Freely subscribe to our NEWSLETTER

This bulletin was written by Vigil@nce : http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

An attacker can exchange with an application not implementing the
RSA-CRT protection, in order to progressively guess the private
key.

Impacted products: Java OpenJDK, openSUSE, Java Oracle, JavaFX,
SSL protocol, Unix (platform) not comprehensive.

Severity: 2/4.

Creation date: 08/09/2015.

DESCRIPTION OF THE VULNERABILITY

An implementation of the RSA algorithm can use the CRT (Chinese
Remainder Theorem) optimization, so computations are faster.
However, the RSA-CRT signature is affected by a side-channel
attack, known since 1996 (Arjen Lenstra). OpenSSL and NSS are for
example protected.

The GnuPG software is protected, but the Libgcrypt library is not.
An attacker can therefore exchange with an application linked to
Libgcrypt, to trigger a series of error and attack RSA-CRT, in
order to progressively guess the private key.

The TLS protocol can use the Perfect Forward Secrecy. In this
case, a RSA signature is used. However, several implementations,
such as OpenJDK or JRE, do not have the RSA-CRT protection. An
attacker can therefore exchange with a TLS server with the Perfect
Forward Secrecy enabled, to trigger a series of error and attack
RSA-CRT, in order to progressively guess the private key.

An attacker can therefore exchange with an application not
implementing the RSA-CRT protection, in order to progressively
guess the private key.

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/RSA-private-key-computation-via-CRT-17836