-
Notifications
You must be signed in to change notification settings - Fork 97
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Plan to address RSA attacks of eprint.iacr.org/2020/055? #347
Comments
Internal Jira reference: https://jira.arm.com/browse/IOTCRYPT-1040 |
@jack-fortanix thank you for reporting this issue!
Yes, we would like to fix this issue as soon as possible. We would be very grateful for contributions addressing this issue! If you would like to submit a PR, please let us know in advance, so that we can avoid double work! Regarding the nature of the fix, I think we should take the performance penalty, the issue only happens on private key import, which usually does not happen very frequently. |
@yanesca Glad to hear. I spent some time examining the right way to fix this. The paper recommends computing the modular inverse Making GCD, mod-exp and modular inverse all constant time seems like it solves the problem, and is one thing we'd like to see on our end anyway since it neatly closes many possible avenues for side channels, including ones which have not yet been identified or analyzed. I will not be able to work on these until next month, and I will check in to make sure we are not duplicating work there but you can expect PRs here. But what to do in the short term? I remembered that Q^-1 mod P is already included in PKCS1 private keys. But currently |
In cases like this we usually introduce a new API with the additional parameter and deprecate the old one. In this case we could take a similar approach. The difference would be that we don't deprecate the old API function. The intention here would be that if or when the GCD and mod-exp functions are fixed and resistant to microarchitectural SCA we deprecate the API that takes the RNG parameter.
I think that is a brilliant idea! Although the fix does not cover every use case, it protects the majority of existing applications without them having to change their code.
I think we should do both of these fixes. This way we can provide full protection for those who can change their application code and severely limit the impacted use cases for those who can't. |
Otherwise these values are recomputed in mbedtls_rsa_deduce_crt, which currently suffers from side channel issues in the computation of QP (see https://eprint.iacr.org/2020/055). By loading the pre-computed values not only is the side channel avoided, but runtime overhead of loading RSA keys is reduced. Discussion in ARMmbed#347
Thank you very much! |
Otherwise these values are recomputed in mbedtls_rsa_deduce_crt, which currently suffers from side channel issues in the computation of QP (see https://eprint.iacr.org/2020/055). By loading the pre-computed values not only is the side channel avoided, but runtime overhead of loading RSA keys is reduced. Discussion in ARMmbed/mbed-crypto#347 Backport of ARMmbed/mbed-crypto#352
Otherwise these values are recomputed in mbedtls_rsa_deduce_crt, which currently suffers from side channel issues in the computation of QP (see https://eprint.iacr.org/2020/055). By loading the pre-computed values not only is the side channel avoided, but runtime overhead of loading RSA keys is reduced. Discussion in ARMmbed/mbed-crypto#347 Backport of ARMmbed/mbed-crypto#352
Thank you very much for submitting the fix! Would you like to contribute the second fix too? |
@yanesca Yes I'm going to create a PR adding the alternative version of CRT recomputation using blinding, probably will have that next week. I also would like to contribute changes to const-time gcd, modular inversion, and possibly also modular exponentiation, which would prevent a range of these vulnerabilities for good. But I probably will not have time for the const time work until end of Feb. |
@jack-fortanix Thank you very much! The alternative CRT recomputation fix is very important and urgent for us, we are very grateful for your fix and we would like to integrate it as soon as possible. Eventually we would like to have a bignum implementation in Mbed TLS that is constant time, but we haven't got plans about the timeline or the exact approach yet. Meanwhile we are very happy to take incremental improvements in this direction like the one you are suggesting. |
@jack-fortanix Although we would like to avoid duplicating work as much as possible, as I mentioned, the alternative CRT recomputation fix is very important and urgent for us. Because of this, we need to start working on it on Monday. That being said, we are very grateful for your efforts and we are still going to favour your contribution if it arrives before our version of the fix is ready. |
@yanesca Indeed I have been pulled away by other high priority projects and have not been able to work on this, nor will I be able to begin until at least week after next, so your efforts will likely be available faster. Glad this is being addressed and I would like continue to coordinate in this area (const time gcd etc) to avoid any duplicated efforts on either side. |
@jack-fortanix In the end we decided to go with a different temporary fix, so it is not necessary to implement the alternative CRT recomputation anymore. |
Otherwise these values are recomputed in mbedtls_rsa_deduce_crt, which currently suffers from side channel issues in the computation of QP (see https://eprint.iacr.org/2020/055). By loading the pre-computed values not only is the side channel avoided, but runtime overhead of loading RSA keys is reduced. Discussion in ARMmbed/mbed-crypto#347 Backport of ARMmbed/mbed-crypto#352
https://eprint.iacr.org/2020/055.pdf describes side channel attacks affecting mbedtls ECDSA signing and RSA key loading. It appears the ECDSA signing was already resolved in 247c4d3 but as best I can determine the RSA side channel has not yet been resolved since
mbedtls_rsa_deduce_crt
(https://github.com/ARMmbed/mbed-crypto/blob/development/library/rsa_internal.c#L480) invokesmbedtls_mpi_inv_mod
(https://github.com/ARMmbed/mbed-crypto/blob/development/library/bignum.c#L2345) which is implemented using an extended binary GCD which leaks information due to conditional branching and which additional invokes binary GCD which is also leaky (https://github.com/ARMmbed/mbed-crypto/blob/development/library/bignum.c#L2252), the second being the attack implemented in 2020/055 though they note that the BEEA implementation can also be used as a source of information.I wanted to know if you have plans to address these issues and/or would be willing to accept patches addressing them.
For computing Q^-1 mod P following the papers suggested remediation of using a side-channel secured mod-exp and computing Q^(P-2) mod P seems good to me, albeit with some probable runtime overhead.
The paper https://gcd.cr.yp.to/safegcd-20190413.pdf proposes various constant-time algorithms for GCD and extended GCD. In particular the plain GCD algorithm (Figure 1.2 in the paper) is quite easy to implement.
Another option for inversion is the algorithm given in the appendix of https://hal.inria.fr/hal-01506572/document (Algorithm 5) which works for any odd modulus and is quite easily implemented in const time.
The text was updated successfully, but these errors were encountered: