What’s the matter?
Researchers from the Centre for Research on Cryptography and Security (CROCS) at Masaryk University have detailed a new attack dubbed ‘Minerva attack’ that can recover private keys from cryptographic libraries.
A brief overview
The researchers tested the attack against an Athena IDProtect card, running on an Inside Secure AT90SC chip. The attack took around 30 minutes, including the time required for the collection of signatures.
The researchers stated that the Minerva attack required 11000 signatures to recover the private key on the standard secp256r1 curve, using an off-the-shelf smart card reader running on a Linux system.
More details about the attack
The Minerva attack is a lattice-based attack that exploits timing leakage of the bit-length of nonces used in ECDSA and other similar signature algorithms.
This information can be used to recover the private key by converting the problem to an instance of the Hidden Number Problem and then solving it via lattice reduction techniques.
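The leak described above, as an added illustration that is not code from the researchers or from any affected library: a double-and-add loop that starts at the nonce's top set bit runs for as many iterations as the nonce has bits, while padding the scalar with a multiple of the group order (one common countermeasure) fixes the iteration count without changing the result. Integers mod N stand in for the curve group, and G, SAMPLE_NONCES and all function names are constructed for this sketch.

```python
# Added illustration: the additive group of integers mod N stands in for the curve.
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551  # secp256r1 group order
G = 7  # constructed stand-in generator (any nonzero value mod the prime N)

def double_and_add(k, point=G):
    """Left-to-right double-and-add; returns (k*point mod N, loop iterations)."""
    acc, steps = 0, 0
    for i in range(k.bit_length() - 1, -1, -1):  # loop starts at the top set bit
        acc = (2 * acc) % N                      # "double"
        if (k >> i) & 1:
            acc = (acc + point) % N              # "add"
        steps += 1
    return acc, steps

def fixed_length_scalar(k):
    """Return k + N or k + 2N, whichever has exactly N.bit_length() + 1 bits."""
    k2 = k + N
    if k2.bit_length() == N.bit_length():
        k2 += N
    return k2

def sign_time_profile(nonces, harden):
    """Distinct iteration counts (a proxy for signing time) over a batch of nonces."""
    return {double_and_add(fixed_length_scalar(k) if harden else k)[1] for k in nonces}

# Constructed sample nonces with 256, 250 and 200 significant bits.
SAMPLE_NONCES = [(1 << 255) | 12345, (1 << 249) | 12345, (1 << 199) | 12345]

if __name__ == "__main__":
    print("leaky   :", sorted(sign_time_profile(SAMPLE_NONCES, harden=False)))
    print("hardened:", sorted(sign_time_profile(SAMPLE_NONCES, harden=True)))
```

In the leaky profile the iteration count tracks the nonce's bit-length, which is the quantity the timing measurements reveal; in the hardened profile every nonce takes the same number of iterations.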
Which devices are vulnerable?
“We believe all of the cards above are affected because they share a common ECDSA component (FIPS module 214), which is described as Athena OS755 ECDSA2 Component on Inside Secure AT90SC A1.0 (Firmware),” researchers said.
Key takeaway
Researchers recommend that organizations using older Athena IDProtect smart cards check whether their cards are impacted by this issue. Furthermore, users of the open-source crypto libraries are advised to update to the latest release.