Are you a Linux user? Make sure to check whether a bug in libgcrypt20 has been patched. Researchers Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom, from various respected universities, found and reported the bug, which leads to a side-channel attack. Their findings were published recently, and a patch has been issued for Debian and Ubuntu. The vulnerabilities were given the following identifiers: CVE-2017-7526 and CVE-2017-9526. The researchers demonstrated “a complete break of RSA-1024 as implemented in Libgcrypt”.
Why the Direction of Encoding Matters
The researchers’ attack makes essential use of the fact that Libgcrypt uses the left-to-right method for computing the sliding-window expansion, as explained in their paper. The findings reveal for the first time that the direction of the encoding does matter: “the pattern of squarings and multiplications in left-to-right sliding windows leaks significantly more information about exponent bits than for right-to-left”.
The abstract continues: “We show how to incorporate this additional information into the Heninger-Shacham algorithm for partial key reconstruction, and use it to obtain very efficient full key recovery for RSA-1024. We also provide strong evidence that the same attack works for RSA-2048 with only moderately more computation.”
In short, the team found that the libgcrypt library uses sliding windows, a method for computing the modular exponentiation at the heart of RSA. Unfortunately, this method has long been known to leak data. The experts inspected the left-to-right sliding-window calculation in the library, where the sliding-window leak had been tolerated because it was thought that only part of the key was recoverable. The researchers came to an unpleasant conclusion: a complete break of libgcrypt’s RSA-1024 encryption. As mentioned above, this is how they demonstrated that the direction of the encoding is very important.
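To make the “direction of the encoding” point concrete, here is an added toy model (my own code, not the researchers’ or Libgcrypt’s): a left-to-right sliding-window exponentiation that records the sequence of squarings and multiplications a cache-timing observer would see, and a recovery routine that turns that sequence into the exponent bits it forces (every window ends in a 1, consecutive window starts are at least w apart, and the bits between windows are 0). It assumes the observer knows the exponent’s bit length and that each bit costs one observable squaring; the paper’s complete rule set and its right-to-left comparison are not reproduced.

```python
def ltr_sliding_window(x, d, m, w):
    """x**d mod m (d >= 1) by left-to-right sliding windows of width w, plus the
    trace of squarings ('S') and multiplications ('M') a cache observer sees.
    Toy model: one squaring per exponent bit, windows trimmed to end on a 1."""
    table = {u: pow(x, u, m) for u in range(1, 1 << w, 2)}  # odd powers of x
    acc, trace, i = 1, [], d.bit_length() - 1
    while i >= 0:
        if (d >> i) & 1 == 0:                    # zero bit: square only
            acc, i = acc * acc % m, i - 1
            trace.append('S')
            continue
        j = max(i - w + 1, 0)                    # window [i..j]; shrink until d_j = 1
        while (d >> j) & 1 == 0:
            j += 1
        u = (d >> j) & ((1 << (i - j + 1)) - 1)  # window value, always odd
        for _ in range(i - j + 1):
            acc = acc * acc % m
            trace.append('S')
        acc = acc * table[u] % m
        trace.append('M')
        i = j - 1
    return acc, trace

def bits_from_trace(trace, n, w):
    """Exponent bits forced by the trace alone (n = bit length, assumed known).
    Window k ends at i_k (one per 'M') and starts at s_k with i_k <= s_k <=
    i_k + w - 1, s_1 = n - 1 and s_{k+1} <= s_k - w (bits between are 0)."""
    ends, squares = [], 0
    for op in trace:
        if op == 'S':
            squares += 1
        else:
            ends.append(n - squares)             # index of the window's last 1
    k = len(ends)
    lo, hi = [0] * k, [0] * k
    lo[-1] = ends[-1]
    for t in range(k - 2, -1, -1):               # lower bounds on s_k, bottom-up
        lo[t] = max(ends[t], lo[t + 1] + w)
    lo[0] = hi[0] = n - 1
    for t in range(1, k):                        # upper bounds on s_k, top-down
        hi[t] = min(ends[t] + w - 1, hi[t - 1] - w)
    known = {}
    for t, i in enumerate(ends):
        known[i] = 1                             # every window ends in a 1
        if lo[t] == hi[t]:
            known[lo[t]] = 1                     # window start pinned: also a 1
        floor = hi[t + 1] + 1 if t + 1 < k else 0
        known.update({p: 0 for p in range(floor, i)})  # zeros under the window
    return known
```

For the constructed 11-bit exponent 0b10110100101 with w = 3 the trace is SSSMSSSMSSSSSM and six of the eleven bits are fixed by it alone; the rest is what the partial-key-reconstruction step mentioned above has to supply.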
The key recovery was driven by a side-channel attack, more precisely a Flush+Reload cache-timing attack that monitors the target’s cache access patterns. To close the hole, Debian users are advised to install the update listed in Debian’s security advisory, and Ubuntu users the one listed in Ubuntu’s security notice. On either distribution, running dpkg -l libgcrypt20 shows the installed version so it can be compared with the fixed version named in the advisory.
The researchers’ paper has been published in the International Association for Cryptologic Research’s ePrint archive.