Timing Attacks to RSA

Presented by Zhanxiang

Agenda

Background of Timing Attack Case study: David Brumley and Dan Boneh, Remote Timing Attacks are Practical (UC Berkeley)

What is Timing Attack?

Timing attacks: Expose private information, such as RSA keys, by measuring the amount of time required to perform private key operations (Decryptions). Side-channel attacks:
Power analysis Electromagnetic radiation analysis Timing attacks

Some Timing Attacks on RSA

Kochers attack 1996 [2]

reported on page A1 of Monday's New York Times ("Secure Digital Transactions Just Got a Little Less Secure" by John Markoff). Not apply to RSA-CRT.

Schindlers attack 2001

Not work for implementation using (e.g. OpenSSL):

Sliding windows instead of square and multiply (exponentiation) Two multiplication algorithms.

Brumley-Bonehs attack 2003 [1]

Attack on RSA of OpenSSL [1] won the best paper of UsenixSecure03.

Why people care?

Security of RSA depends on the difficulty to factor the public key N OpenSSL applications are popular Since it can hack simple devices, e.g. smartcards, how about complex environments, such network?

Implementation of OpenSSL

RSA with CRT speedup Computation library

How are exponentiation, modular reduction and multiplication operations implemented

RSA quick review

Multiple prime RSA key generating algorithm 1. Select k primes: p1, p2, , pk 2. Let n=pi, i=1,2,,k 3. Let (n)=(pi-1) 4. Choose e, s.t. gcd(e,(n))=1 5. Calculate d=e-1(mod (n)) 6. Public Key = (e,n) and Private key = (d,n) Encryption: c=me mod n Decryption: m=cd mod n

Chinese Remainder Theorem

n = n1n2nk with gcd (ni; nj ) = 1 when i != j The system of congruencies x=x1(mod n1)==xk(mod nk) has a simultaneous solution x to all of the congruencies, and there exists exactly one solution x between 0 and n-1.

Speedup RSA with CRT

Any message M<N is uniquely represented by the tuple [MP;MQ ], where MP = M(mod P) and MQ = M(mod Q). CP = C(mod P) and CQ = C(mod Q). DP = D(mod (P-1)) and DQ = D(mod (Q-1)) RP = QP-1(mod N) and RQ = PQ-1(mod N) MP = CPDP(mod P) and MQ = CQDQ(mod Q) SP = MPRP(mod N) and SQ = MQRQ(mod N) M = SP + SQ. If M>=N then calc M=M-N. [3]

Operations needed for Decryption

Computing cd(mod p) and xy(mod p) requires:

Multiplication routines

Normal (unequal len) Karatsuba (equal len): faster

Exponentiation

Sliding windows

Modular reduction

Montgomery The key relevant fact is the extra reduction

What causes time variance?

Montgomery reduction
Given g calc g (mod q) Probability for and extra reduction is: P[extra step] (g mod q)/2q

Choice of multiplication routine

To calc x*g mod q, if x is the same length as (g mod q), use Karatsuba. O(nlog23) Otherwise, use Normal. O(nm)

Summary of time variance

g<q Montgomer Longer y effect Multiplicati on effect Shorter g>q Shorter Longer

g is the decryption value. Each is dominant at a different phase.

Time Attack on OpenSSL(1/4)

Assume: N=pq with q<p. Goal: approximations approaching q Idea: Make initial guess and refine it by learning bits one at a time, from the most significant.

Time Attack on OpenSSL(2/4)

Init guess g of q lying between 2512 (i.e. N/2) and 2511(i.e. N/4) Try all the combinations of the top few bits Time the decryptions and pick the first peak for guess of q; (After all we at least know the first bit is 1)

Time Attack on OpenSSL(3/4)

Suppose from 1 to i-1 bits g=q, elsewhere g=0 Recover ith bit of q as follows:

(1) ghi=g, but with ith bit 1. If ith bit of q is 1 then g<ghi<q, else g<q<ghi. (2) ug=gR-1 mod N, ughi=ghiR-1 mod N (3) t1=DecrtyptTime(ug), t2=DecryptTime(ughi). (4) D=|t1-t2|. If D is large then g<q<ghi and ith bit of q is 1, otherwise the bit is 0.

Time Attack on OpenSSL(4/4)

We know what is large and small from attack on previous bits. Decrypting just g does not work because of sliding windows

Decrypt a neighborhood of values near g, and Tg=Tg+i Will increase difference between large and small values Thus larger 0-1 gap

Only need to recover q/2 bits of q Attack requires only 2 hours, about 1.4 million queries

Real World Attack(1/2)

Discuss an attack on SSL applications such as an Apache web server with mod_SSL. During the handshake, SSL server performs RSA decryption of CLIENT-KEY-EXCHANGE message (sent by client) using its private key. The goal is getting this key. After decryption, the server checks PKCS 1 padded random bytes and sends an error message back to client in case of an error. The client can send another message to the server that will be decrypted there.

Real World Attack(2/2)

1. ClientHello

Attack Client
2. ServerHello
(send public key)

SSL Server

3. Record time t1 Send guess Ug or Ughi 4. Alert 5. Record time t2 Compute DecryptTime(Ughi)=t2 t1

Experiments (1/5) [1]

Test the effects on increasing the number of decryption requests required to recover a single bit of q reliably. Two parameters: neighborhood size (n) and sample size (s). Total number of queries is s*n.

Using sample size of 7 and neighborhood of 400, 1433600 total queries. Attack time (on 1024-bit key) is about 2 hours.

Experiments (2/5) [1]

Architecture effects: compare two versions of a program making local calls to OpenSSL: regular and extra-inst with 6 additional nops before decryption.

Explanation: different cache hit rate: 0.139% of load misses for normal and 0.151% for extra-inst.

Experiments (3/5) [1]

Compile-time effects:

Optimized (-O3 fomit_frame_pointer mcpu=pentium); No Pentium flag (-O3 fomit_frame_pointer); Unoptimized (-g).

Experiments (4/5) [1]

Source-based optimizations: implemented a minor patch that improves the efficiency of of CRT decryption check.

Experiments (5/5) [1]

Attacking SSL applications on the local network:

Preconditions & Defense

Preconditions:

OpenSSL does not enable defend option Not fix response time

Defense:

Only one multiplication routine and always carry out extra reduction in Montgomerys algorithm Quantize all RSA computations Blinding (Currently preferred)

Blinding Defenses [1]

Blinding: before decryption compute x=reg mod N, where r is random. Then decrypt x, then compute x/r. Incurs 2%-10% penalty.

Reference
[1] David Brumley and Dan Boneh, Remote Timing Attacks are Practical, 2003 [2] Paul C. Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems 2001 [3] Johann GroBschadl, The Chinese Remainder Theorem and its Application in a High-Speed RSA Crypto Chip [4]http://www.rsasecurity.com/rsalabs/challenges/f actoring/numbers.html