针对 YubiKey 5 系列的 EUCLEAK 侧通道攻击

本文描述了对英飞凌科技公司密码库中侧通道漏洞的分析和利用，该密码库通常用于电子护照、加密货币钱包和智能汽车/家庭等各种安全系统中。该研究特别关注 FIDO 硬件令牌，例如流行的 YubiKey 5 系列。该研究揭示了椭圆曲线数字签名算法 (ECDSA) 的模块化逆函数的弱点，导致侧信道攻击可以提取敏感信息，包括 ECDSA 私钥。值得注意的是，该漏洞影响较旧和较新的英飞凌安全微控制器，例如固件版本低于 5.7 的 YubiKey 5 系列中发现的微控制器。尽管攻击需要对目标系统进行物理访问，以及专门的工具和专业知识，但用户应继续利用这些 FIDO 硬件身份验证令牌来提高针对网络钓鱼尝试的安全性。研究人员计划与英飞凌和其他利益相关者进一步合作，开发补丁并确保未来的高水平安全性。没有提供何时发布此潜在修复程序的时间表。

This paper describes an analysis and exploitation of a side-channel vulnerability within the Infineon Technologies' cryptographic library, which is commonly utilized in various secure systems such as electronic passports, crypto-currency wallets, and smart cars/homes. The research focuses specifically on FIDO hardware tokens like the popular YubiKey 5 series. The study reveals a weakness in the Modular Inverse function of the Elliptic Curve Digital Signature Algorithm (ECDSA), leading to a side-channel attack that can extract sensitive information, including the ECDSA private key. Notably, the vulnerability affects both older and newer Infineon Security Microcontrollers, like those found in YubiKey 5 Series with firmware version below 5.7. Although the attack requires physical access to the targeted system, as well as specialized tools and expertise, users should continue to utilize these FIDO hardware authentication tokens for added security against phishing attempts. The researchers plan to collaborate further with Infineon and other stakeholders to develop patches and ensure a high level of security moving forward. No timeline was provided for when this potential fix may be released.

Download the Writeup

Illustration Romain Flamand – Flamingo Studio – [email protected]

Abstract

Secure elements are small microcontrollers whose main purpose is to generate/store secrets and then execute cryptographic operations. They undergo the highest level of security evaluations that exists (Common Criteria) and are often considered inviolable, even in the worst-case attack scenarios. Hence, complex secure systems build their security upon them.

FIDO hardware tokens are strong authentication factors to sign in to applications (any web service supporting FIDO); they often embed a secure element and the FIDO protocol uses Elliptic Curve Digital Signature Algorithm (ECDSA for short) as its core cryptographic primitive. YubiKey 5 Series are certainly the most widespread FIDO hardware tokens, their secure element is an Infineon SLE78.

This document shows how – finding a JavaCard open platform (the Feitian A22) based on a similar Infineon SLE78 – we understood the Infineon ECDSA implementation, found a side-channel vulnerability and designed a practical side-channel attack. The attack is then demonstrated on a YubiKey 5Ci. Finally, we show that the vulnerability extends to the more recent Infineon Optiga Trust M and Infineon Optiga TPM security microcontrollers.

Our work unearths a side-channel vulnerability in the cryptographic library of Infineon Technologies, one of the biggest secure element manufacturers. This vulnerability – that went unnoticed for 14 years and about 80 highest-level Common Criteria certification evaluations – is due to a non constant-time modular inversion.

The attack requires physical access to the secure element (few local electromagnetic side-channel acquisitions, i.e. few minutes, are enough) in order to extract the ECDSA secret key. In the case of the FIDO protocol, this allows to create a clone of the FIDO device.

All YubiKey 5 Series (with firmware version below 5.7) are impacted by the attack and in fact all Infineon security microcontrollers (including TPMs) that run the Infineon cryptographic library (as far as we know, any existing version) are vulnerable to the attack. These security microcontrollers are present in a vast variety of secure systems – often relying on ECDSA – like electronic passports and crypto-currency hardware wallets but also smart cars or homes. However, we did not check (yet) that the EUCLEAK attack applies to any of these products.

Cautionary Note

Authentication tokens (like FIDO hardware devices) primary goal is to fight the scourge of phishing attacks. The EUCLEAK attack requires physical access to the device, expensive equipment, custom software and technical skills. Thus, as far as the work presented here goes, it is still safer to use your YubiKey or other impacted products as FIDO hardware authentication token to sign in to applications rather than not using one.

Discovered By

Thomas Roche (NinjaLab)

List of Impacted Products

All Infineon security microcontrollers embedding Infineon cryptographic library (any existing version). For instance, all existing versions of Infineon TPMs are affected.

All YubiKey 5 Series (with firmware version below 5.7)

Further Notes

1. The impacted Feitian A22 Javacard used in this work is an old product no more available for sale. All Feitian products currently available on their webstore (and based on an Infineon security microcontroller) use Feitian own cryptographic library, and are not impacted by our work to our knowledge.

2. The new YubiKey firmware 5.7 update (May 6th, 2024) switches the YubiKeys from Infineon cryptographic library to Yubico new cryptographic library. To our knowledge, this new cryptographic library is not impacted by our work.

3. Infineon has already a patch for their cryptographic library, to our knowledge it did not yet pass a Common Criteria certification evaluation.

CVE

We are still waiting for a CVE ID.