Cryptography Reference
In-Depth Information
Risk 6: Stealthy or Accidental Change to the Private Key
RSA signatures (Section 6.3) are normally computed using the so-called Chinese
Remainder Theorem (CRT). Rather than calculating values modulo pq,
they are calculated separately, modulo p and modulo q.
Now, if a bit of either p or q is changed due to a hardware or software error,
the wrong signature thus computed can be used to compute p and q [BonRSA].
This is a dangerous attack. An unnoticed one-time bit error in a register can
cause a disaster.
This can be prevented, for example, by checking the signature for correctness
after computing it, but this requires some computation time. Stealthy changes to
private keys (on smartcards, or if the key is XOR-encrypted, as discussed at the end
of Section 7.1) can be reliably detected by using suitable checksums.
Appropriate implementation allows us to prevent the six risks discussed so far,
but not the following risks.
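
The signature check described under Risk 6, as an added example (not code from the book): a toy CRT signer that verifies its own output with the public key before releasing it. The primes, the message and the `fault_mask` hook are constructed assumptions; the fault is modelled as one flipped bit in the mod-p half-signature, which is the effect a corrupted p has on the result.

```python
# Added example: toy RSA-CRT signer with verify-before-release.
# All parameters are constructed; real keys use primes of 1024 bits or more
# and a padding scheme, both omitted here.
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
DP, DQ = D % (P - 1), D % (Q - 1)      # CRT exponents
Q_INV = pow(Q, -1, P)                  # q^-1 mod p, used for recombination


class FaultDetected(Exception):
    """The computed signature did not verify and must not be released."""


def sign_crt(m, fault_mask=0):
    """Sign integer m (0 <= m < N) via CRT.

    fault_mask is XORed into the mod-p half to simulate a bit error
    (hypothetical test hook, not something a real signer would expose).
    """
    sp = pow(m, DP, P) ^ fault_mask    # half-signature modulo p
    sq = pow(m, DQ, Q)                 # half-signature modulo q
    h = (Q_INV * (sp - sq)) % P        # Garner recombination
    return sq + h * Q


def verify(m, s):
    """Public-key check: s^e mod n must give back m."""
    return pow(s, E, N) == m


def sign_checked(m, fault_mask=0):
    """Sign, then verify before the signature leaves the device."""
    s = sign_crt(m, fault_mask)
    if not verify(m, s):
        raise FaultDetected("signature failed self-check; withheld")
    return s


if __name__ == "__main__":
    msg = 123456789                    # constructed message representative
    print("good signature:", sign_checked(msg))
    try:
        sign_checked(msg, fault_mask=1)
    except FaultDetected as exc:
        print("faulty run:", exc)
```

The extra cost is one public-key exponentiation per signature, which is the computation time the text mentions.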
Risk 7: Private Key Stolen
Absolutely clear, you will think — the private key has to be protected as well as
it possibly can. Everything is actually 'only' a matter of implementation, but it
is so important that it is listed as a separate risk here. The problem is as follows:
private keys are normally encrypted by their owners (e.g., using a passphrase
like in PGP; see Section 7.1), so they are (hopefully) protected against
unauthorized access. But sooner or later, when owners want to work
with their private keys, these keys form a contiguous area in memory. On
Web servers that establish secure connections over the SSL protocol, private
keys are even held in memory permanently.
Until not so long ago, people thought that private keys were hidden well enough
amidst all those many megabytes of data in memory. The trouble is that keys
have a distinct feature: they look really random, while almost all program code
and 'normal' data have a structure. Nicko van Someren and Adi Shamir robbed
people of this illusion when they showed in [SomSham] that these keys can
be found astonishingly fast. At the IHW '99 convention in Dresden, Germany,
Someren demonstrated just how fast. In fact, searching for a private RSA key
on a hard disk can even be as fast as physically reading the disk! This opens
the way for a specific attack: hacker methods are used to break into a Web server,
bring the server down, and analyze the core image created on the disk. The
process can be automated.