Research team finds a way to pickpocket OpenSSL-based devices

The academic preprint that made its public appearance a couple of days ago shows yet another vulnerability of the Bitcoin protocol.

To improve the protection of any system, one needs to know its fracture points, and the best way to find them is to attempt to break the system. The combined efforts of computer security researchers from The University of Adelaide (Australia) and the University of Bristol (UK) show that it is possible to use timing side channels to steal Bitcoin private keys.

Listening to the Thunder

In cryptography, side-channel attacks draw information not directly from the code but from patterns of physical behavior that accompany the operation of a cryptosystem. Different “weak spots” can be used: power consumption, data remanence, sound or even electromagnetic radiation. The preprint, however, examines a timing attack.

As its name suggests, this attack measures how much time certain calculations require. The closest real-life analogy is probably measuring the distance between you and a lightning bolt by counting the seconds between the flash and the thunder.

Of course, there are actions one can take when writing cryptographic code to prevent these attacks. However, as Björn Stein, Chief Technology Officer at Uptime Technologies, Ltd, remarked in his comments on the preprint: “It is difficult to ensure that any computer code is truly good, which is why responsible programmers avoid reinventing the wheel and use a widely-used cryptography library such as OpenSSL.”

Betraying Signature

To fully explain this attack’s principle of work, I must turn to Dr. Stein again, as I might make some misleading mistakes in the eyes of seasoned cryptographers.

“In this article, Benger et al. have demonstrated such a timing side-channel attack against elliptic curve signatures as implemented in the widely used OpenSSL library. Whenever you send Bitcoin or similar virtual currencies, you generate such a signature. And with few exceptions, you are likely using software building on OpenSSL to do it. If you do it on a modern x86 processor architecture, then Benger et al. have demonstrated a particularly efficient way to spy on your private Bitcoin key, claiming that often witnessing your computer calculating a mere 200 signatures is sufficient.”

Dr. Stein continues with the claim that the main trick is to run another program at the same time; that way, a perpetrator can make use of the fact that one program can affect the execution speed of the other. Usage of OpenSSL is widespread in general, regardless of CPU architecture. The paper is specific to the usage of OpenSSL on one particular architecture, but it is likely that other architectures, and possibly some other libraries, could have a similar problem.

No need to panic

Anyone who is not completely computer-illiterate knows that malware on his or her PC could steal valuable data such as private keys and bank account details. What this user may not know is that simply allowing another program to run on the computer in question is potentially a hole in his or her defenses.

However, Dr. Stein encourages us not to panic as the method of Benger et al., whilst very effective, still only works when a Bitcoin address is used many times. Many wallets already protect against such an attack by generating new Bitcoin addresses instead of reusing old ones. A casual user will typically not make enough transactions from the same Bitcoin address to be at risk today.

Nevertheless, those of you who accept donations on one public key for a long period of time are potential victims of the attack described in the publication.
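As an added illustration (not code from the preprint, OpenSSL or any wallet), the sketch below audits a spending history for the address reuse described above, counting one signature per spent input rather than per transaction. The address names, the transaction tuples and the rotation budget of 20 are assumptions made for the example; 200 is the figure from Dr. Stein's comment.

```python
from collections import Counter

PAPER_FIGURE = 200  # signatures the quoted comment says are often sufficient
BUDGET = 20         # assumed rotation policy, not a safety bound from the paper


def signatures_per_address(transactions):
    """Count signatures per address.

    Every spent input needs its own ECDSA signature from the key behind the
    address, so one transaction with five inputs yields five signatures.
    """
    counts = Counter()
    for _txid, input_addresses in transactions:
        counts.update(input_addresses)
    return counts


def audit(transactions, budget=BUDGET, paper_figure=PAPER_FIGURE):
    """Return {address: (count, status)} for every address that signed twice or more."""
    report = {}
    for address, n in signatures_per_address(transactions).items():
        if n >= paper_figure:
            report[address] = (n, "critical")  # at or past the quoted figure
        elif n >= budget:
            report[address] = (n, "rotate")    # move funds to a fresh address
        elif n > 1:
            report[address] = (n, "reused")    # worth watching
    return report


# Constructed sample history: (txid, [address of each spent input]).
SAMPLE = (
    [(f"tx-d{i}", ["addr-donations"] * 5) for i in range(46)]  # 230 signatures
    + [(f"tx-s{i}", ["addr-shop"]) for i in range(25)]         # 25 signatures
    + [
        ("tx-c1", ["addr-change-1", "addr-change-2"]),         # 1 signature each
        ("tx-c2", ["addr-savings", "addr-savings"]),           # 2 signatures
    ]
)

if __name__ == "__main__":
    for address, (n, status) in sorted(audit(SAMPLE).items()):
        print(f"{address:15} {n:4d} signatures  {status}")
```

The donation address reaches the quoted figure after only 46 transactions because each of them spends five inputs.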

The Paper

The academic preprint was prepared by Naomi Benger, Joop van de Pol, Nigel P. Smart and Yuval Yarom and can be freely accessed here.