Util::Lookup: Exploiting key decoding in cryptographic libraries
Florian Sieck, Sebastian Berndt, Jan Wichelmann, Thomas Eisenbarth

TL;DR
This paper reveals that utility functions in cryptographic libraries, especially base64 decoding, can leak sensitive information and are exploitable even in trusted environments, with recent countermeasures sometimes easing attacks.
Contribution
It identifies and demonstrates the exploitability of utility functions in cryptographic libraries, showing how they leak information and can be attacked with minimal traces.
Findings
Base64 decoding functions leak sufficient information for key recovery.
Recent countermeasures to transient attacks can facilitate these leaks.
Complete RSA key recovery is feasible with optimized side-channel attacks.
Abstract
Implementations of cryptographic libraries have been scrutinized for secret-dependent execution behavior exploitable by microarchitectural side-channel attacks. To prevent unintended leakages, most libraries moved to constant-time implementations of cryptographic primitives. There have also been efforts to certify libraries for use in sensitive areas, like Microsoft CNG and Botan, with specific attention to leakage behavior. In this work, we show that a common oversight in these libraries is the existence of utility functions, which handle and thus possibly leak confidential information. We analyze the exploitability of base64 decoding functions across several widely used cryptographic libraries. Base64 decoding is used when loading keys stored in PEM format. We show that these functions by themselves leak sufficient information even if libraries are executed in trusted…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Cryptographic Implementations and Security
