Trusted Platform Module (TPM) serves as a hardware-based root of trust that protects cryptographic keys from privileged system and physical adversaries. In this work, we perform a black-box timing analysis of TPM 2.0 devices deployed on commodity computers. Our analysis reveals that some of these devices feature secret-dependent execution times during signature generation based on elliptic curves. In particular, we discovered timing leakage on an Intel firmware-based TPM as well as a hardware TPM. We show how this information allows an attacker to apply lattice techniques to recover 256-bit private keys for ECDSA and ECSchnorr signatures. On Intel fTPM, our key recovery succeeds after about 1,300 observations and in less than two minutes. Similarly, we extract the private ECDSA key from a hardware TPM manufactured by STMicroelectronics, which is certified at Common Criteria (CC) EAL 4+, after fewer than 40,000 observations. We further highlight the impact of these vulnerabilities by demonstrating a remote attack against a StrongSwan IPsec VPN that uses a TPM to generate the digital signatures for authentication. In this attack, the remote client recovers the server’s private authentication key by timing only 45,000 authentication handshakes via a network connection.

The vulnerabilities we have uncovered emphasize the difficulty of correctly implementing known constant-time techniques, and show the importance of evolutionary testing and transparent evaluation of cryptographic implementations. Even certified devices that claim resistance against attacks require additional scrutiny by the community and industry, as we learn more about these attacks.
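The leakage class the abstract describes, secret-dependent execution time during elliptic-curve signing, comes down to a scalar multiplication k*G whose amount of work follows the nonce k. The model below is an added example, not code from the paper or its authors: it implements P-256 point arithmetic in plain Python and compares a double-and-add loop that runs over exactly k.bit_length() bits (so a nonce with leading zero bits finishes early) against a version that pads the nonce to a fixed 257-bit length and runs a Montgomery ladder, whose operation count is identical for every nonce. Operation counts stand in for the wall-clock timings a black-box analysis would measure; the P-256 constants and the padding-plus-ladder mitigation are assumptions of this model, not a description of any vendor's firmware or patch.

```python
"""Toy model of nonce-length-dependent work in EC scalar multiplication.

Leaky path: double-and-add over k.bit_length() bits (work reveals nonce length).
Hardened path: pad k to a fixed bit length, then a Montgomery ladder with one
add and one double per bit (work is constant). Operation counts model time.
"""
import random

# NIST P-256 domain parameters (public constants, assumed as the signing curve).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None        # point at infinity
FIXED_BITS = 257  # bit length every padded scalar is forced to


class OpCounter:
    """Counts group operations; a stand-in for measured signing time."""
    def __init__(self):
        self.ops = 0


def point_double(pt, ctr):
    if pt is INF:
        return INF
    x1, y1 = pt
    ctr.ops += 1
    lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    x3 = (lam * lam - 2 * x1) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_add(p1, p2, ctr):
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        return INF if (y1 + y2) % P == 0 else point_double(p1, ctr)
    ctr.ops += 1
    lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult_leaky(k, pt, ctr):
    """Left-to-right double-and-add over exactly k.bit_length() bits.

    Leading zero bits of the nonce skip whole iterations, so the count
    (and real execution time) depends on the secret: ops = bits + weight - 2.
    """
    acc = INF
    for i in range(k.bit_length() - 1, -1, -1):
        acc = point_double(acc, ctr)
        if (k >> i) & 1:
            acc = point_add(acc, pt, ctr)
    return acc


def fixed_length_scalar(k):
    """Return k + N or k + 2N, always FIXED_BITS long; N*G = INF so k'*G == k*G."""
    kp = k + N
    if kp.bit_length() < FIXED_BITS:
        kp += N
    assert kp.bit_length() == FIXED_BITS
    return kp


def scalar_mult_ladder(k, pt, ctr):
    """Montgomery ladder over the padded scalar: one add and one double per bit."""
    kp = fixed_length_scalar(k)
    r0, r1 = pt, point_double(pt, ctr)  # top bit of kp is always 1
    for i in range(FIXED_BITS - 2, -1, -1):
        if (kp >> i) & 1:
            r0, r1 = point_add(r0, r1, ctr), point_double(r1, ctr)
        else:
            r0, r1 = point_double(r0, ctr), point_add(r0, r1, ctr)
    return r0


def profile(bit_lengths, seed=1):
    """Operation counts for constructed nonces of the given bit lengths.

    Returns {bitlen: (leaky_ops, ladder_ops)}; both paths must agree on k*G.
    """
    rng = random.Random(seed)
    out = {}
    for b in bit_lengths:
        k = rng.getrandbits(b - 1) | (1 << (b - 1))  # exactly b bits
        k = min(k, N - 1)
        c_leaky, c_ladder = OpCounter(), OpCounter()
        assert scalar_mult_leaky(k, G, c_leaky) == scalar_mult_ladder(k, G, c_ladder)
        out[b] = (c_leaky.ops, c_ladder.ops)
    return out


if __name__ == "__main__":
    for bits, (leaky, ladder) in profile([256, 248, 224, 200]).items():
        print(f"nonce bits={bits:3d}  leaky ops={leaky:3d}  ladder ops={ladder:3d}")
```

Running it shows the leaky column shrinking with the nonce's bit length while the ladder column stays at 513 for every nonce, which is the property a constant-time test on a signing implementation should check: collect timings for many signatures, group them by nonce length (known to the tester but not to a remote observer), and confirm that the groups are indistinguishable.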