Side-channel PoC attack could allow cybercriminals to extract RSA encryption keys

• Researchers demonstrated the side-channel attack process by using the electromagnetic waves.
• The mitigation process has been submitted to OpenSSL and a patch for the same was released on May 20, 2018.

A group of security researchers at Georgia Tech have discovered a side-channel attack that allowed them to retrieve the encryption keys from an RSA implemented mobile device, despite not having physical access to the device. The researchers demonstrated the attack process by using the electromagnetic waves and accessed the RSA keys from the encryption software program OpenSSL, version 1.1.0g.

“The approach is demonstrated using electromagnetic emanations on two mobile phones and an embedded system, and after only one decryption in a fixed-window RSA implementation, it recovers enough bits of the secret exponents to enable very efficient (within seconds) reconstruction of the full private RSA key,” said the researchers in a research paper.

Using this attack technique, attackers could extract crucial information such as cryptographic keys. The researchers explained that the attack can be executed just by listening to the electromagnetic signals generated by a data processor and then capturing the data and converting it to encryption keys.

To execute the PoC attack, the researchers used two Android mobiles and an embedded system board - all using ARM processor with high frequencies between 800MHz and 1.1 GHz. These frequencies are capable of capturing signals from compact, commercially available, software-defined radio (SDR) receivers.

“The attack recovers the exponent’s bits during modular exponentiation from analog signals that are unintentionally produced by the processor as it executes the constant-time code that constructs the value of each ‘window’ in the exponent, rather than the signals that correspond to squaring/multiplication operations and/or cache behavior during multiplication and table lookup operations,” researchers explained.

Researchers claim that they were successful in carrying out an attack and that the issue can be avoided when the bits of the exponent are obtained from an exponent that have larger number of digits (ranging in tens of bits).

“This mitigation is effective because it forces the attacker to attempt recovery of tens of bits from a single brief snippet of the signal, rather than having a separate signal snippet for each individual bit,” researcher said.

The mitigation process has been submitted to OpenSSL and a patch for the same was released on May 20, 2018. Users using Open SSL 1.1.0g will need to apply the patch immediately to fix the issue.