Weaknesses in current RSA signature schemes


Abstract

This work presents several classes of messages that leak data during modular exponentiation. Messages in these classes allow the entire secret exponent to be recovered from a single power measurement. We show that the padding schemes defined by industry standards such as PKCS#1 and ANSI X9.31 are vulnerable to side-channel attacks, since the padded values they produce fall into the classes we define. Although PKCS#1 states that there are no known attacks against RSASSA-PKCS1-v1_5, the EMSA-PKCS1-v1_5 encoding in fact makes the scheme vulnerable to side-channel analysis. These attacks were validated against a real-world smartcard system, the Infineon SLE78, running our proof-of-concept implementation. Additionally, we introduce methods for the elegant recovery of the full RSA private key from blinded RSA CRT exponents. © 2012 Springer-Verlag.

Citation

Krämer, J., Nedospasov, D., & Seifert, J. P. (2012). Weaknesses in current RSA signature schemes. In Lecture Notes in Computer Science, Vol. 7259, pp. 155–168. Springer-Verlag. https://doi.org/10.1007/978-3-642-31912-9_11
