“Three University of Michigan computer scientists say they have found a way to exploit a weakness in RSA security technology used to protect everything from media players to smartphones and ecommerce servers. RSA authentication is susceptible, they say, to changes in the voltage supply to a private key holder. The researchers – Andrea Pellegrini, Valeria Bertacco and Todd Austin – outline their findings in a paper titled “Fault-based attack of RSA authentication”, to be presented 10 March at the Design, Automation and Test in Europe conference.”
This kind of attack doesn’t break the algorithm, it exploits features of a physical implementation, meaning you need access to the hardware that implements the algorithm.
So these kinds of attacks mainly are a way to break DRM, they don’t affect e-commerce security.
If an attacker has physical access to the hardware that implements the security, hasn’t your security failed already?
Is this the same principle used to crack SSH in the earlier post?
This is the same story that was reported on in this thread: http://www.osnews.com/comments/22964
This about sums it up: http://www.osnews.com/thread?412272
This made a huge splash on Slashdot, but I’m not sure what the big deal is. As I understand it, their attack involves widely varying the voltage supplying the CPU that is manipulating the private key. A sane person would realize that the key being used is in memory, and probably also in a physical storage medium attached to that memory, and would not need to burn out the CPU by overvolting it.
What am I missing from this? Or are we really exaggerating a piece of nothing?
In the case of embedded devices, such as smart cards, it might be more convenient to fiddle with the power supply than to try and get access to the memory. But yes, the impact of this “security flaw” is widely exaggerated. The average Slashdot reader probably only gets “RSA is broken”, and that would be quite a story.
What we all really want to know is, do you get a blowjob while breaking it?