May the May update be with you: OpenSSL key sniffed from radio signal

'One and Done' attack patched in library's May 2018 release


If you missed the OpenSSL update released in May, go back and get it: a Georgia Tech team recovered a 2048-bit RSA key from OpenSSL using smartphone processor radio emissions, in a single pass.

The good news is that their attack was on OpenSSL 1.1.0g, which was released last November, and the library has been updated since then. Dubbed “One&Done”, the attack was carried out by Georgia Tech's Monjur Alam, Haider Adnan Khan, Moumita Dey, Nishith Sinha, Robert Callan, Alenka Zajic, and Milos Prvulovic.

The researchers only needed a simple and relatively low-cost Ettus USRP B200 mini receiver (costing less than $1,000/€900/£800) to capture the revealing radio noise from a Samsung Galaxy phone, an Alcatel Ideal phone, and an A13-OLinuXino single-board computer.

In Georgia Tech's announcement, the group explained that its attack is the first to crack OpenSSL without exploiting cache timing or organisation.

Perhaps ironically, the attack point was created because of potential side-channel vulns in previous handling of OpenSSL exponentiation, as explained in the paper (at Semantic Scholar, PDF). So-called “fixed-window exponentiation” was adopted to fend off attacks on its previous exponent-dependent square-multiply sequences.

This comment at the OpenSSL GitHub from Prvulovic (aka milosprv) explains the vulnerability:

The One&Done attack, which is described in a paper to appear in the USENIX Security'18 conference, uses EM emanations to recover the values of the bits that are obtained using BN_is_bit_set while constructing the value of the window in BN_mod_exp_consttime.

The EM signal changes slightly depending on the value of the bit, and since the lookup of a bit is surrounded by highly regular execution (constant-time Montgomery multiplications) the attack is able to isolate the (very brief) part of the signal that changes depending on the bit.

Prvulovic said the Georgia Tech team was more than 90 per cent successful in recovering that bit change, and the group used a modified “branch and prune” approach to go from there to “recovery of the full RSA key”.

The good news is that not only was mitigation relatively simple, it improved OpenSSL's performance. “Our mitigation relies on obtaining all the bits that belong to one window at once, rather than extracting the bits one at a time,” the paper stated. “For the attacker, this means that there are now billions of possibilities for the value to be extracted from the signal, while the number of signal samples available for this recovery is similar to what was originally used for making a binary (single-bit) decision”.

“This mitigation results in a slight improvement in execution time of the exponentiation,” the paper continued.
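The shape of that change, as an added C illustration that is not OpenSSL's code and not taken from the paper: a window built one bit at a time next to the same window obtained with a single shift and mask. The 64-bit limb layout, the helper names and the sample exponent are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LIMB_BITS 64

/* Constructed sample exponent, least-significant limb first (not a real key). */
static const uint64_t SAMPLE_EXP[2] = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL };

/* Stand-in for a per-bit lookup such as BN_is_bit_set (hypothetical helper). */
static int bit_is_set(const uint64_t *limbs, size_t nlimbs, size_t bit)
{
    size_t i = bit / LIMB_BITS;
    return i < nlimbs ? (int)((limbs[i] >> (bit % LIMB_BITS)) & 1u) : 0;
}

/* "Before" shape: the window is assembled one bit at a time, so every
 * exponent bit gets its own brief lookup step between multiplications. */
static unsigned window_bitwise(const uint64_t *limbs, size_t nlimbs,
                               size_t lowbit, unsigned width)
{
    unsigned w = 0;
    for (unsigned k = width; k-- > 0; )
        w = (w << 1) | (unsigned)bit_is_set(limbs, nlimbs, lowbit + k);
    return w;
}

/* "After" shape: all bits of the window are obtained at once with a
 * shift and mask, including when the window straddles two limbs.
 * Requires 1 <= width <= 31. */
static unsigned window_at_once(const uint64_t *limbs, size_t nlimbs,
                               size_t lowbit, unsigned width)
{
    size_t i = lowbit / LIMB_BITS;
    unsigned off = (unsigned)(lowbit % LIMB_BITS);
    uint64_t v = i < nlimbs ? limbs[i] >> off : 0;
    if (off + width > LIMB_BITS && i + 1 < nlimbs)
        v |= limbs[i + 1] << (LIMB_BITS - off);
    return (unsigned)(v & ((1u << width) - 1u));
}

int main(void)
{
    for (size_t lowbit = 0; lowbit < 128; lowbit += 5)
        printf("bits %3zu..%3zu: bitwise=%2u at_once=%2u\n", lowbit, lowbit + 4,
               window_bitwise(SAMPLE_EXP, 2, lowbit, 5),
               window_at_once(SAMPLE_EXP, 2, lowbit, 5));
    return 0;
}
```

Both functions return the same window value; what differs is that the second has no per-bit step, which is the property the paper's mitigation relies on.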

Here's the link to the group's upcoming Usenix talk. ®
