Anonymous Servers - Hard-working chips may reveal encryption keys cite and link


Author Hard-working chips may reveal encryption keys cite and link
Anonymous via Panta Rhei

2006-12-02, 7:14 am

How serious is this threat?

http://www.newscientisttech.com/art...king-chips-may-
reveal-encryption-keys.html
Hard-working chips may reveal encryption keys

* 15:35 20 November 2006
* NewScientist.com news service
* Will Knight

Details of a possible weakness in the way modern microchips process
cryptographic information have been published by an international team of
researchers.

The flaw could let a hacker steal the cryptographic keys used to protect
sensitive communications and financial transactions, simply by monitoring
the amount of effort the microchip is expending, the researchers claim.

Jean-Pierre Seifert, who is affiliated with the University of Haifa,
Israel, and the University of Innsbruck, Austria, and colleagues posted
their findings online on Saturday.

The team say the problem is the result of a trick employed by modern
microchips to speed up information processing, called "branch prediction".
This involves second-guessing whether the logical flow of a computer
program will follow one branch or another, prior to its actual execution.

Spy software

Branch prediction lets a modern microprocessor perform the same type of
function again and again very rapidly. However, if a chip suddenly needs to
perform another type of operation, or makes a mistaken branch prediction,
the amount of work it has to perform, and the time required, will suddenly
increase.

Understanding this effect and monitoring these fluctuations over time can
reveal crucial details about encryption keys being processed, the
researchers say. Although similar techniques have been proposed in the
past, they have involved monitoring a chip for much longer periods.

The researchers claim to have used the attack method, dubbed "Simple Branch
Prediction Analysis", to work out a high-security 512-bit encryption key
in just a few thousandths of a second. The key is of a type widely used to
secure both online financial transactions and email messages against
eavesdropping.

'Horrendously complicated'

The researchers suggest that a small piece of software, hidden on a target
computer, could pick up cryptographic keys covertly. "Security has been
sacrificed for the benefit of performance," Seifert told French newspaper
Le Monde.

Markus Kuhn, a cryptography researcher at the University of Cambridge, UK,
says programmers typically try to guard against so-called "timing attacks"
but notes that it can be difficult to foresee every potential problem.
"Modern processors are horrendously complicated and do a lot behind the
scenes," he told New Scientist.

Although Simple Branch Prediction Analysis requires spy software to be
installed on a target computer, Kuhn says this would be relatively simple
if the computer system is open to more than one user. "If it's a multi-user
machine, then it's quite a feasible threat," he says.

Seifert will present details of the attack at the RSA Security conference,
in February 2007.

~~~~~~~~~~~~~~~~~~~~~
This message was posted via one or more anonymous remailing services.
The original sender is unknown. Any address shown in the From header
is unverified. You need a valid hashcash token to post to groups other
than alt.test and alt.anonymous.messages. Visit www.panta-rhei.eu.org
for abuse and hashcash info.
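The mechanism the article describes, as an added example that is not from the article or any post in this thread: a toy Python model of the key-dependent branch in square-and-multiply exponentiation (the branch whose outcome a predictor's state reflects) next to a branch-free form that removes it. The function names, the recorded trace and the toy numbers are my own construction; Python integer arithmetic is not constant-time, so this models only branch outcomes, not real timing.

```python
# Added illustration (not from the article or this thread): a toy model of
# the key-dependent branch that SBPA-style attacks observe in RSA-style
# modular exponentiation, and the branch-free form that removes it.
# Names, the recorded trace and the numbers are constructed here.

def square_and_multiply(base, exponent, modulus, trace):
    """Naive left-to-right exponentiation with a key-dependent branch.

    Whether the multiply runs depends on each exponent bit, so the
    taken/not-taken outcome of 'if bit' follows the key. `trace` records
    that outcome per bit, standing in for what a branch predictor sees.
    """
    result = 1
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        if bit == "1":                      # key-dependent branch
            trace.append(1)
            result = (result * base) % modulus
        else:
            trace.append(0)
    return result


def branch_free_exponent(base, exponent, modulus, trace):
    """Same result with no control flow that depends on the exponent.

    Both candidate values are computed every iteration and one is chosen
    with an arithmetic mask, so the branch pattern is the same for every
    key. `trace` records the (now constant) per-bit observation.
    """
    result = 1
    for bit in bin(exponent)[2:]:
        squared = (result * result) % modulus
        multiplied = (squared * base) % modulus
        mask = -int(bit)                    # 0 for bit 0, -1 (all ones) for 1
        result = (multiplied & mask) | (squared & ~mask)
        trace.append(1)                     # identical observation every bit
    return result


def recover_exponent(trace):
    """What an observer learns: the naive trace *is* the exponent's bits."""
    return int("".join(str(b) for b in trace), 2)


def trace_depends_on_key(exp_fn, base, modulus, exponents):
    """Leak check for this model: do same-length keys give different traces?"""
    traces = []
    for e in exponents:
        t = []
        exp_fn(base, e, modulus, t)
        traces.append(tuple(t))
    return len(set(traces)) > 1
```

Run `trace_depends_on_key` over a few same-length exponents: the naive routine yields one trace per key, the branch-free routine yields the same trace for all of them.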





rover

2006-12-02, 7:14 am

On 2 Dec 2006, Anonymous via Panta Rhei <anonymous@panta-rhei.eu.org>
wrote:
>How serious is this threat?
>
>http://www.newscientisttech.com/art...king-chips-may-
>reveal-encryption-keys.html
>Hard-working chips may reveal encryption keys
>
>Seifert will present details of the attack at the RSA Security conference,
>in February 2007.


I'm guessing we'll know in February 2007.




AZ Nomad

2006-12-03, 1:14 am

On 2 Dec 2006 08:12:08 -0000, Anonymous via Panta Rhei <anonymous@panta-rhei.eu.org> wrote:

>How serious is this threat?
>
>http://www.newscientisttech.com/art...king-chips-may-
>reveal-encryption-keys.html
>Hard-working chips may reveal encryption keys
>
> * 15:35 20 November 2006
> * NewScientist.com news service
> * Will Knight
>
>Details of a possible weakness in the way modern microchips process
>cryptographic information have been published by an international team of
>researchers.
>
>The flaw could let a hacker steal the cryptographic keys used to protect

The trick relies on having physical access to the computer being attacked.
A far simpler method would be to just read the directory where the keys are
stored. No need to muck around listening to CPU branches.

If you don't have physical security then you don't have any security at all.


Non scrivetemi

2006-12-03, 1:14 am

AZ Nomad wrote:

> On 2 Dec 2006 08:12:08 -0000, Anonymous via Panta Rhei
> <anonymous@panta-rhei.eu.org> wrote:
>
> The trick relies on having physical access to the computer being
> attacked. A far simpler method would be to just read the directory
> where the keys are stored. No need to muck around listening to CPU
> branches.


You're badly mistaken. Branch prediction analysis, like most other side
channel attacks, can be carried out remotely. That is precisely why
most of these types of attacks are considered side channel attacks. They
specifically do *not* require any direct attack on a key or algorithm,
or physical access.

A branch prediction attack could be mounted by a trojan or worm for
instance. It's certainly possible for an unprivileged user to attack a
privileged user. And it may even be possible to mount a BPA attack
without actually compromising a cryptographic machine at all if an
attacker could manipulate the cryptographic process remotely and
account for any network lag. Think high speed network and some sort of
automatic key generation or signing. Like SSL/TLS. Or similarly
something like a smart card, which has already been proved vulnerable
to BPA:

http://eprint.iacr.org/2006/351

http://www.linuxsecurity.com/content/view/125870/



AZ Nomad

2006-12-03, 1:14 am

On Sun, 3 Dec 2006 06:24:07 +0100 (CET), Non scrivetemi <nonscrivetemi@pboxmix.winstonsmith.info> wrote:

>You're badly mistaken. Branch prediction analysis, like most other side
>channel attacks, can be carried out remotely. That is precisely why
>most of these types of attacks are considered side channel attacks. They
>specifically do *not* require any direct attack on a key or algorithm,
>or physical access.


>A branch prediction attack could be mounted by a trojan or worm for

A trojan or worm can read the certificates directly, can insert into
libraries to catch function calls and do it all a hell of a lot easier
than messing around with the cpu's pipelines.


>instance. It's certainly possible for an unprivileged user to attack a
>privileged user. And it may even be possible to mount a BPA attack
>without actually compromising a cryptographic machine at all if an
>attacker could manipulate the cryptographic process remotely and
>account for any network lag. Think high speed network and some sort of
>automatic key generation or signing. Like SSL/TLS. Or similarly
>something like a smart card, which has already been proved vulnerable
>to BPA
>
>http://eprint.iacr.org/2006/351
>
>http://www.linuxsecurity.com/content/view/125870/




Unruh

2006-12-03, 1:14 am

AZ Nomad <aznomad.2@PremoveOBthisOX.COM> writes:

>On 2 Dec 2006 08:12:08 -0000, Anonymous via Panta Rhei <anonymous@panta-rhei.eu.org> wrote:
>
>The trick relies on having physical access to the computer being attacked.
>A far simpler method would be to just read the directory where the keys are
>stored. No need to muck around listening to CPU branches.
>
>If you don't have physical security then you don't have any security at all.


No, as I understand it, the trick is having programs running on that machine. The idea is that
if you have programs running on the same cpu as that running the crypto
then you can determine the key. As a user you can run programs at the same
time as someone else runs their crypto.


Obviously if this required you being root then this would be silly for
exactly the reason you give.


George Orwell

2006-12-03, 1:14 am

AZ Nomad wrote:

> On Sun, 3 Dec 2006 06:24:07 +0100 (CET), Non scrivetemi
> <nonscrivetemi@pboxmix.winstonsmith.info> wrote:
>
> A trojan or worm can read the certificates directly, can insert into
> libraries to catch functions calls and do it all a hell of a lot
> easier then messing around with the cpu's pipelines.


I'm sorry but you're mistaken about this also. At least in as much as
what BPA might accomplish above and beyond what something that might
simply read a file can accomplish. You apparently don't understand BPA
very well at all, even after I directed you toward a couple of fine URIs. I
suggest you actually follow those links. Nobody has to "mess around
with the cpu's pipelines" to perform BPA. It's essentially a
statistical analysis made using what's known about a cryptographic
system or "cpu", and a sufficient amount of data.

The possibilities reach far beyond the sort of direct privileged access
you're fixated on. As I said, you may not even need access at all in the
classical sense to launch a successful attack. You're also being
extremely narrow of vision with respect to what constitutes a target.
PCs running PGP or holding SSL certs are only a tiny fraction of the
potential for abuse here. Even more insidious are the ramifications this
has regarding "smart" passports/cards, wireless devices, and
transactions using other types of cryptographic-enabled credit or ID
cards.



Non scrivetemi

2006-12-03, 7:13 am

Unruh wrote:

> AZ Nomad <aznomad.2@PremoveOBthisOX.COM> writes:
>
> No, as I understand it, the trick is having programs running on that
> machine. The idea is that if you have programs running on the same
> cpu as that running the crypto then you can determine the key. As a
> user you can run programs at the same time as someone else runs their
> crypto.


No. It's not necessary to have anything "running on that machine" at
all. Nor is the problem limited to, or even mainly a problem with,
personal computers in the first place. The most likely targets are
smart cards, which we already know can have their keys compromised by
this method. There's no compromise of the card itself in any way, the
attack relies on what's known about how the card functions, and
sufficient amounts of transaction data.

>
> Obviously if this required you being root then this would be silly for
> exactly the reason you give.


It also has nothing at all to do with privilege over another user. In
fact an unprivileged user could attack "root" without privilege escalation
if "root" can be made to perform cryptographic calculations at will.

Copyright 2003 - 2008 webservertalk.com