Cache Side-Channel Attack Could Defeat OpenSSL ECDSA, Bitcoin

Bitcoin relies on ECDSA signatures to authorize transactions: whoever holds the private key controls the coins. A new side-channel attack shows that a process sharing a CPU with the signing code can recover that private key, and with it the currency.

In a paper, researchers Naomi Benger, Joop van de Pol, Nigel P. Smart, and Yuval Yarom, from the UK and Australia, use the FLUSH+RELOAD cache side-channel attack against ECDSA signing in OpenSSL. The same attack applies to Bitcoin, which signs transactions with ECDSA on the same curve. "We demonstrate our analysis via experiments using the curve secp256k1 used in the Bitcoin protocol," the researchers wrote.

According to Ars Technica, "cryptographers can retrieve the private key needed to take control of bitcoins by taking minute measurements of the CPU as it makes transactions using the digital currency. Specifically, by observing the last-level (L3) CPU cache of an Intel processor as it executes as few as 200 signatures, an attacker in many cases has enough data to completely reconstruct the secret key needed to take ownership."

The researchers conclude: "the information leak in our attack originates from using the sliding window in the wNAF algorithm for scalar multiplication. Hence, an immediate fix for the problem is to use a fixed window algorithm for scalar multiplication...Another solution is available in the implementation of modular exponentiation in OpenSSL. Both these implementations ensure that the computation performs the same sequence of memory accesses, both to code and to data, irrespective of the value of the secret key."
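To make the leak concrete, the following is an added example and not code from the paper, from OpenSSL or from Bitcoin. It implements both scalar multiplication methods the researchers contrast, on secp256k1, in a deliberately simple affine form, and records the sequence of point doublings (D) and additions (A) each one performs. That sequence is what a FLUSH+RELOAD probe on the doubling and addition routines reconstructs: with wNAF it depends on the nonce (the doublings after the last addition give away the nonce's trailing zero bits), with a fixed window it is the same for every nonce. The nonces used in the demo are constructed values, not taken from real signatures, and the window width of 4 is an assumption for illustration.

```python
"""wNAF vs fixed-window scalar multiplication on secp256k1.
Added example, not code from the paper, OpenSSL or Bitcoin: a textbook
affine implementation whose only purpose is to expose the sequence of
point doublings (D) and additions (A) that a FLUSH+RELOAD probe on the
double/add code observes.  Field arithmetic is plain Python integers."""

# secp256k1: y^2 = x^3 + 7 over GF(P); the generator G has prime order N
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def ec_neg(p):
    return INF if p is INF else (p[0], -p[1] % P)

def ec_add(p, q):
    """Affine addition; also handles doubling and P + (-P).  a = 0 here."""
    if p is INF:
        return q
    if q is INF:
        return p
    if p[0] == q[0]:
        if (p[1] + q[1]) % P == 0:
            return INF
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def ec_double(p):
    return ec_add(p, p)

def wnaf_digits(k, w):
    """Width-w NAF, least significant digit first: digits are 0 or odd in
    (-2^(w-1), 2^(w-1)), with at least w-1 zeros after each nonzero digit.
    Where the nonzero digits fall depends on the bits of k."""
    digits = []
    while k > 0:
        if k & 1:
            d = k % (1 << w)
            if d >= 1 << (w - 1):
                d -= 1 << w
            k -= d
        else:
            d = 0
        digits.append(d)
        k >>= 1
    return digits

def mul_wnaf(k, point, w=4):
    """Sliding-window wNAF multiplication, the leaky method.
    Returns (k*point, trace); trace is the D/A operation sequence."""
    table, two_p = {1: point}, ec_double(point)   # odd multiples 1P, 3P, ...
    for i in range(3, 1 << (w - 1), 2):
        table[i] = ec_add(table[i - 2], two_p)
    acc, trace = INF, []
    for d in reversed(wnaf_digits(k, w)):
        acc = ec_double(acc)
        trace.append("D")
        if d:                                 # addition only for nonzero digits
            acc = ec_add(acc, table[d] if d > 0 else ec_neg(table[-d]))
            trace.append("A")
    return acc, "".join(trace)

def mul_fixed_window(k, point, w=4, nbits=256):
    """Fixed-window multiplication: every w-bit window costs exactly w
    doublings plus one addition of table[d] (table[0] is INF), so the
    D/A trace depends only on nbits and w, never on k."""
    table = [INF, point]
    for _ in range(2, 1 << w):
        table.append(ec_add(table[-1], point))
    acc, trace = INF, []
    for i in reversed(range(0, nbits, w)):
        for _ in range(w):
            acc = ec_double(acc)
            trace.append("D")
        d = (k >> i) & ((1 << w) - 1)
        acc = ec_add(acc, table[d])           # executed even when d == 0
        trace.append("A")
    return acc, "".join(trace)

def trailing_zero_bits_from_trace(trace):
    """Attacker's view of a wNAF trace: the doublings after the final
    addition count the trailing zero bits of the nonce k, i.e. the trace
    alone gives k mod 2^(j+1) = 2^j for that many bits j."""
    return len(trace) - trace.rfind("A") - 1

if __name__ == "__main__":
    # constructed nonces (not from real signatures): same length, different low bits
    for k in (0xC0FFEE << 232, (0xC0FFEE << 232) | 1):
        _, t = mul_wnaf(k, G)
        print("wNAF  ...%s  leaks %d trailing zero bits" % (t[-10:], trailing_zero_bits_from_trace(t)))
        _, f = mul_fixed_window(k, G)
        print("fixed ...%s  identical for every nonce" % f[-10:])
```

Two caveats a practitioner should keep in mind. First, this block only fixes the high-level operation sequence; `ec_add` still branches on its inputs (the early return for `INF`, the doubling case), so a production constant-time implementation, as the researchers describe for OpenSSL, must also make the table lookup and the point addition itself free of secret-dependent memory accesses. Second, a real probe is noisy and sees only part of each trace; the attack works because the partial nonce bits recovered from many signatures (the roughly 200 that Ars Technica cites) are combined with lattice techniques to solve for the private key.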

