Libgcrypt's RSA-1024 implementation using left-to-right method for computing the sliding-window expansion was found to be vulnerable to cache side-channel attack resulting into complete break of RSA-1024. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used. Upstream patches: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=8725c99ffa41778f382ca97233183bcd687bb0ce https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=78130828e9a140a9de4dafadbc844dbb64cb709a https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=e6a3dc9900433bbc8ad362a595a3837318c28fa9 External References: https://lists.gnupg.org/pipermail/gnupg-announce/2017q2/000408.html https://eprint.iacr.org/2017/627
Acknowledgments: Name: the Libgcrypt project
Created libgcrypt tracking bugs for this issue: Affects: fedora-all [bug 1466267] Created mingw-libgcrypt tracking bugs for this issue: Affects: epel-7 [bug 1466268] Affects: fedora-all [bug 1466266]
Statement: This side-channel attack requires that the attacker can run arbitrary software on the hardware where the private RSA key is used. Allowing execute access to a box with private keys should be considered as an unsafe security practice, anyway. Thus in practice there are easier ways to access the private keys than to mount this side-channel attack. However, on boxes with virtual machines this attack may be used by one VM to steal private keys from another VM.