Attacks on RSA • By Barath Thangaraj and Anup Talwalkar
Proceedings • Overview • RSA-CRT • Bellcore Attack and countermeasures • Fault based Attack on RSA • FWM and key recovery • Algorithms • References
Overview • Public key cryptography • Secures and authenticates confidential data on a public network • With sufficiently long keys, breaking it by brute force or factoring is computationally infeasible • Advances in semiconductor technology and hardware design make it feasible on small devices • Used in security-sensitive services (online banking, online shopping) • Vulnerability • If the attacker has physical access to the hardware, even tamper-resistant devices (e.g. smart card ICs) can be attacked • Fault attacks can be used to factor the RSA modulus • What is a fault-based attack? • The attacker is in physical proximity to the hardware • Changes its operating conditions, such as supply voltage or temperature, to induce computation errors • In short: induce faults and extract the key from the faulty outputs • A random fault occurs during signing; the correct signature S and the faulty signature S' are both known to the attacker
Fault-based attack on RSA-CRT • Sung-Ming Yen, Sangjae Moon, and Jae-Cheol Ha, "Hardware Fault Attack on RSA with CRT Revisited", Springer-Verlag Berlin Heidelberg, 2003 • C. Aumüller, P. Bier, W. Fischer, P. Hofreiter, and J.-P. Seifert, "Fault Attacks on RSA with CRT: Concrete Results and Practical Countermeasures", 2002
RSA-CRT • N = p · q, dp = d mod (p − 1), dq = d mod (q − 1) • Sp = m^dp mod p (= m^d mod p), Sq = m^dq mod q (= m^d mod q) • Recombine the signature S = m^d mod N from the two halves with either Gauss's or Garner's algorithm • Gauss: S = (Sp · q · (q^(−1) mod p) + Sq · p · (p^(−1) mod q)) mod N • Garner: S = Sq + (((Sp − Sq) · (q^(−1) mod p)) mod p) · q
Bellcore attack • A random error occurs while computing Sp, giving a faulty half-result Sp' and hence a faulty signature S' • Sq is computed correctly • Therefore S − S' ≠ 0, but S − S' ≡ 0 (mod q), because both signatures agree modulo q • N can be factored: gcd(S − S', N) = q, or, with only the faulty signature, gcd((m − S'^e) mod N, N) = q (S'^e ≡ m modulo q but not modulo p)
Countermeasures • Perform the calculation twice and compare • Very time-consuming, and not always sufficient: a permanent fault corrupts both runs identically, so computing twice detects nothing • Verify the result by checking that S^e mod N equals the input m • Time-consuming if e is large (cheap for the usual small e such as 65537); considered safe
Countermeasures continued… Shamir's countermeasure: • Choose a random prime r and compute both halves modulo p · r and q · r: Sp' = m^d mod (p · r), Sq' = m^d mod (q · r) • Both reduce to m^d mod r, so the check Sp' ≡ Sq' (mod r) verifies the correctness of Sp' and Sq' before they are reduced modulo p and q Shamir's limitation: • A fault while accessing p when forming p' = p · r • Such a fault is not detected by the check Sp' ≡ Sq' (mod r)
Countermeasures continued… Infineon's countermeasure (Aumüller et al.): • Choose a random prime r and set p' = p · r; dp = d mod (p − 1) • Randomize the exponent: dp' = dp + random1 · (p − 1) • Compute Sp' = m^dp' mod p' and reduce Sp = Sp' mod p • Check p' mod p = 0 and dp' mod (p − 1) = dp (the parameters were not corrupted) • After recombination, check S mod p = Sp and S mod q = Sq • Additional check tying the two halves together via r: (Sp' mod r)^(dq' mod (r − 1)) ≡ (Sq' mod r)^(dp' mod (r − 1)) (mod r) Attack: • Inject the fault during the modular reduction Sp = Sp' mod p: the checks on Sp' have already passed, and the later check S mod p = Sp compares against the already-faulty Sp
Countermeasures continued… Enhanced version of Shamir's countermeasure: • Verify S ≡ Sp' (mod p) and S ≡ Sq' (mod q) • Follows from S ≡ Sp (mod p) and Sp' ≡ Sp (mod p): the final signature is compared against the values computed modulo p · r and q · r rather than against the reduced Sp, so a fault in the reduction step is caught • Also verify Sp' ≡ Sq' (mod r)
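The slides above (RSA-CRT, the Bellcore attack, Shamir's check and its enhanced variant) can be exercised end to end. The following is an added example written for this page, not code from the cited papers: it signs with RSA-CRT using Garner's recombination, injects a single-bit error into Sp, factors N from the faulty signature both ways, then shows Shamir's modulo-r check catching a fault in the exponentiation but not a fault in the later reduction Sp = Sp' mod p, which only the enhanced check catches. The primes, the public exponent and the "random" prime r are fixed constructed values so the run is reproducible; real keys use 1024-bit primes and the attack is unchanged.

```python
"""Bellcore fault attack on RSA-CRT and the Shamir-style checks, simulated."""
import math

# Constructed toy parameters: two well-known 30-bit primes (real keys use
# 1024-bit primes; the attack is identical). Needs Python 3.8+ for pow(x, -1, n).
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)        # q^-1 mod p, for Garner's recombination
R = 65521                   # Shamir's random prime, fixed here for reproducibility


def garner(sp, sq):
    """Recombine S from Sp = S mod p and Sq = S mod q (Garner's formula)."""
    return sq + (((sp - sq) * QINV) % P) * Q


def crt_sign(m, fault_bit=None):
    """Plain RSA-CRT signature. fault_bit flips one bit of Sp, modelling a
    random error in the half of the computation done modulo p."""
    sp = pow(m, DP, P)
    if fault_bit is not None:
        sp ^= 1 << fault_bit
    sq = pow(m, DQ, Q)
    return garner(sp, sq)


def verify(m, s):
    return pow(s, E, N) == m % N


def bellcore_two_signatures(s, s_faulty):
    """S and S' agree modulo q but not modulo p, so gcd(S - S', N) is q."""
    return math.gcd(s - s_faulty, N)


def bellcore_one_signature(m, s_faulty):
    """Needs only the faulty signature: S'^e is m modulo q but not modulo p."""
    return math.gcd((m - pow(s_faulty, E, N)) % N, N)


def shamir_sign(m, fault_bit=None, reduce_fault_bit=None, enhanced=False):
    """Shamir's countermeasure: compute both halves modulo p*r and q*r and check
    that they agree modulo r. reduce_fault_bit models a fault on the later
    reduction Sp = Sp' mod p, which the r check cannot see. enhanced=True adds
    the checks S = Sp' (mod p) and S = Sq' (mod q) of the enhanced variant.
    Returns the signature, or None when a check fires (no output to the attacker)."""
    dpr = D % ((P - 1) * (R - 1))      # d mod (p-1) and d mod (r-1) at once
    dqr = D % ((Q - 1) * (R - 1))
    spr = pow(m, dpr, P * R)
    if fault_bit is not None:
        spr ^= 1 << fault_bit          # error inside the exponentiation modulo p*r
    sqr = pow(m, dqr, Q * R)
    if spr % R != sqr % R:
        return None                    # Shamir's check: halves disagree modulo r
    sp = spr % P
    if reduce_fault_bit is not None:
        sp ^= 1 << reduce_fault_bit    # fault on the reduction, after the r check
    sq = sqr % Q
    s = garner(sp, sq)
    if enhanced and (s % P != spr % P or s % Q != sqr % Q):
        return None                    # enhanced check: compare S against Sp', Sq'
    return s


if __name__ == "__main__":
    m = 123456789                      # constructed message
    s, s_bad = crt_sign(m), crt_sign(m, fault_bit=5)
    print("gcd(S - S', N) == q:", bellcore_two_signatures(s, s_bad) == Q)
    print("Shamir catches exponentiation fault:", shamir_sign(m, fault_bit=5) is None)
    print("Shamir misses reduction fault:", shamir_sign(m, reduce_fault_bit=3) is not None)
    print("Enhanced catches it:", shamir_sign(m, reduce_fault_bit=3, enhanced=True) is None)
```

The reduction fault is the attack from the Infineon slide: the value that leaves the device still passes the modulo-r comparison, and gcd(S − S', N) recovers q from it exactly as from an unprotected signer.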
Feasibility of a fault attack – spike • Voltage fluctuations (spikes) on the supply • A typical smart card tolerates a band of a few tenths of a volt around its nominal supply before any error occurs • E.g. a 5 V card may operate correctly from 4.5 V to 5.5 V • A deviation of more than 10% can cause faulty results in the smart card IC [Figure: spike generator]
Fault-based attack on RSA authentication • Andrea Pellegrini, Valeria Bertacco and Todd Austin, University of Michigan, "Fault Based Attack of RSA Authentication", 2010
Public-key authentication and the fault-based attack • A client sends a unique message m to a server • The server signs it with its private key d • The client receives the digital signature s • The client authenticates the server's identity by verifying with the public key (n, e) that s^e mod n reproduces the original message m • Fault-based attack • Induce intermittent computational errors in the server while it signs, and analyze the faulty signatures
Hardware fault model • Vulnerability in the hardware • Most of the computation in modular exponentiation goes through the multiplier circuit • The critical path of the microprocessor often runs through the multiplier • The multiplier is therefore one of the first units to fail when operating conditions change • A signal on the critical path may not reach its register before the clock edge, corrupting the result • Assumptions • The attacker can inject faults that affect the result of a multiplication • The system is subjected to a battery of infrequent, short-duration transient faults • A faulty multiplication result differs from the correct one in only one bit position
Fixed-window modular exponentiation (FWM) • Modular exponentiation: m^d mod n • Reduces to square-and-multiply when the window size is 1 • Processes d in fixed-length windows of w bits, most significant window first • For each window: w squarings of the accumulator, then one multiplication by m^d[win_idx] • Pseudocode:
    FWE(m, d, n, win_size)
        num_win = #bits(d) / win_size
        acc = 1
        for win_idx in [num_win-1 .. 0]:
            for sqr_iter in [0 .. win_size-1]:
                acc = (acc * acc) mod n
            d[win_idx] = bits(d, win_idx*win_size, win_size)
            acc = (acc * m^d[win_idx]) mod n
        return acc
Theorem • Let <n, d, e> be an RSA key where n and e are public and d is unknown • Signatures with the private key d of length N bits are computed with the fixed-window exponentiation (FWE) algorithm with window size w, so there are k = N/w windows • ŝ is a corrupted signature of the message m computed with d • Assume a single-bit change occurred at the output of one of the squaring operations of FWE during the computation of ŝ • Then an attacker who collects at least S = k · ln(2k) distinct pairs <m, ŝ> recovers the N-bit private key d with probability 1/2 in polynomial time, O(2^w · N^3 · S)
Fault model • FWE in the presence of transient faults • If the f-th bit of a squaring result is flipped, the partial result is modified by ±2^f • A 0→1 flip adds 2^f; a 1→0 flip subtracts 2^f (the attacker tries both signs) • S: number of corrupted pairs <m, ŝ> collected • A pair is useful only if its fault hit a position that reveals key bits • Pairs whose error is zero bits or more than one bit are discarded • The unknowns for one corrupted signature are <d_i, f, p> • d_i: the window of the private key being recovered • f: the position of the flipped bit in the partial result • p: the index of the squaring operation, within the window, that was hit • As soon as a signature admits a unique solution <d_i, f, p>, d_i is determined
Key recovery (example) • d is the key to be recovered • Key size 16 bits, window size 4 bits: windows d3 (most significant) to d0 • Recovery proceeds from the MSB: window d3 first, then d2, d1, d0 • Determine d3 • Then search for the combination d2, f, p that satisfies the test equation by varying the candidate window value, f and p over their ranges • d_i in [0, 15], p in [0, 3], f in [0, 15]
Algorithms • Private-key window search (returns the window value only when exactly one candidate satisfies equation 10; the original pseudocode returned the loop variable, i.e. the last candidate tried):
    window_search(m, s, e, win_size, win_idx)
        found = 0
        for d[win_idx] in [0 .. 2^win_size - 1]:
            for sqr_iter in [0 .. win_size - 1]:
                for fault_loc in [0 .. #bits(d) - 1]:
                    if test_equation_10(m, s, e, win_idx, d[win_idx], sqr_iter, fault_loc):
                        found += 1
                        candidate = d[win_idx]
        if found == 1: return candidate    # unique match: window recovered
        else: return -1                    # no match or ambiguous: skip this pair
• Private-key recovery (most significant window first; a pair that reveals nothing for the current window is skipped):
    private_key_recovery(array<m,s>, e, win_size)
        num_win = #bits(d) / win_size
        for win_idx in [num_win-1 .. 0]:
            for <m,s> in array<m,s>:
                d[win_idx] = window_search(m, s, e, win_size, win_idx)
                if d[win_idx] >= 0: break
            if d[win_idx] < 0: double win_size    # no pair reveals this window; retry with a wider window
Experimental results and conclusion • Attack demonstrated on an FPGA (field-programmable gate array) implementation • 1024-bit FWE multiplications • Supply voltage lowered to 1.25 V to induce faults • 8,800 of the 10,000 incorrect signatures collected were usable and analyzed • The 1024-bit private key was recovered in 104 hours • Shows the potential danger of fault-based attacks on the OpenSSL library's RSA implementation
References • Andrea Pellegrini, Valeria Bertacco and Todd Austin, University of Michigan, "Fault Based Attack of RSA Authentication", 2010 • Sung-Ming Yen, Sangjae Moon, and Jae-Cheol Ha, "Hardware Fault Attack on RSA with CRT Revisited", Springer-Verlag Berlin Heidelberg, 2003 • C. Aumüller, P. Bier, W. Fischer, P. Hofreiter, and J.-P. Seifert, "Fault Attacks on RSA with CRT: Concrete Results and Practical Countermeasures", 2002