Minerva attack on ARM architecture #24254
Comments
GeorgePantelakis
added
the
issue: bug report
|
In the description:
Missing search and replace with Arm? :) |
|
@GeorgePantelakis the signal is very small ~1ns and I would be very curious to see any real world attack scenario that could take an advantage of such small signal. |
t8m
added
branch: master
|
@t8m That might be true, at least for now, but as you can see for Skylark in the deterministic path the signal is ~3ns so that could be an issue. |
Note that the leakage is most likely in scalar multiplication, which means ECDH is also most likely affected. So, anything that exposes a network API that uses static ECDH, for example, Json Web Encryption, can be attacked through this. Confirming 1ns difference over the network is 100% possible, I've done that multiple times, it's just a question of persistence. |
|
There is a reason why an ECDH secret is usually not used in more than one key agreement. |
|
Depends on the use case. TLS doesn't because TLS uses signing keys for the long-lived credential, but there are plenty of protocols that are designed differently. HPKE, other ECIES schemes, Signal, the original QUIC handshake, etc. Constant time ECDH isn't meaningfully harder than constant time ECDSA signing. Arguably easier. ECDSA is a point multiplication and then some. (Although they're not quite the same multiplication. ECDSA is a base point multiplication and ECDH is an arbitrary point. But that doesn't change how hard constant time is.) |
that's why I wrote "static ECDH", not "ECDHE". Yes, for ECDHE, like in TLS, IPsec or SSH, when the key is used once, or just few hundred times, a remote network timing attack is basically impossible with leakage this small. |
@tomato42 and I have tested OpenSSL in ARM architecture and we found that it may be vulnerable to a variant of the Minerva attack. We used statistical analysis to confirm the presence of side channels but we did not perform the Minerva attack against the implementation.
In the test scenario, we measure the time of signing of random messages using the
EVP_DigestSignAPI (Init,Update, andFinal) and then use the private key to extract the K value (nonce) from the signatures. Then based on the bit size of the extracted nonce we compare the signing time of full-sized nonces to signatures that used smaller nonces using statistical tests.In our initial test, for ARM we tested P-256 in 3 microarchitectures (Ampere Altra Max CPU, Cavium's ThunderX2 CN99XX CPU with Vulcan microarchitecture, and Ampere's eMAG CPU with Skylark microarchitecture) and still found differences between them. Ampere Altra Max CPU doesn't show a signal while the other two microarchitectures do. In these results we can see a clear leak: there is a dependency between the bit size of K and the size of the side channel.
For Ampere Altra Max CPU:
Results for the non-deterministic path of the code. Skilling-Mack test p-value: 6.201480e-02. The sample tested has 291,513,535 observations.
Results for the deterministic path of the code. Skilling-Mack test p-value: 9.524591e-01. The sample tested has 161,951,709 observations.
For Cavium's ThunderX2 CN99XX CPU with Vulcan microarchitecture:
Results for the non-deterministic path of the code. Skilling-Mack test p-value: 3.958440e-20. The sample tested has 647,808,394 observations.
Results for the deterministic path of the code. Skilling-Mack test p-value: 1.215735e-12. The sample tested has 161,951,519 observations.
For Ampere's eMAG CPU with Skylark microarchitecture:
Results for the non-deterministic path of the code. Skilling-Mack test p-value: 2.028643e-12. The sample tested has 647,829,103 observations.
Results for the deterministic path of the code. Skilling-Mack test p-value: 6.354241e-59. The sample tested has 64,785,572 observations.
The text was updated successfully, but these errors were encountered: