A nonce covert channel attack in the context of a hardware wallet involves manipulating the cryptographic process to leak sensitive information covertly, often through the misuse of the nonce (k) in the ECDSA (Elliptic Curve Digital Signature Algorithm) signing process. Let’s break down how this can happen and how malicious transactions might be flagged on the network:

1. Background on ECDSA and Nonces

ECDSA is widely used in cryptocurrency transactions to ensure both authenticity and integrity. In this scheme:

  • A private key (d) is used to generate a signature for a transaction.

  • The signature relies on a randomly chosen number called the nonce (k) during the signing process.

  • The signature (r, s) is created using the private key, the message to be signed (typically a transaction hash), and the nonce (k).

  • For security, the nonce (k) must be random and different for each signature.

If the same k value is reused for two different messages or if k can be predicted, it compromises the private key. From an attacker’s perspective, exploiting this vulnerability can lead to the recovery of the private key.

2. How a Nonce Covert Channel Attack Works

In a nonce covert channel attack, a malicious firmware on the hardware wallet deliberately manipulates or leaks information by controlling the value of the nonce (k) in a way that allows sensitive data (such as private keys or other secrets) to be extracted over time. Here’s how it could work step-by-step:

a. Malicious Firmware Fixes the Nonce (k)

For a nonce covert channel attack, the firmware of the hardware wallet is compromised (malicious). Instead of generating a truly random k, the firmware fixes or deliberately modifies the k value used during ECDSA signature creation. This can be done in two ways:

  • The attacker might fix the nonce to a known value for every signature, creating a deterministic pattern.

  • The attacker might adjust the nonce to encode specific bits of data (for example, the private key or other sensitive information) into the signature process.

b. Leaking Information via Multiple Signatures

Once the firmware controls the nonce, it can begin leaking information through the signature process:

  • By signing multiple transactions (e.g., small transactions that would be unnoticed), the attacker can use the known values of k and the corresponding signatures (r, s) to recover the private key (d) using mathematical techniques.

  • In some cases, the fixed or manipulated nonce values could be interpreted as encoding a hidden message that can be later extracted by analyzing the pattern of signatures.

The process of extracting the private key from manipulated nonces is often done using mathematical attacks, such as nonce reuse attacks or the Bleichenbacher attack.

3. Transaction Monitoring on the Blockchain

Blockchain networks, such as Bitcoin or Ethereum, operate as public ledgers where all transactions, including their associated signatures, are broadcasted and recorded. This transparency allows anyone, including an attacker, to monitor the network for specific transactions containing the maliciously crafted signatures.

Steps:

  • Listening to Transactions: The attacker can set up a node or use public block explorers to passively monitor transactions being broadcasted across the blockchain network. Most blockchain transactions are sent through peer-to-peer networks before they are confirmed and added to a block, so it is relatively easy for anyone to observe incoming transactions.

  • Identifying the Wallet Address: The attacker will know which wallet address or addresses are under their control or have been compromised with malicious firmware. They will focus on monitoring transactions originating from these addresses.

  • Extracting Signature Data: Each transaction in ECDSA-based blockchains contains a digital signature, which includes the values r and s derived from the private key and the nonce (k). The attacker can extract these values from the transaction data and analyze them to detect the hidden information.

4. Detecting Malicious Signatures

The malicious firmware in the compromised hardware wallet would encode sensitive data (such as private key fragments or other information) in the nonce (k) used during the signing process. The attacker knows the scheme used to encode the information and can extract it from the broadcasted transactions.

Techniques for Detecting Malicious Signatures:

  • Pattern Recognition: The attacker may have pre-determined how the nonce (k) or the resulting signatures (r, s) will be manipulated. For example, they might embed bits of secret data in a fixed position of k or use a predictable modification to r or s. By analyzing the transactions’ signature components, the attacker can extract this hidden data.

