (195038) | more than 4 years ago | (#31362246)

Back years ago I read a book where the good/bad guys got a suitcase-sized AI to break down and confess by cycling its power to the point where it couldn't take it any more.

Good to see reality starting to mimic fiction.

BTW Can anyone tell me the title? About the only other main thing I remember about it was helicopter pilots being blinded by laser strikes.

Re:Sci-Fi story (0)

Anonymous Coward | more than 4 years ago | (#31362342)

Herp derp, torture brings about accurate information.

Re:Sci-Fi story (1)

Baby Duck (176251) | more than 4 years ago | (#31364134)

Psychic Dictatorship in the U.S.A. talks about pilots being blinded by lasers when spying on Russian vessels. I don't remember anything about an AI in it, though.

Despite its sensational title, the book declares mind control to be bogus. However, that hasn't stopped people from trying -- and committing atrocities in the process.

It also discusses ambassadors and spies contracting rare blood diseases from being exposed to very low frequency radiation emitters in their offices over long periods of time. This is related to another Slashdot article today about the cellphone tower next to a NYC apartment.

Re:Sci-Fi story (1)

OzPeter (195038) | more than 4 years ago | (#31364314)

Unfortunately that's definitely not the book I am thinking about. In the one I read there was a lot of AI stuff.

Implementation, not algorithm! (3, Insightful)

ronys (166557) | more than 4 years ago | (#31362350)

It's an implementation on specific hardware that was broken. Not the first time, nor the last. If the *algorithm* would have been broken, now *that* would have been news!

Damnit, I was hoping for something useful ... (2, Informative)

BitZtream (692029) | more than 4 years ago | (#31362582)

Great, another 'if you have physical access to the key, you can get the key' method.

Look, 'stressing' the computer for a hundred hours while screwing with the voltage is going to get you noticed if it's a key important enough to use this method on. I can go to your PC and steal the contents of the entire drive without leaving a trace, but you're probably going to notice when I move you out of my way so I can put in a boot CD and external drive to copy the data to.

Practical value: 0
Research value: 1
Geek Cred: 11
Priceless, or rather, worthless.

Well, there is one significant use-case (1)

mbessey (304651) | more than 4 years ago | (#31363612)

Extracting private keys from smart cards would be one application. That's a case where you have "physical access" to the key holder, but it's protected by physical security. The card will erase the key if you open the box, but it provides a digital signature service, which you can exploit via this method to extract the key without opening the case.

good news (0, Offtopic)

bugs2squash (1132591) | more than 4 years ago | (#31362588)

that it seems possible to defend against these attacks with a software change, for example validating the result before sending it.

Is it common... (1)

sqrammi (535861) | more than 4 years ago | (#31362680)

...for CPUs to multiply incorrectly when their voltage gets pulsed? It seems like you could solve this problem with a good voltage regulator. Something that resets the CPU if the voltage falls/rises to a point that would cause calculation errors.

100 hours? (0)

Anonymous Coward | more than 4 years ago | (#31363432)

"– all without leaving a trace" ...except for the donut crumbs and empty coffee cups left at the workstation.

Here's a patch for the vulnerability (1)

guruevi (827432) | more than 4 years ago | (#31363554)

http://www.apc.com/

Seriously. If your server is a big enough target that having its keys taken using this technique is beneficial (a key signing server, for example), then you need a bit more protection against somebody hanging outside on a pole playing with your electricity supply.

Nothing new or interesting here.. (1)

xquark (649804) | more than 4 years ago | (#31363596)

The concept is called Differential Power Analysis (DPA), or for people in the industry it's also known as power cryptography, and has been a staple of many attack vectors since the mid-90s (at least in open research). Furthermore, simple techniques such as adding salt, or in other words randomly chosen bogus operations, into the computation flow render such attack vectors useless.

Nothing new here, slow news day, move along peoples.


Re:Nothing new or interesting here.. (1)

owlstead (636356) | more than 4 years ago | (#31364286)

Then they mention Linux, which has little to nothing to do with it. Of course, you can only reach the ad by clicking away a Microsoft ad. It's amazing what kind of articles are displayed on Slashdot now and then. Even the comments are starting to deteriorate (not yours of course).

But you can be sure my home will stay void of Sparc processors after this fiasco :) The Niagara processors all have RSA in hardware, so if the software uses that they are safe anyway. They probably chose a single CPU with easy RISC instructions on purpose anyway.

Not so fast (1)

Ancient_Hacker (751168) | more than 4 years ago | (#31363626)

NO, they did not find a glitch in the algorithm, they happened to find an implementation which was amenable to their attack method.

All the chip makers have to do is take any one of several measures:

(1) Regulate the CPU voltage on-chip.
(2) or just detect that it's below spec and force a reset.
(3) or do the calculation two times, or in two different ways, or both, and reset if the results don't match.
(4) or add a few gates of carry-lookahead to the multiplier so it's not so speed-sensitive.
(5) or detect the tampering and send out the tamperer's IP address encrypted in the message.

Nice but... (1)

GWRedDragon (1340961) | more than 4 years ago | (#31363946)

This attack is pretty neat, but couldn't the vulnerability be closed by just doing FWE multiple times and voting, or otherwise checking the result?

It seems that the real problem here is that the attacker can create corrupt output data even though he does not know the actual workings of the processor in question. This seems easy enough to fix.
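The countermeasure several commenters describe (validate the result before sending it, or compute twice and compare) as an added example; this is not code from the thread or from the paper. It uses a constructed toy RSA key with CRT signing and a simulated single-branch fault so the check has something to catch.

```python
# Added example (not from the thread or the paper): RSA-CRT signing with a
# verify-before-release check. Toy-sized key constructed inline; the fault
# flag simulates one corrupted intermediate value of the kind a glitch causes.

# Constructed toy key: two small primes and a public exponent
P, Q, E = 1009, 1013, 17
N = P * Q
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)            # private exponent (needs Python >= 3.8)


def sign_crt(m, fault_in_p=False):
    """RSA signature via CRT (two half-size exponentiations, then Garner).
    fault_in_p=True flips one bit of the mod-p intermediate, standing in for
    a hardware computation error; the fault is simulated, not induced."""
    dp, dq = D % (P - 1), D % (Q - 1)
    sp = pow(m, dp, P)
    sq = pow(m, dq, Q)
    if fault_in_p:
        sp ^= 1                 # simulated single-bit error in one branch
    qinv = pow(Q, -1, P)
    h = (qinv * (sp - sq)) % P
    return sq + Q * h


def sign_checked(m, fault_in_p=False):
    """Sign, then verify with the public key before releasing the result.
    Returns the signature, or None when the check fails, so a corrupted
    signature (which could leak the key) never leaves the device."""
    s = sign_crt(m, fault_in_p)
    if pow(s, E, N) != m % N:
        return None
    return s


def sign_redundant(m, fault_first=False):
    """Alternative from the thread: compute twice and release only if both
    runs agree. fault_first corrupts only the first run for the demo."""
    a = sign_crt(m, fault_first)
    b = sign_crt(m)
    return a if a == b else None


if __name__ == "__main__":
    msg = 12345                  # constructed sample message, already < N
    print("good run :", sign_checked(msg))
    print("fault run:", sign_checked(msg, fault_in_p=True))     # None
    print("redundant:", sign_redundant(msg, fault_first=True))  # None
```

The public-key verification costs one extra small-exponent exponentiation per signature, which is why it is the usual recommendation for RSA-CRT implementations that may be exposed to faults.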
