Mitigate a flush+reload cache attack on RSA secret exponents.

* mpi/mpi-pow.c (mpi_powm): Always perform the mpi_mul for exponents hold in secure memory. -- The attack is described in a paper to be pusblished at eprint.iacr.org: Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack by Yuval Yarom and Katrina Falkner. 18 July 2013. Flush+Reload is a cache side-channel attack that monitors access to data in shared pages. In this paper we demonstrate how to use the attack to extract private encryption keys from GnuPG. The high resolution and low noise of the Flush+Reload attack enables a spy program to recover over 98% of the bits of the private key in a single decryption or signing round. Unlike previous attacks, the attack targets the last level L3 cache. Consequently, the spy program and the victim do not need to share the execution core of the CPU. The attack is not limited to a traditional OS and can be used in a virtualised environment, where it can attack programs executing in a different VM. Signed-off-by: Werner Koch <wk@gnupg.org>
2025-01-21 14:47:03 +01:00 · 2013-07-19 13:49:23 +02:00 · 2013-07-19 13:49:23 +02:00 · 35646689f4
commit 35646689f4
parent fd86f30311
2 changed files with 21 additions and 3 deletions
--- a/9
+++ b/9
@ -1,6 +1,15 @@
 Noteworthy changes in version 1.4.14 (unreleased)
 -------------------------------------------------

+    * Mitigate the Yarom/Falkner flush+reload side-channel attack on
+      RSA secret keys.
+
+    * Fixed IDEA for big-endian CPUs
+
+    * Improved the diagnostics for failed keyserver lockups.
+
+    * Minor bug and portability fixes.
+

 Noteworthy changes in version 1.4.13 (2012-12-20)
 -------------------------------------------------
--- a/mpi/mpi-pow.c
+++ b/mpi/mpi-pow.c
@ -1,5 +1,6 @@
 /* mpi-pow.c  -  MPI functions
 * Copyright (C) 1994, 1996, 1998, 2000 Free Software Foundation, Inc.
+ * Copyright (C) 2013 Werner Koch
 *
 * This file is part of GnuPG.
 *
@ -209,7 +210,14 @@ mpi_powm( MPI res, MPI base, MPI exponent, MPI mod)
 		tp = rp; rp = xp; xp = tp;
 		rsize = xsize;

-		if( (mpi_limb_signed_t)e < 0 ) {
+                /* To mitigate the Yarom/Falkner flush+reload cache
+                 * side-channel attack on the RSA secret exponent, we
+                 * do the multiplication regardless of the value of
+                 * the high-bit of E.  But to avoid this performance
+                 * penalty we do it only if the exponent has been
+                 * stored in secure memory and we can thus assume it
+                 * is a secret exponent.  */
+                if (esec || (mpi_limb_signed_t)e < 0) {
 		    /*mpihelp_mul( xp, rp, rsize, bp, bsize );*/
 		    if( bsize < KARATSUBA_THRESHOLD ) {
 			mpihelp_mul( xp, rp, rsize, bp, bsize );
@ -224,7 +232,8 @@ mpi_powm( MPI res, MPI base, MPI exponent, MPI mod)
 			mpihelp_divrem(xp + msize, 0, xp, xsize, mp, msize);
 			xsize = msize;
 		    }
-
+                }
+		if ((mpi_limb_signed_t)e < 0) {
 		    tp = rp; rp = xp; xp = tp;
 		    rsize = xsize;
 		}