RSA 1024-bit - is it safe? Security researchers have discovered a critical vulnerability in the GnuPG cryptographic library that allowed them to crack 1024-bit RSA encryption and extract the secret RSA key to decrypt data.
Gnu Privacy Guard (GnuPG or GPG) is popular open-source encryption software used by many operating systems (Linux, FreeBSD, Windows and macOS X).
The vulnerability, tracked as CVE-2017-7526, is located in the Libgcrypt encryption library used by GnuPG.
It is the same software that former NSA employee Edward Snowden used to encrypt his communications.
The research
A team of researchers from the universities of Eindhoven, Illinois, Pennsylvania, Maryland and Adelaide found that the "left-to-right sliding window" method, which the libgcrypt library uses to carry out the mathematics of the cryptography, leaks significantly more information than is needed, allowing the full recovery of the RSA key.
"In this work, we demonstrate a complete breakdown of RSA-1024 as applied to Libgcrypt. Our attack basically uses the fact that Libgcrypt uses the left-to-right method to calculate the sliding-window extension", the researchers state in their paper.
The L3 cache side-channel attack requires an attacker to run "tampered" software on the hardware where the RSA private key is used.
For more information, read "Sliding right into disaster: Left-to-right sliding windows leak" (PDF) by Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Christine van Vredendaal, Tanja Lange and Yuval Yarom.
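To show why the order of operations matters, here is an added example (not Libgcrypt code and not taken from the paper; the function names and toy values are constructed). It implements a left-to-right sliding-window exponentiation that records its squarings (S) and multiplications (M). It goes a step beyond the article by setting this beside a fixed-window variant, whose sequence is identical for every exponent of the same length.

```python
# Added illustration; not Libgcrypt code. Function names are hypothetical.

def sliding_window_pow(base, exponent, modulus, w=4):
    """Left-to-right sliding-window modexp; returns (result, 'S'/'M' trace)."""
    square = base * base % modulus
    odd = {1: base % modulus}                 # base^1, base^3, ..., base^(2^w - 1)
    for k in range(3, 1 << w, 2):
        odd[k] = odd[k - 2] * square % modulus
    bits, acc, trace, i = bin(exponent)[2:], 1, [], 0
    while i < len(bits):
        if bits[i] == "0":                    # zero bit: a lone squaring
            acc = acc * acc % modulus
            trace.append("S")
            i += 1
            continue
        j = min(i + w, len(bits))             # widest window that ends in a 1 bit
        while bits[j - 1] == "0":
            j -= 1
        for _ in range(j - i):
            acc = acc * acc % modulus
            trace.append("S")
        acc = acc * odd[int(bits[i:j], 2)] % modulus
        trace.append("M")                     # position of M depends on key bits
        i = j
    return acc, "".join(trace)

def fixed_window_pow(base, exponent, modulus, w=4):
    """Fixed-window modexp: always w squarings then one multiply per window."""
    table = [1] * (1 << w)
    for k in range(1, 1 << w):
        table[k] = table[k - 1] * base % modulus
    bits = bin(exponent)[2:]
    bits = bits.zfill(-(-len(bits) // w) * w)  # pad to a multiple of w
    acc, trace = 1, []
    for i in range(0, len(bits), w):
        for _ in range(w):
            acc = acc * acc % modulus
            trace.append("S")
        # Multiply even for an all-zero window (table[0] == 1). A real
        # implementation must also make this table lookup secret-independent.
        acc = acc * table[int(bits[i:i + w], 2)] % modulus
        trace.append("M")
    return acc, "".join(trace)

# Constructed toy values: two 7-bit "secret" exponents, small prime modulus.
E1, E2, BASE, MOD = 0b1011001, 0b1000111, 7, 1009
if __name__ == "__main__":
    for e in (E1, E2):
        print(f"{e:07b} sliding={sliding_window_pow(BASE, e, MOD, 3)[1]:<11}"
              f" fixed={fixed_window_pow(BASE, e, MOD, 3)[1]}")
```

With a window size of 3, the two toy exponents produce the traces SSSMSMSSSM and SMSSSSSSM under the sliding window, but SSSMSSSMSSSM for both under the fixed window.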