No, RSA is not catastrophically broken

This paper on a new fault-based attack on RSA has been making the rounds (Pellegrini, Bertacco, and Austin, "Fault-Based Attack of RSA Authentication"). The general idea is that you have a system doing RSA signatures (e.g., an SSL/TLS web server). You induce faults in the signature computation by reducing the power to the processor, which causes the process to produce invalid signatures; the attacker then analyzes those faulty signatures to recover the private key. They demonstrate the attack against OpenSSL.

Theoretically, this is interesting, but I'm not sure how much practical impact it has. First, in order to mount this attack you need direct physical access to the machine in order to control the input voltage supply. Unless you're working with a computer that is fairly heavily secured, physical access generally translates into being able to take control of the device and extract the private key anyway. Second, the attack as implemented was performed on an FPGA-based SPARC implementation, and the researchers appear to have directly controlled the input power to the processor. In most computers (though DC-powered datacenters may be different) the voltage delivered to the chip is tightly regulated by the power supply, so it's at least an open question whether you could get good enough control over the chip's input voltage by manipulating the AC line voltage. So it's not as if there are a huge number of environments in which this attack would be feasible.

Based on my reading of this paper, because the attack relies on the attacker obtaining invalid signatures, the simple countermeasure is just to verify each signature before you emit it, which OpenSSL doesn't currently do. (The authors call OpenSSL's failure to do this a "serious vulnerability", but I'm not sure I agree with that characterization, since my understanding is that it's pretty standard practice not to do so.) Because RSA signature verification is roughly 20x faster than RSA signature generation, adding this check would not cause significant performance overhead. However, even without this countermeasure, this doesn't seem like a significant risk to most uses of RSA.
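As an added example (not from the original post and not the paper's attack or OpenSSL's code), here is a toy that shows both halves of the argument above: why a single faulty signature can leak the private key, and why verifying the signature before emitting it stops the leak. The paper's attack targets OpenSSL's fixed-window exponentiation and needs many faulty signatures; the fault modelled here is instead the classic Boneh, DeMillo and Lipton attack on RSA-CRT, where one signature computed correctly mod q but incorrectly mod p lets the attacker factor N with a single gcd. That substitution is deliberate: it demonstrates the same principle with far less code. Everything is textbook RSA with small constructed primes, no padding, and the fault is injected by a flag rather than by undervolting; none of it is fit for real use.

```python
# Added example, not code from the original post, the cited paper or OpenSSL.
# Toy RSA-CRT signing with an injectable fault, the Bellcore-style key
# recovery from one faulty signature, and the verify-before-emit check.
from math import gcd

# Constructed toy key. Both primes are prime; E is coprime to P-1 and Q-1.
# They are far too small for real use.
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)            # private exponent (Python 3.8+ modular inverse)
# CRT parameters, as fast RSA implementations precompute them.
DP = D % (P - 1)
DQ = D % (Q - 1)
QINV = pow(Q, -1, P)


def sign_crt(m, fault_in_p=False):
    """RSA-CRT signature of an integer m < N.

    If fault_in_p is set, the mod-p half of the computation is corrupted,
    standing in for a glitch (undervolting, clock glitch) that hits only
    that branch. The mod-q half stays correct.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp = (sp + 1) % P          # any error confined to the mod-p branch
    h = (QINV * (sp - sq)) % P
    return sq + Q * h              # Garner recombination


def verify(m, s):
    """Public-key check; one exponentiation with the small public exponent."""
    return pow(s, E, N) == m


def recover_factor(m, faulty_sig):
    """Bellcore attack: the faulty signature is correct mod q but wrong mod p,
    so s^e - m is divisible by q and not by p, and gcd(s^e - m, N) == q."""
    return gcd((pow(faulty_sig, E, N) - m) % N, N)


def recover_private_key(m, faulty_sig):
    """From the recovered factor, rebuild the full private exponent."""
    q = recover_factor(m, faulty_sig)
    p = N // q
    return pow(E, -1, (p - 1) * (q - 1))


def sign_checked(m, fault_in_p=False):
    """Countermeasure: verify before emitting and refuse to output a bad
    signature, so the attacker never sees the faulty value."""
    s = sign_crt(m, fault_in_p)
    if not verify(m, s):
        raise RuntimeError("signature self-check failed; not emitting")
    return s


if __name__ == "__main__":
    m = 123456789                   # constructed message representative
    good = sign_crt(m)
    bad = sign_crt(m, fault_in_p=True)
    print("good verifies:", verify(m, good))
    print("faulty verifies:", verify(m, bad))
    print("recovered d == D:", recover_private_key(m, bad) == D)
    try:
        sign_checked(m, fault_in_p=True)
    except RuntimeError as err:
        print("checked signer:", err)
```

The check in `sign_checked` costs one public-key exponentiation with a 17-bit exponent, which is why it is cheap relative to the private operation. Note that it only protects against faults that leave the public verification intact; if an attacker can also glitch the comparison itself, the check can be skipped, which is why hardware-oriented implementations tend to layer this with other countermeasures.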


The paper says that OpenSSL does check the result, but if it detects an inconsistency, it does not abort (which I would have assumed to be the right approach), but uses a method which is considered extra-safe. The paper focuses on that method.

Disclaimer: I'm not a crypto-expert by any means.

I see this as a way to attack "embedded" systems (like a TPM) which shouldn't divulge the private key they contain, but can be forced to indirectly by attacks like this.
