[Cryptography] Do timing attacks matter?
Jerry Leichter
leichter at lrw.com
Tue Sep 3 15:13:32 EDT 2024
We've been discussing this recently, and ... the following just appeared:
https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/
Summary: Yubikeys, and a bunch of other devices that use a commonly available chipset and library, are vulnerable to an attack because of a non-constant-time implementation of the Euclidean algorithm. The attack relies on physical possession of the device and makes it possible to clone it or (sometimes?) extract the internal private key. They've demonstrated that possession for half an hour is enough. The detailed report - at https://ninjalab.io/wp-content/uploads/2024/09/20240903_eucleak.pdf - shows that their method of getting at the traces requires disassembling - hence effectively destroying - a Yubikey.
A practical real-world attack? Not quite, but rather close.
-- Jerry
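
The following is an added example, not part of the original post or of the linked report: it shows why a textbook extended Euclidean inversion is not constant-time (its loop count depends on the operand) next to a Fermat-style inversion whose operation sequence depends only on the public prime. The modulus `P`, the sample operands and all function names are assumptions made for the demo, and Python's big-integer arithmetic is not itself constant-time, so the counts model the operation sequence only.

```python
# Added illustration. P and SAMPLES are constructed demo values, not from the report.
P = 2**255 - 19  # a well-known prime, used here only as an example modulus

def inv_euclid(a, m):
    """Inverse of a mod m by extended Euclid. Returns (inverse, loop iterations)."""
    r0, r1, s0, s1, steps = m, a % m, 0, 1, 0
    while r1 != 0:  # how often this runs depends on the value of a
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
        steps += 1
    if r0 != 1:
        raise ValueError("a is not invertible mod m")
    return s0 % m, steps

def inv_fermat(a, p):
    """Inverse of a mod prime p as a^(p-2). Returns (inverse, modular mults)."""
    e, acc, base, ops = p - 2, 1, a % p, 0
    for i in range(e.bit_length()):
        if (e >> i) & 1:  # e is public, so this branch reveals nothing about a
            acc = acc * base % p
            ops += 1
        base = base * base % p
        ops += 1
    return acc, ops

SAMPLES = [1, 2, 3, 2**128 + 1, 0x1234567890ABCDEF1234567890ABCDEF, P - 1]

def profile(values, p=P):
    """Check both inverses agree, then return [(euclid_steps, fermat_ops), ...]."""
    rows = []
    for a in values:
        x, steps = inv_euclid(a, p)
        y, ops = inv_fermat(a, p)
        if x != y or a * x % p != 1:
            raise AssertionError("inverse mismatch")
        rows.append((steps, ops))
    return rows

if __name__ == "__main__":
    for a, (steps, ops) in zip(SAMPLES, profile(SAMPLES)):
        print(f"a={a:#x}: euclid iterations={steps}, fermat mults={ops}")
```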