Linux users need to check out their distributions to see if a nasty bug in libgcrypt20 has been patched.
The software fix, which has landed in Debian and Ubuntu, addresses a side-channel attack published last week.
The researchers published their work at the International Association for Cryptologic Research's e-print archive last week. The paper was authored by Daniel Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom (who hail variously from the Technical University of Eindhoven, the University of Illinois, the University of Pennsylvania, the University of Maryland, and the University of Adelaide).
What they found is that the libgcrypt library used what's called “sliding windows”, a method for carrying out the mathematics of cryptography – but one that's known to leak data.
The researchers looked at the left-to-right sliding window calculation in libgcrypt, in which the sliding window data leak was tolerated because it was believed only part of a key was recoverable (40 percent of bits in a four-bit sliding window; 33 percent in a five-bit sliding window).
What they found was an unpleasant surprise: a complete break of the library's RSA-1024: “We show for the first time that the direction of the encoding matters: the pattern of squarings and multiplications in left-to-right sliding windows leaks significantly more information about the exponent than right-to-left”.
To get at the processing, the researchers also needed to carry out a side-channel attack, specifically a flush+reload cache-timing attack “that monitors the target's cache access patterns”.
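As an added illustration (my own code, not the researchers' or libgcrypt's), the block below models both sliding-window directions as the square/multiply sequence a cache-timing observer sees, then reads exponent bits back out of each sequence using only rules that follow from the algorithms as written here, not the paper's full rule set. It assumes an n-bit exponent e and window width w; `known_fraction` returns the share of bits each trace gives away (left-to-right, right-to-left), after checking every inferred bit against the real e.

```python
def l2r_trace(e, n, w):
    # Left-to-right sliding windows (my model of the scheme the paper analyses): from the top
    # bit, a 1 opens a window of up to w bits, trimmed to its lowest 1; one S per bit, one M per window.
    b, tr, i = [(e >> k) & 1 for k in range(n)], [], n - 1
    while i >= 0:
        if b[i] == 0:
            tr.append("S"); i -= 1; continue
        l = max(i - w + 1, 0)
        while b[l] == 0: l += 1               # window e[i..l] ends at its lowest 1
        tr += ["S"] * (i - l + 1) + ["M"]; i = l - 1
    return tr

def r2l_trace(e, n, w):
    # Right-to-left: a window always begins at its lowest 1 and spans exactly w bits.
    b, tr, i = [(e >> k) & 1 for k in range(n)], [], 0
    while i < n:
        if b[i] == 0:
            tr.append("S"); i += 1; continue
        k = min(w, n - i); tr += ["M"] + ["S"] * k; i += k
    return tr

def recover_l2r(tr, n, w):
    # Bits implied by an L2R trace. Rules are derived from l2r_trace above, not the paper's full set.
    ls = [n - k + j for j, k in enumerate(k for k, op in enumerate(tr) if op == "M")]  # bit of each M
    bits, l_prev = ["?"] * n, n
    for j, l in enumerate(ls):
        bits[l] = "1"                         # a window's lowest bit is always 1
        hi = min(l + w - 1, l_prev - 1)       # highest position the window's top 1 can have
        lo = max(l, ls[j + 1] + w) if j + 1 < len(ls) else l  # the next window's top is >= w lower
        for p in [*range(hi + 1, l_prev), *range(max(hi - w + 1, 0), l)]:
            bits[p] = "0"                     # zeros between windows and zeros trimmed below l
        if lo == hi: bits[lo] = "1"           # window top pinned down exactly
        l_prev = l
    for p in range(l_prev): bits[p] = "0"     # only zero bits follow the last M
    return bits

def recover_r2l(tr, n, w):
    bits, s, inside = ["?"] * n, 0, 0
    for op in tr:
        if op == "M": bits[s], inside = "1", min(w, n - s); continue
        if inside == 0: bits[s] = "0"         # an S outside any window is a 0 bit
        inside, s = max(inside - 1, 0), s + 1
    return bits

def known_fraction(e, n, w):
    res = []
    for tr, rec in ((l2r_trace, recover_l2r), (r2l_trace, recover_r2l)):
        g = rec(tr(e, n, w), n, w)
        assert all(x == "?" or int(x) == (e >> i) & 1 for i, x in enumerate(g))
        res.append(sum(x != "?" for x in g) / n)
    return tuple(res)
```

The paper's extra rules squeeze considerably more out of the left-to-right trace than the conservative set here; the block is there to show how an S/M sequence maps onto exponent bits at all, and why the direction of the scan changes what each multiplication tells you.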