Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Cryptographic Information Security. Show all posts

Intel and AMD CPU Trageted by the New 'Hertzbleed' Remote Side-Channel Attack

A group of academic researchers has found a potential side-channel method that uses a CPU timing hack to allow attackers to remotely retrieve critical information from a target network. The problem, which has been dubbed Hertzbleed by a team of researchers from the University of Texas, the University of Illinois Urbana-Champaign, and the University of Washington, is induced by dynamic voltage and frequency scaling (DVFS), power and thermal management feature used to conserve power and reduce the amount of heat generated by a chip.  

"Periodic CPU frequency adjustments depend on current CPU power usage under particular situations, and these adjustments immediately translate to execution time variations (since 1 hertz Equals 1 cycle per second)," the researchers stated. An intruder can exploit cryptographic software and get crucial cryptographic keys by analyzing these temporal differences – in some circumstances, even a remote attacker can detect the variances.

SIKE, or Supersingular Isogeny Key Encapsulation, a post-quantum key encapsulation technology utilized by firms like Microsoft and Cloudflare, was used to demonstrate the assault. In reaction to the discoveries, both AMD (CVE-2022-23823) and Intel (CVE-2022-24436) have released independent advisories, with the latter stating that Hertzbleed affects all Intel processors due to unauthorized access. 
There are no patches available. 

Intel has issued two customer advisories in response to the Hertzbleed attacks. All of Intel's chips are affected, as per the chipmaker. While no CPU firmware changes have been released, the company has provided cryptography recommendations for software developers to "harden its libraries and applications from frequency throttling information leaking."

Hertzbleed has been the subject of an AMD alert; several desktops, mobile, Chromebook, and server processors have been identified as being affected by the bug, as per the company. AMD has also recommended that software developers implement defenses.

It's not the first time that new data theft techniques from Intel chips have been discovered. Two Hertzbleed co-authors showed an "on-chip, cross-core" side-channel attack targeting Intel Coffee Lake and Skylake CPUs' ring interconnect in March 2021. The researchers stated, "The message is that current cryptography engineering approaches for writing constant-time code are no longer sufficient to guarantee constant-time execution of software on newer, variable-frequency CPUs."

Russian payment systems will switch to using domestic cryptographic information security tools by 2031


Russian payment systems will switch to using domestic cryptographic information security tools by 2031

Existing payment systems in Russia will have to switch to the use of cryptographic information protection tools of domestic production. This was announced by Ivan Kosyakin, chief engineer of the information security Department of the Bank of Russia, during his speech at the scientific and practical conference "Ruscrypto 2020" held in the Moscow region.

Thus, according to him, Russia's sovereignty in the field of information security for the needs of the banking sector will be increased. So, to achieve this goal, functional technical requirements for payment systems with a terminal core, hardware security modules, payment cards were approved in 2019.

In turn, as noted by Elena Mareeva, Deputy Director for scientific and technical development of Practical Security Systems, in January of this year, requirements for cryptographic information protection tools were approved, according to which automatic security modules used in payment systems must comply with the requirements of Federal Executive authorities and the Bank of Russia, as well as the provisions of international standards.

Moreover, on June 25, 2019, it became known that the technical Committee for standardization "Cryptographic information protection" (TC 26), which is managed by the FSB, has prepared draft recommendations on the use of domestic cryptographic algorithms in key protocols used to protect information on the Internet.

One of the documents contains a set of recommendations on the use of Russian cryptographic algorithms "Magma" and "Grasshopper", developed by the FSB.

According to Russian legislation, domestic crypto-algorithms must be used in information security media certified by the FSB and mandatory for use by state agencies in their electronic document management, and from 2024, according to the requirements of the Central Bank of the Russian Federation, they will become mandatory for use in payment systems.

Members of TC 26 claimed that the use of Russian algorithms will improve the security of data transfer. According to Smyshlyaev, director of information security at Crypto-PRO (part of TC 26), the Russian crypto sets of the TLS1.2 protocol, approved in 2018, unlike foreign ones, guarantee control of the amount of data encrypted on one key.