RSA 1024-bit – is it secure?

Security researchers have discovered a critical vulnerability in the GnuPG cryptographic library that allowed them to break RSA 1024-bit encryption and extract the secret RSA key to decrypt data.
Gnu Privacy Guard (GnuPG or GPG) is popular open-source encryption software used by many operating systems (Linux, FreeBSD, Windows and macOS X).
The vulnerability, tracked as CVE-2017-7526, is located in the Libgcrypt cryptographic library used by GnuPG.
It is the same software that former NSA employee Edward Snowden used to encrypt his communications.
The research
A team of researchers from the Universities of Eindhoven, Illinois, Pennsylvania, Maryland, and Adelaide found that the "left-to-right sliding window" method used by the Libgcrypt library to perform its cryptographic arithmetic leaks significantly more information than needed, allowing the RSA key to be fully recovered.
"In this paper, we demonstrate a complete breaking of RSA-1024 as implemented in Libgcrypt. Our attack basically uses the fact that Libgcrypt uses the left-to-right method to calculate the sliding-window expansion", say the researchers in their paper.
The L3 cache side-channel attack requires the attacker to run "tampered" software on the hardware where the RSA private key is used.
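The following added example (not Libgcrypt code and not taken from the paper) models why the left-to-right sliding window method described above is a problem: its sequence of squarings (S) and multiplications (M) depends on the secret exponent, while a fixed-window loop that always multiplies produces the same sequence for every exponent of a given length. All function names and constants are constructed for illustration, and the fixed-window variant is shown as a generic countermeasure, not as the library's actual fix.

```python
# Constructed toy values; real RSA exponents are ~1024 bits.
MOD, BASE = (1 << 61) - 1, 0x1234567
E1, E2 = 0b1011001110001011, 0b1100101000110101  # same bit length

def sliding_ltr(base, exp, mod, w=4):
    """Left-to-right sliding-window modexp. Returns (result, S/M trace)."""
    table = {d: pow(base, d, mod) for d in range(1, 1 << w, 2)}  # odd powers
    bits = bin(exp)[2:]
    acc, trace, i = 1, [], 0
    while i < len(bits):
        if bits[i] == "0":              # zero bit: square only
            acc = acc * acc % mod
            trace.append("S")
            i += 1
            continue
        j = min(i + w, len(bits))       # window of at most w bits...
        while bits[j - 1] == "0":       # ...that must end in a 1 bit
            j -= 1
        for _ in range(j - i):
            acc = acc * acc % mod
            trace.append("S")
        acc = acc * table[int(bits[i:j], 2)] % mod
        trace.append("M")               # position of M reveals window layout
        i = j
    return acc, "".join(trace)

def fixed_window(base, exp, mod, w=4):
    """Fixed-window modexp that multiplies every window, even by 1."""
    nbits = exp.bit_length()
    nbits += -nbits % w                 # pad to a multiple of w
    table = [pow(base, d, mod) for d in range(1 << w)]
    acc, trace = 1, []
    for shift in range(nbits - w, -1, -w):
        for _ in range(w):
            acc = acc * acc % mod
            trace.append("S")
        # A real implementation also needs a constant-time table lookup;
        # Python integers are not constant time, this only models op order.
        acc = acc * table[(exp >> shift) & ((1 << w) - 1)] % mod
        trace.append("M")
    return acc, "".join(trace)

if __name__ == "__main__":
    for e in (E1, E2):
        print(f"{e:016b} sliding={sliding_ltr(BASE, e, MOD)[1]}")
        print(f"{e:016b} fixed  ={fixed_window(BASE, e, MOD)[1]}")
```
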
For more information read 'Sliding right into disaster: Left-to-right sliding windows leak,' (PDF) by Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Christine van Vredendaal, Tanja Lange, and Yuval Yarom.