Remote timing attacks
Download
1 / 18

Remote Timing Attacks - PowerPoint PPT Presentation


  • 137 Views
  • Uploaded on

Remote Timing Attacks. -Rashmi Kukanur. Agenda. Timing Attacks Case Study : David Brumley Dan Boneh Defenses. What is Timing Attack. Timing Attack : Extract secrets (private keys) in a security system by measuring the amount of time required to perform private key operations.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Remote Timing Attacks' - diella


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Remote timing attacks

Remote Timing Attacks

-Rashmi Kukanur


Agenda
Agenda

  • Timing Attacks

  • Case Study :

    • David Brumley

    • Dan Boneh

  • Defenses


What is timing attack
What is Timing Attack

  • Timing Attack : Extract secrets (private keys) in a security system by measuring the amount of time required to perform private key operations.

  • General Belief: Web Servers and RSA Implementations are not vulnerable.


Cause of concern
Cause of concern:

  • RSA security broken when factors of modulus exposed

  • OpenSSL widely used

  • Challenges the security of many crypto implementations


Rsa review
RSA review

1.Select two large prime numbers p and q.

2.Let N= pq be the modulus.

3.Choose e relatively prime to (p-1)(q-1)

4.Find d s.t. ed = 1 mod (p-1)(q-1)

5.Public key (N,e)

6.Private Key d

  • Encryption C = Me mod N

  • Decryption M = Cd mod N


Openssl implementation rsa
OpenSSL implementation RSA

  • Chinese Remainder Theorem

  • Exponentiation

    • Sliding Windows

  • Multiplication Routines

    • Karatsuba Algorithm O(nlog23)

    • Normal Multiplication O(nm)

  • Montgomery Reduction


Chinese remainder theorem
Chinese Remainder Theorem

  • Let mi’s be relatively prime pair wise and

  • M = m1m2……..mk, Mi = M / mi

  • Ci = Mi( Mi-1 mod mi)

  • ai = A mod mi

  • A mod M =(a1c1+a2c2+ .+akck)mod M


Rsa decryption
RSA Decryption

  • Cd mod pq can be computed from

  • m1= cd1 mod p, m2 = cd2 mod q as

  • (m1cp + m2cq) mod pq, where

  • cp = q(q-1 mod p), cq = p(p-1 mod q)

  • RSA decryption with CRT speedup


Timing differences comparison
Timing differences comparison

Montgomery reduction

Schindler’s observation :

Pr[Extra Reduction] = (g mod q) / 2R

Multiplication Routine

Karatsuba

Normal Multiplication



Timing attack on open ssl

1

1

0

0

Timing Attack on Open SSL

  • Let N=pq with q<p.

  • Approximate q (approaching)

    guessing q: g try ghi to decide

1

2

3

i-1

i


Timing attack contd
Timing Attack (Contd.)

  • Initial guess g of q lies between 2512

    (i.e 2log2N/2) and 2511(i.e 2log2N/2-1)

  • Try all the possible combinations of the top few bits and pick the first peak i.e q.


Timing attack contd1
Timing Attack (Contd.)

  • Let g=q for top i-1 bits. Remaining bits of g=0(g<q)

  • Recover i’th bit of q as follows:

    • (1) ghi=g, but with i’th bit 1.

      If i’th bit of q is 1 then g<ghi<q,

      else g<q<ghi.

    • (2) ug=gR-1 mod N, ughi=ghiR-1 mod N

    • (3) t1=DecryptTime(ug), t2=DecryptTime(ughi).

    • (4) D=|t1-t2|.

  • If D is large then g<q<ghi and i’th bit of q is 0, otherwise the bit is 1.

  • Previous D values considered

  • Decrypting just g results in weak indicator in sliding windows.


Experiment 1
Experiment 1

  • Parameters

    • Neighborhood size n, Sample Size s

    • Total number of queries is s*n

Using sample size of 7 and neighborhood of 400, 1433600 total queries. Attack time (on 1024-bit key) is about 2 hours.


Experiment 2
Experiment 2

  • Architecture effects: compare two versions of a program making local calls to OpenSSL: “regular” and “extra-inst” with 6 additional nops before decryption.


Experiment 3
Experiment 3

  • Compile-time effects:

  • Optimized (-O3 –fomit_frame_pointer –mcpu=pentium);

  • No Pentium flag (-O3 –fomit_frame_pointer);

  • Unoptimized (-g).


Defense
Defense

  • Defense:

    • Only one multiplication routine and always carry out extra reduction in Montgomery’s algorithm

    • Quantize all RSA computations

    • Blinding (Currently preferred)


Blinding defenses
Blinding Defenses

  • Before decryption compute x=reg mod N where r is random.

  • Then decrypt x and compute x/r.


ad