RSA Key Generation: New Attacks

Vuillaume, Camille; Endo, Tsunehiro; Wooderson, Paul

doi:10.1007/978-3-642-29912-4_9

Cited by 9 publications

(10 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Assuming that the prime candidates are incremented by a constant value in case of a failure, Finke et al establish equations that allow to factor the modulus. Similarly, Vuillaume et al [48] considered differential power analysis (DPA), template attacks, and fault attacks to attack the prime generation procedure. However, Vuillaume et al consider the Fermat test [34,Algorithm 4.9], which is rarely used in practice due to false positives (Carmichael numbers).…”

Section: Microarchitectural Attacks On Rsamentioning

confidence: 99%

“…The attack presented in this paper differs from previous attacks on RSA key generation as follows. First, contrary to related work which target the prime generation itself [48] or the primality tests [7,19], we target the subsequent parameter checking routine. Second, previous attacks rely on power analysis while we use a purely software-based side channel.…”

Section: Microarchitectural Attacks On Rsamentioning

confidence: 99%

“…Although cryptographic implementations (e.g., in OpenSSL [20]) are often hardened against side-channel attacks on secret key operations such as decryption and signature generation of digital signature schemes, the process of key generation has been mostly neglected in these analyses. While power analysis attacks targeting the prime factor generation during RSA key generation have been investigated [7,19,48], software-based side-channel attacks have been considered out of scope for various side-channel attack scenarios. On the one hand, key generation is usually a one-time operation, limiting possible attack observations to a minimum.…”

mentioning

confidence: 99%

See 2 more Smart Citations

Single Trace Attack Against RSA Key Generation in Intel SGX SSL

Weiser

Spreitzer

Bodner

2018

Proceedings of the 2018 on Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

Microarchitectural side-channel attacks have received significant attention recently. However, while side-channel analyses on secret key operations such as decryption and signature generation are well established, the process of key generation did not receive particular attention so far. Especially due to the fact that microarchitectural attacks usually require multiple observations (more than one measurement trace) to break an implementation, one-time operations such as key generation routines are often considered as uncritical and out of scope. However, this assumption is no longer valid for shielded execution architectures, where sensitive code is executedin the realm of a potential attacker-inside hardware enclaves. In such a setting, an untrusted operating system can conduct noiseless controlled-channel attacks by exploiting page access patterns.In this work, we identify a critical vulnerability in the RSA key generation procedure of Intel SGX SSL (and the underlying OpenSSL library) that allows to recover secret keys from observations of a single execution. In particular, we mount a controlled-channel attack on the binary Euclidean algorithm (BEA), which is used for checking the validity of the RSA key parameters generated within an SGX enclave. Thereby, we recover all but 16 bits of one of the two prime factors of the public modulus. For an 8 192-bit RSA modulus, we recover the remaining 16 bits and thus the full key in less than 12 seconds on a commodity PC. In light of these results, we urge for careful re-evaluation of cryptographic libraries with respect to single trace attacks, especially if they are intended for shielded execution environments such as Intel SGX.

show abstract

Section: Microarchitectural Attacks On Rsamentioning

confidence: 99%

Section: Microarchitectural Attacks On Rsamentioning

confidence: 99%

mentioning

confidence: 99%

See 1 more Smart Citation

Single Trace Attack Against RSA Key Generation in Intel SGX SSL

Weiser

Spreitzer

Bodner

2018

Proceedings of the 2018 on Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…The RSA key generation has then left the safe context of production firms for an hostile environment. This assessment has been highlighted in several papers [8,16,28] which show that the key generation security must be taken into account for today open platforms.…”

Section: Introductionmentioning

confidence: 99%

“…For such algorithms, which, to the best of our knowledge, correspond to the most efficient and up-to-date implementations met on embedded devices, we exhibit an Advanced Side-Channel Analysis on the sieving process even when the latter is implemented to defeat the state-of-the-art attacks [16]. Contrary to [28], our attack does not target the probable prime tests but the prime sieve which was believed to be safe if implemented in a regular way. We show how useful information can be extracted from the divisibility phase and how this could finally lead, for practical implementations, to the recovery of more than half bits of information on the prime number generated.…”

Section: Introductionmentioning

confidence: 99%

Side-Channel Attack against RSA Key Generation Algorithms

Bauer

Jaulmes

Lomné

et al. 2014

Advanced Information Systems Engineering

View full text Add to dashboard Cite

Many applications of embedded devices require the generation of cryptographic secret parameters during the life cycle of the product. In such an unsafe context, several papers have shown that key generation algorithms are vulnerable to side-channel attacks. This is in particular the case of the generation of the secret prime factors in RSA. Until now, the threat has been demonstrated against naive implementations whose operations' flow depends on secret data, and a simple countermeasure is to avoid such kind of dependency. In this paper, we propose a new attack that renders this defence strategy ineffective. It is in particular able to break secure implementations recommended by the ANSI X9.31 and FIPS 186-4 standards. We analyse its efficiency for various realistic attack contexts and we demonstrate its practicality through experiments against a smart-card implementation. Possible countermeasures are eventually proposed, drawing the following main conclusion: prime generation algorithms should avoid the use of a prime sieve combined with a deterministic process to generate the prime candidates from a random seed.

show abstract

A Homomorphic Masking Defense Scheme Based on RSA Cryptography Algorithm

Juan-mei

Sun

et al. 2018

Cloud Computing and Security

View full text Add to dashboard Cite

RSA Key Generation: New Attacks

Cited by 9 publications

References 12 publications

Single Trace Attack Against RSA Key Generation in Intel SGX SSL

Single Trace Attack Against RSA Key Generation in Intel SGX SSL

Side-Channel Attack against RSA Key Generation Algorithms

A Homomorphic Masking Defense Scheme Based on RSA Cryptography Algorithm

Contact Info

Product

Resources

About