Re: Fwd: Question about RSA key access mechanism
Hi there, Thank you very much for your email. As I was suspecting, I was making a mistake, after following the lead you provided (the function rsa_ossl_mod_exp in the file crypto/rsa/rsa_ossl.c) I started observing hits. I was basically making a mistake with the addresses to watch. Best regards, Danis
Re: Fwd: Question about RSA key access mechanism
On 12/04/2021 09:57, Danis Ozdemir wrote: When I define a watchpoint for that address to verify that it has been accessed when a new client connects to the server and make the server continue, I can't see a hit which means this address hasn't been accessed. *I'm attaching the s_client output as a file, since it's longer compared to the outputs above.* You don't say which version of OpenSSL you are using (1.1.1 or 3.0?). That can make a big difference to the codepaths that you go through to get to actual RSA operations. I'm assuming you are interested in the RSA signature from a TLSv1.3 CertVerify message. If so I would expect you to end up in the rsa_ossl_mod_exp function in crypto/rsa/rsa_ossl.c. It's there that I would expect to see accesses to "p". I suggest you set a breakpoint in that function and see what is happening. Matt * * I then dumped the whole non-executable pages that were allocated for this process using ptrace to see whether another copy of the key was present and I couldn't find any copies. So, either I'm doing something wrong (which is the case, most probably) or there's another area which contains another representation of the key for security reasons (given the fact that the raw key content is accessible in the RAM, this one seems less likely). Therefore, assuming I'm doing something wrong, if you could tell me what it is, I'd be grateful. Best regards, Danis Ozdemir **
Re: Fwd: Question about RSA key access mechanism
Hi all,
Just to see if I can help prompt a response... :-)
Danış is working with me to try see how hard it is to
reproduce meltdown and snarf a private key. Problem-N
of many in doing that is knowing where private key
bits are used in OpenSSL - so far gdb seems to be showing
no accesses to p,q etc. when signing as part of new
TLS session establishment, which is a puzzle. Any/all
hints gratefully received...
Thanks,
S.
On 12/04/2021 09:57, Danis Ozdemir wrote:
Hi all,
I hope all is good. My name is Danis Ozdemir, I'm a PhD student in Trinity
College (Ireland) and I'm studying computer security. I'm trying to
reproduce the meltdown attack as an effort to dive deep into the known
attack types with some specific scenarios and "trying to see whether
Meltdown could have been used against a web server making use of openssl
libraries, running on an old, non-patched Linux kernel" is one of them. *Please
notice that the intentions are purely academic here, rather than performing
a real attack.*
Before investigating a more realistic scenario, I started with an 'open
box' approach in which the openssl server process reveals the addresses of
the sub fields of its private key (The private key and the certificate used
below were created using the command 'openssl req -x509 -nodes -days 1000
-newkey rsa:2048 -keyout priv.pem -out cert.pem', so they are RSA based.
And I just used good, old printf in the function "ssl_set_pkey" in the file
"ssl/ssl_rsa.c"):
# *LD_LIBRARY_PATH=${PWD} ./apps/openssl s_server -accept 54321 -cert
my_keys/cert.pem -key my_keys/priv.pem -www*
Could not read params of DH parameters from my_keys/cert.pem
Using default temp DH parameters
*DANIS - ssl_set_pkey - c->pkeys[0].privatekey : 0x55e4f9f01670 -
144Danis - ssl_set_pkey - pkey->keydata->n : 0x55e4f9f13d50Danis -
ssl_set_pkey - pkey->keydata->e : 0x55e4f9f131e0Danis - ssl_set_pkey
- pkey->keydata->d : 0x55e4f9f05790Danis - ssl_set_pkey -
pkey->keydata->p : 0x55e4f9f05670Danis - ssl_set_pkey -
pkey->keydata->q : 0x55e4f9f058b0Danis - ssl_set_pkey -
pkey->keydata->dmp1: 0x55e4f9f18850Danis - ssl_set_pkey -
pkey->keydata->dmq1: 0x55e4f9f13800Danis - ssl_set_pkey -
pkey->keydata->iqmp: 0x55e4f9f13820*
ACCEPT
Once the server is up and running, I get the real address of the sub field
p using gdb:
# *ps -ef | grep -v grep | grep openssl*
adminq*1421* 1280 0 16:55 pts/100:00:00 ./apps/openssl s_server
-accept 54321 -cert my_keys/cert.pem -key my_keys/priv.pem -www
# *gdb*
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
Fwd: Question about RSA key access mechanism
Hi all,
I hope all is good. My name is Danis Ozdemir, I'm a PhD student in Trinity
College (Ireland) and I'm studying computer security. I'm trying to
reproduce the meltdown attack as an effort to dive deep into the known
attack types with some specific scenarios and "trying to see whether
Meltdown could have been used against a web server making use of openssl
libraries, running on an old, non-patched Linux kernel" is one of them. *Please
notice that the intentions are purely academic here, rather than performing
a real attack.*
Before investigating a more realistic scenario, I started with an 'open
box' approach in which the openssl server process reveals the addresses of
the sub fields of its private key (The private key and the certificate used
below were created using the command 'openssl req -x509 -nodes -days 1000
-newkey rsa:2048 -keyout priv.pem -out cert.pem', so they are RSA based.
And I just used good, old printf in the function "ssl_set_pkey" in the file
"ssl/ssl_rsa.c"):
# *LD_LIBRARY_PATH=${PWD} ./apps/openssl s_server -accept 54321 -cert
my_keys/cert.pem -key my_keys/priv.pem -www*
Could not read params of DH parameters from my_keys/cert.pem
Using default temp DH parameters
*DANIS - ssl_set_pkey - c->pkeys[0].privatekey : 0x55e4f9f01670 -
144Danis - ssl_set_pkey - pkey->keydata->n : 0x55e4f9f13d50Danis -
ssl_set_pkey - pkey->keydata->e : 0x55e4f9f131e0Danis - ssl_set_pkey
- pkey->keydata->d : 0x55e4f9f05790Danis - ssl_set_pkey -
pkey->keydata->p : 0x55e4f9f05670Danis - ssl_set_pkey -
pkey->keydata->q : 0x55e4f9f058b0Danis - ssl_set_pkey -
pkey->keydata->dmp1: 0x55e4f9f18850Danis - ssl_set_pkey -
pkey->keydata->dmq1: 0x55e4f9f13800Danis - ssl_set_pkey -
pkey->keydata->iqmp: 0x55e4f9f13820*
ACCEPT
Once the server is up and running, I get the real address of the sub field
p using gdb:
# *ps -ef | grep -v grep | grep openssl*
adminq*1421* 1280 0 16:55 pts/100:00:00 ./apps/openssl s_server
-accept 54321 -cert my_keys/cert.pem -key my_keys/priv.pem -www
# *gdb*
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
Question about RSA Key
Hi, I'm not familiar yet in the OpenSSL library.. I used the RSA .net Crypto, generated a private public key using .net platform. And now I want to use the OpenSSl RSA algorithm using the same keys How can I create RSA Key from keys that generated by RSA .Net Crypto ??? Best Regards Rabia This mail was sent via Mail-SeCure System. This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals computer viruses. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
