Structure-Based RSA Fault Attacks

  • Benjamin Michéle
  • Juliane Krämer
  • Jean-Pierre Seifert
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7232)


Fault attacks against cryptographic schemes as used in tamper- resistant devices have led to a vibrant research activity in the past. This area was recently augmented by the discovery of attacks even on the public key parts of asymmetric cryptographic schemes like RSA, DSA, and ECC. While being very powerful in principle, all existing attacks until now required very sophisticated hardware attacks to mount them practically - thus excluding them from being a critical break-once-run-everywhere attack.

In contrast, this paper develops a purely software-based fault attack against the RSA verification process. This novel attack consists in completely replacing the modulus by attacking the structures managing the public key material. This approach contrasts strongly with known attacks which merely change some bits of the original modulus by introducing hardware faults. It is important to emphasize that the attack described in this paper poses a real threat: we demonstrate the practicality of our new public key attack against the RSA-based verification process of a highly protected and widely deployed conditional access device - a set-top box from Microsoft used by many IPTV providers. Furthermore, we successfully applied our attack method against a 3G access point, leading to root access.


Fault attacks RSA signature verification public key cryptography 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The sorcerer’s apprentice guide to fault attacks. In: Proceedings of the IEEE 1994, pp. 370–382 (2006)Google Scholar
  2. 2.
    Biehl, I., Meyer, B., Müller, V.: Differential Fault Attacks on Elliptic Curve Cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  3. 3.
    Brier, E., Chevallier-Mames, B., Ciet, M., Clavier, C.: Why One Should Also Secure RSA Public Key Elements. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 324–338. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  4. 4.
  5. 5.
    Bushing, Marcan: Console Hacking 2008: Wii Fail (2008),
  6. 6.
    Chen, S., Xu, J., Sezer, E.C., Gauriar, P., Iyer, R.K.: Non-Control-Data Attacks Are Realistic Threats. In: USENIX Security Symposium, pp. 177–192 (2005)Google Scholar
  7. 7.
    Gueron, S., Seifert, J.-P.: Is It Wise to Publish Your Public RSA Keys? In: Breveglieri, L., Koren, I., Naccache, D., Seifert, J.-P. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 1–12. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  8. 8.
    Huang, A.: Hacking the Xbox. No Starch Press (2003)Google Scholar
  9. 9.
    Huang, A.: Xbox Hardware Hacking (2003),
  10. 10.
    ITU. Abstract Syntax Notation One (ASN.1): Specification of basic notation (ITU-T Recommendation X.680). International Telecommunications Union, Nov. 2208Google Scholar
  11. 11.
    Jonsson, J., Kaliski, B.: Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1. RFC 3447 (Informational) (February 2003)Google Scholar
  12. 12.
    Kelsey, J., Schneier, B., Wagner, D.: Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 237–251. Springer, Heidelberg (1996)Google Scholar
  13. 13.
    Kleinjung, T., et al.: Factorization of a 768-bit RSA modulus. Cryptology ePrint Archive, 2010/006Google Scholar
  14. 14.
    Knuth, D.E.: The Art of Computer Programming, 3rd edn., vol. 2. Addison-Wesley (1997)Google Scholar
  15. 15.
    Lenstra, A.K., Hendrik, J., Lenstra, W. (eds.): The development of the number field sieve. Lecture Notes in Mathematics, vol. 1554. Springer, Berlin (1993)zbMATHGoogle Scholar
  16. 16.
    Leyland, P.: The FAQ (1997),
  17. 17.
  18. 18.
    MIPS Technologies. MIPS32 Architecture (2008),
  19. 19.
    Mitre. Common Vulnerabilities and Exposures: CVE-2006-4339, RSA Signature Forgery (2006),
  20. 20.
    Muir, J.A.: Seiferts RSA fault attack: Simplified analysis and generalizations. IACR Eprint archive (2005)Google Scholar
  21. 21.
    Naccache, D., Nguyên, P.Q., Tunstall, M., Whelan, C.: Experimenting with Faults, Lattices and the DSA. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 16–28. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  22. 22.
    National Institute of Standards and Technology. Secure Hash Standard. Federal Information Processing Standard (FIPS) 180-1 (April 1993)Google Scholar
  23. 23.
    National Institute of Standards and Technology. NIST’s Policy on Hash Functions (2008),
  24. 24.
    Paar, C., Pelzl, J.: Understanding Cryptography. A Textbook for Students and Practitioners. Springer, Heidelberg (2010)zbMATHGoogle Scholar
  25. 25.
  26. 26.
    Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21, 120–126 (1978)MathSciNetzbMATHCrossRefGoogle Scholar
  27. 27.
    Seifert, J.-P.: On authenticated computing and RSA-based authentication. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, CCS 2005, pp. 122–127. ACM, New York (2005)CrossRefGoogle Scholar
  28. 28.
    Ubiquisys. Residential femtocells,
  29. 29.
    US-CERT. Vulnerability note vu#748355 (2002),
  30. 30.
    US-CERT. Technical cyber security alert ta04-041a (2004),
  31. 31.
    Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)Google Scholar
  32. 32.
    Zimmermann, P.: GMP-ECM,
  33. 33.
    Zimmermann, P.: Optimal parameters for ECM,

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Benjamin Michéle
    • 1
  • Juliane Krämer
    • 1
  • Jean-Pierre Seifert
    • 1
  1. 1.Security in TelecommunicationsTechnische Universität Berlin and Telekom Innovation LaboratoriesGermany

Personalised recommendations