Structure-Based RSA Fault Attacks

Fault attacks against cryptographic schemes as used in tamper-resistant devices have led to a vibrant research activity in the past. This area was recently augmented by the discovery of attacks even on the public key parts of asymmetric cryptographic schemes like RSA, DSA, and ECC. While being very powerful in principle, all existing attacks until now required very sophisticated hardware attacks to mount them practically – thus excluding them from being a critical break-once-runeverywhere attack. In contrast, this paper develops a purely software-based fault attack against the RSA verification process. This novel attack consists in completely replacing the modulus by attacking the structures managing the public key material. This approach contrasts strongly with known attacks which merely change some bits of the original modulus by introducing hardware faults. It is important to emphasize that the attack described in this paper poses a real threat: we demonstrate the practicality of our new public key attack against the RSA-based verification process of a highly protected and widely deployed conditional access device – a settop box from Microsoft used by many IPTV providers. Furthermore, we successfully applied our attack method against a 3G access point, leading to root access.