GnuPG’s Libgcrypt RSA-1024 Cracked
A team of researchers from Eindhoven University of Technology, the University of Illinois at Chicago, the University of Pennsylvania, the University of Maryland and the University of Adelaide has released a paper entitled ‘Sliding right into disaster: Left-to-right sliding windows leak’, describing CVE-2017-7526, a vulnerability in the Libgcrypt cryptographic library that they exploit with a local FLUSH+RELOAD cache side-channel attack. The weakness lies in the sliding-window method Libgcrypt uses for the modular exponentiation at the heart of RSA, specifically in its left-to-right variant: the sequence of squarings and multiplications that variant executes depends on the secret exponent in a way that can be read back through the cache.
An excerpt from the paper:
“The pattern of squarings and multiplications in left-to-right sliding windows leaks significantly more information about the exponent than right-to-left. We show how to extend the Heninger-Shacham algorithm for partial key reconstruction to make use of this information and obtain a very efficient full key recovery for RSA-1024.”
The leak is large enough for full recovery of RSA-1024 private keys, and for 13% of RSA-2048 keys.
For the L3 cache side-channel attack to work, the attacker must be able to run code on the same physical machine as the process using the private RSA key; FLUSH+RELOAD needs no privilege over the victim process, only a shared last-level cache. By repeatedly flushing and reloading the cache lines that hold the squaring and multiplication routines, the attacker observes which of the two ran at each step of the exponentiation, and that sequence of squarings and multiplications is what the exponent bits are reconstructed from. This may look like overkill when the attacker already runs code on the box, but it becomes interesting with virtual machines: tenants on the same host share the L3 cache while having no other access to each other.
The Libgcrypt advisory reads:
“Thus in practice, there are easier ways to access the private keys than to mount this side-channel attack. However, on boxes with virtual machines, this attack may be used by one VM to steal private keys from another VM”
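To make the leak concrete, here is an added example in Python (not code from the paper or from Libgcrypt): a toy left-to-right sliding-window exponentiation that records the sequence of squarings (S) and multiplications (M), which is what an idealised FLUSH+RELOAD probe of the two routines would report, and a recovery routine that turns that sequence back into known exponent bits using the basic rules that follow from how windows are chosen. The window size w = 4, the 64-bit test modulus and the seeded sample exponents are assumptions of the example; the rules implemented are sound but deliberately cover only the simplest cases, so the share of bits they recover is a lower bound on what the paper's full analysis obtains before the Heninger-Shacham reconstruction step.

```python
import random


def l2r_sliding_window_modexp(base: int, exp: int, mod: int, w: int = 4):
    """Toy left-to-right sliding-window modular exponentiation.

    Returns (base**exp % mod, trace).  The trace is a string over {'S', 'M'}
    giving the order in which squarings and multiplications ran; an idealised
    FLUSH+RELOAD probe of the two routines would report exactly this string.
    """
    # Precompute the odd powers base^1, base^3, ..., base^(2^w - 1).
    table, cur, sq = {}, base % mod, base * base % mod
    for v in range(1, 1 << w, 2):
        table[v] = cur
        cur = cur * sq % mod
    bits = bin(exp)[2:]              # most significant bit first, bits[0] == '1'
    n, i, result, trace = len(bits), 0, 1, []
    while i < n:
        if bits[i] == '0':           # a zero bit costs one squaring and no multiply
            result = result * result % mod
            trace.append('S')
            i += 1
            continue
        # A window starts at a 1 bit and runs to the last 1 bit within w bits,
        # so it always ends in a 1 and its value is an odd table index.
        j = min(i + w - 1, n - 1)
        while bits[j] == '0':
            j -= 1
        for _ in range(i, j + 1):
            result = result * result % mod
            trace.append('S')
        result = result * table[int(bits[i:j + 1], 2)] % mod
        trace.append('M')
        i = j + 1
    return result, ''.join(trace)


def recover_bits(trace: str, w: int = 4) -> dict:
    """Turn an S/M trace back into known exponent bits ({position: value},
    position 0 = least significant).  Only the basic, always-sound rules."""
    if 'M' not in trace:
        return {}
    n = trace.count('S')             # exactly one squaring per exponent bit
    pos, mults = n, []
    for op in trace:
        if op == 'S':
            pos -= 1
        else:                        # M applies to the bit squared in just before it
            mults.append(pos)
    known = {n - 1: 1}               # leading bit is 1 by definition of n
    for m in mults:
        known[m] = 1                 # Rule 0: a window always ends in a 1 bit
    # The first window starts at bit n-1, so treat n as a virtual previous end.
    for hi, lo in zip([n] + mults, mults):
        # Rule 1: the window ending at lo spans at most w bits, so the bits
        # between it and the previous window were skipped as zeros.
        for b in range(lo + w, hi):
            known[b] = 0
        # Rule 2: with a gap shorter than w the window could have reached
        # further down; the bits it declined to absorb must be zeros.
        if hi - lo < w:
            for b in range(max(0, hi - w), lo):
                known[b] = 0
    for b in range(0, mults[-1]):
        known[b] = 0                 # bits below the last multiplication are zeros
    return known


def recovery_check(exp: int, w: int = 4):
    """Exponentiate, recover bits from the trace, compare with the real exponent.
    Returns (all_recovered_bits_correct, bits_recovered, bits_in_exponent)."""
    _, trace = l2r_sliding_window_modexp(3, exp, (1 << 64) - 59, w)  # any modulus will do
    known = recover_bits(trace, w)
    ok = all((exp >> b) & 1 == v for b, v in known.items())
    return ok, len(known), exp.bit_length()


def sample_exponents(count: int, bits: int, seed: int):
    """Deterministic odd exponents of exactly `bits` bits (constructed test data)."""
    rng = random.Random(seed)
    return [rng.getrandbits(bits) | (1 << (bits - 1)) | 1 for _ in range(count)]


if __name__ == "__main__":
    d = sample_exponents(1, 1024, 2017)[0]
    _, trace = l2r_sliding_window_modexp(3, d, (1 << 64) - 59)
    print(trace[:72], "...")
    ok, got, total = recovery_check(d)
    print(f"recovered {got} of {total} exponent bits, all correct: {ok}")
```

Run it to see a trace for a random 1024-bit exponent and the share of bits the three rules pin down. The structural point is that every multiplication discloses a 1 bit at a known position and every short gap between multiplications discloses zeros around it; the paper's argument is that a right-to-left sliding window, observed the same way, gives away far less, which is why the direction matters.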
Background information:
The “private key” is usually described as a pair of numbers: the same Modulus that appears in the public key, and a private exponent D. D is not picked at random; it is computed as the inverse of the public exponent E modulo λ(N) (or φ(N)), and it normally comes out about the same size as the Modulus (~128 bytes for RSA-1024). Generation of the Modulus, E and D starts with the random selection of two large prime numbers P and Q: the Modulus is P*Q, E is conventionally 65537, and D follows from E and the primes. A stored private key (PKCS #1 RSAPrivateKey) normally also carries P, Q and the CRT values derived from them; whatever the representation, every private-key operation is an exponentiation with a secret exponent, and that exponentiation is what the side channel observes.
The sample key data below shows typical prime numbers P and Q, the Modulus and the public Exponent, each displayed as a big-endian byte array followed by the corresponding decimal integer. The product P*Q at the end was computed with java.math.BigInteger to verify that P*Q = Modulus.
Generating an RSA signature or encrypting with RSA first formats the data into a PKCS #1 v1.5 block: block type 1 for signatures, block type 2 for encryption. The block is the same size as the Modulus. The block, read as a big integer, is then raised to the power D (for signatures) or E (for encryption) modulo the Modulus, producing the digital signature or the ciphertext; verification and decryption apply the other exponent. Only the operations that use the private exponent, signing and decrypting, go through the exponentiation that the side channel leaks.
P [64 bytes/512 bits]
[FA, F7, 2D, 97, 66, 5C, 47, 66, B9, BB, 3C, 33, 75, CC, 54, E0, 71, 12, 1F, 90,
B4, AA, 94, 4C, B8, 8E, 4B, EE, 64, F9, D3, F8, 71, DF, B9, A7, 05, 55, DF, CE,
39, 19, 3D, 1B, EB, D5, FA, 63, 01, 52, 2E, 01, 7B, 05, 33, 5F, F5, 81, 6A, F9,
C8, 65, C7, 65]
Decimal:
13144131834269512219260941993714669605006625743172006030529504645527800951523697
620149903055663251854220067020503783524785523675819158836547734770656069477
Digits: 155
Q [64 bytes/512 bits]
[EA, A0, F7, B0, 11, D8, 58, BC, 1F, E7, D9, EA, E6, 2B, E3, 68, 48, 39, 7A, 0C,
16, 5D, E3, 58, 95, DB, B7, CB, E8, F0, 24, B4, 65, 62, 5A, EB, 28, 08, 79, 0A,
30, 53, 18, C5, 36, 35, DC, 5C, F6, 66, 77, 44, F2, B4, BA, 46, CF, 30, 0A, DF,
05, AE, 40, 23]
Decimal:
12288506286091804108262645407658709962803358186316309871205769703371233115856772
658236824631092740403057127271928820363983819544292950195585905303695015971
Digits: 155
Modulus [128 bytes/1024 bits]
[E6, 03, BC, F9, FA, 9B, 40, 5C, D8, 51, AC, 0A, 3D, 33, F9, 12, 0C, 89, 57, E7,
98, 25, C2, A5, BD, AE, 35, 00, 0C, 5E, 6B, 1D, 30, 21, 62, 20, 0D, D3, 56, 59,
C2, AE, 13, 8E, FF, 1E, 6B, B3, 94, A7, 45, F0, F8, 71, B8, AF, 86, 13, 71, 10,
6F, A0, DB, 08, 7C, 74, AC, 64, DF, 7C, 8B, 41, F3, 36, 3F, 7A, 79, 1D, 83, 3D,
68, 02, 90, 52, 3F, C7, 4D, 0B, 99, 26, 07, 44, 68, 1B, FE, 8C, C7, 0B, 67, 7D,
15, D1, 54, 6A, 34, F2, F4, D3, 61, A4, 3F, ED, 28, 55, 52, 39, 47, 14, 20, E4,
1A, 82, E7, 4D, 57, 69, 82, CF]
Decimal:
16152174667064029642647365822885998430666314431815268152405470907824573659036629
72483772980826569393306732864932303362619914669385966910731129686267107921489042
39628873374506302653492009810626437582587089465395941375496004739918498276676334
238241465498030036586063929902368192004233172032080188726965600617167
Digits: 309
Exponent = [01, 00, 01]
Decimal:
65537
Digits: 5
P*Q
16152174667064029642647365822885998430666314431815268152405470907824573659036629
72483772980826569393306732864932303362619914669385966910731129686267107921489042
39628873374506302653492009810626437582587089465395941375496004739918498276676334
238241465498030036586063929902368192004233172032080188726965600617167
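As an added example (not the page's own Java code), here is the same P*Q = Modulus check in Python using the byte arrays above, extended with the steps the background paragraphs describe: deriving D from E and the primes, building PKCS #1 v1.5 type 1 and type 2 blocks, and running the private-key (D) and public-key (E) exponentiations that sign, verify, encrypt and decrypt. The message strings are constructed for the example; a real signature puts the DER-encoded DigestInfo of the hash in the data field rather than raw bytes.

```python
import os
from math import gcd

# The sample key data from the text, transcribed as big-endian hex.
P_HEX = """
FA F7 2D 97 66 5C 47 66 B9 BB 3C 33 75 CC 54 E0 71 12 1F 90
B4 AA 94 4C B8 8E 4B EE 64 F9 D3 F8 71 DF B9 A7 05 55 DF CE
39 19 3D 1B EB D5 FA 63 01 52 2E 01 7B 05 33 5F F5 81 6A F9
C8 65 C7 65"""
Q_HEX = """
EA A0 F7 B0 11 D8 58 BC 1F E7 D9 EA E6 2B E3 68 48 39 7A 0C
16 5D E3 58 95 DB B7 CB E8 F0 24 B4 65 62 5A EB 28 08 79 0A
30 53 18 C5 36 35 DC 5C F6 66 77 44 F2 B4 BA 46 CF 30 0A DF
05 AE 40 23"""
N_HEX = """
E6 03 BC F9 FA 9B 40 5C D8 51 AC 0A 3D 33 F9 12 0C 89 57 E7
98 25 C2 A5 BD AE 35 00 0C 5E 6B 1D 30 21 62 20 0D D3 56 59
C2 AE 13 8E FF 1E 6B B3 94 A7 45 F0 F8 71 B8 AF 86 13 71 10
6F A0 DB 08 7C 74 AC 64 DF 7C 8B 41 F3 36 3F 7A 79 1D 83 3D
68 02 90 52 3F C7 4D 0B 99 26 07 44 68 1B FE 8C C7 0B 67 7D
15 D1 54 6A 34 F2 F4 D3 61 A4 3F ED 28 55 52 39 47 14 20 E4
1A 82 E7 4D 57 69 82 CF"""
E = 65537


def from_be_bytes(hexdump: str) -> int:
    return int.from_bytes(bytes.fromhex(hexdump), "big")


P, Q, N = (from_be_bytes(h) for h in (P_HEX, Q_HEX, N_HEX))
K = (N.bit_length() + 7) // 8      # modulus length in bytes: 128 for this key


def modulus_matches() -> bool:
    """The same check the text performs with java.math.BigInteger."""
    return P * Q == N


def private_exponent() -> int:
    """D = E^-1 mod lcm(P-1, Q-1): the secret exponent of the private-key operation."""
    lam = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)
    return pow(E, -1, lam)


def pkcs1_v15_pad(data: bytes, block_type: int, k: int = K) -> bytes:
    """EM = 0x00 || BT || PS || 0x00 || D with |EM| = k.  BT 1 (signature):
    PS is 0xFF bytes.  BT 2 (encryption): PS is random non-zero bytes.  |PS| >= 8."""
    if block_type not in (1, 2):
        raise ValueError("block type must be 1 (signature) or 2 (encryption)")
    ps_len = k - 3 - len(data)
    if ps_len < 8:
        raise ValueError("data too long for this modulus")
    if block_type == 1:
        ps = b"\xff" * ps_len
    else:
        ps = b""
        while len(ps) < ps_len:        # draw until enough non-zero bytes
            ps += os.urandom(ps_len - len(ps)).replace(b"\x00", b"")
    return b"\x00" + bytes([block_type]) + ps + b"\x00" + data


def pkcs1_v15_unpad(em: bytes, block_type: int) -> bytes:
    """Strip a type-1 or type-2 block, rejecting malformed ones."""
    if len(em) < 11 or em[0] != 0 or em[1] != block_type:
        raise ValueError("malformed PKCS #1 block")
    sep = em.index(b"\x00", 2)          # first 0x00 after the padding string
    if sep < 10:                        # fewer than 8 padding bytes
        raise ValueError("malformed PKCS #1 block")
    return em[sep + 1:]


def rsa_sign(data: bytes, d: int) -> int:
    """Private-key operation: the block as an integer raised to D mod N."""
    return pow(int.from_bytes(pkcs1_v15_pad(data, 1), "big"), d, N)


def rsa_verify(sig: int, data: bytes) -> bool:
    """Type-1 padding is deterministic, so verification can rebuild the block."""
    return pow(sig, E, N).to_bytes(K, "big") == pkcs1_v15_pad(data, 1)


def rsa_encrypt(data: bytes) -> int:
    """Public-key operation: type-2 block raised to E mod N."""
    return pow(int.from_bytes(pkcs1_v15_pad(data, 2), "big"), E, N)


def rsa_decrypt(c: int, d: int) -> bytes:
    """Private-key operation again: D is used, so this is the leaky direction."""
    return pkcs1_v15_unpad(pow(c, d, N).to_bytes(K, "big"), 2)


if __name__ == "__main__":
    print("P*Q == Modulus:", modulus_matches())
    d = private_exponent()
    print("D has", d.bit_length(), "bits")
    sig = rsa_sign(b"digest-goes-here", d)
    print("signature verifies:", rsa_verify(sig, b"digest-goes-here"))
    print("decrypts to:", rsa_decrypt(rsa_encrypt(b"secret"), d))
```

Note that only rsa_sign and rsa_decrypt exponentiate with D; rsa_verify and rsa_encrypt use E, which is public anyway, so a cache probe of those two operations reveals nothing worth stealing.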
FIX:
https://lists.gnupg.org/pipermail/gnupg-announce/2017q2/000408.html
Users of the Libgcrypt library should upgrade to Libgcrypt 1.7.8, which carries the mitigation; GnuPG 2.x links against Libgcrypt, so updating the library protects it as well.
Hacking Linux with Evil DNS
A critical vulnerability has been discovered in systemd, tracked as CVE-2017-9445. It lies in the dns_packet_new function of systemd-resolved, the DNS response handler that provides name resolution to local applications. A malicious DNS server, or an attacker who can inject answers to the resolver's TCP queries, exploits it by responding with a specially crafted TCP payload: certain sizes passed to dns_packet_new make systemd-resolved allocate a buffer that is too small, after which the response data is written beyond the end of it.
The bug has been present since systemd version 223, released in mid-2015, up to and including systemd version 233 from March this year; the fix is carried in systemd 234. Affected distributions include Ubuntu 17.04 and 16.10, Debian Stretch and other Linux distributions shipping a systemd in that range.
Patches have been released and it is strongly recommended to update the systemd packages of your distribution, with priority on hosts where systemd-resolved is actually running (systemctl is-active systemd-resolved will tell you); a host that resolves names some other way does not exercise the vulnerable code path.