
# Remote Timing Attacks - PowerPoint PPT Presentation

Remote Timing Attacks. Rashmi Kukanur. Agenda: Timing Attacks; Case Study (David Brumley, Dan Boneh); Defenses. What is a Timing Attack: extract secrets (private keys) in a security system by measuring the amount of time required to perform private key operations.


## PowerPoint Slideshow about ' Remote Timing Attacks' - diella


### Remote Timing Attacks

-Rashmi Kukanur

• Timing Attacks

• Case Study :

• David Brumley

• Dan Boneh

• Defenses

• Timing Attack : Extract secrets (private keys) in a security system by measuring the amount of time required to perform private key operations.

• General Belief: Web Servers and RSA Implementations are not vulnerable.

• RSA security broken when factors of modulus exposed

• OpenSSL widely used

• Challenges the security of many crypto implementations

1. Select two large prime numbers $p$ and $q$.

2. Let $N = pq$ be the modulus.

3. Choose $e$ relatively prime to $(p-1)(q-1)$.

4. Find $d$ s.t. $ed = 1 \bmod (p-1)(q-1)$.

5. Public key $(N, e)$

6. Private key $d$

• Encryption $C = M^e \bmod N$

• Decryption $M = C^d \bmod N$

• Chinese Remainder Theorem

• Exponentiation

• Sliding Windows

• Multiplication Routines

• Karatsuba Algorithm $O(n^{\log_2 3})$

• Normal Multiplication O(nm)

• Montgomery Reduction

• Let the $m_i$ be pairwise relatively prime, and

• $M = m_1 m_2 \cdots m_k$, $M_i = M / m_i$

• $c_i = M_i (M_i^{-1} \bmod m_i)$

• $a_i = A \bmod m_i$

• $A \bmod M = (a_1 c_1 + a_2 c_2 + \cdots + a_k c_k) \bmod M$

• $C^d \bmod pq$ can be computed from

• $m_1 = C^{d_1} \bmod p$, $m_2 = C^{d_2} \bmod q$ as

• $(m_1 c_p + m_2 c_q) \bmod pq$, where

• $c_p = q(q^{-1} \bmod p)$, $c_q = p(p^{-1} \bmod q)$

• RSA decryption with CRT speedup

Montgomery reduction

Schindler’s observation :

$\Pr[\text{Extra Reduction}] = \dfrac{g \bmod q}{2R}$

Multiplication Routine

Karatsuba

Normal Multiplication


Timing Attack on OpenSSL

• Let N=pq with q<p.

• Approximate q (approaching)

guessing q: g try ghi to decide

1

2

3

i-1

i

• Initial guess $g$ of $q$ lies between $2^{512}$ (i.e. $2^{\log_2 N/2}$) and $2^{511}$ (i.e. $2^{\log_2 N/2 - 1}$)

• Try all the possible combinations of the top few bits and pick the first peak, i.e. $q$.

• Let $g = q$ in the top $i-1$ bits; the remaining bits of $g$ are 0 (so $g < q$).

• Recover the $i$-th bit of $q$ as follows:

• (1) $g_{hi} = g$, but with the $i$-th bit set to 1. If the $i$-th bit of $q$ is 1 then $g < g_{hi} < q$, else $g < q < g_{hi}$.

• (2) $u_g = gR^{-1} \bmod N$, $u_{g_{hi}} = g_{hi}R^{-1} \bmod N$

• (3) $t_1 = \text{DecryptTime}(u_g)$, $t_2 = \text{DecryptTime}(u_{g_{hi}})$.

• (4) $D = |t_1 - t_2|$.

• If $D$ is large then $g < q < g_{hi}$ and the $i$-th bit of $q$ is 0, otherwise the bit is 1.

• Previous D values considered

• Decrypting just g results in weak indicator in sliding windows.

• Parameters

• Neighborhood size n, Sample Size s

• Total number of queries is s*n

Using sample size of 7 and neighborhood of 400, 1433600 total queries. Attack time (on 1024-bit key) is about 2 hours.

• Architecture effects: compare two versions of a program making local calls to OpenSSL: “regular” and “extra-inst” with 6 additional nops before decryption.

• Compile-time effects:

• Optimized (-O3 -fomit-frame-pointer -mcpu=pentium);

• No Pentium flag (-O3 -fomit-frame-pointer);

• Unoptimized (-g).

• Defense:

• Only one multiplication routine and always carry out extra reduction in Montgomery’s algorithm

• Quantize all RSA computations

• Blinding (Currently preferred)

• Before decryption compute $x = r^e g \bmod N$, where $r$ is random.

• Then decrypt $x$ and divide the result by $r$ to recover $g^d \bmod N$.
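
The blinding defense above, combined with the CRT decryption formulas from the earlier slides, as an added Python example (not code from the presentation or from OpenSSL). The toy primes, the sample input and the function names are constructed for illustration, and $d_1 = d \bmod (p-1)$, $d_2 = d \bmod (q-1)$ are assumed as the usual CRT exponents, since the slides do not define them.

```python
import math
import secrets

# Constructed toy key (assumption: small Mersenne primes so this runs instantly;
# real keys use random primes of 512 bits or more). q < p as on the slides.
P, Q = 2**61 - 1, 2**31 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # ed = 1 mod (p-1)(q-1)
D1, D2 = D % (P - 1), D % (Q - 1)        # assumed standard CRT exponents
CP = Q * pow(Q, -1, P)                   # c_p = q (q^-1 mod p)
CQ = P * pow(P, -1, Q)                   # c_q = p (p^-1 mod q)


def crt_decrypt(c, seen=None):
    """Raw RSA-CRT private-key operation (the step the timing attack measures)."""
    if seen is not None:
        seen.append(c)                   # record what the secret-dependent code is fed
    m1 = pow(c % P, D1, P)
    m2 = pow(c % Q, D2, Q)
    return (m1 * CP + m2 * CQ) % N


def blinded_decrypt(g, seen=None):
    """Decrypt g without ever running the private operation on g itself."""
    while True:                          # r must be invertible mod N
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    x = (pow(r, E, N) * g) % N           # x = r^e * g mod N
    y = crt_decrypt(x, seen)             # y = x^d = r * g^d mod N
    return (y * pow(r, -1, N)) % N       # divide by r to unblind


if __name__ == "__main__":
    g = 123456789                        # constructed, caller-chosen input
    seen = []
    results = {blinded_decrypt(g, seen) for _ in range(3)}
    print("plaintext always the same:", results == {pow(g, D, N)})
    print("values actually exponentiated:", seen)
```

Because a fresh $r$ is drawn per call, the value fed to the CRT exponentiation is unrelated to the caller's $g$, so decryption time no longer tracks how close $g$ is to $q$.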