[Cryptography] Vulnerability of RSA vs. DLP to single-bit faults
Florian Weimer
fw at deneb.enyo.de
Wed Sep 2 16:25:26 EDT 2015
* Peter Gutmann:
> Florian Weimer <fw at deneb.enyo.de> writes:
>
>>What about Dan Boneh, Richard A. DeMillo, Richard J. Lipton, “On the
>>Importance of Checking Cryptographic Protocols for Faults” (1997)?
>>It shows how to break RSA implementations common at that time with a random
>>fault occurring during signature computation.
>
> It's... not entirely useful, it uses a rather abstract model of
> faults that include things like register faults in which a value in
> a CPU register is corrupted, but many modern CPUs (Intel, ARM, etc)
> have ECC on internal storage and memory buses, and have had them for
> years, so that type of fault seems unlikely. That means that you're
> left with faults on external memory; from an off-list discussion
> with someone who's experimented with this, it's a fairly remote
> possibility for affecting the crypto (alpha particles aren't
> predictable and guidable, and even if they were you'd have to hit
> exactly the right memory location at the right time to have an
> effect).
A while back, it occurred to me that deployment of forward secrecy in
TLS gives us a wide range of test cases, and I implemented a crawler.
Today, we finally published the results:
<https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/>
<https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf>
The number of leaked private keys may seem fairly low (272), but so
was the crawler bandwidth. I'm sure you'd find additional affected
vendors if you conducted a lot more TLS handshakes. (Two of the
affected devices had really low leak rates.)
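As an added illustration (not code from this thread, from either poster, or from the Red Hat crawler), here is a toy RSA-CRT signer in Python with the verify-before-release check that turns a Boneh-DeMillo-Lipton style fault into a refused signature instead of a leaked key; the primes, the message and the injected bit flip are all constructed here, and the key is far too small for real use.

```python
from math import gcd

# Constructed toy key: two small primes so the arithmetic stays readable.
P, Q = 999983, 1000003
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)   # CRT exponents
QINV = pow(Q, -1, P)                # q^-1 mod p for Garner recombination

def crt_sign(m, fault_in_p=False):
    """Unchecked RSA-CRT signature of an already-padded message integer m.
    fault_in_p simulates one corrupted bit in the mod-p half, the kind of
    transient fault the 1997 paper assumes (a constructed fault, not a
    real hardware event)."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp ^= 1                     # single-bit fault in one CRT half
    h = (QINV * (sp - sq)) % P
    return sq + Q * h

def crt_sign_checked(m, fault_in_p=False):
    """Hardened signer: redo the cheap public operation and withhold any
    signature that does not verify. This is the mitigation; a faulty
    half becomes a detectable failure rather than a key leak."""
    s = crt_sign(m, fault_in_p)
    if pow(s, E, N) != m:
        raise ValueError("RSA-CRT fault detected; signature withheld")
    return s

def factor_from_faulty_signature(m, s_bad):
    """Why the check matters: a faulty signature that escapes is correct
    mod q but wrong mod p, so gcd(s^e - m, N) is q (Lenstra's observation).
    Returns the recovered factor, or 1 / N if the signature was not faulty."""
    return gcd(pow(s_bad, E, N) - m, N)
```

With the checked signer the faulty path raises and nothing leaves the host; the gcd line shows what an unchecked server, like the ones the crawler found, would have handed over in a single handshake.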