Researchers Find Way To Zap RSA Algorithm

alphadogg writes "Three University of Michigan computer scientists say they have found a way to exploit a weakness in RSA security technology used to protect everything from media players to smartphones and e-commerce servers. RSA authentication is susceptible, they say, to changes in the voltage supply to a private key holder. While guessing the 1,000-plus digits of binary code in a private key would take unfathomable hours, the researchers say that by varying electric current to a secured computer using an inexpensive purpose-built device they were able to stress out the computer and figure out the 1,024-bit private key in about 100 hours – all without leaving a trace. The researchers in their paper outline how they made the attack (PDF) on a SPARC system running Linux."
  • Article == Summary (Score:5, Informative)

    by fishwallop ( 792972 ) on Thursday March 04, 2010 @04:06PM (#31361882)

    The only thing the article "ads" to the summary posted here is a pretty splash screen, which in my case tried to sell me SQL Server.
  • by Animats ( 122034 ) on Thursday March 04, 2010 @04:08PM (#31361898) Homepage

    Machines where software can alter the CPU voltages and clock speeds for "overclocking" purposes may be especially vulnerable to this attack. "Advanced power management" may also offer an attack vector.

    Also worry about Intel's Nehalem architecture, where there's a small CPU dedicated to power, clock, and thermal management. Access to that allows detailed control over power.

  • by Sir_Lewk ( 967686 ) on Thursday March 04, 2010 @04:11PM (#31361940)

    A first poster that actually RTFA? What the hell is slashdot coming to?!?

    He's right though, skip TFA and just read the linked PDF if you want more details.

  • wrong headline (Score:5, Informative)

    by Lord Ender ( 156273 ) on Thursday March 04, 2010 @04:12PM (#31361964) Homepage

    Researchers Find Way To Zap RSA Algorithm

    No, researchers find side-channel attack on SPARC CPU (which requires elevated access, anyway).

  • !news (Score:5, Informative)

    by betterunixthanunix ( 980855 ) on Thursday March 04, 2010 @04:20PM (#31362056)

    This is just a fault injection attack. People have been doing similar things to block ciphers for years, it is not a mathematical weakness, just a side channel attack, and an active one at that. Cool that they did it against RSA, but not really headline news...
  • Re:wrong headline (Score:5, Informative)

    by Andy Dodd ( 701 ) <atd7.cornell@edu> on Thursday March 04, 2010 @04:34PM (#31362190) Homepage

    To be more specific:

    No one attacked the algorithm itself here. They attacked one specific implementation of the RSA algorithm.

    Side channel attacks are nothing new. There are plenty of cryptographic algorithms that have no known flaws which have had implementations broken via side channel attacks, due to flaws in the implementation, not the algorithm.

  • by wizardforce ( 1005805 ) on Thursday March 04, 2010 @04:38PM (#31362248) Journal

    There are two articles, one is mostly worthless. The other is a PDF which is actually much more informative. The attack focuses on the implementation of RSA in OpenSSL and uses a cluster of processors to carry out the attack. All in all TFA notes that about a year of computing time is actually required to extract the key. The voltage manipulation causes faults which are used to extract the key after quite some time.
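
    As an added illustration of why fault-induced errors in the private-key operation matter, and of the standard countermeasure an implementation can apply (this is example code, not from the paper, the article or OpenSSL): the signer re-verifies each result with the public key and withholds anything that does not check out. The toy key parameters and the single-bit-flip hook below are constructed for the demonstration.

```python
# Added example (not from the paper, the article or OpenSSL): textbook RSA with a
# constructed toy key, a simulated transient fault in the private-key operation,
# and the verify-before-release check that stops a faulty signature from leaking.

# Constructed toy parameters, kept tiny so the arithmetic is readable.
P, Q, E = 61, 53, 17
N = P * Q                              # 3233
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent 2753 (Python 3.8+)


def modexp(base, exp, mod, fault_at=None):
    """Left-to-right square-and-multiply: base**exp mod mod.

    fault_at is a constructed test hook: after iteration number `fault_at`
    one bit of the accumulator is flipped, standing in for the transient
    computation error an out-of-spec supply voltage can cause.
    """
    acc = 1
    for step, bit in enumerate(bin(exp)[2:]):
        acc = (acc * acc) % mod
        if bit == "1":
            acc = (acc * base) % mod
        if step == fault_at:
            acc ^= 1 << 3              # single-bit upset in the intermediate value
    return acc


def sign(m, fault_at=None):
    """Unprotected private-key operation: returns whatever was computed."""
    return modexp(m, D, N, fault_at)


def sign_checked(m, fault_at=None):
    """Protected variant: re-verify with the public key before releasing.

    A result that does not verify is withheld (None), so a faulty signature,
    the raw material of this class of key-recovery attack, never leaves the signer.
    """
    s = sign(m, fault_at)
    if pow(s, E, N) != m:
        return None
    return s


LAST_STEP = len(bin(D)) - 3            # index of the final exponent bit


if __name__ == "__main__":
    m = 65
    print("good signature :", sign_checked(m))
    print("faulty, leaked :", sign(m, fault_at=LAST_STEP))
    print("faulty, checked:", sign_checked(m, fault_at=LAST_STEP))
```

The check costs one public-key exponentiation per signature, which is cheap next to the private-key operation it protects.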

  • Re:Physical Access (Score:4, Informative)

    by Eric Smith ( 4379 ) on Thursday March 04, 2010 @04:45PM (#31362322) Homepage Journal

    So everyone who ever uses colocation has lost?

    Yes. Are you actually surprised?

  • by pclminion ( 145572 ) on Thursday March 04, 2010 @05:04PM (#31362516)

    In what kind of scenario would you have access to the PSU of the server you attacked?

    I don't know, how about a world where you've arrested a political dissident and you want to obtain his/her private key, and he/she refuses to hand it over?

  • by BitZtream ( 692029 ) on Thursday March 04, 2010 @05:09PM (#31362582)

    Great, another 'if you have physical access to the key, you can get the key' method.

    Look, 'stressing' the computer for a hundred hours while screwing with the voltage is going to get you noticed if it's a key important enough for you to use this method to do it. I can go to your PC and steal the contents of the entire drive without leaving a trace, but you're probably going to notice when I move you out of my way so I can put in a boot CD and external drive to copy the data to.

    Practical value: 0
    Research value: 1
    Geek Cred: 11
    Priceless, or rather, worthless.

  • by pz ( 113803 ) on Thursday March 04, 2010 @05:39PM (#31363124) Journal

    "the researchers say that by varying electric current to a secured computer"...

    Um, if they have physical access to the computer (in order to monkey with the power), why would it be considered secure?

    The faults described by the paper are so ... what's the word ... specialized that it challenges believability. Not only does the attacker have to have physical access -- and likely pretty good physical access -- they have to know precisely when the encryption algorithms are being performed so that the faults can be induced then and only then otherwise the operation of the computer will be compromised. Furthermore, the faults must be induced at a reasonable, but not too great, rate, and at randomly varying times in the computation, so as to explore the full error space and have insight into the keys. And the computations have to be repeated MANY times over in order to extract enough information. So, not only do attackers have to know exactly, to the microsecond, when the system under attack is computing the RSA algorithm, they also have to be able to vary the voltage to the CPU. Their physical proof of concept, as much as it is described in the paper, is contrived. Their assertion that the technique does not require physical access is wholly unsupported. Color me skeptical. Anyone with this level of access is going to be able to do more than trigger faults.

    The paper asserts that the probes can be done without leaving any trace. I don't know about the authors, but the voltages on my computers are monitored by software and excursions logged so that I can know if/when there are problems. Since the RSA-breaking technique requires substantial exploration of the response to voltage tweaks, it is likely to be detected by a decent monitoring program.

    Finally, the PDF does not carry any publication information suggesting strongly that it describes work that is not peer-reviewed. It is shoddy science to bypass peer review and release to the general public.

  • by Anonymous Coward on Thursday March 04, 2010 @06:48PM (#31364054)

    Your sarcasm meter is broken and your sense of humor sucks. The OP is essentially complimenting the dudes.

    by electrostatic ( 1185487 ) on Thursday March 04, 2010 @07:50PM (#31364912)

    A very pertinent comment.

    Level 4

    Security Level 4 provides the highest level of security.

    At this security level, the physical security mechanisms provide a complete envelope of protection around the cryptographic module with the intent of detecting and responding to all unauthorized attempts at physical access.

    Penetration of the cryptographic module enclosure from any direction has a very high probability of being detected, resulting in the immediate zeroization of all plaintext CSPs.

    Security Level 4 cryptographic modules are useful for operation in physically unprotected environments. Security Level 4 also protects a cryptographic module against a security compromise due to environmental conditions or fluctuations outside of the module's normal operating ranges for voltage and temperature. Intentional excursions beyond the normal operating ranges may be used by an attacker to thwart a cryptographic module's defenses. A cryptographic module is required to either include special environmental protection features designed to detect fluctuations and zeroize CSPs, or to undergo rigorous environmental failure testing to provide a reasonable assurance that the module will not be affected by fluctuations outside of the normal operating range in a manner that can compromise the security of the module.

  • by Captain Segfault ( 686912 ) on Thursday March 04, 2010 @09:12PM (#31365684) Homepage Journal

    There is nothing, as far as we know, short of factoring a number that is a component of both the private and public keys.

    If you can factor that number you can very easily generate the private key from the public key. The point is that it's important to pick a number which is sufficiently large as to be impossible to factor with current technology.
