If you missed the OpenSSL update released in May, go back and get it: a Georgia Tech team recovered a 2048-bit RSA key from OpenSSL using smartphone processor radio emissions, in a single pass.
The good news is that their attack was on OpenSSL 1.1.0g, which was released last November, and the library has been updated since then. Dubbed “One&Done”, the attack was carried out by Georgia tech's Monjur Alam, Haider Adnan Khan, Moumita Dey, Nishith Sinha, Robert Callan, Alenka Zajic, and Milos Prvulovic.
The researchers only needed a simple and relatively low cost Ettus USRP B200 mini receiver (costing less than $1,000/€900/£800) to capture the revealing radio noise from a Samsung Galaxy phone, an Alcatel Ideal phone, and a A13-OLinuXino single-board computer.
In Georgia Tech's announcement, the group explained that its attack is the first to crack OpenSSL without exploiting cache timing or organisation.
Perhaps ironically, the attack point was created because of potential side-channel vulns in previous handling of OpenSSL exponentiation, as explained in the paper (at Semantic Scholar, PDF). So-called “fixed-window exponentiation” was adopted to fend off attacks on its previous exponent-dependent square-multiply sequences.
The One&Done attack, which is described in a paper to appear in the USENIX Security'18 conference, uses EM emanations to recover the values of the bits that are obtained using
BN_is_bit_set while constructing the value of the window in
The EM signal changes slightly depending on the value of the bit, and since the lookup of a bit is surrounded by highly regular execution (constant-time Montgomery multiplications) the attack is able to isolate the (very brief) part of the signal that changes depending on the bit.
Prvulovic said the Georgia Tech team was more than 90 per cent successful in recovering that bit change, and the group used a modified “branch and prune” approach to go from there to “recovery of the full RSA key”.
The good news is that not only was mitigation relatively simple, it improved OpenSSL's performance. “Our mitigation relies on obtaining all the bits that belong to one window at once, rather than extracting the bits one at a time,” the paper stated. “For the attacker, this means that there are now billions of possibilities for the value to be extracted from the signal, while the number of signal samples available for this recovery is similar to what was originally used for making a binary (single-bit) decision”.
“This mitigation results in a slight improvement in execution time of the exponentiation,” the paper continued.
Here's the link to the group's upcoming Usenix talk. ®