30 Jun 2022
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Maintained by Hanno Böck.
A new type of side-channel vulnerability called Hertzbleed was published recently. The attack relies on dynamic voltage and frequency scaling (DVFS), the power-saving and performance feature on modern x86 CPUs that adjusts the clock frequency in response to power consumption and thermal limits.
What the authors discovered is that the frequency a CPU runs at depends on the data it is processing: power consumption varies with the values flowing through the execution units (for example, their Hamming weight), and DVFS turns that power difference into a frequency difference. Code that is constant-time in the usual sense, with an instruction stream, branches and memory accesses that do not depend on secrets, therefore still takes a data-dependent amount of wall-clock time, and that difference can be observed as an ordinary timing side channel, including remotely. In effect, a power side channel becomes a timing side channel, which is why common constant-time programming methods are insufficient on their own to mitigate this type of attack.
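The following is an added illustration of the gap described above; it is not code from the Hertzbleed paper or from the newsletter. It shows a textbook constant-time comparison of the kind used for MAC verification: the number of operations it performs is fixed by the input length, yet the values it pushes through the ALU (here summarised by the Hamming weight of each XOR result) depend on the data. Hertzbleed exploits exactly that data-dependent quantity; the Hamming-weight counter is a stand-in for the power measurement and is an assumption for illustration only, not a model of any particular CPU.

```python
"""Why constant-time code is not enough under DVFS (added illustration)."""
from typing import Tuple


def ct_equal(a: bytes, b: bytes) -> Tuple[bool, int, int]:
    """Constant-time comparison of two equal-length byte strings.

    Returns (equal, ops, hamming):
      ops     - XOR/OR operations executed; depends only on len(a), so the
                instruction stream is secret-independent ("constant-time").
      hamming - total Hamming weight of every XOR result that passed through
                the ALU; this is data-dependent and stands in for the
                power draw that DVFS converts into a frequency (and hence
                wall-clock time) difference. It is a proxy, not a
                measurement of any real CPU.
    """
    if len(a) != len(b):
        raise ValueError("lengths must match")
    acc = 0        # accumulates any difference without branching on it
    ops = 0
    hamming = 0
    for x, y in zip(a, b):
        diff = x ^ y
        acc |= diff
        ops += 2   # one XOR, one OR per byte, regardless of values
        hamming += bin(diff).count("1")
    return acc == 0, ops, hamming


def leak_summary(secret: bytes, guesses) -> list:
    """Compare one secret against several guesses and show that the op count
    is identical for all of them while the Hamming-weight proxy varies."""
    return [(g, *ct_equal(secret, g)) for g in guesses]


if __name__ == "__main__":
    # Constructed sample inputs.
    for row in leak_summary(b"abcd", [b"abcd", b"abce", b"\x00\x00\x00\x00"]):
        print(row)
```

The point is not that this function is badly written: it is the correct way to compare MACs against classic timing attacks. It is that "constant-time" constrains the control flow and memory access pattern, not the operand values, and on a CPU where frequency follows power the operand values still show up in the timing.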
The Hertzbleed authors demonstrated a full key recovery against SIKE, a post-quantum key encapsulation mechanism based on supersingular isogenies. The SIKE attack is a chosen-ciphertext, zero-value attack: the attacker submits ciphertexts crafted so that, depending on a bit of the secret key, intermediate values in the decapsulation become zero, which lowers power draw, raises the frequency, and makes the computation measurably faster. It should be noted that the underlying mechanism is generic, and it's expected that variations of it may impact other cryptographic algorithms, with each requiring a different way of steering intermediate values.
According to the authors, the mitigation that addresses the root cause is to disable frequency boosting on the CPU. On Intel CPUs, this feature is called Turbo Boost; on AMD, it's called Turbo Core or Precision Boost. It can be disabled in the BIOS/UEFI setup or from the operating system, but it will slow the system down, and an OS-level change does not persist across reboots unless it is applied at every boot. Note that the two Linux interfaces for this have opposite polarity: the intel_pstate driver exposes a no_turbo flag (1 disables boost), whereas the generic cpufreq interface exposes a boost flag (1 enables it).
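The following shell helper is an added example, not from the newsletter or the Hertzbleed paper, for checking and disabling boost on a Linux host through the sysfs knobs mentioned above. It assumes a Linux system; the SYSFS_ROOT-style first argument exists only so the logic can be exercised against a test directory, and writing to the real knobs requires root.

```bash
#!/bin/sh
# Added example: find the sysfs knob that controls frequency boosting and
# report or change its state. Assumes Linux. Two interfaces exist, with
# opposite polarity:
#   intel_pstate: <root>/devices/system/cpu/intel_pstate/no_turbo  (1 = boost OFF)
#   cpufreq:      <root>/devices/system/cpu/cpufreq/boost          (1 = boost ON)
# Every function takes an optional sysfs root (default /sys) so the logic can
# be tested against a scratch directory without touching the live system.

# Print "<path> <polarity>"; polarity is "inverted" for no_turbo, "direct" for boost.
turbo_knob() {
    root="${1:-/sys}"
    if [ -f "$root/devices/system/cpu/intel_pstate/no_turbo" ]; then
        echo "$root/devices/system/cpu/intel_pstate/no_turbo inverted"
    elif [ -f "$root/devices/system/cpu/cpufreq/boost" ]; then
        echo "$root/devices/system/cpu/cpufreq/boost direct"
    else
        return 1   # neither driver interface present (VM, unsupported driver, ...)
    fi
}

# Print "enabled", "disabled" or "unknown".
turbo_status() {
    knob=$(turbo_knob "$1") || { echo unknown; return 1; }
    path=${knob% *}
    polarity=${knob##* }
    value=$(cat "$path")
    if [ "$polarity" = inverted ]; then
        [ "$value" = 1 ] && echo disabled || echo enabled
    else
        [ "$value" = 1 ] && echo enabled || echo disabled
    fi
}

# Disable boosting. Needs root on a real system; the change is lost at reboot.
turbo_disable() {
    knob=$(turbo_knob "$1") || return 1
    path=${knob% *}
    polarity=${knob##* }
    if [ "$polarity" = inverted ]; then
        echo 1 > "$path"
    else
        echo 0 > "$path"
    fi
}
```

Usage on a live host would be `turbo_status` to check and `sudo sh -c '. ./turbo.sh; turbo_disable'` to apply; to make it survive a reboot, put the same write in a boot-time unit or use the BIOS/UEFI setting instead. Disabling boost does not remove DVFS entirely (the CPU still throttles under thermal and power limits), so this closes the attack as demonstrated rather than the whole class.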
In response to the attack, Daniel J. Bernstein has created a web page collecting links to research and resources about timing attacks.
A mitigation for the specific attack on SIKE is also available. A research paper published in January had already identified a zero-value power side channel on SIKE that works in the same way as the channel the Hertzbleed authors exploit, and the countermeasure proposed there, which rejects the malformed inputs that drive intermediate values to zero, works against Hertzbleed as well. However, it adds a significant overhead of between 5 and 11 percent to the already slow SIKE algorithm, and it only removes this particular data-dependent behaviour, not the frequency side channel itself.
Here are some things that caught our attention since the previous newsletter:
Here are some interesting jobs we've come across in the last month:
If you know of similar jobs that our readers might be interested in, for example cryptography, TLS, or PKI, let us know and we may add them to future newsletters.
Designed by Ivan Ristić, the author of SSL Labs, Bulletproof TLS and PKI, and Hardenize, our course covers everything you need to know to deploy secure servers and encrypted web applications.
Remote and trainer-led, with small classes and a choice of timezones.
Join over 1,500 students who have benefited from more than a decade of deep TLS and PKI expertise.