290 likes | 502 Views
Side-Channel Attacks on RSA with CRT. Weakness of RSA Alexander Kozak Jared Vanderbeck. What is RSA?. As we all know, RSA (Rivest Shamir Adleman) is a really secure algorithm for public-key cryptography. RSA is known to be suitable for signing as well as encryption.
E N D
Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck
What is RSA? • As we all know, RSA (Rivest Shamir Adleman) is a really secure algorithm for public-key cryptography. • RSA is known to be suitable for signing as well as encryption. • RSA is believed to be secure given sufficiently long keys and the use of up-to-date implementations.
What is CRT? • The Chinese Remainder Theorem is a result about congruences in number theory and its generalizations in abstract algebra. • The CRT can be used to speed up calculations of many math-based cryptosystems, including RSA.
Montgomery Reduction Provides an efficient way of multiplying two numbers modulo a number Makes modulo reduction unnecessary during multiplications
What are Side-Channel Attacks? • “Side Channel Attacks” are attacks that are based on Side “Channel Information.” • Side channel information is information that can be retrieved from the encryption device. • This information is neither the plaintext or the ciphertext.
What are Side-Channel Attacks? • In the past, an encryption device was perceived as a unit that received plaintext and produces ciphertext and vice versa. • Attacks were based on knowing the ciphertext or knowing both or on the ability to define what plaintext is to be encrypted and then seeing the results of the encryption.
What are Side-Channel Attacks? • Today, it is known encryption devices have additional inputs which are not the plaintext or ciphertext. • Encryption devices produce timing information that is easily measurable, radiation of various sorts, power consumption statistics and more.
What are Side-Channel Attacks? • Often the encryption device also has additional “unintentional” inputs such as voltage. • Side channel attacks make use of some or all of this information, along with other cryptanalytic techniques, to recover the key the device is using.
What are Side-Channel Attacks? • Side channel analysis techniques are a concern because the attacks can be mounted quickly and cheaply. • Depending on the type of attack, it can take a short amount of time to attack a card. • For example, with a Simple Power Analysis attack, attacks on smartcards take a few seconds per card.
Timing Attacks • Timing attacks are based on measuring the time it takes for a unit to perform operations. • This information can lead to information about the secret keys. • For example, by measuring the amount of time required to perform private key operations, an attacker might find fixed Diffie-Hellman exponents, factor RSA keys, and break other cryptosystems.
Timing Attacks • Cryptosystems take slightly different amounts of time to process different inputs. • There are various reasons for this, including performance optimizations, branching, RAM cache hits, etc. • Attacks exist which can exploit timing measurements to find the entire key.
Timing Attacks • Computing the variances is easy and provides a good way to identify correct exponent bit guesses. • The number of samples needed to gain enough information are determined by the properties of the signal and the noise. • The more noise there is, the more noise there is, the more samples will be required.
Timing Attacks • These kind of attacks generally require a large amount of samples of timings. • The times are used to perform a statistical analysis on probabilities of each bit in the key. • These probabilities are then used to guess a key.
Timing Attacks • There can be a large amount of error in the signals retrieved by the eavesdropper. • This can be caused by noise (such as latency), blinding, or inaccuracies in data acquisition. • The greater the error, the more samples that are required to determine a key.
CRT’s Susceptibility to Timing Attacks • Modular reduction • All arithmetic is performed modulo a number • The computer must compare a value to the modulo number and reduce when necessary • Modular Exponentiation vs. Multiplication • Modular exponentiations and multiplications take different amounts of time and are executed under different circumstances • Any conditional calculations • Calculations executed under certain circumstances, however not all
Montgomery Reduction’s Susceptibility • After reduction, there is a final modular comparison • This may result in an extra reduction • This extra reduction is executed only when necessary • Causes differences in timing when different values are used
How to Attack CRT • Very simple • Choose values that are very close to one of the prime factors of the public key • When a value is greater than a prime factor, an additional modular reduction will be performed • When the value is less than a prime factor, no additional modular reductions will be performed • This can directly reveal the factors of the public key
How to Attack CRT • Optimized RSA implementations use the Square and Multiply method of computing modular exponents • Using varying inputs, the number of exponentiations and multiplications vary • Time differences can be seen between instances when multiplications are or are not executed
How to Attack Montgomery Reduction Equation and analysis from Brumley and Boneh • The probability of an extra reduction has been found to be easily calculated • The equation is • As the input g approaches one of the prime factors, the probability of an extra reduction increases • When the input g is equal to one of the factors, there is a large drop in frequency of the extra reduction
Blinding The key is to ensure that timing signatures are unusable to attackers Often times result in reducing performance and increasing complexity of algorithms Can make timing attacks infeasible
Blinding Techniques • Eliminate the conditional execution of steps • Example: During steps that may require either multiplication or exponentiation based on the value execute both • Ignore the results of the unwanted computation • Makes time differentiation between statements being executed difficult
Blinding Techniques • Perform data independent calculations that will be performed between modular calculations of CRT • Example: calculate ar mod h where r and h are random numbers • Adds to complexity and slows computations • Can make timing very difficult
Blinding Techniques • Modify the implementations of modular exponentiation and multiplication • Make both operations take the same amount of time • Makes it difficult or impossible to differentiate between either calculation • Highly effective against certain timing attacks
Blinding Techniques • Ensure that all operations take the same amount of time • Drastically degrades performance • All operations must take an amount of time equal to that of the slowest operation • Makes timing impossible
References • Remote Timing Attacks are Practical by David Brumley and Dan Boneh - http://www.ece.cmu.edu/~dbrumley/pubs/jcn_timing.pdf • Introduction to Side Channel Attacks - http://www.discretix.com/PDF/Introduction%20to%20Side%20Channel%20Attacks.pdf • Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems by Paul C. Kocher - http://www.cryptography.com/public/pdf/TimingAttacks.pdf • Side-Channel Attacks by Neal Koblitz and Alfred J. Menezes - http://www.springerlink.com/content/lln108g514127805/fulltext.pdf