Applus+ Laboratories found that OP-TEE is vulnerable to the Bellcore attack when subjected to fault injection / glitching attacks.
A common way to speed up RSA calculations is to use the Chinese Remainder Theorem (CRT). This optimization is also used in LibTomCrypt, which is currently the default software crypto library in OP-TEE. In short, with CRT you operate on the individual prime factors ‘p’ and ‘q’ separately and later combine the two partial results into the final result, instead of doing the exponentiation modulo N directly. However, this also means that if something goes wrong in the intermediate calculation for ‘p’ or ‘q’, the private key can be completely recovered by anyone who also has access to a valid signature for the same message. I.e. it is the combination of a valid and an invalid signature that makes it possible to recover the private key.
The important thing is to never return an incorrect signature to the caller. LibTomCrypt already has mitigations for this: the flag LTC_RSA_CRT_HARDENING enables code that checks that the signature is indeed valid before returning it to the user, and the flag LTC_RSA_BLINDING mixes a random prime number into the intermediate calculations. OP-TEE has not had those flags enabled by default in the past, and when enabling them some code was missing related to random number generation for big numbers (mpanum).
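As an added illustration (not code from this advisory, OP-TEE or LibTomCrypt), the Python below sketches RSA-CRT signing, the self-check and blinding that the two LTC flags turn on, and why a faulty signature must never leave the signer. The key is a constructed toy key, far too small for real use, and crt_sign, crt_sign_hardened and factor_from_faulty are hypothetical names.

```python
import math
import secrets

# Constructed toy RSA key: two small primes p and q (not a real key).
P, Q = 1000003, 999983
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
# CRT private components, as a CRT implementation stores them (dP, dQ, qInv).
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)

def crt_sign(m, fault=False):
    """RSA-CRT signature of integer m < N. With fault=True one bit of the
    intermediate 'sq' is flipped, simulating a glitch while the q-half is
    computed; the p-half stays correct (the Bellcore fault model)."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sq ^= 1
    h = (QINV * (sp - sq)) % P
    return sq + h * Q  # Garner recombination of the two halves

def crt_sign_hardened(m, fault=False):
    """Hardened signer: what LTC_RSA_CRT_HARDENING and LTC_RSA_BLINDING
    stand for. The message is blinded with a random r (sign m*r^e, unblind
    with 1/r) so intermediates are not a function of m alone, and the result
    is re-verified with the public exponent before it is returned."""
    r = secrets.randbelow(N - 2) + 2
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    blinded = (m * pow(r, E, N)) % N
    s = (crt_sign(blinded, fault) * pow(r, -1, N)) % N
    if pow(s, E, N) != m % N:
        # Never hand a signature that does not verify back to the caller.
        raise ValueError("signature failed self-check; not returned")
    return s

def factor_from_faulty(s_good, s_bad):
    """Why returning the faulty value is fatal: the p-half of both
    signatures agrees, so s_good - s_bad is a multiple of p and the gcd
    with N reveals a private factor."""
    return math.gcd(s_good - s_bad, N)
```
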
Patches
optee_os.git
- ltc: Implement mp_rand for mpa_desc (13c9b83)
- ltc: Enable RSA_CRT_HARDENING and RSA_CRT_BLINDING (93b0a70)
Workarounds
N/A
References
OP-TEE ID
OP-TEE-2016-0002
Reported by
Applus+ Laboratories
For more information
For more information regarding the security incident process in OP-TEE, please read the information that can be found when going to the "Security" page at https://www.trustedfirmware.org.