4

I'm aware of attacks extracting information via timing and volume. But none that care or attack the actual cryptographic algorithm implementation or end up extracting the key.

Seeking examples, if any, of such attacks which happened outside the lab, or evidence where we suspect this was the means of attack used.

Any side channel: timing, sound, power, something else?

Meir Maor
  • 2
    I cite a few experiences in the Smart Card field here, and just added that 1 and 3 are first-hand experience. I have detailed 1 here, with link to a video demo. I think I still have card samples for 3, perhaps 1. I trust reports that fault injection is routinely practiced with success. – fgrieu Sep 05 '20 at 05:36
  • 1
    Thank you, I indeed heard of smart card attacks, didn't think of those. These give the attacker a huge degree of control (including fault injection). – Meir Maor Sep 05 '20 at 05:38
  • 1
    There is the classical attack from 1956 against the Hagelin cipher machine in the Egyptian embassy (see https://link.springer.com/article/10.1007/s00145-015-9224-2). – j.p. Sep 05 '20 at 06:17
  • I think that is mostly illegal and we don't see it in the articles. And the hackers usually go other ways. – kelalaka Sep 05 '20 at 09:32
  • 1
    When attackers attack crypto in the wild we often know about it. We have seen multiple instances of Beast and Poodle and MD5 collisions just to name a few. If for instance timing attacks on RSA were common I expect we would see some evidence of those. – Meir Maor Sep 05 '20 at 10:16
  • 1
    Not quite a side-channel attack, but related: When Organized Crime Applies Academic Results. – j.p. Sep 06 '20 at 21:42

1 Answer

2

None that recover the key?

  • Osvik, Shamir, Tromer, 2006: Recover AES-256 secret key of Linux’s dmcrypt in just 65 ms
  • AlFardan, Paterson, 2013: “Lucky13” recovers plaintext of CBC-mode encryption in pretty much all TLS implementations
  • Yarom, Falkner, 2014: Attack against RSA-2048 in GnuPG 1.4.13: “On average, the attack is able to recover 96.7% of the bits of the secret key by observing a single signature or decryption round.”
  • Benger, van de Pol, Smart, Yarom, 2014: “reasonable level of success in recovering the secret key” for OpenSSL ECDSA using secp256k1 “with as little as 200 signatures”

Those are all examples of timing attacks that were usable in the wild. Also, they're all timing attacks. Never mind Spectre, Meltdown, and the plethora of other predictive branching vulnerabilities that followed suit. There's also the RSA "exponent 3" attack (which I may or may not have exploited myself one or 2 times against web servers' TLS certificates).

(edit: The exponent 3 attack isn't really a side-channel attack but it's so hilarious I couldn't resist.)

In short, most timing attacks can be performed in the wild. There was even an issue with Amazon AWS instances that allowed someone to steal encryption keys from other instances simply by creating an AWS free tier account.

The good news is, usually researchers find them before bad actors and there's time to develop a fix before it gets too crazy. But these attacks are very real and usually crippling; both on paper and in practice.

I might suggest reading this document [PDF] which outlines the nature of such attacks in slightly more detail.

Serpent27
  • 1
    These are all in the lab. The attacker chooses the scenario, knows the setup very well, isolates extra interference. And even if they are realistic attacks, there is a big difference between realistic attack and real attack. – Meir Maor Sep 05 '20 at 05:35
  • 2
    Lab conditions? The AWS attack I described was performed by researchers actually renting out an AWS instance; Meltdown was exploited through the web browsers of unsuspecting users; power-based attacks are successfully performed on ordinary laptops using a parabolic microphone at significant distance. None of those are "lab conditions" – Serpent27 Sep 05 '20 at 05:41
  • It was nearly an AWS lab. The conditions were perfect. Not really in the wild. – kelalaka Sep 05 '20 at 06:30
  • What does an "AWS lab" mean? The hardware wasn't owned or controlled by the researchers, and the server was running code from other Amazon clients. That's the definition of an in-the-wild attack. What you call perfect conditions I call a production server. – Serpent27 Sep 05 '20 at 06:34
  • Go on, get an AWS account and use your server. Now ask the researcher to locate your shared AWS instance! And wait for the attack! If not shared, forget about it. – kelalaka Sep 05 '20 at 07:17
  • Yes, I'll just ask a security researcher I've never met (because I'm best friends with everyone I don't know) and have them exploit a vulnerability that was patched multiple years ago... You know the wonderful thing about the security community is they fix issues instead of pretending they don't matter "in the wild". – Serpent27 Sep 05 '20 at 07:33
  • I know some of those researchers and I was in their lab during some of that research. It was perfect conditions on AWS. One server is the target and the other is the attacker. That's it. The only meaningful ones are the smart card attacks, as pointed out by fgrieu. – kelalaka Sep 05 '20 at 17:26
  • @MeirMaor please note (1) real attackers don't usually publish their achievements (2) researchers do publish, and are much more restricted to legality (even if they could get the secrets of an unsuspecting party, it is not in their interest to do or admit it) (3) side-channels are notoriously silent, you can easily detect a Shellshock payload but detecting someone at a different VM is trying to exploit a side-channel to read your memory would be much harder (4) "normal" attackers won't generally use side-channels, it's more for a dedicated adversary e.g. secretive three-letter agencies – Ángel Sep 06 '20 at 01:23
  • @Angel I disagree. Hackers get caught, others leave evidence. Most side channel attacks require interacting with the private key holder, triggering private key operations while monitoring the side channel. This could leave evidence. This is exactly what I'm looking for: the difference between realistic attack and real attack. – Meir Maor Sep 06 '20 at 04:28
  • Evidence is often lost, and hackers don't exactly have the highest rate of actually getting caught. If someone is sophisticated enough to actually use a side-channel attack hiding the evidence is the easy part. – Serpent27 Sep 06 '20 at 04:42