Leak the Secret Key of Elgamal Encryption in Cryptopp via Rowhammer
68 views
Skip to first unread message
Junkai Liang
Feb 18, 2024, 10:32:22 AMFeb 18
to Crypto++ Users
Hi Team,
We are writing to report a potential security issue about the implementation of Elgamal Encryption in Cryptopp.
Specifically, we cloned Cryptopp-8.9 from cryptopp.com on February 1, 2024 and analyzed the source code of the Elgamal encryption scheme (more precisely, elgamal.h). Based on our analysis, its decryption implementation (Line 78 in elgamal.h}) is vulnerable to fault injection.
As you may know, Rowhammer is a software-induced DRAM fault, which can induce bit flips in main memory that runs a commodity system. In our attack scenario, a malicious user process co-resides in the same system with a victim process that runs the Elgamal decryption of Cryptopp. As both processes share the main memory, the adversary can induce bit flips to the secret key before it is used by the victim to decrypt a ciphertext, resulting in a faulty decryption message. With enough faulty decryption messages released, the adversary can recover/leak the secret key. For more details of the analysis and possible countermeasures, they are provided in the attached pdf.
Prior to this report, we have reported similar vulnerabilities in RSA encryption and EdDSA signature schemes implemented in WolfSSL. Its security team have acknowledged our findings, fixed RSA encryption via a commit and EdDSA signature via another commit.
We are writing to report a potential security issue about the implementation of Elgamal Encryption in Cryptopp.
Specifically, we cloned Cryptopp-8.9 from cryptopp.com on February 1, 2024 and analyzed the source code of the Elgamal encryption scheme (more precisely, elgamal.h). Based on our analysis, its decryption implementation (Line 78 in elgamal.h}) is vulnerable to fault injection.
As you may know, Rowhammer is a software-induced DRAM fault, which can induce bit flips in main memory that runs a commodity system. In our attack scenario, a malicious user process co-resides in the same system with a victim process that runs the Elgamal decryption of Cryptopp. As both processes share the main memory, the adversary can induce bit flips to the secret key before it is used by the victim to decrypt a ciphertext, resulting in a faulty decryption message. With enough faulty decryption messages released, the adversary can recover/leak the secret key. For more details of the analysis and possible countermeasures, they are provided in the attached pdf.
Prior to this report, we have reported similar vulnerabilities in RSA encryption and EdDSA signature schemes implemented in WolfSSL. Its security team have acknowledged our findings, fixed RSA encryption via a commit and EdDSA signature via another commit.
Before our reports to WolfSSL, RSA signature in both WolfSSL and OpenSSL has been proven to be vulnerable to Rowhammer-based attacks. WolfSSL tracked the RSA signature vulnerability via CVE-2019-19962. OpenSSL fixed it by a commit.
If you have any question or need more details, please let us know. We are looking forward to your reply. Thank you.
Best Regards,
Junkai Liang (Peking University)
Zhi Zhang (The University of Western Australia)
Xin Zhang (Peking University)
Qingni Shen (Peking University)
Best Regards,
Junkai Liang (Peking University)
Zhi Zhang (The University of Western Australia)
Xin Zhang (Peking University)
Qingni Shen (Peking University)
Junkai Liang
Feb 18, 2024, 10:45:05 AMFeb 18
to Crypto++ Users
The attach pdf is provided as following pictures because pdf cannot be uploaded in the group.
Reply all
Reply to author
Forward
0 new messages