  • Multiple Transactions: Often, information leakage happens gradually across multiple transactions. The attacker monitors all transactions originating from the compromised wallet and reconstructs the leaked information by analyzing a series of signatures. They may look for patterns of small, repeated transactions, which are commonly used in covert channel attacks to spread out the information leak.

Example:

Let’s say the malicious firmware encodes a bit of secret data in the lower bits of the nonce (k) for each signature. The attacker would:

  • Monitor all transactions broadcasted from the compromised wallet.

  • Extract the signature (r, s) from each transaction.

  • Analyze the nonce k or the signature values, looking for the expected pattern (e.g., specific bits in k that correspond to encoded secret data).

  • Reconstruct the full secret data (such as the private key) after collecting enough signatures.

5. Blockchain Tools and Public Explorers

Blockchain networks offer a wide range of tools that make monitoring transactions straightforward. Attackers can use:

  • Block Explorers: Public blockchain explorers (such as Etherscan for Ethereum or Blockchair for Bitcoin) allow anyone to search for transactions by address and view the detailed transaction data, including signatures.

  • Full Nodes: By running a full node on the network, an attacker can directly observe all incoming transactions in real-time. This is useful for monitoring unconfirmed transactions as they propagate through the network.

  • APIs: Some services provide APIs that allow programmatic access to transaction data. The attacker can automate the process of tracking specific addresses and extracting signatures.

6. Timing and Synchronization

Since the attacker is likely monitoring a specific compromised wallet address, they know when the wallet is making a transaction. They may even control the timing of transactions if they have direct access to the wallet or the malicious firmware.

  • Transaction Control: In cases where the attacker has complete control over the compromised device, they may even initiate transactions themselves to control when the covert information is broadcasted.

  • Batching and Spacing: The attacker may space out transactions over time or batch them in a way that helps avoid detection by network monitoring tools that look for unusual activity patterns.

7. Reassembling the Leaked Information

Once the attacker has monitored and collected enough transactions, they can start reconstructing the secret information:

  • Analyzing the Pattern: The attacker would know the encoding scheme used by the malicious firmware. For example, if each signature leaks a few bits of the private key or nonce, the attacker collects these bits across multiple signatures and then pieces them together to recover the full private key or sensitive information.

     

  • Mathematical Reconstruction: Depending on the structure of the attack, the attacker might need to use cryptographic techniques to recover the full private key from the manipulated signatures. For instance, if the nonce (k) is reused or partially known, the attacker can use techniques such as the Babai’s nearest plane algorithm or lattice reduction to derive the private key. 

While the attacker monitors the network, security researchers or anomaly detection systems could also be monitoring for unusual transaction patterns. If network participants detect non-random or repeated nonces, this could lead to suspicion of a compromised wallet, potentially flagging the malicious transactions and leading to investigations.

8. What are the security protections against Nonce covert channel attacks in Cryptnox Wallet cards

The Cryptnox hardware wallet cards are designed with two powerful security protections specifically aimed at defending against sophisticated attacks, including nonce covert channel attacks:

  • Analyzing the Pattern: Cryptnox uses a secure element with Common Criteria EAL6+ certification, one of the highest levels of tamper resistance. This secure element makes it extremely challenging to access or manipulate the internal memory, preventing attackers from directly retrieving sensitive data or compromising nonce generation. This layer of protection guards against any attempts to physically alter the device to control or fix nonce values in signatures.

     

  • Firmware Authenticity Verification: Each Cryptnox card’s firmware is digitally signed at the factory, ensuring it remains unchanged and free of malicious code. Before any transaction is executed, the Cryptnox Wallet application verifies the firmware’s authenticity by checking this digital signature. If any modification to the firmware is detected, the wallet blocks all operations, instantly preventing potential nonce manipulation. This verification protects against attempts to insert malicious firmware designed to fix or encode nonces as a covert channel for sensitive information.

Together, these security layers provide robust protection against nonce covert channel attacks by ensuring the hardware and firmware remain secure and tamper-free, blocking unauthorized access and maintaining the integrity of cryptographic operations.