Cache attack against RSA key import in SGX


Cache attack against RSA key import in SGX


20th February 2020 ( Updated on 21st February 2020 )


All versions of Mbed TLS and Mbed Crypto


The RSA private key is recoverable through side channels.




Alejandro Cabrera Aldaya and Billy Brumley


If Mbed TLS is running in an SGX enclave and the adversary has control of the main operating system, they can launch a side channel attack to recover the RSA private key when it is being imported. Found by Alejandro Cabrera Aldaya and Billy Brumley and reported by Jack Lloyd.

The attack only requires access to fine grained measurements to cache usage. Therefore the attack might be applicable to a scenario where Mbed TLS is running in TrustZone secure world and the attacker controls the normal world or possibly when Mbed TLS is part of a hypervisor and the adversary has full control of a guest OS.


If an adversary has fine grained measurements to cache usage at the time an RSA key is being imported, they are able to recover the private key.


Affected users should upgrade to one of the most recent versions of Mbed TLS, including 2.21.0, 2.16.5 or 2.7.14 or later. Similarly, affected users should upgrade to the most recent version of Mbed Crypto, including 3.1.0 or later.

Warning: Even in these versions, it is only safe to import complete RSA private keys. mbedtls_pk_parse_key() and mbedtls_pk_parse_keyfile() can only import complete private keys and therefore using them is safe. Use of lower level APIs (such as mbedtls_rsa_import()) or direct access to the members of the mbedtls_rsa_context structure for importing keys is only safe if all the needed parameters are provided; in configurations with MBEDTLS_RSA_NO_CRT undefined (which is the default), this means all the components prescribed by appendix A.1.2 of the PKCS#1 v2.2 standard; in configurations with MBEDTLS_RSA_NO_CRT enabled, this means n, e, d, p and q.


There are no known workarounds.