Broken crypto

A team of eight researchers from various universities has found a bug in the Libgcrypt library that allows an attacker with local access to extract the RSA-1024 private key that was used to encrypt local data.

Their research paper focused on GnuPG, encryption software for Android, Linux, macOS, and Windows. More precisely, the researchers focused their work on Libgcrypt, the GnuPG library responsible for GnuPG's actual cryptographic operations.

The researchers say they found that Libgcrypt used a method known as "sliding windows" to compute part of the mathematical operations behind data encryption. The problem, they say, is that "sliding windows" is a computation method known to leak data via side-channel attacks.

Older unpatched attack led to compromise

The research team says that the Libgcrypt team had patched only two [1, 2] of the three attacks [3] known to be capable of leaking the bits of an encryption key.

Previously, Libgcrypt's unpatched "sliding window" method for handling part of the computational tasks was deemed acceptable because it leaked only part of the RSA private key. For example, Libgcrypt implementations that used "4-bit left-to-right sliding windows" leaked only 40% of the private key, while "5-bit left-to-right sliding windows" leaked only 33% of the key.

Starting from this simple discovery that one of the attacks was never patched in Libgcrypt, researchers put together an algorithm that combines several previously known methods to recover the full RSA-1024 private key.

This allowed researchers to decrypt any data encrypted by that key, such as local files, emails, or backups.

Issue fixed in Libgcrypt

The researchers reported their findings to the GnuPG team, which released Libgcrypt 1.7.8, a release containing fixes that prevent exploitation via this new side-channel attack.

The GnuPG team, Libgcrypt's maintainers, downplayed the bug's importance, but also warned about situations that users need to take into consideration:

Note that this side-channel attack requires that the attacker can run arbitrary software on the hardware where the private RSA key is used. Allowing execute access to a box with private keys should be considered as a game over condition, anyway. Thus in practice there are easier ways to access the private keys than to mount this side-channel attack. However, on boxes with virtual machines this attack may be used by one VM to steal private keys from another VM.

The Libgcrypt patch has already started making its way into Linux distros such as Debian and Ubuntu. The issue is tracked as CVE-2017-7526, and doesn't appear to affect RHEL distros.

Our readers can find more details about the crypto attack in the research team's paper, entitled "Sliding right into disaster: Left-to-right sliding windows leak." This is also not the first time that researchers have broken RSA-1024.