| Title | Local side channel attack on RSA |
|-------|----------------------------------|
| Date | 7th of July, 2021 |
| Affects | All versions of Mbed TLS |
| Impact | A powerful local attacker can extract the private key |
| Credit | Zili Kou, Wenjian He, Sharad Sinha, and Wei Zhang |
The modular exponentiation operation in RSA uses a sliding window algorithm, with a memory access pattern that depends on the bits of the secret key.
Exponent blinding is used as a countermeasure: it prevents an attacker from correlating information gathered across successive operations. However, the researchers found a way to recover enough information by observing a single operation, thereby bypassing this countermeasure.
An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) can recover the private keys used in RSA.
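The following is an added example and not Mbed TLS code; it uses a fixed 4-bit window on toy 64-bit modular arithmetic (with a GCC/Clang 128-bit intermediate) rather than the multi-precision sliding window of the real implementation, but the property at issue is the same: the address read from the precomputed table is decided by the exponent window. The `access_log_t` counter stands in for what a cache-timing observer sees. `expmod_leaky` indexes the table directly, so the log reproduces the exponent windows; `expmod_ct` reads every table entry and keeps the wanted one with a branch-free mask, so every window touches the same set of addresses.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not Mbed TLS code. Modular arithmetic is done on 64-bit
 * integers with a GCC/Clang 128-bit intermediate so the table-access pattern
 * is easy to see; real RSA uses multi-precision numbers (mbedtls_mpi). */
#define WBITS 4
#define TSIZE (1u << WBITS)
#define NWINDOWS (64 / WBITS)

/* Counts how many times each precomputed-table index was read. This stands in
 * for what a cache-timing observer learns: which table entry's memory is touched. */
typedef struct { unsigned index_reads[TSIZE]; } access_log_t;

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) {
    return (uint64_t)(((unsigned __int128)a * b) % n);
}

/* table[i] = base^i mod n for i = 0 .. TSIZE-1 */
static void precompute(uint64_t base, uint64_t n, uint64_t table[TSIZE]) {
    table[0] = 1 % n;
    for (unsigned i = 1; i < TSIZE; i++) table[i] = mulmod(table[i - 1], base, n);
}

/* Reads every entry and keeps the wanted one with a branch-free mask, so the
 * set of addresses touched is the same whatever the window value is. */
static uint64_t ct_select(const uint64_t table[TSIZE], unsigned w, access_log_t *log) {
    uint64_t out = 0;
    for (unsigned i = 0; i < TSIZE; i++) {
        uint64_t diff = (uint64_t)(i ^ w);
        uint64_t mask = ((diff | (0 - diff)) >> 63) - 1;  /* all-ones iff diff == 0 */
        out |= table[i] & mask;
        if (log) log->index_reads[i]++;
    }
    return out;
}

/* Left-to-right fixed-window exponentiation. The only difference between the
 * two variants is how the table entry is fetched: ct == 0 indexes directly
 * (the window value decides which address is read), ct == 1 uses ct_select. */
static uint64_t expmod_window(uint64_t base, uint64_t exp, uint64_t n, int ct, access_log_t *log) {
    uint64_t table[TSIZE];
    precompute(base, n, table);
    uint64_t r = 1 % n;
    for (int i = 64 - WBITS; i >= 0; i -= WBITS) {
        for (unsigned k = 0; k < WBITS; k++) r = mulmod(r, r, n);  /* r = r^(2^WBITS) */
        unsigned w = (unsigned)((exp >> i) & (TSIZE - 1));         /* next 4 exponent bits */
        uint64_t t;
        if (ct) {
            t = ct_select(table, w, log);
        } else {
            if (log) log->index_reads[w]++;  /* the address read reveals w */
            t = table[w];
        }
        r = mulmod(r, t, n);
    }
    return r;
}

uint64_t expmod_leaky(uint64_t base, uint64_t exp, uint64_t n, access_log_t *log) { return expmod_window(base, exp, n, 0, log); }
uint64_t expmod_ct(uint64_t base, uint64_t exp, uint64_t n, access_log_t *log) { return expmod_window(base, exp, n, 1, log); }

/* Plain square-and-multiply reference, used only to check the results. */
uint64_t expmod_ref(uint64_t base, uint64_t exp, uint64_t n) {
    uint64_t r = 1 % n, b = base % n;
    while (exp) { if (exp & 1) r = mulmod(r, b, n); b = mulmod(b, b, n); exp >>= 1; }
    return r;
}

int main(void) {
    uint64_t exp = 0x0000000000000F3AULL;  /* constructed sample exponent */
    access_log_t leaky = {{0}}, ct = {{0}};
    expmod_leaky(5, exp, 1000000007ULL, &leaky);
    expmod_ct(5, exp, 1000000007ULL, &ct);
    printf("index: "); for (unsigned i = 0; i < TSIZE; i++) printf("%3u", i); printf("\n");
    printf("leaky: "); for (unsigned i = 0; i < TSIZE; i++) printf("%3u", leaky.index_reads[i]); printf("\n");
    printf("ct:    "); for (unsigned i = 0; i < TSIZE; i++) printf("%3u", ct.index_reads[i]); printf("\n");
    return 0;
}
```

Running `main` prints a read count per table index: the leaky row is a histogram of the exponent's windows (for the sample exponent, indices 0, 3, 10 and 15 are the only ones touched), whereas the constant-time row reads every index exactly once per window. Exponent blinding would change which indices appear from one call to the next, but not the fact that a single call's pattern encodes that call's exponent, which is why the fix has to be in the table access itself.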
Affected users will want to upgrade to Mbed TLS 3.0.0, 2.27.0 or 2.16.11 depending on the branch they're currently using.