
Side-Channel Attack: timing attack

Side-Channel Attack: timing attack. Hiroki Morimoto. Overview. Review of traditional attacks Side-Channel Attacks Timing Attack Several ways to compromise RSA Countermeasures Conclusion References. Review. Basic Attacks: exploiting security holes and weakness in the systems/algorithms


Presentation Transcript


  1. Side-Channel Attack: timing attack Hiroki Morimoto

  2. Overview • Review of traditional attacks • Side-Channel Attacks • Timing Attack • Several ways to compromise RSA • Countermeasures • Conclusion • References

  3. Review • Basic Attacks: • exploiting security holes and weaknesses in the systems/algorithms • choosing inadequate parameters • brute force • social engineering • more … • There are 3 types of cryptanalysis: • Ciphertext-only Attack • Known plaintext Attack • Chosen plaintext Attack

  4. What is a Side-Channel Attack • Side-channel attacks don’t belong to the traditional attacks • This attack is based on experiments and statistics, not mathematical theories • Two types of side-channel attack • Passive Attacks: • Observe the target, such as a computer or cell phone • Gain the “additional” information leaked from the physical implementations/devices caused by any operation • e.g. timing information, power consumption, electromagnetic leaks, voices/sounds • Active Attacks: • Add “additional” inputs • Change the environment or the target itself to cause abnormal operations or change the program flow • e.g. add voltage, clock glitching, or tempest virus

  5. Goal • Find information such as: • Algorithm/operation • Cryptographic key • Partial state information • Plaintext/ciphertext • more …

  6. Advantages • The attackers can implement it: • With information that is easy to obtain • With available inexpensive hardware • From a remote place • Often quicker than the regular attack • Compared to brute force and dictionary attacks • From a few seconds to a few hours • Without damaging regular operations and physical devices • Without notifying the victims

  7. Examples of Side-Channel Attacks • Timing Attack • Power Monitoring Attack • Fault Analysis • Magnetic Emanation Attack • Light Emission Attack • Sound Attack (includes wire-tapping and eavesdropping)

  8. Timing Attack • A timing attack is an example of an attack that exploits the implementation of an algorithm rather than the algorithm itself • Measure the time it takes for a certain unit to perform an operation • Keep the input, output, and consumed time • Check the correlation between time measurements of the guessed key or input and the empirical result (often statistically)

  9. Background • An operation takes slightly different amounts of time to process different inputs because of: • Bypassed operations such as branching or conditional statements • RAM cache hits • Processor instructions such as multiplication and division • Others … • Usually the consumed time depends on input data, cryptographic keys, and the modulus in cryptosystems

  10. Usages • Timing attacks are often used to compromise public-key cryptosystems such as RSA • For example, most smart cards use RSA. Therefore, inappropriate usage of it reveals its secret key easily • Sometimes, the key is tamper-proof • Timing attacks reveal key length, key values, plaintext, etc.

  11. RSA review • Multiple prime RSA key generating algorithm 1. Select two primes: p and q 2. Calculate n = p * q 3. Calculate φ(n) = (p-1) * (q-1) 4. Choose e where gcd(e, φ(n)) = 1 5. Calculate d = e^-1 (mod φ(n)) 6. Public key = (e, n) and private key = (d) • Encryption: c = m^e mod n • Decryption: m = c^d mod n

  12. Modular Exponentiation • The method of attack depends on the details of modular exponentiation • For efficiency, modular exponentiation is done via: • Simple multiplication • Repeated squaring • Chinese Remainder Theorem (CRT) • Montgomery multiplication • Sliding window • Karatsuba multiplication

  13. Simple Multiplication • In the simplest case, modular exponentiation is done by multiplying the number as many times as the value of the exponent, such as 2^13 = 2 * 2 * 2 * 2 * 2 * 2 * … • Therefore, the execution time is directly proportional to the exponent value (key value)

  14. Attacking Scenario: simple multiplication • An attacker eavesdrops on the decryption operation, where he gets a plaintext and its computation time (the decryption key is 13, which is hidden from the attacker) • He guesses the key is 12. He decrypts with the guessed key and it returns a smaller computation time • Then, he guesses the key is 14 and the returned computation time is greater than the empirical data • Now, he knows the key is between 12 and 14

  15. Repeated Squaring • The most common and fast algorithm • The number of loops is proportional to its key bit length • Kocher found a possible attack

  16. Algorithm • In each step, the number is squared and reduced mod n • If the current bit is 1, then a modular multiplication is executed • If the current bit is 0, go to the next step

  17. Pseudo-Code

      ```
      // Compute c = m^d (mod n)
      // where, in binary, d = (d0, d1, d2, …, dnum) with d0 = 1
      s = m
      for i = 1 to num
          s = s^2 (mod n)
          if di == 1 then
              s = s * m (mod n)
          end if
      next i
      return s
      ```

  18. Example • For example: • 5^20 = 95367431640625 = 25 mod 35 • With repeated squaring • d = 20 = 10100 base 2, m = 5, and n = 35 • Initialize s = 5^1 (d0 == 1) • s = (5 * 5) mod 35 and d1 == 0 → s = 25 • s = (25 * 25) mod 35 = 30 and d2 == 1, so (30 * 5) mod 35 → s = 10 • s = (10 * 10) mod 35 and d3 == 0 → s = 30 • s = (30 * 30) mod 35 and d4 == 0 → s = 25 • No huge numbers and it’s efficient • In this example, 5 steps vs 20 multiplications

  19. Attacking Scenario: repeated squaring • This attack also measures the correlation between guessed and empirical time measurements • The time consumed in the 2nd step depends on the 1st intermediate value (s) and the second bit of the key, and so forth. In other words, the high-order bits affect the result more than the low-order bits. • Thus the attacker begins at the top bit, then continues to the next bit and so on • The more bits the attacker already knows, the stronger the signal, and thus the easier it is to detect (error-correction property)

  20. Attacking Scenario: repeated squaring • First, the attacker wants to know the first bit of the secret key, where he has a target plaintext and knows its consumed time • He decrypts the plaintext with 1111 • Next he decrypts the plaintext with 0111 • Then he creates two graphs for each pair of consumed times • Then he finds the strong correlation for 0111, especially at the last step. Thus the first bit may be 0. • He continues this procedure to the next bit and so on • He can efficiently recover low-order bits when enough high-order bits are known because of the error-correction property
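The square-and-multiply loop from slides 16 to 18, as an added example that is not part of the original slides. It counts modular operations as a stand-in for execution time, which shows why the running time depends on the key bits; the function names and the operation counter are assumptions made for illustration.

```python
def square_and_multiply(m, d, n):
    """Left-to-right repeated squaring, following the slide's pseudo-code.

    Returns (result, trace, ops): trace holds s after each loop step and
    ops counts modular operations, a stand-in for execution time.
    """
    if d < 1:
        raise ValueError("exponent must be >= 1 so that d0 == 1")
    bits = bin(d)[2:]          # d0 is the leading 1 bit
    s = m % n
    trace, ops = [], 0
    for bit in bits[1:]:
        s = (s * s) % n        # every step squares
        ops += 1
        if bit == "1":         # key-dependent branch: the source of the leak
            s = (s * m) % n
            ops += 1
        trace.append(s)
    return s, trace, ops


def ops_by_exponent(m, n, exponents):
    """Operation count per exponent (the exponents are constructed samples)."""
    return {d: square_and_multiply(m, d, n)[2] for d in exponents}


if __name__ == "__main__":
    result, trace, ops = square_and_multiply(5, 20, 35)
    print("5^20 mod 35 =", result, "trace:", trace, "ops:", ops)
    # Same bit length (5 bits), different number of 1 bits, different cost.
    for d, count in ops_by_exponent(5, 35, [0b10000, 0b10100, 0b11111]).items():
        print(f"d = {d:05b}: {count} modular operations")
```

The trace reproduces the intermediate values of slide 18, and the three 5-bit exponents cost a different number of operations even though the loop runs the same number of times.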

  21. Chinese Remainder Theorem • Modular reduction is done by subtracting multiples of the modulus, which also takes most of the computation time • Given m = c^d (mod n) where n = pq • With CRT, first compute c^d modulo p, and then c^d modulo q. After that, “glue” them together • Two modular reductions of size n^(1/2) • As opposed to one reduction of size n • CRT provides significant speedup by a factor of 4 • (comment) several researchers claim the above two statements. However, I don’t think so!

  22. Algorithm • To compute C^d (mod N) where N = pq • First pre-compute: • dp = d (mod (p − 1)) • dq = d (mod (q − 1)) • Second, pre-find a and b such that • a = 1 (mod p) and a = 0 (mod q) • b = 0 (mod p) and b = 1 (mod q) • Now computes: • Solution is:

  23. Example • Suppose N = 33, p = 11, q = 3 and d = 7 • Pre-compute • dp = 7 (mod 10) = 7 • dq = 7 (mod 2) = 1 • Pre-find, a = 12 and b = 22 • Suppose decrypt C = 5 • Cp = 5 (mod 11) = 5 and Cq = 5 (mod 3) = 2 • xp = 5^7 = 3 (mod 11), xq = 2^1 = 2 (mod 3) • Solution: 5^7 = 3 * 12 + 2 * 22 = 14 (mod 33) • Regular Operation: C^d = 5^7 (mod 33) = 14

  24. Limitation: • Factors p and q of N must be known • Only for private key operations
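CRT decryption with the numbers from slide 23, as an added example that is not part of the original slides. The recombination step a * xp + b * xq (mod N) is taken from the arithmetic shown on slide 23; the function names are assumptions, and `pow(x, -1, n)` needs Python 3.8 or later.

```python
def crt_precompute(d, p, q):
    """Values computed once per key: dp, dq and the CRT coefficients a, b."""
    dp, dq = d % (p - 1), d % (q - 1)
    a = q * pow(q, -1, p)      # a = 1 (mod p) and a = 0 (mod q)
    b = p * pow(p, -1, q)      # b = 0 (mod p) and b = 1 (mod q)
    return dp, dq, a, b


def crt_decrypt(c, d, p, q):
    """Compute c^d mod pq from two half-size exponentiations.

    Returns (x, xp, xq) so the intermediate values can be compared with
    the worked example on slide 23.
    """
    dp, dq, a, b = crt_precompute(d, p, q)
    xp = pow(c % p, dp, p)     # exponentiation modulo p only
    xq = pow(c % q, dq, q)     # exponentiation modulo q only
    return (a * xp + b * xq) % (p * q), xp, xq


if __name__ == "__main__":
    print("precomputed (dp, dq, a, b):", crt_precompute(7, 11, 3))
    print("decrypt C = 5 -> (x, xp, xq):", crt_decrypt(5, 7, 11, 3))
    # Cross-check against direct exponentiation for every residue mod 33.
    assert all(crt_decrypt(c, 7, 11, 3)[0] == pow(c, 7, 33) for c in range(33))
```

Because the first step reduces the input modulo the secret prime p, the amount of reduction work depends on how the input compares with p, which is the dependency slides 25 and 26 describe.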

  25. Attacking Scenario: CRT • The attacker doesn’t have to know anything • As mentioned before, CRT first computes c^d modulo p, and then c^d modulo q • First guess c^d and measure the time consumed by the first (or second) operation. • If the p is smaller than c^d, it takes no time. • If the p is larger than c^d, it must subtract p at least once • Then extract p (or q)

  26. Attacking Scenario: CRT • The attacker wants to know the decryption key (d) • First, he tries to extract the value p, so he runs the program with c^d = 1, 3, 5, 7, 11 … and measures the consumed times • The consumed times are constant from 1 to 5, but increase after 7. Thus, p might be 7 • Then he does the same operation to find q • Now, he knows q and p • Thus, he can calculate n = p * q and φ(n) = (p-1) * (q-1) • Because e is public, d = e^-1 (mod φ(n))

  27. Countermeasures • How to prevent timing attacks or make them difficult • Reduce or eliminate coherence between the execution time and parameters such as input data, modulus, and keys OR • Add noise, because the number of samples needed to obtain enough information is proportional to the noise

  28. Examples of Countermeasures • Constant Time Calculation • Random Time Calculation • RSA Blinding • Avoid Conditional Operation • Time Equalization of Multiplication and Exponentiation

  29. Constant Time Calculation • In this strategy, the time it takes to do any operation must be independent of input and key (constant and equal every time) • Thus, every operation takes the slowest operational time by waiting • However, this strategy raises the execution time dramatically (corresponding to the worst case)

  30. Random Time Calculation • In this strategy, the time it takes to do any operation changes on every execution • It is done by waiting a random time before going to the next execution • However, this strategy also raises the execution time, and its random variance must be large and completely random

  31. RSA Blinding • The idea is the same as random time calculation: the time it takes to do any operation changes on every execution • However, the randomization is done by multiplying by a random seed before the operation and multiplying by the inverse of the seed after the operation. In other words, it changes m (plaintext) or c (ciphertext) • This strategy adds slight execution time

  32. Algorithm and Example • Algorithm: • Generate random r • First multiply by r^e: m” = r^e * c (mod N) • Then decrypt: m’ = (m”)^d (mod N) • Finally, multiply by r^-1 (mod N): m = r^-1 * m’ = r^-1 * (r^e * c)^d = r^-1 * r * c^d = c^d (mod N) • Example: c = 3, r = 2, e = 3, d = 7, and N = 33 • m” = 2^3 * 3 (mod 33) = 24 • m’ = 24^7 (mod 33) = 18 • m = ½ * 18 = 9 • Regular Operation: m = 3^7 (mod 33) = 9
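The blinding steps of slide 32 in runnable form, as an added example that is not part of the original slides. The function name and the choice of Python's `secrets` module for drawing r are assumptions; the check that r is invertible modulo N is added because the final step needs r^-1.

```python
import math
import secrets


def blinded_decrypt(c, d, e, n, r=None):
    """RSA decryption with blinding.

    Returns (m, m2, m1): m is c^d mod n, m2 and m1 are the slide's m'' and m'.
    If r is None, a fresh random r coprime to n is drawn for this call.
    """
    if r is None:
        while True:
            r = 2 + secrets.randbelow(n - 2)
            if math.gcd(r, n) == 1:
                break
    elif math.gcd(r, n) != 1:
        raise ValueError("r must be invertible modulo n")
    m2 = (pow(r, e, n) * c) % n      # m'' = r^e * c: what the exponentiation sees
    m1 = pow(m2, d, n)               # m'  = (m'')^d = r * c^d
    m = (pow(r, -1, n) * m1) % n     # m   = r^-1 * m' = c^d
    return m, m2, m1


if __name__ == "__main__":
    # Slide values: c = 3, r = 2, e = 3, d = 7, N = 33.
    print("r = 2:", blinded_decrypt(3, 7, 3, 33, r=2))
    # A different r feeds a different value into the private-key operation,
    # yet the recovered plaintext is unchanged.
    print("r = 4:", blinded_decrypt(3, 7, 3, 33, r=4))
    print("random r:", blinded_decrypt(3, 7, 3, 33))
```

The value raised to d changes with every r, so timing measurements can no longer be matched against a ciphertext the observer knows.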

  33. Avoid Branch and Conditional Operation • Conditional statements often depend on the input or key • As we mentioned before, branch and conditional statements (e.g. an if statement) change the consumed time • So eliminate any branch and conditional statement to equalize the computational time • Also, the calculation must be performed via elementary operations (such as AND, OR, and XOR)

  34. Time Equalization of Multiplication and Exponentiation • The times taken by multiplication and exponentiation (especially squaring) are different • Therefore, one needs to equalize them by performing both operations when only one of them is required and discarding the unnecessary result • So, the attacker will not be able to learn when and how many multiplications and exponentiations are made • This strategy also adds overhead
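Slides 33 and 34 combined, as an added example that is not part of the original slides: every iteration performs both the squaring and the multiplication, and an AND/XOR mask built from the key bit picks the result without an if statement. The function name and the fixed `bit_length` parameter are assumptions, and Python's big-integer arithmetic is not itself constant-time, so the block shows the operation sequence rather than a hardened implementation.

```python
def modexp_equalized(m, d, n, bit_length):
    """Square-and-multiply-always over a fixed number of exponent bits.

    Every iteration does one squaring and one multiplication; a mask
    derived from the key bit selects which value is kept, so there is no
    key-dependent branch. Returns (result, ops).
    """
    if d < 0 or d >> bit_length:
        raise ValueError("d does not fit in bit_length bits")
    s, ops = 1 % n, 0
    for i in reversed(range(bit_length)):
        bit = (d >> i) & 1
        squared = (s * s) % n
        product = (squared * m) % n      # computed even when bit == 0
        ops += 2
        mask = -bit                      # 0 for bit 0, all ones for bit 1
        s = squared ^ ((squared ^ product) & mask)   # branch-free select
    return s, ops


def distinct_op_counts(m, n, bit_length):
    """Set of operation counts seen over every exponent of that length."""
    return {modexp_equalized(m, d, n, bit_length)[1]
            for d in range(1 << bit_length)}


if __name__ == "__main__":
    print("5^20 mod 35 =", modexp_equalized(5, 20, 35, 5))
    # One count for all 32 five-bit exponents: the count no longer
    # depends on the key bits or on the position of the leading 1.
    print("operation counts observed:", distinct_op_counts(5, 35, 5))
```

The cost is the overhead the slide mentions: ten operations for every 5-bit exponent, compared with four to eight for the branching loop.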

  35. Conclusion • Side-channel attacks are a real threat with a wide range of possibilities and a large impact • A side-channel attack is not traditional cryptanalysis • A side-channel attack is easy, quick, and inexpensive, with little risk of being noticed by victims • When one designs an algorithm or system such as a cryptosystem, one must think about additional output leaked from the devices, too.

  36. References • Bar-El, Hagai. “Introduction to Side Channel Attack” • Kocher, Paul. “Timing Attacks On Implementation of DH, RSA, DSS and Other Systems” • Haas, Job. “Side Channel Analysis and Embedded Systems Impact and Countermeasure” • Endrodi, Csilla. “Side-Channel Attack of RSA” • Cid, Carlos. “Cryptanalysis of RSA: A Survey”
