Security Researchers from NinjaLab developed a new kind of side-channel attack (CVE-2021-3011 ), which allows you to clone ECDSA keys stored in USB tokens based on NXP chips. The attack was demonstrated for two-factor authentication tokens Google Titan based on the chip NXP A700X , but theoretically applicable for Yubico and Feitian crypto tokens using the same chip.
The proposed method allows an attacker to recreate the ECDSA keys stored in the token based on the data received through the analysis of the electromagnetic signal emitted by the token during the generation of digital signatures. Researchers have shown that the electromagnetic signal correlates with ECDSA’s ephemeral key information, which is sufficient for key recovery using machine learning techniques. To recover the secret key in the Google Titan token, it is enough to analyze about 6,000 digital signature operations based on the ECDSA key used for FIDO U2F two-factor authentication when connecting to a Google account.
To find weaknesses in the implementation of the ECDSA algorithm in NXP ECDSA chips, an open platform for creating smart cards NXP J3D081 (JavaCard) was used, which is very similar to NXP A700X chips and uses an identical cryptographic library, but at the same time provides more opportunities for studying the engine ECDSA. To recover the key from JavaCard, it turned out to be enough to analyze about 4000 operations.
An attack requires physical access to the token, i.e. the token should be available for investigation by the attacker for a long time (it takes about 6 hours to recover the key for one FIDO U2F account, plus about 4 more hours are required to disassemble and assemble the token). Moreover, the chip is shielded with an aluminum screen, therefore, the case must be disassembled, which makes it difficult to hide the traces of an attack, for example, Google Titan tokens are sealed in plastic and cannot be disassembled without visible traces (as an option, printing on a 3D printer of the new case is proposed). p>
The attack also requires quite expensive equipment, costing about 10 thousand euros, skills in reverse engineering of microcircuits and special software that is not publicly distributed (the possibility of the attack is confirmed by Google and NXP). During the attack, the Langer ICR HH 500-6 measuring complex used for testing the electromagnetic compatibility of microcircuits, the Langer BT 706 amplifier, the Thorlabs PT3 / M micromanipulator with a resolution of 10μm and the PicoScope 6404D four-channel oscilloscope were used.