- 137 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about 'Remote Timing Attacks' - diella

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### Remote Timing Attacks

-Rashmi Kukanur

Agenda

- Timing Attacks
- Case Study :
- David Brumley
- Dan Boneh

- Defenses

What is Timing Attack

- Timing Attack : Extract secrets (private keys) in a security system by measuring the amount of time required to perform private key operations.
- General Belief: Web Servers and RSA Implementations are not vulnerable.

Cause of concern:

- RSA security broken when factors of modulus exposed
- OpenSSL widely used
- Challenges the security of many crypto implementations

RSA review

1.Select two large prime numbers p and q.

2.Let N= pq be the modulus.

3.Choose e relatively prime to (p-1)(q-1)

4.Find d s.t. ed = 1 mod (p-1)(q-1)

5.Public key (N,e)

6.Private Key d

- Encryption C = Me mod N
- Decryption M = Cd mod N

OpenSSL implementation RSA

- Chinese Remainder Theorem
- Exponentiation
- Sliding Windows

- Multiplication Routines
- Karatsuba Algorithm O(nlog23)
- Normal Multiplication O(nm)

- Montgomery Reduction

Chinese Remainder Theorem

- Let mi’s be relatively prime pair wise and
- M = m1m2……..mk, Mi = M / mi
- Ci = Mi( Mi-1 mod mi)
- ai = A mod mi
- A mod M =(a1c1+a2c2+ .+akck)mod M

RSA Decryption

- Cd mod pq can be computed from
- m1= cd1 mod p, m2 = cd2 mod q as
- (m1cp + m2cq) mod pq, where
- cp = q(q-1 mod p), cq = p(p-1 mod q)
- RSA decryption with CRT speedup

Timing differences comparison

Montgomery reduction

Schindler’s observation :

Pr[Extra Reduction] = (g mod q) / 2R

Multiplication Routine

Karatsuba

Normal Multiplication

1

0

0

Timing Attack on Open SSL- Let N=pq with q<p.
- Approximate q (approaching)
guessing q: g try ghi to decide

1

2

3

…

i-1

i

Timing Attack (Contd.)

- Initial guess g of q lies between 2512
(i.e 2log2N/2) and 2511(i.e 2log2N/2-1)

- Try all the possible combinations of the top few bits and pick the first peak i.e q.

Timing Attack (Contd.)

- Let g=q for top i-1 bits. Remaining bits of g=0(g<q)
- Recover i’th bit of q as follows:
- (1) ghi=g, but with i’th bit 1.
If i’th bit of q is 1 then g<ghi<q,

else g<q<ghi.

- (2) ug=gR-1 mod N, ughi=ghiR-1 mod N
- (3) t1=DecryptTime(ug), t2=DecryptTime(ughi).
- (4) D=|t1-t2|.

- (1) ghi=g, but with i’th bit 1.
- If D is large then g<q<ghi and i’th bit of q is 0, otherwise the bit is 1.
- Previous D values considered
- Decrypting just g results in weak indicator in sliding windows.

Experiment 1

- Parameters
- Neighborhood size n, Sample Size s
- Total number of queries is s*n

Using sample size of 7 and neighborhood of 400, 1433600 total queries. Attack time (on 1024-bit key) is about 2 hours.

Experiment 2

- Architecture effects: compare two versions of a program making local calls to OpenSSL: “regular” and “extra-inst” with 6 additional nops before decryption.

Experiment 3

- Compile-time effects:
- Optimized (-O3 –fomit_frame_pointer –mcpu=pentium);
- No Pentium flag (-O3 –fomit_frame_pointer);
- Unoptimized (-g).

Defense

- Defense:
- Only one multiplication routine and always carry out extra reduction in Montgomery’s algorithm
- Quantize all RSA computations
- Blinding (Currently preferred)

Blinding Defenses

- Before decryption compute x=reg mod N where r is random.
- Then decrypt x and compute x/r.

Download Presentation

Connecting to Server..