Vulnerability Note VU#997481
Cryptographic libraries and applications do not adequately defend against timing attacks
Cryptographic libraries and applications do not provide adequate defense against a side-channel timing attack against RSA private keys. Such an attack has been shown to be practical using currently available hardware on systems and networks with sufficiently low variance in latency.
David Brumley and Dan Boneh, researchers at Stanford University, have written a paper that demonstrates a practical attack that can be used to extract private keys from vulnerable RSA applications. Using statistical techniques and carefully measuring the amount of time required to complete an RSA operation, an attacker can recover one of the factors (q) of the RSA key. The timing differences examined in the paper are based on whether an extra Montgomery reduction is performed (section 2.3) and whether Karatsuba (recursive) or "normal" multiplication is used (section 2.4). With the public key and the factor q, the attacker can compute the private key. As noted in the VMM/attestation example in section 4 of the paper, applications that perform RSA encryption (signing) operations may also be vulnerable if the attacker can control the data to be signed.
Similar types of timing attacks are discussed in CERT Advisory CA-1998-07, a paper by Daniel Bleichenbacher et al., and a paper by Paul Kocher.
A remote attacker could derive private RSA keys. It is important to note that the attacks described in this paper appear to be practical under certain conditions. In the case of remote attacks against SSL/TLS-enabled web servers, variance in network latency must be sufficiently low (less than 1ms), and the attacker must account for other variables such as the load on the server. A server may be more vulnerable during a period of low activity. In the case of local interprocess attacks against a web server or a VM, all the necessary conditions exist.
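The standard countermeasure for this class of leak is RSA blinding, which randomizes the operand the private-key exponentiation actually sees so that its running time no longer depends on the attacker-chosen input. The following Python sketch is an added example, not code from the advisory or the paper; it uses a constructed toy key built from two known Mersenne primes and Python's built-in pow() in place of a Montgomery implementation, so it demonstrates the algebra of blinding rather than measured timing.

```python
import secrets
from math import gcd

# Constructed toy key (assumption, not from the advisory): two known Mersenne
# primes keep the example fast. Real keys use random primes of 1024+ bits.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, Python 3.8+


def rsa_private_unblinded(x: int) -> int:
    """Textbook private-key operation. The exponentiation works directly on the
    attacker-chosen x, so in a Montgomery/Karatsuba implementation of the kind
    the paper examines, the extra-reduction count and the multiplication routine
    selected depend on how x relates to the secret factor q: that is the leak."""
    return pow(x, D, N)


def rsa_private_blinded(x: int) -> tuple[int, int]:
    """Same operation with base blinding: exponentiate x * r^e (mod N) for a
    fresh secret r, then strip r from the result, since (x*r^e)^d = x^d * r.
    The operand entering the exponentiation is uniformly random and unknown to
    the attacker, so its timing no longer correlates with the chosen x.
    Returns (result, blinded operand) so a caller can inspect the operand."""
    while True:
        r = secrets.randbelow(N - 2) + 2      # r in [2, N-1]
        if gcd(r, N) == 1:                    # r must be invertible mod N
            break
    blinded = (x * pow(r, E, N)) % N          # what the exponentiation sees
    y_blinded = pow(blinded, D, N)            # = x^d * r (mod N)
    y = (y_blinded * pow(r, -1, N)) % N       # remove the blinding factor
    return y, blinded


def check_blinding(m: int) -> tuple[bool, bool, bool]:
    """Encrypt m with the public key and decrypt both ways. Returns whether each
    path recovered m, and whether the blinded operand differed from the
    ciphertext the attacker chose (it always does, because r != 1)."""
    c = pow(m, E, N)
    plain_unblinded = rsa_private_unblinded(c)
    plain_blinded, operand = rsa_private_blinded(c)
    return plain_unblinded == m, plain_blinded == m, operand != c


if __name__ == "__main__":
    msg = int.from_bytes(b"VU#997481", "big")  # constructed sample plaintext
    print(check_blinding(msg))                 # (True, True, True)
```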
Monitor RSA applications
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Apple Computer Inc. | Affected | 11 Mar 2003 | 25 Mar 2003 |
| Conectiva | Affected | 11 Mar 2003 | 14 Apr 2003 |
| Covalent | Affected | 11 Mar 2003 | 04 Apr 2003 |
| cryptlib | Affected | 11 Feb 2003 | 04 Apr 2003 |
| Crypto++ | Affected | 25 Feb 2003 | 25 Mar 2003 |
| Debian | Affected | 11 Mar 2003 | 23 Apr 2003 |
| eSoft | Affected | 11 Mar 2003 | 23 Apr 2003 |
| F5 Networks | Affected | 11 Mar 2003 | 25 Mar 2003 |
| Foundry Networks Inc. | Affected | 11 Mar 2003 | 22 Apr 2003 |
| FreeBSD | Affected | 11 Mar 2003 | 25 Mar 2003 |
| FreSSH | Affected | 11 Mar 2003 | 25 Mar 2003 |
| Gentoo Linux | Affected | - | 05 Apr 2003 |
| GNU Libgcrypt | Affected | 11 Feb 2003 | 24 Mar 2003 |
| GNU TLS | Affected | 15 Apr 2003 | 23 Apr 2003 |
| Guardian Digital Inc. | Affected | 11 Mar 2003 | 05 Apr 2003 |
CVSS Metrics
This vulnerability is documented in a research paper written by David Brumley and Dan Boneh of Stanford University.
This document was written by Art Manion.
- CVE IDs: CAN-2003-0147
- Date Public: 14 Mar 2003
- Date First Published: 25 Mar 2003
- Date Last Updated: 25 Aug 2004
- Severity Metric: 9.42
- Document Revision: 66