
Timing Attacks on RSA



Presentation Transcript


  1. Timing Attacks on RSA • Presented by Zhanxiang

  2. Agenda • Background of Timing Attack • Case study: David Brumley and Dan Boneh, “Remote Timing Attacks are Practical” (UC Berkeley)

  3. What is a Timing Attack? • Timing attacks expose private information, such as RSA keys, by measuring the amount of time required to perform private-key operations (decryptions). • Timing attacks are one kind of side-channel attack; others include: • Power analysis • Electromagnetic radiation analysis

  4. Some Timing Attacks on RSA • Kocher's attack, 1996 [2] • Reported on page A1 of Monday's New York Times ("Secure Digital Transactions Just Got a Little Less Secure" by John Markoff). • Does not apply to RSA-CRT. • Schindler's attack, 2000 • Does not work against implementations (e.g. OpenSSL) that use: • Sliding-window exponentiation instead of square-and-multiply • Two different multiplication routines • Brumley-Boneh attack, 2003 [1] • Attacks the RSA implementation in OpenSSL • [1] won the best paper award at USENIX Security '03.

  5. Why do people care? • The security of RSA depends on the difficulty of factoring the public modulus N; a timing attack sidesteps factoring by leaking a prime factor of N directly. • OpenSSL-based applications are popular. • Timing attacks were known to break simple devices such as smartcards; do they also work in complex environments, such as across a network?

  6. Implementation of OpenSSL • RSA with the CRT speedup • Big-number computation library • How the exponentiation, modular reduction and multiplication operations are implemented

  7. RSA quick review • Multi-prime RSA key generation: 1. Select $k$ primes $p_1, p_2, \ldots, p_k$ 2. Let $n = \prod_{i=1}^{k} p_i$ 3. Let $\varphi(n) = \prod_{i=1}^{k} (p_i - 1)$ 4. Choose $e$ such that $\gcd(e, \varphi(n)) = 1$ 5. Compute $d = e^{-1} \bmod \varphi(n)$ 6. Public key $= (e, n)$, private key $= (d, n)$ • Encryption: $c = m^e \bmod n$. Decryption: $m = c^d \bmod n$.

  8. Chinese Remainder Theorem • Let $n = n_1 n_2 \cdots n_k$ with $\gcd(n_i, n_j) = 1$ for $i \ne j$. • The system of congruences $x \equiv x_1 \pmod{n_1}, \ldots, x \equiv x_k \pmod{n_k}$ has a simultaneous solution $x$, and there is exactly one solution $x$ with $0 \le x \le n - 1$.

  9. Speeding up RSA with the CRT • Any message $M < N$ is uniquely represented by the pair $[M_P, M_Q]$ with $M_P = M \bmod P$ and $M_Q = M \bmod Q$. Decryption then proceeds as: $C_P = C \bmod P$ and $C_Q = C \bmod Q$; $D_P = D \bmod (P-1)$ and $D_Q = D \bmod (Q-1)$; $R_P = Q^{P-1} \bmod N$ and $R_Q = P^{Q-1} \bmod N$ (by Fermat, $R_P \equiv 1 \pmod P$ and $R_P \equiv 0 \pmod Q$, and symmetrically for $R_Q$); $M_P = C_P^{D_P} \bmod P$ and $M_Q = C_Q^{D_Q} \bmod Q$; $S_P = M_P R_P \bmod N$ and $S_Q = M_Q R_Q \bmod N$; $M = S_P + S_Q$, and if $M \ge N$ then $M = M - N$. [3]
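As an added worked example (not code from the presentation, from [3] or from OpenSSL), the key generation of slide 7 and the CRT decryption of slide 9, written for any number of primes: for each prime $P$ the recombination constant is $R_P = (N/P)^{P-1} \bmod N$, which is the slide's $R_P = Q^{P-1} \bmod N$ when there are two primes, and reducing the running sum modulo $N$ generalises the slide's single "if $M \ge N$ then $M = M - N$" step. The primes, the exponent $e = 65537$ and the messages are constructed toy values, far too small for real use.

```python
"""Multi-prime RSA key generation (slide 7) and CRT decryption (slide 9).
Added example; not code from the presentation, from [3] or from OpenSSL."""
from math import prod


def keygen(primes, e=65537):
    """Slide 7: n = prod(p_i), phi(n) = prod(p_i - 1), d = e^-1 mod phi(n)."""
    n = prod(primes)
    phi = prod(p - 1 for p in primes)
    d = pow(e, -1, phi)          # step 4/5: raises ValueError if gcd(e, phi) != 1
    return (e, n), (d, n)


def encrypt(m, pub):
    """c = m^e mod n (m must be smaller than n)."""
    e, n = pub
    return pow(m, e, n)


def decrypt_plain(c, priv):
    """Reference decryption without the CRT: m = c^d mod n."""
    d, n = priv
    return pow(c, d, n)


def decrypt_crt(c, d, primes):
    """Slide 9 for k primes.  For each prime P: C_P = C mod P, D_P = D mod (P-1),
    M_P = C_P^D_P mod P and R_P = (N/P)^(P-1) mod N, which by Fermat is 1 mod P
    and 0 mod every other prime, so sum(M_P * R_P) mod N is the unique CRT
    solution.  With two primes R_P = Q^(P-1) mod N exactly as on the slide."""
    n = prod(primes)
    m = 0
    for p in primes:
        c_p, d_p = c % p, d % (p - 1)
        m_p = pow(c_p, d_p, p)          # the small exponentiation modulo p
        r_p = pow(n // p, p - 1, n)     # recombination constant R_P
        m = (m + m_p * r_p) % n         # S_P + S_Q ... reduced modulo N
    return m


if __name__ == "__main__":
    # Constructed toy keys from well-known small primes (never use such sizes).
    for primes in [(1000000007, 1000000009), (1000000007, 1000000009, 998244353)]:
        pub, priv = keygen(primes)
        c = encrypt(123456789, pub)
        assert decrypt_crt(c, priv[0], primes) == decrypt_plain(c, priv) == 123456789
        print(len(primes), "primes: CRT decryption matches c^d mod n")
```

`pow(e, -1, phi)` needs Python 3.8 or later. The mod-$q$ exponentiation `pow(c_p, d_p, p)` is the step whose Montgomery implementation leaks timing in the attack below; the recombination adds nothing input-dependent.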

  10. Operations needed for decryption • Computing $c^d \bmod p$, and in general $x^y \bmod p$, requires: • Multiplication routines • Normal (operands of unequal length) • Karatsuba (operands of equal length): faster • Exponentiation • Sliding windows • Modular reduction • Montgomery reduction • The key relevant fact is the extra reduction step in Montgomery reduction

  11. What causes the time variance? • Montgomery reduction • Given $g$, compute $g^d \bmod q$ (the modulo-$q$ half of the CRT decryption) in Montgomery form • The probability of an extra reduction is $P[\text{extra reduction}] \approx (g \bmod q)/(2R)$, where $R$ is the Montgomery constant (a power of two larger than $q$): it grows as $g \bmod q$ approaches $q$ and drops to near zero as soon as $g$ passes a multiple of $q$ • Choice of multiplication routine • To compute $x \cdot g \bmod q$, if $x$ has the same length (in machine words) as $g \bmod q$, Karatsuba is used: $O(n^{\log_2 3})$ • Otherwise, normal multiplication is used: $O(nm)$

  12. Summary of time variance

  13. Timing Attack on OpenSSL (1/4) • Assume $N = pq$ with $q < p$. Goal: successively better approximations of $q$ (once $q$ is known, $p = N/q$ and the private key follows). • Idea: make an initial guess and refine it by learning one bit at a time, starting from the most significant bit.

  14. Timing Attack on OpenSSL (2/4) • The initial guess $g$ of $q$ lies between $2^{511}$ and $2^{512}$ (for a 1024-bit $N$: since $q < p$, $q < \sqrt{N} < 2^{512}$) • Try all combinations of the top few bits, time the decryptions, and pick the first peak as the guess for $q$ (decryption time grows with $g \bmod q$ and drops once $g$ passes $q$; after all, we at least know that the first bit is 1)

  15. Timing Attack on OpenSSL (3/4) • Suppose $g$ agrees with $q$ on bits 1 to $i-1$ and is 0 everywhere else, so $g \le q$. • Recover the $i$-th bit of $q$ as follows: (1) Let $g_{hi}$ be $g$ with the $i$-th bit set to 1. If the $i$-th bit of $q$ is 1 then $g < g_{hi} < q$, else $g < q < g_{hi}$. (2) $u_g = g R^{-1} \bmod N$ and $u_{g_{hi}} = g_{hi} R^{-1} \bmod N$ (so that the values the server handles in Montgomery form are exactly $g$ and $g_{hi}$). (3) $t_1 = \mathrm{DecryptTime}(u_g)$, $t_2 = \mathrm{DecryptTime}(u_{g_{hi}})$. (4) $\Delta = |t_1 - t_2|$. If $\Delta$ is large then $g < q < g_{hi}$ and the $i$-th bit of $q$ is 0 (large because $g \bmod q = g$ is close to $q$ while $g_{hi} \bmod q = g_{hi} - q$ is small, so the extra-reduction counts differ greatly); if $\Delta$ is small then $g < g_{hi} < q$ and the bit is 1.

  16. Timing Attack on OpenSSL (4/4) • We know what "large" and "small" look like from the attack on the previous bits. • Decrypting just $g$ does not give a usable signal because of sliding windows (only a few of the multiplications involve $g$ itself). • Instead, decrypt a neighbourhood of values near $g$ and use $T_g = \sum_i T_{g+i}$. • This increases the difference between the large and small values, i.e. it widens the 0-1 gap. • Only the top half of the bits of $q$ need to be recovered this way; the remaining bits can be computed from them by Coppersmith's method [1]. • The attack requires only about 2 hours and about 1.4 million queries.

  17. Real World Attack (1/2) • The attack targets SSL applications such as an Apache web server with mod_SSL. • During the handshake, the SSL server decrypts the CLIENT-KEY-EXCHANGE message sent by the client with its RSA private key; the goal is to recover that private key. • After decrypting, the server checks the PKCS #1 padding and sends an error message (alert) back to the client if the check fails. The client can then send another message for the server to decrypt.

  18. Real World Attack (2/2) • Message flow between the attack client and the SSL server:
    1. Client → Server: ClientHello
    2. Server → Client: ServerHello (carries the server's public key)
    3. Client records time $t_1$ and sends the guess $u_g$ or $u_{g_{hi}}$ as the CLIENT-KEY-EXCHANGE message
    4. Server → Client: Alert (the padding check fails)
    5. Client records time $t_2$ and computes $\mathrm{DecryptTime}(u_g) = t_2 - t_1$ (likewise for $u_{g_{hi}}$)

  19. Experiments (1/5) [1] • Measure how the number of decryption requests affects the ability to recover a single bit of $q$ reliably. Two parameters: the neighbourhood size $n$ and the sample size $s$ (how many times each value is decrypted); the number of queries per bit is $s \cdot n$. With $s = 7$ and $n = 400$, recovering the 512 bits of $q$ costs $7 \cdot 400 \cdot 512 = 1{,}433{,}600$ queries in total, and the attack on a 1024-bit key takes about 2 hours.

  20. Experiments (2/5) [1] • Architecture effects: compare two versions of a program making local calls to OpenSSL, "regular" and "extra-inst", the latter with 6 additional nop instructions before the decryption call. • Explanation: different cache hit rates: 0.139% of loads miss for "regular" versus 0.151% for "extra-inst".

  21. Experiments (3/5) [1] • Compile-time effects: • Optimized (-O3 -fomit-frame-pointer -mcpu=pentium) • No Pentium flag (-O3 -fomit-frame-pointer) • Unoptimized (-g)

  22. Experiments (4/5) [1] • Source-based optimizations: a minor patch that improves the efficiency of the CRT decryption check.

  23. Experiments (5/5) [1] • Attacking SSL applications on the local network.

  24. Preconditions & Defenses • Preconditions: • OpenSSL's blinding defense is not enabled (it was off by default) • The response time is not fixed • … • Defenses: • Use only one multiplication routine and always carry out the extra reduction step in Montgomery's algorithm, so that the code path no longer depends on the input • Quantize all RSA computations (pad every decryption to a fixed time) • Blinding (currently preferred)

  25. Blinding Defense [1] • Blinding: before decrypting, compute $x = r^e g \bmod N$ for a random $r$. Decrypting $x$ gives $x^d = r\,g^d \bmod N$, so multiply by $r^{-1} \bmod N$ to obtain $g^d$. The attacker no longer controls the value that enters the exponentiation, so the timing no longer depends on $g$. Incurs a 2%-10% performance penalty.
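The attack of slides 13-16, the extra-reduction signal of slide 11 and the blinding defense of slide 25, simulated together as an added example that is neither the paper's code nor OpenSSL's. Instead of wall-clock time, the "decryption time" is the count of Montgomery extra reductions during the mod-$q$ exponentiation, computed with plain square-and-multiply rather than OpenSSL's sliding windows, so the neighbourhood sum here mostly averages noise. The key (two well-known 30-bit primes), the exponent $e = 65537$, the neighbourhood size 400 (the value from slide 19), the two bits fixed by the peak search and the decision rule are all constructed choices: the threshold is half of a reference gap measured right after the peak search, a simplification of the paper's "large" and "small" values learned from earlier bits. Blinding is simulated with a seeded random number generator, and only the input randomisation matters for the count, so the final multiplication by $r^{-1}$ is left out.

```python
"""Simulation of the slide 13-16 attack and the slide 25 blinding defence.
Added example: decryption "time" is the number of Montgomery extra reductions
(slide 11), computed by plain square-and-multiply over a constructed toy key."""
import random

# Constructed toy key: two well-known 30-bit primes with q < p (slide 13).
# Real keys are 1024+ bits; the tiny size only keeps the simulation fast.
Q, P = 1000000007, 1000000009
N = P * Q
E = 65537
D_Q = pow(E, -1, Q - 1)             # CRT exponent d_q = d mod (q-1) (slide 9)
K = Q.bit_length()                  # 30 bits
R = 1 << K                          # Montgomery constant for arithmetic mod q
R_INV_N = pow(R, -1, N)             # attacker sends u_g = g*R^-1 mod N (slide 15)
Q_NEG_INV = (-pow(Q, -1, R)) % R    # -q^-1 mod R, used by Montgomery reduction
NEIGHBOURHOOD = 400                 # neighbourhood size n used in [1] (slide 19)
TOP_BITS = 2                        # bits fixed by the peak search of slide 14
RNG = random.Random(1)              # fixed seed so the blinded run is repeatable


def montmul(a, b):
    """Montgomery product a*b*R^-1 mod Q.  Returns (product, extra) where
    extra is 1 when the conditional final subtraction, the "extra reduction"
    of slide 11, was executed."""
    t = a * b
    m = (t * Q_NEG_INV) & (R - 1)
    u = (t + m * Q) >> K            # u == t*R^-1 (mod Q) and 0 <= u < 2Q
    if u >= Q:
        return u - Q, 1
    return u, 0


def extra_reductions(c):
    """Extra reductions while the server computes (c mod q)^d_q mod q.  Plain
    square-and-multiply stands in for OpenSSL's sliding windows; the count of
    extra reductions stands in for the measured decryption time."""
    cbar = (c % Q) * R % Q          # Montgomery form of c mod q
    x = R % Q                       # Montgomery form of 1
    count = 0
    for bit in bin(D_Q)[2:]:
        x, extra = montmul(x, x)
        count += extra
        if bit == "1":
            x, extra = montmul(x, cbar)
            count += extra
    return count


def query(g, blinded=False):
    """One decryption query for the guess g, sent as u_g = g*R^-1 mod N so that
    the Montgomery form inside the server is g mod q.  With blinded=True the
    server first multiplies the ciphertext by r^e for a random r (slide 25);
    the final multiplication by r^-1 does not touch the mod-q exponentiation
    and is omitted here."""
    c = g * R_INV_N % N
    if blinded:
        c = c * pow(RNG.randrange(1, N), E, N) % N
    return extra_reductions(c)


def timing(g, blinded=False):
    """T_g = sum of the times over the neighbourhood g, g+1, ..., g+n-1 (slide 16).
    The neighbourhood must not straddle q; for this q it never does."""
    return sum(query(g + i, blinded) for i in range(NEIGHBOURHOOD))


def initial_guess(blinded=False):
    """Slide 14: the top bit of q is 1; try every pattern of the next TOP_BITS-1
    bits, time each, and take the first peak (time grows with g mod q and drops
    once g passes q).  Also returns the drop just past the peak as a reference
    'large' gap for the bit-by-bit phase."""
    step = 1 << (K - TOP_BITS)
    cands = [(1 << (K - 1)) | (j * step) for j in range(1 << (TOP_BITS - 1))]
    times = [timing(g, blinded) for g in cands]
    peak = next((j for j in range(len(cands) - 1) if times[j] > times[j + 1]),
                len(cands) - 1)
    g = cands[peak]
    return g, times[peak] - timing(g + step, blinded)


def recover_top_half(blinded=False):
    """Slides 15-16: learn bit i of q (i = 1 is the most significant) from
    |T_g - T_ghi|.  The threshold is half the reference gap from initial_guess();
    [1] instead reuses the large and small values seen on earlier bits."""
    g, large_ref = initial_guess(blinded)
    for i in range(TOP_BITS + 1, K // 2 + 1):
        g_hi = g | (1 << (K - i))
        gap = abs(timing(g, blinded) - timing(g_hi, blinded))
        if gap < large_ref // 2:    # small gap: g < g_hi < q, so bit i of q is 1
            g = g_hi
        # large gap: g < q < g_hi, so bit i of q is 0 and g already has it
    return g


if __name__ == "__main__":
    found = recover_top_half()
    print(f"recovered: {found:0{K}b}  (top {K // 2} bits of q)")
    print(f"actual q : {Q:0{K}b}")
    print("reference gap without blinding:", initial_guess()[1])
    print("reference gap with blinding:   ", initial_guess(blinded=True)[1])
```

Run stand-alone, the script prints the recovered top 15 bits of $q$ next to the real ones, then the reference gap with and without blinding: without blinding the gap is a few thousand extra reductions, with blinding it is noise around zero, which is why the bit decisions of `recover_top_half(blinded=True)` come out random.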

  26. References
  [1] David Brumley and Dan Boneh, "Remote Timing Attacks are Practical", USENIX Security Symposium, 2003.
  [2] Paul C. Kocher, "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems", CRYPTO '96, 1996.
  [3] Johann Großschädl, "The Chinese Remainder Theorem and its Application in a High-Speed RSA Crypto Chip".
  [4] http://www.rsasecurity.com/rsalabs/challenges/factoring/numbers.html
