Extracting RSA-1024 Keys Possible With Side Channel Attack on Libgcrypt

University researchers in Australia, the Netherlands and the United States have demonstrated how a side-channel attack on Libgcrypt –  a cryptographic library developed as a module of GnuPG – could lead to extraction of RSA-1024 keys.

Although the same attack method has been shown successful in extracting RSA-2048 keys, it was only effective 13 percent of the time. Published as “Sliding right into disaster: Left-to-right sliding windows leak,” on the International Association for Cryptologic Research (IACR) website, the paper describes in full detail how the attack succeeded.

“In this paper we demonstrate a complete break of RSA-1024 as implemented in Libgcrypt,” reads the paper. “Our attack makes essential use of the fact that Libgcrypt uses the left-to-right method for computing the sliding-window expansion.”

Because Libgcrypt uses the sliding windows method for exponentiation that leads to leakage of exponent bits, the side-channel attack demonstrated that the left-to-right method for computing sliding-window expansion reveals far more information about the exponent than the right-to-left method. As a result of the research, Libgcrypt 1.7.8 was released addressing the issue that was also awarded a CVE (CVE-2017-7526).

“Note that this side-channel attack requires that the attacker can run arbitrary software on the hardware where the private RSA key is used,” reads the Libgcrypt announcement. “Allowing execute access to a box with private keys should be considered as a game over condition, anyway.  Thus in practice there are easier ways to access the private keys than to mount this side-channel attack. However, on boxes with virtual machines this attack may be used by one VM to steal private keys from another VM.”

In light of this research, Debian and Ubuntu Linux distribution has also been updated to address the issue. Everyone using Libgcrypt is strongly encouraged to update the library to its latest version.

Leave a Reply

Your email address will not be published.