[2014-03-06] Ars - Crypto attack could one day steal secret Bitcoin keys

[DuckDodgers]

Apparently, a design flaw in some Intel processors can leak private keys:

The attack relies on "side channel analysis," in which attackers extract a secret decryption key based on clues leaked by electromagnetic emanations, data caches, or other manifestations of a targeted cryptographic system. In this case, cryptographers can retrieve the private key needed to take control of bitcoins by taking minute measurements of the CPU as it makes transactions using the digital currency. Specifically, by observing the last-level (L3) CPU cache of an Intel processor as it executes as few as 200 signatures, an attacker in many cases has enough data to completely reconstruct the secret key needed to take ownership. The attack exploits the way OpenSSL implements the elliptic curve digital signature algorithm (ECDSA) based on a specific curve known as secp265k1 found in Bitcoin.

"It should be noted that irrespective of the weakness in the Intel processors, cryptographic algorithms are not supposed to leak information," he wrote in an e-mail. "Hence, the fact that we can get data out of the OpenSSL implementation is a weakness in OpenSSL and should be fixed."

Indeed, experts have long recommended a Bitcoin key be used only once, but this advice is routinely ignored. Another measure is to avoid the use of Intel processors, since the attack doesn't work on modern CPUs made by AMD, Yarom said.

Source

Still not a reason for panic, just another good reminder not to hold all your eggs in one basket.

[ebliever]

Wouldn't this require the hackers have physical access to the CPU?

[eldentyrell]

Wouldn't this require the hackers have physical access to the CPU?

Yes.

Side channel attacks are extremely powerful, but require physical access (with a VERY few exceptions like the clever audio analysis paper, but that still requires the ability to hear the computer).

Side channel attacks are why you can't build hardware that's invulnerable to compromise by its owner.

Cache-based side channel attacks like this one are incredibly sensitive to the exact hardware, OS, CPU, and silicon stepping, and even the ambient temperature.  That's why they don't get published often -- they usually only work in totally contrived laboratory scenarios.

Article writer is confused about the application of this technology.

Also, not peer reviewed:

The Cryptology ePrint Archive provides rapid access to recent research in cryptology. Papers have been placed here by the authors and did not undergo any refereeing process other than verifying that the work seems to be within the scope of cryptology and meets some minimal acceptance criteria and publishing conditions.

[dave111223]

So in short; if there is a nerdy looking scientist standing next to your computer with all kinds of probes hooked up...it's probably not a good idea to start signing 200 transactions using the same key.

[PA992]

So in short; if there is a nerdy looking scientist standing next to your computer with all kinds of probes hooked up...it's probably not a good idea to start signing 200 transactions using the same key.

lol!

[DeathAndTaxes]

So in short; if there is a nerdy looking scientist standing next to your computer with all kinds of probes hooked up...it's probably not a good idea to start signing 200 transactions using the same key.

Or your exchange or eWallet operator is clueless about information security and is running it on a VPS and the datacenter admin is extracting keys from the hypervisor.  Still there are much more probable attack vectors from using a VPS.

It is a good general reminder that information security begins with physical security.

[jimhsu]

If physical access is required, I think it would probably be significantly easier just to take a dump of memory and try to extract keys from that.

Of course, far easier would be an unscrupulous VPS admin gaining console access (which is trivial) and dumping/deleting/whatever your VPS instance. It's elementary to log input into a console terminal, or run a process that looks for a "walletpassphrase" command, or any of several dozen other attack vectors that don't involve cache or memory sniffing. Do you trust your VPS provider?

[Bit_Happy]

Uses too much VPS cpu even when not mining.

[Swordsoffreedom]

So in short; if there is a nerdy looking scientist standing next to your computer with all kinds of probes hooked up...it's probably not a good idea to start signing 200 transactions using the same key.

Looks to the left looks to the right
Looks at self
OH MY  
But still an interesting theory of how to break into a computer the patient virus it takes way to long to really be a practical attack
On the other hand those type of caching attacks might be able to go a long time without being detected so it is interesting
Assuming all the above scenarios are met haha

[DeathAndTaxes]

Of course, far easier would be an unscrupulous VPS admin gaining console access (which is trivial) and dumping/deleting/whatever your VPS instance. It's elementary to log input into a console terminal, or run a process that looks for a "walletpassphrase" command, or any of several dozen other attack vectors that don't involve cache or memory sniffing.

Agreed.   It is just another attack vector but VPS are already swiss cheese when it comes to security.  They shouldn't be used for storing and processing irreversible money.

Do you trust your VPS provider?

The answer should be no.  Anyone stupid enough to think otherwise WILL (it is a matter of when not if) lose bitcoins.