The libgcrypt encryption library as used by the open source GNU Privacy Guard (GnuPG) has been cracked wide open by researchers from the universities of Adelaide, Eindhoven, Illinois, Maryland and Pennsylvania.
In their paper the researchers display a good sense of humour in calling the vulnerability 'sliding right into disaster'. That's because it exploits the fact that exponent bits leaked by the 'sliding window' process used by libgcrypt can be used to carry out a key recovery attack against RSA. This is despite it previously being thought that even if the entire pattern of squarings and multiplications were observed courtesy of a side-channel attack, it wouldn't leak enough exponent bits to be of any real use.
However, the researchers managed to demonstrate "a complete break of RSA-1024" as implemented in libgcrypt. They state that this was due to the fact that libgcrypt uses a left-to-right method of computing the sliding window expansion.
While we at SC Media UK don't claim to fully comprehend the math behind cryptography, we believe the experts who say they have discovered for the first time that the direction is important as it leaks much more significant information about these exponent bits than a right-to-left sliding window.
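To make the leak concrete, here is an added Python sketch (not code from the paper or from libgcrypt) that records the square/multiply pattern of left-to-right sliding-window exponentiation for a small constructed exponent, recovers the exponent bits that pattern alone fixes using only the basic rules (a window ends on a 1 bit and spans at most w bits, squarings after the last multiply are zero bits), and contrasts it with a fixed-window schedule whose pattern depends only on the exponent's bit length. Function names and the toy exponents are assumptions; the paper's additional recovery rules are not implemented, and the fixed-window schedule is shown as a generic pattern-independent alternative, not as libgcrypt's actual fix.

```python
# Added toy illustration, not libgcrypt code. Only the order of squarings
# ('S') and multiplications ('M') matters here, so no modular arithmetic is done.

def l2r_sliding_window_trace(e, w):
    """Operation pattern of left-to-right sliding-window exponentiation."""
    bits = bin(e)[2:]
    ops, i = [], 0
    while i < len(bits):
        if bits[i] == "0":               # zero bit: a lone squaring
            ops.append("S")
            i += 1
            continue
        j = min(i + w, len(bits))        # window of up to w bits starting on a 1
        while bits[j - 1] == "0":        # shrink it so it ends on a 1 bit
            j -= 1
        ops.append("S" * (j - i) + "M")  # one squaring per bit, then a multiply
        i = j
    return "".join(ops)

def fixed_window_trace(e, w):
    """Fixed w-bit windows with a multiply for every window (all-zero ones
    included): the pattern depends only on the exponent's bit length."""
    return ("S" * w + "M") * -(-e.bit_length() // w)

def bits_known_from_trace(trace, w):
    """Exponent bits fixed by an L2R sliding-window trace, as '0'/'1'/'?'.
    Rules: the bit just before each 'M' is 1; a window spans at most w bits,
    so earlier bits back to the previous window are 0; squarings after the
    last 'M' are trailing 0 bits; the top bit of the exponent is 1."""
    nbits = trace.count("S")
    known = ["?"] * nbits
    pos, prev_end = -1, -1               # index of the bit being processed
    for op in trace:
        if op == "S":
            pos += 1
        else:
            known[pos] = "1"
            for k in range(prev_end + 1, pos - w + 1):
                known[k] = "0"
            prev_end = pos
    for k in range(prev_end + 1, nbits):
        known[k] = "0"
    known[0] = "1"
    return "".join(known)

def recovered_bits(e, w):
    """Run the recovery on e's own trace and check it never contradicts e."""
    known = bits_known_from_trace(l2r_sliding_window_trace(e, w), w)
    assert all(k in ("?", a) for k, a in zip(known, bin(e)[2:]))
    return known
```

For the constructed exponent 0b10000101 with w = 3 the sliding-window trace fixes six of the eight bits, while two exponents of equal bit length produce identical fixed-window traces.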
"We show how to incorporate this additional information into the Heninger-Shacham algorithm for partial key reconstruction," the researchers insist, "and use it to obtain very efficient full key recovery for RSA-1024."
And it's not just RSA-1024 keys at risk. The paper continues: "13 percent of all RSA-2048 keys with CRT and w = 5 are vulnerable to our method after a search through 2,000,000 candidates."
In practical terms this means that an attacker who has gained the Edwards-curve Digital Signature Algorithm (EdDSA) key through use of a 'FLUSH+RELOAD' side-channel attack observing the signing process (see CVE-2017-9526) can go on to fully recover the RSA-1024 key itself (CVE-2017-7526).
The researchers have demonstrated this works, but that doesn't mean it's a real-world threat for the vast majority of real-world use cases. Not least because the attacker has to be able to perform that side-channel attack in order to exploit the sliding window vulnerability – which is easier said than done, as it means the attacker would have to be able to execute arbitrary code on the hardware where the RSA key is in use. As the libgcrypt advisory itself states: "Allowing execute access to a box with private keys should be considered as a game over condition."
That said, it remains a possibility where one Virtual Machine may be able to steal the private keys of another Virtual Machine residing in the same box.
There is already a patch for Debian and Ubuntu users, with both updating their libraries to use the fixed libgcrypt version 1.7.8.
There are plenty of organisations that think that Linux is secure, period, and ditto for data that is encrypted. Should research such as this shake them out of that illusion? Not that GnuPG is confined to Linux: it is also found on Microsoft and Apple operating systems.
Richard Moulds, general manager at Whitewood Security, told SC that "crypto needs to constantly evolve to keep ahead of the attackers, the swords and shields analogy." As swords get longer, so shields need to get bigger and vice-versa. "The very nature of crypto is that if the attacker can get the key then the game is over. Crypto is either strong or gone!"
Moulds warns that system designers and developers need to think long and hard about how long an application or piece of equipment will be in service or how long the data that they are protecting will continue to be interesting to attackers. "They need to factor this into their decision about which algorithms and key lengths to use," he insists, concluding: "They also need to think about where the applications will actually be hosted."
And, as Javvad Malik, security advocate at AlienVault, says: "It is naïve to regard any technology at any level as being completely secure. It doesn't matter if a product is open source or not, developed by individuals or the military. There will always be vulnerabilities and relying on one technology for total security is a fast track to disappointment."