oss-sec mailing list archives
Re: GnuPG 1.4.16 fixes RSA key extraction via acoustic side channel (CVE-2013-4576)
From: mancha <mancha1 () hush com>
Date: Wed, 18 Dec 2013 19:41:13 +0000 (UTC)
Solar Designer <solar@...> writes:
Hi, GnuPG 1.4.16 was released today with a curious security fix: http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html * Fixed the RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack as described by Genkin, Shamir, and Tromer. See <http://www.cs.tau.ac.il/~tromer/acoustic/>. [CVE-2013-4576] Direct link to paper (8 MB; the website feels very slow at the moment): http://www.cs.tau.ac.il/~tromer/papers/acoustic-20131218.pdf Copy on SlideShare: http://www.slideshare.net/daniel_bilar/acoustic-20131218 Alexander
As the primary fix for CVE-2013-4576, GnuPG 1.x now uses blinding to mitigate RSA key extraction attacks. This doesn't affect GnuPG 2.x as libgcrypt does blinding by default. The acoustic attack leveraged some particulars of GnuPG by zero-padding input to force modular reductions in GnuPG's RSA implementation. GnuPG now cripples this lever by normalizing MPIs used as inputs to secret key functions. This secondary mitigation measure was introduced in GnuPG 1.4.16 and libgcrypt 1.6.0 (relevant for vendors shipping GnuPG 2.x). --mancha
Current thread:
- GnuPG 1.4.16 fixes RSA key extraction via acoustic side channel (CVE-2013-4576) Solar Designer (Dec 18)
- Re: GnuPG 1.4.16 fixes RSA key extraction via acoustic side channel (CVE-2013-4576) mancha (Dec 18)