A team of security experts has discovered the critical vulnerability CVE-2017-7526 in a Gnu Privacy Guard Crypto Library, which let them break RSA-1024 Encryption and extract the RSA key to decrypt data.
Presently, the open source encryption software GnuPG is used by many operating systems, such as Windows, macOS X, and Linux.
The critical vulnerability was found in the Libgcrypt cryptographic library used by GnuPG, which opens to local FLUSH+RELOAD side-channel attack on RSA secret keys, called “Sliding right into disaster”.
According to the security researchers, the “left-to-right sliding window” method used by the libgcrypt library leaks much more information about exponent bits than for right-to-left, which lets RSA key recovery.
“It is widely believed that, even if the complete pattern of squarings and multiplications is observed through a side-channel attack, the number of exponent bits leaked is not sufficient to carry out a full key-recovery attack against RSA. Specifically, 4-bit sliding windows leak only 40% of the bits, and 5-bit sliding windows leak only 33% of the bits.” states the experts’ report.
“In this paper, we demonstrate a complete break of RSA-1024 as implemented in Libgcrypt. Our attack makes essential use of the fact that Libgcrypt uses the left-to-right method for computing the sliding-window expansion.”
“The pattern of squarings and multiplications in left-to-right sliding windows leaks significantly more information about the exponent than right-to-left. We show how to extend the Heninger-Shacham algorithm for partial key reconstruction to make use of this information and obtain a very efficient full key recovery for RSA-1024.”
In the L3 Cache Side-Channel Attack scenario, cyber criminals run arbitrary software on the hardware handling the private RSA key. According to the analysis of the pattern of memory, utilization or the electromagnetic outputs emitted during the decryption process could allow the attacker to extract the encryption key from a system.
“Note that this side-channel attack requires that the attacker can run arbitrary software on the hardware where the private RSA key is used. Allowing execute access to a box with private keys should be considered as a game over condition, anyway.” the Libgcrypt advisory states.
“Thus in practice, there are easier ways to access the private keys than to mount this side-channel attack. However, on boxes with virtual machines, this attack may be used by one VM to steal private keys from another VM.”
The security researchers claim that the side channel attack also works against RSA-2048, and the attack is efficient for 13% of keys.
“Scaling up to RSA-2048 does not stop our attack: we show that 13% of all RSA-2048 keys with CRT and w = 5 are vulnerable to our method after a search through 2000000 candidates” continues the paper.
The Libgcrypt version 1.7.8. was released by GnuPG Project to fix the local side-channel attack. In addition, Ubuntu and Debian have already added the latest version of Libgcrypt to their library.