1 / 25

Side-Channel Attacks on RSA with CRT

Side-Channel Attacks on RSA with CRT. Weakness of RSA Alexander Kozak Jared Vanderbeck. What is RSA?. As we all know, RSA (Rivest Shamir Adleman) is a really secure algorithm for public-key cryptography. RSA is known to be suitable for signing as well as encryption.

tyrone-savage
Download Presentation

Side-Channel Attacks on RSA with CRT

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck

  2. What is RSA? • As we all know, RSA (Rivest Shamir Adleman) is a really secure algorithm for public-key cryptography. • RSA is known to be suitable for signing as well as encryption. • RSA is believed to be secure given sufficiently long keys and the use of up-to-date implementations.

  3. What is CRT? • The Chinese Remainder Theorem is a result about congruences in number theory and its generalizations in abstract algebra. • The CRT can be used to speed up calculations of many math-based cryptosystems, including RSA.

  4. Montgomery Reduction Provides an efficient way of multiplying two numbers modulo a number Makes modulo reduction unnecessary during multiplications

  5. What are Side-Channel Attacks? • “Side Channel Attacks” are attacks that are based on Side “Channel Information.” • Side channel information is information that can be retrieved from the encryption device. • This information is neither the plaintext or the ciphertext.

  6. What are Side-Channel Attacks? • In the past, an encryption device was perceived as a unit that received plaintext and produces ciphertext and vice versa. • Attacks were based on knowing the ciphertext or knowing both or on the ability to define what plaintext is to be encrypted and then seeing the results of the encryption.

  7. What are Side-Channel Attacks? • Today, it is known encryption devices have additional inputs which are not the plaintext or ciphertext. • Encryption devices produce timing information that is easily measurable, radiation of various sorts, power consumption statistics and more.

  8. What are Side-Channel Attacks? • Often the encryption device also has additional “unintentional” inputs such as voltage. • Side channel attacks make use of some or all of this information, along with other cryptanalytic techniques, to recover the key the device is using.

  9. What are Side-Channel Attacks? • Side channel analysis techniques are a concern because the attacks can be mounted quickly and cheaply. • Depending on the type of attack, it can take a short amount of time to attack a card. • For example, with a Simple Power Analysis attack, attacks on smartcards take a few seconds per card.

  10. Timing Attacks • Timing attacks are based on measuring the time it takes for a unit to perform operations. • This information can lead to information about the secret keys. • For example, by measuring the amount of time required to perform private key operations, an attacker might find fixed Diffie-Hellman exponents, factor RSA keys, and break other cryptosystems.

  11. Timing Attacks • Cryptosystems take slightly different amounts of time to process different inputs. • There are various reasons for this, including performance optimizations, branching, RAM cache hits, etc. • Attacks exist which can exploit timing measurements to find the entire key.

  12. Timing Attacks • Computing the variances is easy and provides a good way to identify correct exponent bit guesses. • The number of samples needed to gain enough information are determined by the properties of the signal and the noise. • The more noise there is, the more noise there is, the more samples will be required.

  13. Timing Attacks • These kind of attacks generally require a large amount of samples of timings. • The times are used to perform a statistical analysis on probabilities of each bit in the key. • These probabilities are then used to guess a key.

  14. Timing Attacks • There can be a large amount of error in the signals retrieved by the eavesdropper. • This can be caused by noise (such as latency), blinding, or inaccuracies in data acquisition. • The greater the error, the more samples that are required to determine a key.

  15. CRT’s Susceptibility to Timing Attacks • Modular reduction • All arithmetic is performed modulo a number • The computer must compare a value to the modulo number and reduce when necessary • Modular Exponentiation vs. Multiplication • Modular exponentiations and multiplications take different amounts of time and are executed under different circumstances • Any conditional calculations • Calculations executed under certain circumstances, however not all

  16. Montgomery Reduction’s Susceptibility • After reduction, there is a final modular comparison • This may result in an extra reduction • This extra reduction is executed only when necessary • Causes differences in timing when different values are used

  17. How to Attack CRT • Very simple • Choose values that are very close to one of the prime factors of the public key • When a value is greater than a prime factor, an additional modular reduction will be performed • When the value is less than a prime factor, no additional modular reductions will be performed • This can directly reveal the factors of the public key

  18. How to Attack CRT • Optimized RSA implementations use the Square and Multiply method of computing modular exponents • Using varying inputs, the number of exponentiations and multiplications vary • Time differences can be seen between instances when multiplications are or are not executed

  19. How to Attack Montgomery Reduction Equation and analysis from Brumley and Boneh • The probability of an extra reduction has been found to be easily calculated • The equation is • As the input g approaches one of the prime factors, the probability of an extra reduction increases • When the input g is equal to one of the factors, there is a large drop in frequency of the extra reduction

  20. Blinding The key is to ensure that timing signatures are unusable to attackers Often times result in reducing performance and increasing complexity of algorithms Can make timing attacks infeasible

  21. Blinding Techniques • Eliminate the conditional execution of steps • Example: During steps that may require either multiplication or exponentiation based on the value execute both • Ignore the results of the unwanted computation • Makes time differentiation between statements being executed difficult

  22. Blinding Techniques • Perform data independent calculations that will be performed between modular calculations of CRT • Example: calculate ar mod h where r and h are random numbers • Adds to complexity and slows computations • Can make timing very difficult

  23. Blinding Techniques • Modify the implementations of modular exponentiation and multiplication • Make both operations take the same amount of time • Makes it difficult or impossible to differentiate between either calculation • Highly effective against certain timing attacks

  24. Blinding Techniques • Ensure that all operations take the same amount of time • Drastically degrades performance • All operations must take an amount of time equal to that of the slowest operation • Makes timing impossible

  25. References • Remote Timing Attacks are Practical by David Brumley and Dan Boneh - http://www.ece.cmu.edu/~dbrumley/pubs/jcn_timing.pdf • Introduction to Side Channel Attacks - http://www.discretix.com/PDF/Introduction%20to%20Side%20Channel%20Attacks.pdf • Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems by Paul C. Kocher - http://www.cryptography.com/public/pdf/TimingAttacks.pdf • Side-Channel Attacks by Neal Koblitz and Alfred J. Menezes - http://www.springerlink.com/content/lln108g514127805/fulltext.pdf

More Related