Successful break of private RSA keys in GnuPG

Several well-known cryptographers have published a paper, “Sliding Right into Disaster”, in which they describe a working attack on private 1024-bit RSA keys.

The issue is in the crypto library Libgcrypt. Using a side-channel attack, they were able to recover private 1024-bit RSA keys and up to 13% of 2048-bit RSA keys. The attack itself was carried out by observing the CPU cache. Libgcrypt uses left-to-right sliding-window exponentiation, and unfortunately the sequence of squarings and multiplications it leaves visible in the cache contains enough information to reconstruct a key.

Our attack makes essential use of the fact that Libgcrypt uses the left-to-right method for computing the sliding-window expansion. We show for the first time that the direction of the encoding matters: the pattern of squarings and multiplications in left-to-right sliding windows leaks significantly more information about exponent bits than for right-to-left. We show how to incorporate this additional information into the Heninger-Shacham algorithm for partial key reconstruction, and use it to obtain very efficient full key recovery for RSA-1024. We also provide strong evidence that the same attack works for RSA-2048 with only moderately more computation.

The GnuPG project has already fixed the issue in Libgcrypt version 1.7.8; the vulnerability has been assigned CVE-2017-7526. The new protection in Libgcrypt is called exponent blinding: the exponent used in each operation is randomized, so whatever data remains in the cache is useless to an attacker. Whether exponent blinding avoids the attack completely will be verified within the next days and weeks.
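The two points above, the square-and-multiply pattern that left-to-right sliding windows expose and the exponent-blinding countermeasure, as a small added Python model (not code from the article or from Libgcrypt); the primes, window size, message and helper names are my own constructed test values:

```python
# Added toy model (not from the article or Libgcrypt): the squaring ("S") /
# multiplication ("M") sequence of a left-to-right sliding-window
# exponentiation, i.e. what a cache side channel can observe, plus the
# exponent-blinding countermeasure. The primes are constructed test values,
# far too small for real use.
import secrets

def sliding_window_trace(d, w=4):
    """Left-to-right sliding-window schedule for exponent d.
    Returns (trace, windows): trace is the observable 'S'/'M' string, windows
    the odd window values multiplied in from a precomputed table."""
    bits = bin(d)[2:]
    n, i = len(bits), 0
    trace, windows = [], []
    while i < n:
        if bits[i] == '0':           # zero outside a window: one squaring
            trace.append('S')
            i += 1
            continue
        j = min(i + w, n)            # window of up to w bits starting at a 1,
        while bits[j - 1] == '0':    # shrunk so that it also ends with a 1
            j -= 1
        trace.extend('S' * (j - i))  # one squaring per bit of the window
        trace.append('M')            # then one multiply by m^(window value)
        windows.append(int(bits[i:j], 2))
        i = j
    return ''.join(trace), windows

def blind_exponent(d, phi, r=None, r_bits=32):
    """Exponent blinding: d' = d + r*phi(N) with a fresh random r per call.
    m^d' == m^d (mod N) for every m, but the S/M pattern now depends on r,
    so one observed pattern no longer corresponds to the long-term d."""
    if r is None:                    # a fixed r is only for tests
        r = secrets.randbits(r_bits) | 1
    return d + r * phi

def demo(p=104723, q=104729, e=65537, m=123456789):
    """Decrypt with the plain and with a blinded exponent: the results must
    agree while the square/multiply traces differ."""
    N, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    d_blind = blind_exponent(d, phi)
    same_result = pow(m, d, N) == pow(m, d_blind, N)
    different_trace = sliding_window_trace(d)[0] != sliding_window_trace(d_blind)[0]
    return same_result, different_trace

if __name__ == "__main__":
    print(demo())                    # (True, True)
```

The blinded exponent is always longer than d, so even the number of squarings an observer counts changes from one operation to the next.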

Users of GnuPG versions bundled with other software might need to wait a little longer for an update.