Recover a RSA Private Key From a TLS Session With Perfect Forward Secrecy

Learn how to recover an RSA private key from a TLS session with Perfect Forward Secrecy in this 42-minute Black Hat conference talk. Explore the theory behind the attack, including the generation of faulty digital signatures due to hardware faults, and understand why embedded devices are particularly vulnerable. Discover the prerequisites for a successful attack, examine RSA signatures and RSA-CRT, and analyze vulnerable crypto libraries. Gain insights into the practical implementation of this technique, including both passive and active attack modes. Delve into topics such as PKCS 1.5 padding, suitable ciphersuites, and the workings of the High Voltage! tool. Examine the application of these concepts to IKEv1 Phase 1 Main Mode and Aggressive Mode with signature authentication.

Intro
About the topic
Roadmap
What is a RSA signature
Recover a RSA private key: Prerequisites
What if the attack is successful?
(a) RSA Signature with RSA-CRT
(c) Presence of faulty signature
(b) Signature calculated on known values
(b) PKCS 1.5 Padding
The right ciphersuite...
How High Voltage! works...
How RSA works
RSA Rule 1
Signing with RSA-CRT
TLS RSA-CRT Attack in "pills"
Vulnerable crypto libraries (2)
IKEV1 Phase 1 Main Mode (Signature Auth)
IKEv1 Phase 1 Aggressive Mode (Signature Auth)