[Cryptography] Side channel attack on OpenSSL ECDSA on iOS and Android

John Gilmore gnu at toad.com
Thu Mar 3 03:54:53 EST 2016


> https://eprint.iacr.org/2016/230

This is nice work, showing how you can extract the secret keys from
many ECDSA signing operations by putting a loop of wire next to the
phone or tablet doing the signing, running that into an audio port
on an attacking computer, and analyzing the resulting signal to
detect doublings and additions to extract secret key or nonce bits.
They can do the same from power fluctuations on the USB charger port.

(Paul Kocher turned the smartcard world upside down with a similar
power-analysis side channel attack back in the '90s; see reference
KJJR11 in the paper.  Smartcard makers rushed to hire his company to
fix their products, which were previously all leaking their secrets.
He patented both the attack and many methods of defeating it; the
resulting royalty stream of perhaps a penny per smartcard chip (times
4 billion chips/year) has made his company very successful.  Rambus,
another tech company that made its money licensing DRAM interface
patents, bought the company in 2011 for $342M.  See:
https://en.wikipedia.org/wiki/Cryptography_Research   and
http://www.microsemi.com/products/fpga-soc/security/dpa-patents )

The best part of the paper is how the authors notify all the software
projects before publication, most of which work to fix the
vulnerability by using constant-time algorithms.  Except OpenSSL,
which says:

  "hardware side-channel attacks are not in OpenSSL's threat model",
  so no updates are planned to OpenSSL to mitigate our attacks.

Clue -> OpenSSL maintainers?

Or should that be Clue -> OpenSSL users: don't use OpenSSL if you want
your users' private keys to stay private.  A student who's read this
paper might be sitting near you (or offering you a free charge).

	John

PS: I wonder if Apple's code-signing machine is protected from this
attack.  J. Edgar Hoover successor's next motion to a judge: "Defeat
the terrorists by forcing Apple to put a simple wire loop near the
machine Apple uses to sign its software."
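Added example, not part of John's message or of the paper: a Python sketch of the leak described above and of the constant-time fix the other projects adopted. The curve parameters are the real secp256k1 ones; the trace model (a 'D' logged for every point doubling and an 'A' for every general addition, which is what the EM or power trace lets the attacker tell apart) and the sample private key, nonce and message hash are constructed for illustration. Naive double-and-add performs an addition only for set scalar bits, so the D/A pattern is the nonce in binary, and one nonce plus its signature yields the private key as d = (s*k - h)/r mod n. The Montgomery ladder does one addition and one doubling per bit whatever the bit is; the scalar is first padded by adding the group order once or twice (a standard trick, not something the paper or the post describes) so that the trace length does not leak the nonce's bit length either.

```python
import hashlib

# Real secp256k1 parameters.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def inv_mod(x, m):
    """Modular inverse for prime m (Fermat)."""
    return pow(x % m, m - 2, m)


def add(p1, p2, trace):
    """Affine point addition on y^2 = x^3 + A x + B over GF(P).
    Side-channel model (constructed): a doubling appends 'D' to trace, a
    general addition appends 'A'; that distinction is what the trace leaks."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        trace.append('D')
        lam = (3 * x1 * x1 + A) * inv_mod(2 * y1, P) % P
    else:
        trace.append('A')
        lam = (y2 - y1) * inv_mod(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def scalar_mul_leaky(k, point):
    """Naive left-to-right double-and-add: an addition happens only for set
    bits, so the D/A pattern is the scalar in binary. Returns (k*point, trace)."""
    trace = []
    r = point                          # bin(k) has no leading zeros: top bit is 1
    for bit in bin(k)[3:]:             # remaining bits, most significant first
        r = add(r, r, trace)           # every bit: double
        if bit == '1':
            r = add(r, point, trace)   # set bits only: add
    return r, trace


def recover_scalar(trace):
    """The attacker's side: each 'D' opens a new 0 bit, an 'A' right after it
    turns that bit into 1; the leading bit is implicitly 1."""
    bits = ['1']
    for op in trace:
        if op == 'D':
            bits.append('0')
        else:
            bits[-1] = '1'
    return int(''.join(bits), 2)


def fixed_length_scalar(k):
    """Add the group order once or twice so every scalar has bit length
    bitlen(N)+1; k*G is unchanged because N*G = INF. Without this padding a
    ladder still leaks the nonce's bit length through the trace length."""
    kk = k + N
    if kk.bit_length() == N.bit_length():
        kk += N
    return kk


def scalar_mul_ladder(k, point):
    """Montgomery ladder: one addition and one doubling per bit for either bit
    value, so the trace is identical for every scalar. Invariant: r1 = r0 + point."""
    kk = fixed_length_scalar(k)
    trace = []
    r0, r1 = point, add(point, point, trace)
    for i in range(kk.bit_length() - 2, -1, -1):
        if (kk >> i) & 1 == 0:
            r1 = add(r0, r1, trace)
            r0 = add(r0, r0, trace)
        else:
            r0 = add(r0, r1, trace)
            r1 = add(r1, r1, trace)
    return r0, trace


def ecdsa_sign(d, h, k, mul=scalar_mul_leaky):
    """Textbook ECDSA: R = k*G, r = R.x mod N, s = k^-1 (h + r d) mod N.
    Returns the signature and the trace the scalar multiply leaked."""
    R, trace = mul(k, G)
    r = R[0] % N
    s = inv_mod(k, N) * (h + r * d) % N
    return (r, s), trace


def key_from_nonce(r, s, h, k):
    """One signature plus its nonce gives the private key: d = (s k - h) / r mod N."""
    return (s * k - h) * inv_mod(r, N) % N


# Constructed sample values (not from the paper): private key, nonce, hash.
def _const(label):
    return int.from_bytes(hashlib.sha256(label).digest(), 'big') % N

D_PRIV = _const(b'demo private key')
K_NONCE = _const(b'demo nonce')
H_MSG = _const(b'demo message hash')

if __name__ == '__main__':
    (r, s), trace = ecdsa_sign(D_PRIV, H_MSG, K_NONCE)
    k_guess = recover_scalar(trace)
    print('nonce recovered from trace:', k_guess == K_NONCE)
    print('private key recovered     :', key_from_nonce(r, s, H_MSG, k_guess) == D_PRIV)
    t1 = scalar_mul_ladder(K_NONCE, G)[1]
    t2 = scalar_mul_ladder(3, G)[1]
    print('ladder trace independent of scalar:', t1 == t2, 'ops:', len(t1))
```

Run as a script it reports that the nonce and then the key fall out of the double-and-add trace, while the ladder produces the same 513-operation trace for a 256-bit nonce and for the scalar 3. The toy only models which operation ran, not timing or data-dependent power inside the field arithmetic; a real constant-time implementation also needs branch-free, secret-independent field code, which is the part OpenSSL declined to take on in the quoted reply.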
