ROBOT crypto attack on RSA is back as Marvin arrives

An engineer has identified longstanding undetected flaws in a 25-year-old method for encrypting data using RSA public-key cryptography. In a paper titled "Everlasting ROBOT: the Marvin Attack," Hubert Kario, senior quality engineer on the QE BaseOS Security team at Red Hat, shows that many software implementations of the PKCS …

  1. Duncan Macdonald

    Add random delay to error responses?

    As the attack works by sensing the time differences in error paths, perhaps one fix might be to insert a random delay into error responses. It would not slow down normal operation, just the normally infrequent error processing.

    1. Tom Chiverton 1

      Re: Add random delay to error responses?

      Doesn't work because the random jitter all cancels out over enough tests

      1. Anonymous Coward

        Re: Add random delay to error responses?

        Other than APC (Schneider Electric), who uses this? Or am I not remembering correctly?

        1. Michael Wojcik

          Re: Add random delay to error responses?

          What's the antecedent of "this"? RSA with PKCS#1 v1.5 padding?

      2. Michael Wojcik

        Re: Add random delay to error responses?

        And because of their testing method, looking at pairwise difference. This is discussed in more detail on Kario's page and in the paper.

        Whitening helps to narrow or obscure side channels, but it's tough to do it perfectly – or to raise the work factor high enough to make attacks impractical, which is the real bar.
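Tom Chiverton's point (random jitter averages out over enough samples) and Michael Wojcik's remark about pairwise differences, as an added simulation that is neither the paper's code nor anything the commenters posted. The numbers are constructed: a fixed 2 µs gap between two response paths stands in for the side channel, each measurement gets 20 µs of Gaussian noise, and the proposed mitigation is modelled as an independent uniform random delay of up to 100 µs on every response. The check a defender would want before shipping jitter as a fix is whether the paired estimate of the gap still separates from zero once enough samples are averaged, and by how much the jitter raises the sample count needed.

```python
# Added simulation (constructed numbers, not the paper's measurements): does a
# random delay on the error path hide a small fixed timing difference?
import math
import random
from statistics import mean, stdev


def simulate_pairs(n_pairs, leak_us=2.0, noise_sd_us=20.0,
                   jitter_max_us=100.0, seed=1):
    """Return n_pairs of (t_a, t_b) response times in microseconds.

    Path A and path B differ by a fixed leak_us (the side channel under
    study). Both paths get Gaussian measurement noise and, to model the
    proposed mitigation, an independent uniform random delay in
    [0, jitter_max_us]. Set jitter_max_us=0 for the unmitigated case.
    """
    rng = random.Random(seed)   # fixed seed: reproducible results
    base_us = 500.0             # nominal response time (constructed value)
    pairs = []
    for _ in range(n_pairs):
        t_a = base_us + rng.gauss(0, noise_sd_us) + rng.uniform(0, jitter_max_us)
        t_b = (base_us + leak_us + rng.gauss(0, noise_sd_us)
               + rng.uniform(0, jitter_max_us))
        pairs.append((t_a, t_b))
    return pairs


def pairwise_difference_test(pairs):
    """Estimate the A/B timing gap from paired samples.

    The random delay is independent of which path ran, so it adds variance
    to each pairwise difference but has zero expected value: it averages out
    rather than cancelling the leak. Returns the mean difference, its
    standard error, the z-score (mean / standard error) and a
    distribution-free sign test on the differences.
    """
    diffs = [t_b - t_a for t_a, t_b in pairs]
    n = len(diffs)
    estimate = mean(diffs)
    stderr = stdev(diffs) / math.sqrt(n)
    positives = sum(1 for d in diffs if d > 0)
    # Under "no leak", positives ~ Binomial(n, 1/2): mean n/2, sd sqrt(n)/2.
    sign_z = (positives - n / 2) / (math.sqrt(n) / 2)
    return {"n": n, "estimate_us": estimate, "stderr_us": stderr,
            "z": estimate / stderr, "sign_z": sign_z}


def samples_needed(leak_us, noise_sd_us, jitter_max_us, z_target=5.0):
    """Pairs needed for the mean difference to reach z_target.

    Var(t_b - t_a) = 2 * (noise_sd^2 + jitter_max^2 / 12), so the jitter only
    raises the required sample count quadratically in its width; it never
    makes the gap undetectable.
    """
    var_diff = 2.0 * (noise_sd_us ** 2 + jitter_max_us ** 2 / 12.0)
    return math.ceil((z_target * math.sqrt(var_diff) / leak_us) ** 2)


if __name__ == "__main__":
    for n in (100, 50_000):
        r = pairwise_difference_test(simulate_pairs(n))
        print(f"n={r['n']:>6}: gap = {r['estimate_us']:.2f} +/- "
              f"{r['stderr_us']:.2f} us, z = {r['z']:.1f}, "
              f"sign-test z = {r['sign_z']:.1f}")
    print("pairs needed without jitter:", samples_needed(2.0, 20.0, 0.0))
    print("pairs needed with 100 us jitter:", samples_needed(2.0, 20.0, 100.0))
```

With 100 pairs the estimate is buried in noise; with 50,000 pairs the 2 µs gap comes back with a z-score well above 5 even though every response carried up to 100 µs of random delay. The `samples_needed` formula makes the cost explicit: the 100 µs jitter roughly triples the number of pairs needed compared with no jitter, which is a work-factor increase, not a mitigation. Removing the timing difference itself (constant-time handling of the decrypted value) is what closes the channel.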

  2. sitta_europea

    "...Any implementation that uses general purpose integer implementation (like the default mode of OpenSSL's BIGNUM, NSS's MPI, Java's BigInteger, Python's int, Rust's apint, Gnu MP's mpz_t, Go's math/big Int, etc.) will suffer from the same issues."

    That's a bit scary.

    1. Michael Wojcik

      Well, where "the same issues" means "timing side channels". Kario's blog post and related materials are worth reading in full, if you're interested in cryptography, and his point that we need to pay more attention to timing side-channel attacks in general, and not just for RSA, is well taken. But at the moment there's no published timing-channel attack similar to Marvin against other asymmetric-key ciphers, or even (IIRC) against RSA with OAEP.

      Another key takeaway from Marvin, by the way, is this sentence from Kario's FAQ: "In other words, we got results because we were thorough, not because we used novel techniques." In particular, his team tested across the entire TLS handshake, and they gathered a lot of data, and they used better statistical tests that did not rely on assumptions which are invalid in practice in this case. (More details available on Kario's page and in the paper.)

      1. Tomato42

        See the original CVE description for the OpenSSL bug: it affects all padding modes, as the leak is happening before any padding operations.

  3. ceplma

    M2Crypto mitigation

    Proper commit in M2Crypto is https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958def0
