backtop

Print E-mail del.icio.us 15 comment(s) - last by GeorgeOrwell.. on Dec 12 at 9:30 AM
An original author of the RSA encryption algorithm cautions that a flawed processor could be used against a user to secure private encryption keys

Anyone who had a Pentium powered computer back in 1994 might remember a certain processor bug where math computations were just a bit off after a certain amount of digits. Intel was quick to squish the problem in the face of bad publicity, even though the error probably didn't effect 99% of the users that had one.

Recently one of the original authors of the RSA encryption algorithm, Adi Shamir of Weizmann Institute in Israel, noted that such a bug, if known about, could be used to break the venerable RSA encryption technique, as well as many other of the more modern ones.

RSA is a public-key encryption method. Messages are encrypted using a public key, and decrypted with a private key. Only the recipient can decode the original encoded message via his private key, not even the original sender can do so. Anyone who happens to be in possession of the target's private keys could also read the message, but that's another horse entirely.

Simple encrypted messages don't pose much of a risk, but authentication is where processor flaws can be exploited. During authentication a message must go both ways (handshake) or the user will never know if he's actually dealing with a secure site or not. This message, when decrypted with the proper private key, will have a known result. The result is then sent back to the original sender. If it matches up, chances are that the site he's hooked to is indeed secure, as the private keys were what they were expected to be.

There is a way, however, for a malicious intrusion to uncover the private keys using a known processing flaw, such as the one in those ill-fated Pentiums from 1994. An encrypted message can be written in such a way that it will force the processor to perform the calculation error it is known to have. The results will come back as unauthenticated because they are not what the sender expected. However, since the processor flaw induced a known error into the results, the error can be used to mathematically deduce the private key used to decrypt the original authentication message. Once the private keys are known, traffic can be intercepted by an interested party with the stolen key, decrypted and used for less than wholesome purposes.

The likelihood of such an attack working is certainly very slim as there haven't been any publicly announced processing flaws in recent years. There are also ways to protect against a poisoned attack like this, such as returning the same authentication message to the sender and matching the results. If the results differ, the user could be the victim of such an attack. Many encryption programs already do this sort of double check.

While there's little reason to fear such an attack presently, an exploit of this nature could cost companies vast amounts of money if their private keys are stolen. The average desktop user could suffer if he does a lot of online purchasing, bill paying, or banking, should one of those institution's keys be snooped.

Processor manufacturers like Intel and AMD certainly work diligently to ensure there are no flaws in their chips these days, but there will probably always be someone ready to exploit such a thing if found. Until then, users can probably feel safe with current RSA strategies, for the most part.

Comments     Threshold


This article is over a month old, voting and posting comments is disabled
interesting.. but
By darkpaw on 12/11/2007 11:40:07 AM , Rating: 2
It's an interesting concept, but there's way too many "if's" in that scenario.

Still, anything that is a threat to such a heavily used encryption scheme needs to be considered. Just like any potential risk to an IS should be considered.

Is it likeily to happen? Not at all.




RE: interesting.. but
By FITCamaro on 12/11/2007 12:23:05 PM , Rating: 1
Me personally, I don't know why you'd announce this publicly. Tell the government, the processor designers, those who actually need to know. Telling the whole world just gives those who actually might exploit it ideas.


RE: interesting.. but
By Darkskypoet on 12/11/2007 12:32:41 PM , Rating: 2
I do... In order for one to think that simply not revealing the information protects anything is assuming that it won't be revealed by other means, or by another person.

If reveled publicly however, then there is much liability that all of a sudden is placed upon the shoulders of those that are supposed to be securing things. There is no ignorance defense, and because of this those needing to be vigilant should become more so. Additionally, revealing this to the average person does no harm, as they would be unable to exploit it. Those that could exploit it, chances are, would have been able to figure this out themselves.

This idea that if we don't tell anyone, no one bad will find out, is kind of silly IMHO. Better for it to be a known evil, then an unknown one. Especially considering the fallout if some concerned parties don't get the memo in time to fix something, if ever this becomes an issue.


RE: interesting.. but
By Master Kenobi (blog) on 12/11/2007 2:27:24 PM , Rating: 3
That's the text book argument for Open Source, and I don't buy it. If nobody points out that the southern corner is weaker to artilley fire, maybe nobody will come up with the brilliant idea to direct it there in the first place. Just because a hole exists, doesn't mean anyone knows about it to exploit it. Known to those in charge of the system, yes. Better for everyone and their uncle to know because you publically spelled it out? Hell no.


RE: interesting.. but
By smitty3268 on 12/11/2007 2:56:49 PM , Rating: 2
Open source software can usually get patched and put out to affected systems as quickly as the attackers can come up with an attack to a vulnerability, which is why being open about the problems doesn't hurt too much. Proprietary software often takes longer to fix and distribute, and many programs don't even have an update system in place, which makes this type of system questionable. Hardware is even more affected, since nothing short of a massive recall is going to fix the bug unless you can come up with a BIOS update to fix it, and lots of average consumers never install those.

So which form of security comes out on top? I think the open source system results in fewer exploits being found by bad guys, but that doesn't mean the same system will work for hardware.

Also, in this case the flaw is rather obvious, and anyone who's smart enough to think they can crack RSA would certainly be able to think of this. It's the kind of stuff you go over in college. So it's not really a big deal, since there aren't any current processors with this type of flaw being used anyway.


RE: interesting.. but
By KristopherKubicki (blog) on 12/11/2007 7:51:48 PM , Rating: 2
Sure, tell that to DJB. I think he's found and exploited more holes in just sendmail over the last 20 years than ... I don't even know how to finish that. It's a lot.

qmail, written by DJB, still hasn't been exploited.

