Earlier this week, the researchers at NinjaLab presented an incredible exploit they called Eucleak. They exploited a side-channel vulnerability in the Infineon SLE78 secure element to recover private keys given only about an hour of physical access to the chip. The SLE78 is one of the bestselling secure elements out there – these are the security chips inside Yubikeys, as well as some passports and crypto wallets.
This is a pretty shocking discovery; secure elements are supposed to be some of the most secure chips in existence, going through complex and comprehensive Common Criteria security evaluation and jam-packed with advanced security and anti-tamper technologies. So, what the hell happened? How did one of the most secure chips in the world get hacked?
The basics of the attack
The Eucleak attack targets a cryptographic algorithm called the Elliptic Curve Digital Signature Algorithm, or ECDSA.
The basic ECDSA looks like this. Don’t worry if you don’t understand every step – we’ll drill down on the part that matters later.
Pick an elliptic curve over a prime field of order N. That curve will have a base point G.
Create a private key, called d.
Hash the message to be signed, m, to create h = H(m).
Randomly generate a nonce, k.
Generate a point Q by multiplying G by k. Denote the x-coordinate of Q as r.
Compute your signature s = k-1(h + rd) mod N.
ECDSA is very common because it’s very convenient from an engineering perspective. For one, ECDSA keys and signatures are extremely compact – they’re both on the order of hundreds of bits. It’s also relatively fast to compute, especially given dedicated hardware for accelerating large integer multiplication.
Infineon’s SLE78 chips have such dedicated hardware. Normally, that’s a good thing. Dedicated hardware can incorporate all sorts of secure making techniques to prevent side-channel leakage. However, Infineon’s implementation had a major issue.
While ECDSA is elegant and simple, it’s also surprisingly fragile. Not only must the nonce k be kept entirely secret, but k must be random, unbiased, and always different for different signatures. If the attacker can recover even a couple bits of the nonce for multiple ECDSA signatures, the attacker can recover the entire private key.
The researchers at Ninjalab measured the electromagnetic radiation emitted by an SLE78 chip during ECDSA execution. You can clearly see the different parts of the algorithm show up as sections of high electromagnetic activity, corresponding to a lot of complex math happening on the chip. The majority of the execution is spent multiplying G by k, which is easily secured using a constant-time Montgomery ladder and base point randomization.
At the very end of the execution trace, we can see where the SLE78 calculated k-1 mod N, which corresponds to step 6 of the algorithm we outlined above. With some post-processing, the researchers identified that this an iterative operation, and counted up the number of iterations spent on modular inversion for different ECDSA signatures.
Shockingly, it turns out that the number of iterations was not constant! It turns out Infineon is using the Extended Euclidean Algorithm to perform modular inversion, which is not a constant time algorithm. This is pretty surprising; constant time modular inversion algorithms exist, but Infineon chose not to use them.
Instead, they used a cheaper side-channel countermeasure called blinding. Instead of computing the inverse of k, they compute the inverse of k’ = mk mod N, for a random positive integer m. m needs to be truly random, as any bias in m can end up leaking information about k, and compromising the security of the algorithm. Because of the cost of generating true random numbers, this countermeasure gets more expensive for larger values of m. It turns out that Infineon only uses a 32-bit m – and that’s how the researchers hacked these chips.
In theory, the mask can be recovered given k’ somewhat efficiently using an algorithm called Pollard’s kangaroo algorithm. In practice, Infineon’s 32-bit mask is short enough to be brute-forced. There are some additional side-channel leakages in the SLE78 that the researchers found as well; by combining all of the side-channel leakage information, the researchers were able to recover k’, brute force the mask, and recover the nonce, k. Then, the attacker can easily recover the private key.
Should you be worried?
Honestly, you probably should not be super worried about this as a user. This is a difficult attack to pull off. Measuring these electromagnetic side-channels requires disassembling the device, attaching measurement probes, and then reassembling the device without a user noticing.
Also, the primary devices affected are Yubikeys. To actually compromise a user account with this attack, an attacker would first need to successfully phish a user, steal their username and password, and then also compromise their Yubikey through physical access. As Ninjalab says: “it is still safer to use your YubiKey or other impacted products as FIDO hardware authentication token to sign in to applications rather than not using one.”
Finally, both Yubico and Infineon have released software patches to resolve this issue. If you have a device that’s affected, I’d recommend installing the patch when you get the chance.
How did this chip get certified?
There are times when I don’t blame hardware companies for security vulnerabilities. When Chris Tarnovsky cracked the SLE66, it took him months, and he destroyed many chips in the process. Besides, Tarnovsky is basically a one man nation-state adversary. For all practical purposes, Infineon’s chips were still secure.
But the Eucleak vulnerability is different. The vulnerability relies on a timing side-channel. Writing constant-time code is one of the first things you learn to do when developing low-level cryptographic software and hardware. Leaving a timing side-channel inside of a professionally developed secure element is, to put it bluntly, embarrassing. It’s embarrassing for Infineon, and it’s embarrassing for whoever certified this implementation.
Honestly, it’s a sign of what is essentially regulatory capture. One of the reasons Infineon and its peers like NXP and STMicroelectronics have such an unassailable presence in the field of secure elements is because they are very, very good at getting their products through Common Criteria standardization. These certification processes are complex, expensive, and very difficult for outsiders to get through. But apparently Infineon is so good at the standardization process that they can get vulnerable chips certified.
How can we do better?
Ultimately, this attack is further evidence that we can’t blindly trust security certifications. Infineon keeps all of their hardware and low-level software closed source, and relies on Common Criteria certifications to prove that their secure elements are truly secure. This is the exact opposite of the single most important tenet of cryptography, Kerckhoffs's principle. According to Kerckhoff’s principle, a system should be secure even if every piece of the system, except for its private key, is known to the attacker.
The bad news is that we can’t trust security certification. The good news is that there’s a way to build hardware that adheres to Kerckhoff’s principle. OpenTitan is a fully open-source secure element, and it’s changing the way secure hardware is designed, developed, and deployed. With OpenTitan, you don’t need to simply take Infineon’s word that their software and hardware is secure, you can just look at the hardware designs yourself. This means that side-channels can get caught and fixed by the community early, rather than being discovered by security researchers over a decade into a chip’s lifetime.