Chip Bug Could Compromise RSA-based Security Systems


Modern microprocessor chips have become increasingly complex, which also increases the likelihood that there will be undetected errors, Shamir wrote in a note circulated to a small group of colleagues. The content of the note was first reported by the New York Times.

In this particular situation, a subtle math error could make it possible for an attacker to break protections for some electronic messages, Shamir wrote. Using an approach called public key cryptography, a message can be scrambled using a publicly known number and then unscrambled with a privately held number, a technology that allows two people who have never met to exchange information securely.

If an intelligence organization discovered a math error in the widely used chip, then "any key in any RSA-based security program running on any one of the millions of PCs that contain this microprocessor can be trivially broken with a single chosen message," Shamir wrote.

He also stated that with the new bug attack, the target PC could be located at a secure location "half a world away," and that "the attacker has no way of influencing its operating environment in order to trigger a fault. In addition, millions of PCs can be attacked simultaneously, without having to manipulate the operating environment of each one of them individually."


Paul Kocher, president of Cryptography Research, a San Francisco-based consulting and design firm, said via e-mail that the note focused on data input which could be submitted to a device that essentially "tickled" a bug. "The adversary would then be able to submit the chosen input to vulnerable systems and analyze the defective computation result to find cryptographic secrets," he said.

In the past, this security risk has been demonstrated in incidents like the detection of an obscure division bug in Intel's Pentium microprocessor in the mid-1990s, and in a multiplication bug in Microsoft's Excel spreadsheet program, Shamir wrote.

"Adi's note isn't a new mathematical result; attacks that exploit defective computations have been known for quite a long time," Kocher wrote. "However, the exploitation scenario where someone uses (possibly intentionally placed) obscure defects to trigger the problem is interesting since it elegantly illustrates why security can be so difficult to achieve."

Kocher said that there are several strategies for correcting the problem, such as checking cryptographic computations.
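As an added example (not from the article, and not code from Cryptography Research or any vendor), the check Kocher refers to in the form it usually takes for RSA signatures: sign, then verify the result with the public key before releasing it, so a defective multiplication yields a refusal rather than a usable faulty signature. The toy key, the chosen message and the simulated hardware defect are all constructed for the demonstration.

```python
# Added example, not from the article: an RSA signer that checks its own
# result with the public key before releasing it, so a defective
# multiplication produces a refusal instead of a leaked faulty signature.
# Key, chosen message and the simulated hardware defect are all constructed.

# Constructed toy key (real keys use 2048-bit moduli).
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

# Message that "tickles" the simulated defect: its first squaring is
# exactly the operand pair the faulty multiplier gets wrong.
CHOSEN = 0xC0FFEE

def correct_mul(a, b):
    return a * b

def buggy_mul(a, b):
    """Simulated obscure defect: exact on every operand pair except one,
    where the low bit of the product is flipped."""
    return (a * b) ^ 1 if (a, b) == (CHOSEN, CHOSEN) else a * b

def modexp(base, exp, mod, mul):
    """Square-and-multiply with a pluggable multiplier, so the same code
    runs on the 'good' and on the 'defective' hardware."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = mul(result, base) % mod
        base = mul(base, base) % mod
        exp >>= 1
    return result

def sign_unchecked(m, mul):
    """Naive signer: whatever the hardware computes is released."""
    return modexp(m, D, N, mul)

def sign_checked(m, mul):
    """Hardened signer: verify with the public exponent (on the same
    hardware, which is cheap since E is small) and release nothing if
    the result does not check out."""
    s = modexp(m, D, N, mul)
    return s if modexp(s, E, N, mul) == m else None

if __name__ == "__main__":
    print("good hw, unchecked:", sign_unchecked(CHOSEN, correct_mul))
    print("bad hw,  unchecked:", sign_unchecked(CHOSEN, buggy_mul))
    print("bad hw,  checked  :", sign_checked(CHOSEN, buggy_mul))
```

On the defective multiplier the unchecked signer hands out a wrong signature, which is exactly the defective computation result an adversary would analyze; the checked signer returns None for the chosen message and still signs ordinary messages correctly.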

Shamir warned that because the exact workings of microprocessor chips are protected by government trade laws, it is almost impossible to ascertain that they have been designed correctly. Shamir told the New York Times that so far he had no knowledge of anyone using the described attack.