Professional Documents
Culture Documents
Presented by Zhanxiang
Agenda
Background of Timing Attack Case study: David Brumley and Dan Boneh, Remote Timing Attacks are Practical (UC Berkeley)
Timing attacks: Expose private information, such as RSA keys, by measuring the amount of time required to perform private key operations (Decryptions). Side-channel attacks:
Power analysis Electromagnetic radiation analysis Timing attacks
reported on page A1 of Monday's New York Times ("Secure Digital Transactions Just Got a Little Less Secure" by John Markoff). Not apply to RSA-CRT.
Sliding windows instead of square and multiply (exponentiation) Two multiplication algorithms.
Security of RSA depends on the difficulty to factor the public key N OpenSSL applications are popular Since it can hack simple devices, e.g. smartcards, how about complex environments, such network?
Implementation of OpenSSL
Multiple prime RSA key generating algorithm 1. Select k primes: p1, p2, , pk 2. Let n=pi, i=1,2,,k 3. Let (n)=(pi-1) 4. Choose e, s.t. gcd(e,(n))=1 5. Calculate d=e-1(mod (n)) 6. Public Key = (e,n) and Private key = (d,n) Encryption: c=me mod n Decryption: m=cd mod n
Multiplication routines
Exponentiation
Sliding windows
Modular reduction
Montgomery reduction
Given g calc g (mod q) Probability for and extra reduction is: P[extra step] (g mod q)/2q
To calc x*g mod q, if x is the same length as (g mod q), use Karatsuba. O(nlog23) Otherwise, use Normal. O(nm)
Assume: N=pq with q<p. Goal: approximations approaching q Idea: Make initial guess and refine it by learning bits one at a time, from the most significant.
Init guess g of q lying between 2512 (i.e. N/2) and 2511(i.e. N/4) Try all the combinations of the top few bits Time the decryptions and pick the first peak for guess of q; (After all we at least know the first bit is 1)
Suppose from 1 to i-1 bits g=q, elsewhere g=0 Recover ith bit of q as follows:
(1) ghi=g, but with ith bit 1. If ith bit of q is 1 then g<ghi<q, else g<q<ghi. (2) ug=gR-1 mod N, ughi=ghiR-1 mod N (3) t1=DecrtyptTime(ug), t2=DecryptTime(ughi). (4) D=|t1-t2|. If D is large then g<q<ghi and ith bit of q is 1, otherwise the bit is 0.
We know what is large and small from attack on previous bits. Decrypting just g does not work because of sliding windows
Decrypt a neighborhood of values near g, and Tg=Tg+i Will increase difference between large and small values Thus larger 0-1 gap
Only need to recover q/2 bits of q Attack requires only 2 hours, about 1.4 million queries
Discuss an attack on SSL applications such as an Apache web server with mod_SSL. During the handshake, SSL server performs RSA decryption of CLIENT-KEY-EXCHANGE message (sent by client) using its private key. The goal is getting this key. After decryption, the server checks PKCS 1 padded random bytes and sends an error message back to client in case of an error. The client can send another message to the server that will be decrypted there.
Attack Client
2. ServerHello
(send public key)
SSL Server
3. Record time t1 Send guess Ug or Ughi 4. Alert 5. Record time t2 Compute DecryptTime(Ughi)=t2 t1
Test the effects on increasing the number of decryption requests required to recover a single bit of q reliably. Two parameters: neighborhood size (n) and sample size (s). Total number of queries is s*n.
Using sample size of 7 and neighborhood of 400, 1433600 total queries. Attack time (on 1024-bit key) is about 2 hours.
Architecture effects: compare two versions of a program making local calls to OpenSSL: regular and extra-inst with 6 additional nops before decryption.
Explanation: different cache hit rate: 0.139% of load misses for normal and 0.151% for extra-inst.
Compile-time effects:
Optimized (-O3 fomit_frame_pointer mcpu=pentium); No Pentium flag (-O3 fomit_frame_pointer); Unoptimized (-g).
Source-based optimizations: implemented a minor patch that improves the efficiency of of CRT decryption check.
Preconditions:
OpenSSL does not enable defend option Not fix response time
Defense:
Only one multiplication routine and always carry out extra reduction in Montgomerys algorithm Quantize all RSA computations Blinding (Currently preferred)
Blinding: before decryption compute x=reg mod N, where r is random. Then decrypt x, then compute x/r. Incurs 2%-10% penalty.
Reference
[1] David Brumley and Dan Boneh, Remote Timing Attacks are Practical, 2003 [2] Paul C. Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems 2001 [3] Johann GroBschadl, The Chinese Remainder Theorem and its Application in a High-Speed RSA Crypto Chip [4]http://www.rsasecurity.com/rsalabs/challenges/f actoring/numbers.html