
Re: [Taler] Fault attacks on RSA in libgcrypt

From: NIIBE Yutaka
Subject: Re: [Taler] Fault attacks on RSA in libgcrypt
Date: Fri, 2 Sep 2016 09:34:21 +0900
User-agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Icedove/45.2.0


On 09/02/2016 06:19 AM, Jeff Burdges wrote:
> Appears someone just improved Rowhammer:
> http://arstechnica.com/security/2016/08/new-attack-steals-private-crypto-keys-by-corrupting-data-in-computer-memory/

This is a bit different.  The attack doesn't get the RSA private key.
The attack changes a bit of the RSA public key and cheats the
verification process.  Newer gpgv of GnuPG has a tweak, and the
particular attack scenario is not valid now.

But, under a hardware condition where we can flip a bit (rather
arbitrarily), it would be possible to achieve some privilege escalation
to get more control of a system.

So, I think that the idea of this attack itself is valid and we have
no way to solve it by software, in general (while we could find a way
to mitigate somehow for a given scenario).

For the original discussion:

> "Making RSA-PSS Provably Secure Against Non-Random Faults" by Gilles
> Barthe, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire,
> Mehdi Tibouchi and Jean-Christophe Zapalowicz.
>  https://eprint.iacr.org/2014/252

I read it briefly.  IIUC, this is more related to smartcards and
"secure chips".

For a general purpose computer, if such multi-factor fault attacks can
be applied (by Rowhammer, by laser, or by electric power), it would be
easier for an attacker to achieve another privilege escalation to get
more control of a system (to get the private key easily).

That's my current opinion.
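The software-side mitigation the message alludes to, shown as an added illustration that is not GnuPG's code and not necessarily how gpgv's tweak is implemented: pin a fingerprint of the public key at import time and re-check it before and after the verification step, so that a bit flipped in the in-memory key is detected instead of being trusted. The key values, the fingerprint serialization and the `fault_during` hook are constructed for this demo.

```python
import hashlib

# Constructed demo key: textbook RSA with tiny primes p=61, q=53
# (n=3233, e=17, d=2753). Real keys are 2048+ bits; this only
# illustrates the integrity check around verification.
N, E, D = 3233, 17, 2753


def fingerprint(n: int, e: int) -> str:
    """SHA-256 over a fixed serialization of (n, e). The serialization is
    a constructed format for this demo, not OpenPGP's fingerprint scheme."""
    data = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")
    return hashlib.sha256(data).hexdigest()


# Pinned once, when the key is imported from a trusted source.
EXPECTED_FP = fingerprint(N, E)


def sign(msg: int) -> int:
    """Textbook RSA signature (no padding) on an integer message < N."""
    return pow(msg, D, N)


def verify_naive(msg: int, sig: int, key: list) -> bool:
    """Verification that trusts whatever modulus is currently in memory."""
    n, e = key
    return pow(sig, e, n) == msg


def verify_checked(msg: int, sig: int, key: list, expected_fp: str,
                   fault_during=None) -> bool:
    """Reject unless the key matches its pinned fingerprint both before and
    after the exponentiation, so a bit flipped at any point is caught.
    `fault_during` is a test hook simulating a fault mid-verification."""
    if fingerprint(*key) != expected_fp:
        return False                  # key was corrupted before use
    if fault_during is not None:
        fault_during(key)             # simulated hardware fault
    result = pow(sig, key[1], key[0]) == msg
    if fingerprint(*key) != expected_fp:
        return False                  # key was corrupted while in use
    return result


def flip_bit(key: list, bit: int = 5) -> None:
    """Simulate a single-bit fault in the modulus held in memory."""
    key[0] ^= 1 << bit
```

Whether the naive check accepts or rejects a signature under the corrupted modulus is immaterial; its problem is that it cannot tell the key has changed, which is exactly what the fingerprint re-check reports.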
