
Remote Timing Attacks are Practical




  1. Remote Timing Attacks are Practical
  David Brumley, dbrumley@stanford.edu
  Dan Boneh, dabo@crypto.stanford.edu
  [Modified by Somesh Jha]

  2. Various Types of Attacks
  • Cryptanalysis
    • Look at carefully chosen plaintexts/ciphertexts
    • Differential and linear cryptanalysis
    • Differential Cryptanalysis of the Data Encryption Standard by Eli Biham and Adi Shamir
  • Side channel attacks
    • Timing attacks
    • Differential power analysis
    • Look at characteristics such as time for decryption and power consumption

  3. Overview
  • Main result: RSA in OpenSSL is vulnerable to a new timing attack:
    • Attacker can extract the RSA private key by measuring web server response time.
  • Exploiting OpenSSL’s timing vulnerability:
    • One process can extract keys from another.
    • Insecure VM can attack secure VM. Breaks VM isolation.
    • Extract web server key remotely. Our attack works across the Stanford campus.

  4. Why are timing attacks against OpenSSL interesting?
  • Many OpenSSL applications
    • mod_SSL (Apache+mod_SSL has 28% of the HTTPS market)
    • stunnel (secure TCP/IP servers)
    • sNFS (secure NFS)
    • Many more
  • Timing attacks mostly applied to smartcards [K’96]
    • K’96: Paul Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, Advances in Cryptology, 1996.
    • Never applied to complex systems
  • Most crypto libraries do not defend:
    • libgcrypt, cryptlib, ...
    • Mozilla NSS is the only one we found to explicitly defend by default
  • OpenSSL uses well-known algorithms

  5. Outline
  • RSA overview and data dependencies
  • Present timing attack
  • Results against OpenSSL 0.9.7
  • Defenses

  6. RSA Algorithm
  • RSA decryption: g^d mod N = m
    • d is the private decryption exponent, N is the public modulus
  • Chinese remaindering (CRT) uses the factors directly. N = pq, and d1 and d2 are pre-computed from d:
    1. m1 = g^d1 mod q
    2. m2 = g^d2 mod p
    3. combine m1 and m2 to yield m (mod N)
  • Goal: learn the factors of N.
  • Kocher’s [K’96] attack fails when CRT is used.

  7. RSA Decryption Time Variance
  • Two reasons for decryption time variance:
    1. Multiplication algorithm used
      • OpenSSL uses two different multiplication algorithms
    2. Modular reduction steps
      • Modular reduction goal: given u, compute u mod q
      • Occasional extra steps in OpenSSL’s reduction algorithm
  • There are MANY:
    • multiplications by input g
    • modular reductions by factor q (and p)

  8. Reduction Timing Dependency
  • Modular reduction: given u, compute u mod q.
  • OpenSSL uses Montgomery reductions [M’85].
    • M’85: Peter Montgomery, Modular Multiplication without Trial Division, Mathematics of Computation, 44(170), 1985.
  • Time variance in Montgomery reduction:
    • One extra step at the end of the reduction algorithm, with probability
      Pr[extra step] ≈ (g mod q) / 2q   [S’00]
    • S’00: Werner Schindler, A Timing Attack against RSA with the Chinese Remainder Theorem, CHES 2000.

  9. [Figure: decryption time vs. value of the ciphertext, annotated with Pr[extra step] ≈ (g mod q) / 2q; the horizontal axis is marked at q, p and 2q]
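The reduction step slides 8 and 9 describe, as an added example that is not from the slides or from OpenSSL: a textbook Montgomery reduction in which the final conditional subtraction (the "extra step") is returned as an explicit flag, plus a small experiment that measures how often it fires as the fixed operand grows. The modulus, seed and sample count are constructed for illustration; the fixed operand is taken already in Montgomery form.

```python
# Added example (not from the slides): Montgomery reduction with the
# data-dependent "extra step" (final conditional subtraction) made explicit.
import random

def montgomery_params(q: int):
    """Return (R, k, q_neg_inv) with R = 2^k > q and q_neg_inv = -q^-1 mod R.
    q must be odd so that gcd(q, R) = 1."""
    k = q.bit_length()
    R = 1 << k
    q_neg_inv = (-pow(q, -1, R)) % R      # needs Python 3.8+ for pow(x, -1, m)
    return R, k, q_neg_inv

def redc(T: int, q: int, R: int, k: int, q_neg_inv: int):
    """Montgomery reduction of T < q*R.
    Returns (T * R^-1 mod q, extra_step); extra_step is True when the final
    conditional subtraction, the step whose timing the slides exploit, ran."""
    m = ((T & (R - 1)) * q_neg_inv) & (R - 1)   # m = (T mod R) * (-q^-1) mod R
    t = (T + m * q) >> k                        # T + m*q is divisible by R
    if t >= q:                                  # the occasional extra step
        return t - q, True
    return t, False

def mont_mul(a_bar: int, b_bar: int, q: int, params):
    """Montgomery product of two operands that are already in Montgomery form."""
    R, k, q_neg_inv = params
    return redc(a_bar * b_bar, q, R, k, q_neg_inv)

def extra_step_rate(g_bar: int, q: int, samples: int = 4000) -> float:
    """Fraction of products x * g_bar (x uniform in [0, q)) that take the extra
    step. g_bar is the fixed operand in Montgomery form; the rate grows with
    g_bar, which is the data dependence shown on slides 8 and 9."""
    params = montgomery_params(q)
    rng = random.Random(2003)                   # fixed seed: reproducible sample
    hits = sum(mont_mul(rng.randrange(q), g_bar, q, params)[1]
               for _ in range(samples))
    return hits / samples
```

Running extra_step_rate for a small and a large fixed operand under the same modulus shows the rate climbing from a few percent toward one half, the slope a remote observer sees as decryption time.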

  10. Multiplication Timing Dependency
  • Two algorithms in OpenSSL:
    • Karatsuba (fast): multiplying two numbers of equal length
    • Normal (slow): multiplying two numbers of different length
  • To calculate x·g mod q OpenSSL does:
    • When x is the same length as (g mod q), use Karatsuba multiplication
    • Otherwise, use normal multiplication

  11. [Figure: OpenSSL multiplication summary, decryption time vs. value of the ciphertext; Karatsuba multiplication for g < q, normal multiplication for g > q]

  12. Data Dependency Summary
  • Decryption value g < q
    • Montgomery effect: longer decryption time
    • Multiplication effect: shorter decryption time
  • Decryption value g > q
    • Montgomery effect: shorter decryption time
    • Multiplication effect: longer decryption time
  Opposite effects! But one will always dominate.

  13. Previous Timing Attacks
  • Kocher’s attack does not apply to RSA-CRT.
  • Schindler’s attack does not work directly on OpenSSL for two reasons:
    • OpenSSL uses sliding windows instead of square and multiply
    • OpenSSL uses two multiplication algorithms.
  • Neither known timing attack works on OpenSSL.

  14. Outline
  • RSA overview and data dependencies during decryption
  • Present timing attack
  • Results against OpenSSL 0.9.7
  • Defenses

  15. Timing Attack: High Level
  Assume we have the top i-1 bits of q. Goal: find the i-th bit of q.
  • Set g = q for the top i-1 bits, and 0 elsewhere.
  • ghi = g, but with the i-th bit set to 1. Then g < ghi.
    • g < q < ghi ⇒ the i-th bit of q is 0.
    • g < ghi < q ⇒ the i-th bit of q is 1.
  Goal: decide if g < q < ghi or g < ghi < q.

  16. [Figure: decryption time (number of reductions, multiplication routine) vs. value of the ciphertext, with g and q marked and the two possible positions of ghi]

  17. Timing Attack High Level: the time difference creates the 0-1 gap
  Attack:
  1) Suppose g = q for the top i-1 bits, and 0 elsewhere.
  2) ghi = g, but with the i-th bit 1. Then g < ghi. Goal: decide if g < q < ghi or g < ghi < q.
  3) Sample the decryption time for g and ghi: t1 = DecryptTime(g), t2 = DecryptTime(ghi)
  • If |t1 - t2| is large ⇒ bit i is 0 (g < q < ghi: g and ghi straddle q)
  • else ⇒ bit i is 1 (g < ghi < q: g and ghi don’t straddle q)

  18. [Figure: decryption time (number of reductions, multiplication routine) vs. value of the ciphertext for g < ghi < q: small time difference, |t1 – t2| small, 0-1 gap small]

  19. [Figure: decryption time (number of reductions, multiplication routine) vs. value of the ciphertext for g < q < ghi: large time difference, |t1 – t2| large, 0-1 gap large]

  20. Timing Attack Details
  • We know what is “large” and “small” from the attack on previous bits.
  • Decrypting just g does not work because of sliding windows
    • Decrypt a neighborhood of values near g
    • Will increase the difference between large and small values ⇒ larger 0-1 gap
  • Only need to recover the top half of the bits of q [C’97]
  • Attack requires only 2 hours, about 1.4 million queries, to recover the server’s private key.

  21. [Figure: the zero-one gap]

  22. How does this work with SSL?
  How do we get the server to decrypt our g?

  23. Normal SSL Session Startup (regular client ↔ SSL server)
  1. ClientHello
  2. ServerHello (send public key)
  3. ClientKeyExchange (r^e mod N)
  Result: encrypted with the computed shared master secret

  24. Attacking Session Startup (attack client ↔ SSL server)
  1. ClientHello
  2. ServerHello (send public key)
  3. Record time t1; send guess g or ghi
  4. Alert
  5. Record time t2; compute t2 – t1

  25. Outline
  • RSA overview and data dependencies during decryption
  • Present timing attack
  • Results against OpenSSL 0.9.7
  • Defenses

  26. [Figure: attack extracts the RSA private key; zero-one gap per key bit, with a region where Montgomery reductions dominate the gap and a region where the multiplication routine dominates]

  27. [Figure: attack extracts the RSA private key; zero-one gap per key bit, with a region where Montgomery reductions dominate the gap and a region where the multiplication routine dominates]

  28. [Figure: attack works on the network; similar timing on WAN vs. LAN]

  29. Attack Summary
  • Attack successful, even on a WAN
  • Attack requires only 350,000 – 1,400,000 decryption queries.
  • Attack requires only 2 hours to extract the server’s private key.

  30. Outline
  • RSA overview and data dependencies during decryption
  • Present timing attack
  • Results against OpenSSL 0.9.7
  • Defenses

  31. RSA Blinding
  • Decrypt a random number related to g:
    • Compute x’ = g · r^e mod N, where r is random
    • Decrypt x’ to get m’
    • Calculate m = m’ / r mod N
  • Since r is random, the decryption time should be random
  • 2-10% performance penalty
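The blinding countermeasure from slide 31 carried through on the CRT decryption of slide 6, as an added example that is neither the slides' nor OpenSSL's code. The key (p = 61, q = 53, e = 17, d = 2753) is a constructed toy key for illustration; decrypt_blinded wraps the same CRT routine so that the operand whose value leaks through timing is g · r^e, unrelated to the attacker's chosen g.

```python
# Added example (not from the slides): RSA-CRT decryption with and without
# blinding, on a toy key constructed for illustration only.
import math
import secrets

# Constructed toy key: N = 61 * 53 = 3233, e = 17, d = e^-1 mod (p-1)(q-1) = 2753.
P, Q, E, D = 61, 53, 17, 2753
N = P * Q
# CRT exponents as on slide 6: d1 = d mod (q-1), d2 = d mod (p-1); and q^-1 mod p.
D1, D2 = D % (Q - 1), D % (P - 1)
Q_INV_P = pow(Q, -1, P)                 # needs Python 3.8+ for pow(x, -1, m)

def decrypt_crt(g: int) -> int:
    """Unblinded RSA-CRT decryption: the two half-exponentiations whose
    timing depends on g mod q (and g mod p), as the slides describe."""
    m1 = pow(g % Q, D1, Q)              # m1 = g^d1 mod q
    m2 = pow(g % P, D2, P)              # m2 = g^d2 mod p
    h = (Q_INV_P * (m2 - m1)) % P       # Garner recombination
    return (m1 + h * Q) % N             # m mod N

def decrypt_blinded(g: int) -> int:
    """Blinded decryption (slide 31): decrypt g * r^e for a fresh random r,
    then divide the result by r; the CRT routine never sees g itself."""
    while True:                         # r must be invertible mod N
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    x_blind = (g * pow(r, E, N)) % N    # x' = g * r^e mod N
    m_blind = decrypt_crt(x_blind)      # m' = (x')^d = m * r mod N
    return (m_blind * pow(r, -1, N)) % N   # m = m' / r mod N
```

Both functions return the same plaintext for every ciphertext; only the operand reaching the timing-dependent exponentiations differs, and for real keys r is drawn at full modulus size.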

  32. Blinding Works!

  33. Conclusion
  • We developed a timing attack based on multiplication and reduction timings
  • Attack works against real OpenSSL-based servers on regular PCs.
  • Lesson: crypto libraries should always defend against timing attacks.
  • OpenSSL 0.9.7b enables blinding by default.

  34. Questions? Thanks for listening!
