Weaknesses in current RSA signature schemes

Authors:
Juliane Krämer;Dmitry Nedospasov;Jean-Pierre Seifert
Affiliations:
Security in Telecommunications, Technische Universität Berlin and Deutsche Telekom Innovation Laboratories, Germany;Security in Telecommunications, Technische Universität Berlin and Deutsche Telekom Innovation Laboratories, Germany;Security in Telecommunications, Technische Universität Berlin and Deutsche Telekom Innovation Laboratories, Germany
Venue:
ICISC'11 Proceedings of the 14th international conference on Information Security and Cryptology
Year:
2011

Citing 12
Cited 0

Handbook of Applied Cryptography

Handbook of Applied Cryptography
Distinguishing Exponent Digits by Observing Modular Subtractions

CT-RSA 2001 Proceedings of the 2001 Conference on Topics in Cryptology: The Cryptographer's Track at RSA
A Practical Implementation of the Timing Attack

CARDIS '98 Proceedings of the The International Conference on Smart Card Research and Applications
Differential Power Analysis

CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
ElectroMagnetic Analysis (EMA): Measures and Counter-Measures for Smart Cards

E-SMART '01 Proceedings of the International Conference on Research in Smart Cards: Smart Card Programming and Security
Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems

CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
A Timing Attack against RSA with the Chinese Remainder Theorem

CHES '00 Proceedings of the Second International Workshop on Cryptographic Hardware and Embedded Systems
Power Analysis Attacks: Revealing the Secrets of Smart Cards (Advances in Information Security)

Power Analysis Attacks: Revealing the Secrets of Smart Cards (Advances in Information Security)
Lest we remember: cold-boot attacks on encryption keys

Communications of the ACM - Security in the Browser
The RSA cryptography processor

EUROCRYPT'87 Proceedings of the 6th annual international conference on Theory and application of cryptographic techniques
Power analysis by exploiting chosen message and internal collisions – vulnerability of checking mechanism for RSA-Decryption

Mycrypt'05 Proceedings of the 1st international conference on Progress in Cryptology in Malaysia
Simple power analysis on exponentiation revisited

CARDIS'10 Proceedings of the 9th IFIP WG 8.8/11.2 international conference on Smart Card Research and Advanced Application

Quantified Score

Hi-index	0.00

Visualization

Abstract

This work presents several classes of messages that lead to data leakage during modular exponentiation. Such messages allow for the recovery of the entire secret exponent with a single power measurement. We show that padding schemes as defined by industry standards such as PKCS#1 and ANSI x9.31 are vulnerable to side-channel attacks since they meet the characteristics defined by our classes. Though PKCS#1 states that there are no known attacks against RSASSA-PKCS1-v1_5, the EMSA-PKCS1-v1_5 encoding in fact makes the scheme vulnerable to side-channel analysis. These attacks were validated against a real-world smartcard system, the Infineon SLE78, which ran our proof of concept implementation. Additionally, we introduce methods for the elegant recovery of the full RSA private key from blinded RSA CRT exponents.