[Cryptography] Side channel attack on OpenSSL ECDSA on iOS and Android

Perry E. Metzger perry at piermont.com
Wed Mar 2 14:19:23 EST 2016


[My comment -- not clear if this has real practical implications but
it shows yet again how hard it is to do this stuff right. --Perry]

Cryptology ePrint Archive: Report 2016/230

ECDSA Key Extraction from Mobile Devices via Nonintrusive Physical
Side Channels

Daniel Genkin and Lev Pachmanov and Itamar Pipman and Eran Tromer and
Yuval Yarom

Abstract: We show that elliptic-curve cryptography implementations on
mobile devices are vulnerable to electromagnetic and power
side-channel attacks. We demonstrate full extraction of ECDSA secret
signing keys from OpenSSL and CoreBitcoin running on iOS devices, and
partial key leakage from OpenSSL running on Android and from iOS's
CommonCrypto. These non-intrusive attacks use a simple magnetic probe
placed in proximity to the device, or a power probe on the phone's
USB cable. They use a bandwidth of merely a few hundred kHz, and can
be performed cheaply using an audio card and an improvised magnetic
probe.

https://eprint.iacr.org/2016/230

-- 
Perry E. Metzger		perry at piermont.com


More information about the cryptography mailing list