Research & Development World

  • R&D World Home
  • Topics
    • Aerospace
    • Automotive
    • Biotech
    • Careers
    • Chemistry
    • Environment
    • Energy
    • Life Science
    • Material Science
    • R&D Management
    • Physics
  • Technology
    • 3D Printing
    • A.I./Robotics
    • Software
    • Battery Technology
    • Controlled Environments
      • Cleanrooms
      • Graphene
      • Lasers
      • Regulations/Standards
      • Sensors
    • Imaging
    • Nanotechnology
    • Scientific Computing
      • Big Data
      • HPC/Supercomputing
      • Informatics
      • Security
    • Semiconductors
  • R&D Market Pulse
  • R&D 100
    • Call for Nominations: The 2025 R&D 100 Awards
    • R&D 100 Awards Event
    • R&D 100 Submissions
    • Winner Archive
    • Explore the 2024 R&D 100 award winners and finalists
  • Resources
    • Research Reports
    • Digital Issues
    • R&D Index
    • Subscribe
    • Video
    • Webinars
  • Global Funding Forecast
  • Top Labs
  • Advertise
  • SUBSCRIBE

Researchers Close Security Vulnerability in Popular Encryption Program

By Kenny Walter | August 9, 2018

Researchers have closed a cybersecurity vulnerability that could have allowed hackers to retrieve the secret exponent of an encryption key in OpenSSL, a popular encryption program used for secure interactions on websites and for signature authentication.

Recently, attackers sought to exploit a security vulnerability in OpenSSL by briefly listening in on unintended side channel signals from smartphones. The attackers took advantage of programming that was, ironically, designed to provide better security.

Side channel attacks extract sensitive information from signals created by electronic activity within computing devices during normal operation, that includes electromagnetic emanations created by current flows within the devices computational and power-delivery circuitry, variation in power consumption and sound, temperature and chassis potential variation.

The attack analyzed signals in a relatively narrow—40 MHz wide—band around the phones’ processor clock frequencies, which are close to one GHz. They were able to take advantage of a uniformity in programing that aims to overcome previous vulnerabilities involving variations in how the programs operate.

A team from Georgia Institute of Technology successfully attacked the phones and an embedded system board— which all used ARM processors—and listened in on two different Android phones using probes located near but not touching the phones. They proposed a software fix that was adopted in versions of the program made available in May.

“Any variation is essentially leaking information about what the program is doing, but the constancy allowed us to pinpoint where we needed to look,” Milos Prvulovic, the associate chair of Georgia Tech’s School of Computer Science, said in a statement. “Once we got the attack to work, we were able to suggest a fix for it fairly quickly. Programmers need to understand that portions of the code that are working on secret bits need to be written in a very particular way to avoid having them leak.”

The attackers used intercepted electromagnetic signals from the phones, which could be analyzed with a small device.   However, unlike previous attacks that require analyzing several logins, this attack was conducted by just listening in on one decryption cycle and was the first attack that showed a single recoding of a cryptography key trace was enough to break 2,048 bits of a private RSA key.

“This is something that could be done at an airport to steal people’s information without arousing suspicion and makes the so-called ‘coffee shop attack’ much more realistic,” Prvulovic said. “The designers of encryption software now have another issue that they need to take into account because continuous snooping over long periods of time would no longer be required to steal this information.”

The team next plans to address other software that could have similar vulnerabilities and then develop a program that would allow automated analysis of security vulnerabilities.

“Our goal is to automate this process so it can be used on any code,” Alenka Zajic, an associate professor in Georgia Tech’s School of Electrical and Computer Engineering, said in a statement. “We’d like to be able to identify portions of code that could be leaky and require a fix. Right now, finding these portions requires considerable expertise and manual examination.”    

Related Articles Read More >

R&D 100 winner of the day: Electromagnetic spectrum management system (ESMS)
Claude computer use
AI agents could begin transforming how we work in 2025
refinery
AI takes center stage in Honeywell-Chevron collaboration
Firefly blurred lines between a human and machine researcher 72875
Copyleaks CEO: OpenAI’s o1 emergence could blur the lines between human researcher and AI assistant
rd newsletter
EXPAND YOUR KNOWLEDGE AND STAY CONNECTED
Get the latest info on technologies, trends, and strategies in Research & Development.
RD 25 Power Index

R&D World Digital Issues

Fall 2024 issue

Browse the most current issue of R&D World and back issues in an easy to use high quality format. Clip, share and download with the leading R&D magazine today.

Research & Development World
  • Subscribe to R&D World Magazine
  • Enews Sign Up
  • Contact Us
  • About Us
  • Drug Discovery & Development
  • Pharmaceutical Processing
  • Global Funding Forecast

Copyright © 2025 WTWH Media LLC. All Rights Reserved. The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of WTWH Media
Privacy Policy | Advertising | About Us

Search R&D World

  • R&D World Home
  • Topics
    • Aerospace
    • Automotive
    • Biotech
    • Careers
    • Chemistry
    • Environment
    • Energy
    • Life Science
    • Material Science
    • R&D Management
    • Physics
  • Technology
    • 3D Printing
    • A.I./Robotics
    • Software
    • Battery Technology
    • Controlled Environments
      • Cleanrooms
      • Graphene
      • Lasers
      • Regulations/Standards
      • Sensors
    • Imaging
    • Nanotechnology
    • Scientific Computing
      • Big Data
      • HPC/Supercomputing
      • Informatics
      • Security
    • Semiconductors
  • R&D Market Pulse
  • R&D 100
    • Call for Nominations: The 2025 R&D 100 Awards
    • R&D 100 Awards Event
    • R&D 100 Submissions
    • Winner Archive
    • Explore the 2024 R&D 100 award winners and finalists
  • Resources
    • Research Reports
    • Digital Issues
    • R&D Index
    • Subscribe
    • Video
    • Webinars
  • Global Funding Forecast
  • Top Labs
  • Advertise
  • SUBSCRIBE