NinjaLab has revealed EUCLEAK, a side channel vulnerability in Infineon’s Elliptic Curve Digital Signature Algorithm (ECDSA) implementation that allows attackers to recover private keys from a few signatures. The vulnerability affects several products that use Infineon’s cryptographic library, including the YubiKey 5 hardware authentication device.
Physical access required — yet a serious threat
The EUCLEAK attack requires physical access to the device and involves opening the target to place an electromagnetic (EM) probe. While this makes a practical attack more difficult, the result is recovery of the ECDSA private key. In the case of FIDO 2FA tokens, this means an attacker could clone a victim’s token — though it’s important to note that the attacker would also need the victim’s username and password. In other scenarios, just having the ECDSA key may be sufficient for a full compromise.
However, using a hardware token like YubiKey, even one potentially vulnerable to side channel attacks, is still significantly more secure than relying on software-only authentication. Overall, it’s better to use a token without known vulnerabilities.
The attack in summary
Black-box attacks often involve extensive reverse engineering, so it pays to start with a similar target that has known parameters and fewer countermeasures in place. In this case, the initial investigation focused on profiling a programmable Feitian card that uses the same Infineon chip as the YubiKey. With the Feitian card, the researchers could set and control the ECDSA private key, giving them a clear baseline for analysis. In addition, NinjaLab first examined the ECDSA verification process, which generally runs without countermeasures since it handles no secrets. This contrasts with ECDSA signing, which uses the private key and therefore has built-in countermeasures.
Once they started looking at measurements of ECDSA, timing leakages became apparent after just a few traces, specifically in the modular inversion of the nonce k. This is very interesting because knowledge of k instantly gives away the ECDSA private key. The real challenge, however, was mapping the timing leakages to the bits of k.
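To make the leak concrete, here is an added illustration in plain Python (not NinjaLab's or Infineon's code) of why a textbook extended Euclidean inverse is a timing side channel: both the number of loop iterations and the size of each quotient depend on the value being inverted. Next to it is an inverse with the fixed control-flow shape a hardened implementation aims for. The modulus is the secp256k1 group order, chosen only because it is a public 256-bit prime; the page does not name the curve the affected products use.

```python
# Added illustration, not NinjaLab's or Infineon's code: the extended
# Euclidean algorithm (EEA) has secret-dependent control flow, which is what a
# timing/EM side channel observes. Python big-int arithmetic is not constant
# time either; only the control-flow shape is the point here.

# secp256k1 group order, used only as a realistic 256-bit prime modulus
# (assumption: the page does not say which curve the affected products use).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def eea_inverse_with_trace(a, n):
    """Inverse of a mod n via the extended Euclidean algorithm.

    Returns (inverse, trace). Each trace entry is the bit-length gap between the
    two remainders at the start of an iteration, i.e. roughly the size of the
    quotient computed in that iteration. The length of the trace and the values
    in it both depend on the secret input a.
    """
    r0, r1 = n, a % n
    s0, s1 = 0, 1
    trace = []
    while r1 != 0:
        trace.append(r0.bit_length() - r1.bit_length())
        q = r0 // r1                      # secret-dependent division
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("input has no inverse modulo n")
    return s0 % n, trace


def fermat_inverse(a, n):
    """Inverse of a mod prime n computed as a^(n-2) mod n.

    The square-and-multiply loop runs exactly (n-2).bit_length() times for every
    input, and the multiplication is always performed; the result is selected
    arithmetically instead of by a data-dependent branch.
    """
    e = n - 2
    base = a % n
    result = 1
    for i in range(e.bit_length() - 1, -1, -1):
        result = result * result % n
        multiplied = result * base % n
        bit = (e >> i) & 1
        result = bit * multiplied + (1 - bit) * result
    return result


def iteration_counts(values, n):
    """Number of EEA iterations per candidate input: a quick view of the
    input dependence an attacker can observe."""
    return {v: len(eea_inverse_with_trace(v, n)[1]) for v in values}


if __name__ == "__main__":
    for v in (1, 2, 123456789):
        inv, trace = eea_inverse_with_trace(v, N)
        print(v, "EEA iterations:", len(trace), "trace:", trace[:6],
              "matches Fermat:", inv == fermat_inverse(v, N))
```

Inverting 1 takes a single EEA iteration, inverting 2 takes two, and a random 256-bit value takes on the order of a hundred and fifty, with a different quotient pattern each time; the Fermat loop always performs the same 256 squarings and multiplications. The countermeasure the paper's findings point toward is the second shape (or a properly blinded inversion), not a faster EEA.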
The brute-force journey
To decode the leakage, one must first know which algorithm one is looking at. NinjaLab used trial and error to match their observations against candidate algorithms. After much analysis, the researchers identified the Extended Euclidean Algorithm (EEA) and the division it relies on as the vulnerable components. Without going into the details, the leakage let them distinguish by how many bits two intermediate values (r0 and r1 in the paper) differ, the sign of another intermediate (r), and whether an intermediate (l) is 0.
Each ECDSA trace revealed a series of these constraints, because EEA and division run in nested loops. Using this information, NinjaLab built a set of templates for these behaviors from an ECDSA verification and matched them to the ECDSA signing operation, effectively turning it into a Simple Power Analysis (SPA) template attack.
Since this approach only recovers a set of constraints rather than the full value of k, the researchers ran multiple (partial) EEA simulations to match candidates for k against their observations. As it turns out, this recovered not k but k’, a masked version of k. An important detail here is that k was masked with only 32 bits of randomness.
To unmask k’ and recover k, NinjaLab used Pollard’s Kangaroo algorithm instead of brute-forcing the entire keyspace. To cope with classification errors, they gathered multiple EM traces, using the redundancy to raise the success rate. With k in hand, they could calculate the ECDSA private key.
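The last step, going from the nonce to the private key, is plain algebra, and it is the reason the whole attack chain matters. The following added worked example (not NinjaLab's, Infineon's or Yubico's code) signs one message with pure-Python affine arithmetic on secp256k1, checks that the signature verifies, and then recovers the private key from the signature plus the nonce alone. The curve is an assumption made because its parameters are public; the key, hash and nonce values are constructed for the demonstration.

```python
# Added worked example, not NinjaLab's or the vendor's code: once the ECDSA
# nonce k of a single signature is known, the private key d follows directly.
import hashlib

# secp256k1 parameters (assumption: a public curve used only for illustration;
# the page does not name the curve the affected products use).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Plain double-and-add: fine for a demo, not side-channel safe."""
    result = None
    addend = point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def sign(d, h, k):
    """ECDSA signature of hash h under private key d with nonce k."""
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (h + r * d) % N   # the inversion the attack targets
    return r, s


def verify(q, h, r, s):
    """Standard ECDSA verification against public key q."""
    w = pow(s, -1, N)
    x = point_add(scalar_mult(h * w % N, G), scalar_mult(r * w % N, q))
    return x is not None and x[0] % N == r


def private_key_from_nonce(h, r, s, k):
    """From s = k^-1 (h + r d) mod N it follows that d = r^-1 (s k - h) mod N.
    Only k mod N is needed, and a single signature suffices."""
    return pow(r, -1, N) * (s * k - h) % N


# Constructed demo values (not from the paper).
D_DEMO = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
H_DEMO = int.from_bytes(hashlib.sha256(b"constructed challenge").digest(), "big") % N
K_DEMO = 0x5F2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F00F


def demo():
    """Sign once, confirm the signature verifies, then show that the nonce
    alone yields the private key. Returns (verifies, key_recovered)."""
    q = scalar_mult(D_DEMO, G)
    r, s = sign(D_DEMO, H_DEMO, K_DEMO)
    recovered = private_key_from_nonce(H_DEMO, r, s, K_DEMO)
    return verify(q, H_DEMO, r, s), recovered == D_DEMO


if __name__ == "__main__":
    print("signature verifies, private key recovered from nonce:", demo())
```

The point for defenders is that nothing about the signature itself is weak: the public key, the hash and the signature are all as they should be, and verification passes. The secret that must never leak through timing, power or EM is k, because every other quantity in the formula is public.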
What comes next?
We all know that attacks never get worse; they only improve. Therefore, it is interesting to consider what improvements to the attack could look like:
- Single-trace attacks: With more sophisticated signal processing, the attack could be refined to require just a single trace, increasing the practicality of the method.
- Minimally invasive probing: It may be possible to perform the attack with only a small hole in the device, which could be sealed afterward, leaving minimal evidence.
- Power side channel attacks: In the worst case, the attack could evolve into a VCC-based attack, where the device is simply plugged into an acquisition box for a few minutes to collect the necessary data with no physical modifications or evidence.
Public response
Yubico has issued a statement addressing the vulnerability. CVE-2024-45678 has been assigned to this issue, with more details available in the National Vulnerability Database.
Recognizing NinjaLab’s contributions
We would like to commend the research conducted by NinjaLab. Their work has been a valuable contribution to the security landscape.