CRACKED: RSA-1024 of GnuPG LibgCrypt

Discuss RSAs, Ciphers, Hashes and different cryptography algorithms...
User avatar
Posts: 116
Joined: Mon May 08, 2017 1:36 am
x 31
x 8

CRACKED: RSA-1024 of GnuPG LibgCrypt


Unread post by xpl0it » Tue Jul 04, 2017 5:02 pm

Gnu Privacy Guard (GnuPG or GPG) is popular open source encryption software used by many operating systems from Linux and FreeBSD to Windows and macOS X.

GNU LibgCrypt Cracked.PNG
RSA-1024 Key of GnuPG
It's the same software used by the former NSA contractor and whistleblower Edward Snowden to keep his communication secure from law enforcement.
The vulnerability, labeled CVE-2017-7526, resides in the Libgcrypt cryptographic library used by GnuPG, which is prone to local FLUSH+RELOAD side-channel attack.

A team of researchers — from Technical University of Eindhoven, the University of Illinois, the University of Pennsylvania, the University of Maryland, and the University of Adelaide — found that the "left-to-right sliding window" method used by the libgcrypt library for carrying out the mathematics of cryptography leaks significantly more information about exponent bits than for right-to-left, allowing full RSA key recovery.

L3 Cache Side-Channel Attack requires an attacker to run arbitrary software on the hardware where the private RSA key is used.

The attack allows an attacker to extract the secret crypto key from a system by analyzing the pattern of memory utilization or the electromagnetic outputs of the device that are emitted during the decryption process.

Researchers have also provided evidence that the same side channel attack also works against RSA-2048, which require moderately more computation than RSA-1024.

The research paper titled, 'Sliding right into disaster: Left-to-right sliding windows leak,' was authored by Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Christine van Vredendaal, Tanja Lange and Yuval Yarom.

Libgcrypt has released a fix for the issue in Libgcrypt version 1.7.8. Debian and Ubuntu have already updated their library with the latest version of Libgcrypt.

So, you are strongly advised to check if your Linux distribution is running the latest version of the Libgcrypt library.
0 x

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest