NinjaLab Security Researchers have developed a new attack side channel (CVE-2021-3011) to clone ECDSA keys stored on USB tokens based on NXP chips.
El ataque demonstrated for Google Titan two-factor authentication tokens based on the NXP A700X chip, but theoretically applies to Yubico and Feitian crypto tokens using the same chip.
The proposed method allows an attacker to recreate the ECDSA keys stored in the token based on the data obtained through the analysis of the electromagnetic signal emitted by the token during the generation of digital signatures.
Researchers have shown that the electromagnetic signal correlates with the ephemeral key information from ECDSA, which is sufficient to retrieve the secret key using machine learning techniques.
In particular, the nature of the signal change allows information about individual bits to be extracted during multiplication by a scalar in operations with an elliptic curve.
For ECDSA, define even a few bits with information over initialization vector (nonce) it is enough to perform an attack and sequentially recover the entire private key. To recover the secret key in the Google Titan token, it is enough to analyze about 6.000 digital signature operations based on the ECDSA key used for FIDO U2F two-factor authentication when connecting to a Google account.
To find weaknesses in the algorithm implementation ECDSA on NXP ECDSA chips, an open platform was used for creating NXP J3D081 (JavaCard) smart cards, which is very similar to NXP A700X chips and uses identical cryptographic library, but at the same time provides more opportunities to study the operation of the ECDSA engine. To retrieve the JavaCard key, it was enough to analyze about 4000 operations.
To carry out an attack, you must have physical access to the token, that is, the token must be available for the attacker to investigate for a long time. In addition, the chip is armored with an aluminum screen, so the case must be disassembled, which makes it difficult to hide traces of the attack, for example, Google Titan tokens are sealed in plastic and cannot be disassembled without visible traces. (As an option, it is proposed to print on a 3D printer of the new housing).
It takes approximately 6 hours to retrieve the key of a FIDO U2F account and requires approximately 4 more hours to disassemble and assemble the token.
The attack also requires quite expensive equipment, which cost around 10 euros, microcircuit reverse engineering skills and special software that is not publicly distributed (the possibility of the attack is confirmed by Google and NXP).
During the attack, Langer ICR HH 500-6 measurement complex used to test microcircuits for electromagnetic compatibility, the Langer BT 706 amplifier, the Thorlabs PT3 / M micromanipulator with 10 μm resolution and the PicoScope 6404D four-channel oscilloscope.
As a method implemented on the server side for partial protection against the use of cloned tokens for two-factor authentication, it is proposed to use the counter mechanism described in the FIDO U2F specification.
The FIDO U2F standard initially implies the presence of a single set of keys, which is due to the fact that the protocol supports only two basic operations: registration and authentication.
At the registration stage, a new key pair is generated, the private key is stored in a token and the public key is transmitted to the server.
The token-side authentication operation creates an ECDSA digital signature for the data transmitted by the server, which can then be verified on the server using the public key. The private key always remains in the token and cannot be copied, so if a new token needs to be bound, a new key pair is created and the old key is placed in the list of revoked keys.