A black box timing attack applied to TPMs to recover private keys. Analysis revealed that some TPMs feature secret-dependent execution times during signature generation based on elliptic curves. Timing leakage was discovered on an Intel firmware-based TPM (fTPM) as well as a hardware TPM. This leakage allows an attacker to apply lattice techniques to recover 256-bit private keys for ECDSA and ECSchnorr signatures. On Intel fTPM, key recovery succeeds after about 1,300 observations and in less than two minutes. Similarly, private ECDSA key extraction was demonstrated on a hardware TPM manufactured by STMicroelectronics, which is certified at Common Criteria (CC) EAL 4+, after fewer than 40,000 observations. The impact of these vulnerabilities was further demonstrated with a remote attack against a StrongSwan IPsecVPN that uses a TPM to generate the digital signatures for authentication. In this attack, the remote client recovers the server’s private authentication key by timing only 45,000 authentication handshakes via a network connection.
TPM Fail: TPM Meets Timing and Lattice Attacks