Ooh Aah... Just a Little Bit : A small amount of side channel can go a long way
http://eprint.iacr.org/2014/161.pdf
How is it about Nxt?
Abstract. We apply the FLUSH+RELOAD side-channel attack based on cache hits/misses to extract a small amount
of data from OpenSSL ECDSA signature requests. We then apply a standard lattice technique to extract the
private key, but unlike previous attacks we are able to make use of the side-channel information from almost all
of the observed executions. This means we obtain private key recovery by observing a relatively small number of
executions, and by expending a relatively small amount of post-processing via lattice reduction. We demonstrate
our analysis via experiments using the curve secp256k1 used in the Bitcoin protocol. In particular we show that
with as little as 200 signatures we are able to achieve a reasonable level of success in recovering the secret key for
a 256-bit curve. This is significantly better than prior methods of applying lattice reduction techniques to similar
side channel information.
I hope "Consequently, a spy program and the victim must execute on the same execution core of the
processor" is the key limitation of this attack. Basically, if your computer ends up running a password cracker, even if it doesn't directly intercept the passkey, it can use side-channel info (like sound, cache hit/miss, etc.) to pretty quickly crack the password.
This is why for hardened servers, you want to have as few processes running on it as possible.
James