
Remote Timing Attacks

Remote Timing Attacks, by Rashmi Kukanur. Agenda: Timing Attacks; Case Study (David Brumley, Dan Boneh); Defenses. What is a Timing Attack? Timing Attack: Extract secrets (private keys) in a security system by measuring the amount of time required to perform private key operations.


Presentation Transcript


  1. Remote Timing Attacks -Rashmi Kukanur

  2. Agenda • Timing Attacks • Case Study : • David Brumley • Dan Boneh • Defenses

  3. What is a Timing Attack • Timing Attack: Extract secrets (private keys) in a security system by measuring the amount of time required to perform private key operations. • General Belief: Web Servers and RSA Implementations are not vulnerable.

  4. Cause of concern: • RSA security broken when factors of modulus exposed • OpenSSL widely used • Challenges the security of many crypto implementations

  5. RSA review 1. Select two large prime numbers p and q. 2. Let $N = pq$ be the modulus. 3. Choose e relatively prime to $(p-1)(q-1)$. 4. Find d s.t. $ed \equiv 1 \pmod{(p-1)(q-1)}$. 5. Public key $(N, e)$. 6. Private key d. • Encryption: $C = M^e \bmod N$ • Decryption: $M = C^d \bmod N$

  6. OpenSSL implementation of RSA • Chinese Remainder Theorem • Exponentiation • Sliding Windows • Multiplication Routines • Karatsuba Algorithm $O(n^{\log_2 3})$ • Normal Multiplication $O(nm)$ • Montgomery Reduction

  7. Chinese Remainder Theorem • Let the $m_i$ be pairwise relatively prime and • $M = m_1 m_2 \cdots m_k$, $M_i = M / m_i$ • $c_i = M_i (M_i^{-1} \bmod m_i)$ • $a_i = A \bmod m_i$ • $A \bmod M = (a_1 c_1 + a_2 c_2 + \cdots + a_k c_k) \bmod M$

  8. RSA Decryption • $C^d \bmod pq$ can be computed from • $m_1 = C^{d_1} \bmod p$, $m_2 = C^{d_2} \bmod q$ as • $(m_1 c_p + m_2 c_q) \bmod pq$, where • $c_p = q (q^{-1} \bmod p)$, $c_q = p (p^{-1} \bmod q)$ • RSA decryption with CRT speedup

  9. Timing differences comparison • Montgomery reduction: Schindler's observation: $\Pr[\text{Extra Reduction}] = \frac{g \bmod q}{2R}$ • Multiplication Routine: Karatsuba, Normal Multiplication

  10. Time variance - overview

  11. Timing Attack on OpenSSL • Let $N = pq$ with $q < p$. • Approximate q (approaching): guessing q: g; try $g_{hi}$ to decide bit i. (Figure: bit positions 1, 2, 3, …, i-1, i of the guess, with leading bits 1 1 0 0.)

  12. Timing Attack (Contd.) • Initial guess g of q lies between $2^{512}$ (i.e. $2^{\log_2 N/2}$) and $2^{511}$ (i.e. $2^{\log_2 N/2 - 1}$). • Try all the possible combinations of the top few bits and pick the first peak, i.e. q.

  13. Timing Attack (Contd.) • Let $g = q$ for the top $i-1$ bits. Remaining bits of g are 0 ($g < q$). • Recover the i'th bit of q as follows: • (1) $g_{hi} = g$, but with the i'th bit set to 1. If the i'th bit of q is 1 then $g < g_{hi} < q$, else $g < q < g_{hi}$. • (2) $u_g = g R^{-1} \bmod N$, $u_{g_{hi}} = g_{hi} R^{-1} \bmod N$. • (3) $t_1 = \mathrm{DecryptTime}(u_g)$, $t_2 = \mathrm{DecryptTime}(u_{g_{hi}})$. • (4) $D = |t_1 - t_2|$. • If D is large then $g < q < g_{hi}$ and the i'th bit of q is 0, otherwise the bit is 1. • Previous D values considered. • Decrypting just g results in a weak indicator in sliding windows.

  14. Experiment 1 • Parameters • Neighborhood size n, Sample Size s • Total number of queries is s*n • Using a sample size of 7 and a neighborhood of 400: 1433600 total queries. • Attack time (on a 1024-bit key) is about 2 hours.

  15. Experiment 2 • Architecture effects: compare two versions of a program making local calls to OpenSSL: “regular” and “extra-inst” with 6 additional nops before decryption.

  16. Experiment 3 • Compile-time effects: • Optimized (-O3 -fomit-frame-pointer -mcpu=pentium); • No Pentium flag (-O3 -fomit-frame-pointer); • Unoptimized (-g).

  17. Defense • Defense: • Only one multiplication routine and always carry out extra reduction in Montgomery’s algorithm • Quantize all RSA computations • Blinding (Currently preferred)

  18. Blinding Defenses • Before decryption compute $x = r^e g \bmod N$ where r is random. • Then decrypt x and divide the result by r.
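
Slides 8 and 18 combined, as an added example that is not part of the original presentation: RSA decryption with the CRT speedup, wrapped in blinding so the value actually exponentiated is unrelated to the caller-supplied g. The toy primes, exponent and function names are constructed for illustration; d1 and d2 are assumed to be the usual CRT exponents d mod (p-1) and d mod (q-1), which the slides do not define.

```python
import math
import secrets

# Constructed toy parameters (far too small for real use), with q < p as on slide 11.
P, Q, E = 1000003, 999983, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # ed = 1 mod (p-1)(q-1)
D1, D2 = D % (P - 1), D % (Q - 1)      # assumed CRT exponents d1, d2
CP = Q * pow(Q, -1, P)                 # c_p = q (q^-1 mod p)
CQ = P * pow(P, -1, Q)                 # c_q = p (p^-1 mod q)


def crt_decrypt(c):
    """RSA decryption with the CRT speedup of slide 8."""
    m1 = pow(c % P, D1, P)
    m2 = pow(c % Q, D2, Q)
    return (m1 * CP + m2 * CQ) % N


def blinded_decrypt(g, rng=secrets.SystemRandom()):
    """Slide 18: decrypt x = r^e * g mod N, then divide the result by r.

    Returns (plaintext, x) so a caller can inspect what was exponentiated.
    """
    while True:
        r = rng.randrange(2, N)        # fresh random r for every decryption
        if math.gcd(r, N) == 1:        # r must be invertible mod N
            break
    x = (pow(r, E, N) * g) % N         # blind: x^d = r * g^d mod N
    m = (crt_decrypt(x) * pow(r, -1, N)) % N   # unblind: remove the factor r
    return m, x
```

The timing of `crt_decrypt` now depends on x, which changes with every call, rather than on the g chosen by the client.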
