[Cryptography] Skylake fails on Mersenne Prime 14942209 exponent

Henry Baker hbaker1 at pipeline.com
Tue Jan 12 12:20:43 EST 2016


At 08:51 AM 1/12/2016, John Levine wrote:
>In article <E1aIo04-0001LU-Pk at elasmtp-mealy.atl.sa.earthlink.net> you write:
>>FYI -- The fishy part of this story is the fact that Intel claims this bug can be fixed with a "BIOS
>>update".  If true, this is proof positive that the arithmetic unit of these Intel processors can be
>>hacked in essentially invisible ways by (van) Nessa.
>
>I wouldn't leap to conclusions.  More likely the BIOS update changes a
>timer or voltage setting to prevent a race condition that's causing
>the hang.  The last time I checked, field programmable microcode
>memory was a lot more expensive than normal microcode ROM and it's a
>stretch to believe that Intel secretly included some, just in case.

*Any* such fault can be used to extract information; the ability to
adjust timing delays can allow the leaking of the key bits.  See
"Torturing OpenSSL".  While this particular side-channel has since
been closed, other similar side-channels likely still remain.

https://www.youtube.com/watch?v=LIIEBiWMJpg

Black Hat USA 2012 - Torturing OpenSSL

Published on Oct 15, 2013

By: Valeria Bertacco

For any computing system to be secure, both hardware and software have to be trusted.

If the hardware layer in a secure system is compromised, not only is it possible to extract secret information about the software, but it is also extremely difficult for the software to detect that an attack is underway.

This talk will detail a complete end-to-end security attack on a microprocessor system and will demonstrate how hardware vulnerabilities can be exploited to target systems that are software-secure.

Specifically, we present a side-channel attack on the RSA signature algorithm by *leveraging transient hardware faults* at the server.

Faults may be induced via voltage-supply variation, temperature variation, injection of single-event faults, etc.

When affected by faults, the server produces erroneous RSA signatures, which it returns to the client.

Once a sufficient number of erroneously signed messages is collected at the client end, we filter those that can leak private key information and we use them to extract the private key.

We developed an algorithm to extract the private RSA key from messages affected by single-bit faults in the multiplication during Fixed Window Exponentiation (FWE), that is, the standard exponentiation algorithm used in OpenSSL during RSA signing.

Our algorithm was inspired by a solution developed by Boneh, et al. for the Chinese Remainder Theorem (CRT) [D. Boneh, R. DeMillo, and R. Lipton.

On the importance of eliminating errors in cryptographic computations. Journal of Cryptology, Dec 2001], an algorithm particularly prone to attacks.

Depending on the window size used in the encryption algorithm, it is possible to extract 4-6 bits of the private key from an erroneously signed message.

Our attack is perpetrated using an FPGA platform implementing a SPARC-based microprocessor running unmodified Linux and the OpenSSL authentication library.

The server provides 1024-bit RSA authentication to a client we control via Ethernet connection.

Faults are injected by inducing variations in the supply voltage on the FPGA platform or by subjecting the server to high temperatures.

Our client collects a few thousand signed messages, which we transfer to an 80-machine computing pool to compute the private RSA key in less than 100 hours.

Note that our attack does not require access to the victim system's internal components, but simply proximity to it.

Moreover, it is conceivable that an attack leveraging solely high temperatures can be carried out on machines in a remote poorly-conditioned server room.

Finally, the attack does not leave any trail of the attack in the victim machine, and thus it cannot be detected.

The presentation includes a live demo of the attack on an FPGA platform implementing a SPARC system.

The system is powered via a voltage controller, used to induce variations in the supply voltage.

The server is simplified to use a 128-bit private key so that the attack can be perpetrated during the briefing.
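The standard defence against the fault attack the abstract describes is the Boneh-DeMillo-Lipton countermeasure: the server verifies each signature with its own public key before releasing it, so an erroneous signature never reaches the client. The following is an added example, not code from the post, the talk or OpenSSL; the toy key, the 4-bit window and the simulated single-bit fault in one multiplication are all constructed here.

```python
# Added example: sign-then-verify check against transient-fault attacks on RSA.
# Toy key sizes and a simulated bit flip are constructed for demonstration only.
import hashlib

# Constructed toy RSA key (tiny primes; not secure, just small enough to read).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def fixed_window_pow(base, exp, mod, w=4, fault_at=None):
    """Left-to-right fixed-window modular exponentiation (the FWE shape the
    abstract refers to). If fault_at is (window_index, bit), that bit of the
    table entry used in that window is flipped, modelling a transient
    single-bit fault in one multiplication."""
    table = [1]
    for _ in range((1 << w) - 1):
        table.append(table[-1] * base % mod)
    nwin = (exp.bit_length() + w - 1) // w
    acc = 1
    for i in range(nwin - 1, -1, -1):
        for _ in range(w):
            acc = acc * acc % mod          # w squarings per window
        digit = (exp >> (i * w)) & ((1 << w) - 1)
        mult = table[digit]
        if fault_at is not None and fault_at[0] == i:
            mult ^= 1 << fault_at[1]       # simulated transient bit flip
        acc = acc * mult % mod             # one multiplication per window
    return acc

def digest(msg: bytes) -> int:
    """Hash the message and reduce it into Z_N (toy padding for the demo)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign_checked(msg: bytes, fault_at=None):
    """Compute the signature, then verify it with the public exponent before
    returning it. Returns the signature, or None if the computation was
    corrupted; a faulty signature is never handed to the client."""
    m = digest(msg)
    s = fixed_window_pow(m, D, N, fault_at=fault_at)
    if pow(s, E, N) != m:
        return None                        # refuse to release a bad signature
    return s
```

Because RSA is a bijection on Z_N, any signature that differs from the correct one fails the public-key check, so the verification costs one public-exponent operation and blocks every faulty output regardless of which multiplication was hit.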