Both are open source. The source method has little to do with the author's competence and responsiveness.


RE: interesting.. but
By Talcite on 12/11/2007 10:27:16 PM , Rating: 2
I don't think your example has much bearing on the argument for Open Source.

The point is that, when known about, bugs can be patched relatively quickly. (Plus there's also those code nazis that go around and criticize other people's code, but that's a small effect.) The point isn't that code is more secure to start, it's that code is more secure in the end. I'm sure DJB's exploits are well patched now.

Also, your example is fundamentally flawed (sorry). Sendmail is who knows how old. Most internet protocols back then weren't designed to be secure. Take Telnet, ftp, rsh, etc... They've all been deemed to be insecure. They've all either been patched to be more secure or replaced with more secure alternatives, like SSH and scp.

Granted, deadbeat authors aren't likely to patch their code, but then again, how is that any different with closed source? If a company goes under, you better hope the application they were developing wasn't vital to your business. All development stops after that. At least with open source, if you're not happy about it you have the option of taking over the project.

For example, I'm still using a MN-720 wireless card on my laptop and I'm VERY glad that the open source community has almost completely reversed engineered the BCM43xx driver. Otherwise, I'd be using drivers from 2001. No WPA2, and sketch WPA at best. That's not quite the same as if it had been open source to start, but the end result is the same. The project doesn't die if there's demand for it.


RE: interesting.. but
By Darkskypoet on 12/11/2007 11:00:23 PM , Rating: 2
But in that case, again you are assuming that anyone in the public sufficiently advanced enough to mount such an attack, wouldn't be able to figure this out.

The battle analogy is kind of silly, as a battle is short term. Utilizing your analogy, yes it would be stupid for company x to go public with the fact that a chunk of their boxes utilize defective processors, something that the enemy probably cannot figure out through examining RSA. However, in the grander scape of a war (Long term), this being public knowledge then permits all those with such to replace them, and fast (or take them down), before any damage can be done.

Analogies are great, when they are properly used. So seldom, however, are they properly used.

As to your comments on open source; you miss the point entirely. In an open development environment finding and acknowledging flaws and then quickly fixing them is in the best interests of the developers and users (most times, one and the same). However, for closed source proprietary software this is not the case. Seeing as one can believe that their is a certain amount of shielding because their software is closed source, allows one to attempt to hide flaws and issues because no one else gets to audit their code. Because of this, oft times a firm / team won't acknowledge a flaw until they get around to fixing it, if they do. In this case, it is the administrator that gets the shaft as he does not get to be informed of such flaws as soon as they are found, and is then unable to mitigate their effects until they are finally informed about it, or it gets taken advantage of.

This is especially true when the corporate culture is such that making a mistake can cost so much to the individual or team in question. (job, demotion, ridicule)

A further complication to most firms producing closed source software, is the pressure to meet deadlines over producing quality software as share values / holders, etc demand it. In these cases however, closed source is just that, and no one gets to audit the code before implementation. The bugs and flaws that get reported quickly and honestly are not the ones that worry me. The ones that worry me are the ones that go unreported after they have been found internally. Those are the ones that get exploited and do the most damage. Because again, if its been found once, it will be found again by others.

In short: Open source very very many good and bad intentions probe the software.

Closed source, one set of good intentions and many many sets of bad probe the software...

Seeing as how if skill is equal, and probability comes into play when dealing with completely unforseen issues... I'd rather have many more good intentions probing, then otherwise.


RE: interesting.. but
By Master Kenobi (blog) on 12/11/2007 12:39:02 PM , Rating: 5
Well, on that logic I'm going to say that CNN, Fox News, BBC, and New York times to name a few need to stop reporting that "Hey, Distributing a poison here could screws the whole water supply and kill thousands before the government would be able to respond." I can't count on how many of the "They could do this, because we aren't adequately secure at point X."


RE: interesting.. but
By KristopherKubicki (blog) on 12/11/2007 12:57:54 PM , Rating: 2
I kind of think he announced this after the TLB bug got a ton of headlines. He's basically just saying that if the CPU guys have another F00F bug, he doesn't want to be liable for the problem it causes with his algorithm.

Of course, if you know much about cryptography, there are already some other serious problems with RSA (or AES, or SHA)...


RE: interesting.. but
By darkpaw on 12/11/2007 1:40:16 PM , Rating: 3
So true, the next perfect encryption scheme invented will be the first.


RE: interesting.. but
By Calin on 12/12/2007 2:43:39 AM , Rating: 2
The flaw in Pentium was in floating point operations, and it simply gave much greater error in some calculations. The error was about 10,000 as big (so instead of some 10^-15 was 10^-11).
While this kind of errors might exist, I don't remember any errors in INTEGER or bit operations (which are used in all encryption schemes).
You can't use floating point operations for encryption schemes, because the Pentium4 and Core2 could generate different floating point results for the same operation, while being both correct (i.e. having the results in the accepted error range)


Flow in CPU -> compromise RSA
By vladio on 12/11/2007 9:08:46 PM , Rating: 2
something fundamentally wrong in this concept.
So, If I screw-up some CPU on-purpose, I can read all RSA messages?! I do Not think so. All concept is ... very cheeeese.




By GeorgeOrwell on 12/12/2007 9:30:29 AM , Rating: 1
It is an argument to prevent further foreign investment in US processor and disk drive companies.

Think of "flaw" more being "spyware" and you will see the picture.


implementation
By Screwballl on 12/11/2007 11:35:48 AM , Rating: 1
so have email servers be forced to implement this to kick these spammers to the curb




"There's no chance that the iPhone is going to get any significant market share. No chance." -- Microsoft CEO Steve Ballmer









botimage
Copyright 2009 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki