Cryptographic Timing Attacks

Cryptographic Timing Attacks
Brian Honan
CS498 Senior Seminar, Dr. Yeh
April 12, 2007

What is a timing attack?
"Timing attacks enable an attacker to extract secrets maintained in a security system by observing the time it takes the system to respond to various queries." - David Brumley (Stanford University)
Timing attacks can be classified as both a covert channel and a side channel attack scheme.
- Covert channel: parasitic leaking (or signaling) of information to another process.
- Side channel: exploiting physical attributes: power consumption, timing, electromagnetic pulses.

Key people in timing attack theory
- Paul Kocher – designed timing attacks for RSA, DSA and Diffie-Hellman. One of the original architects of SSL. Currently, he is the founder and chief scientist of Cryptography Research Inc.
- David Brumley – doctoral student at Carnegie Mellon. Published numerous papers with Dan Boneh while studying for an MSCS from Stanford.
- Dan Boneh – professor at Stanford, developed a timing attack for SSL.
- Werner Schindler – developed a timing attack for RSA with CRT.
- Alejandro Hevia – discovered a vulnerability in the DES cryptosystem using timing attacks.
- Jean-Pierre Seifert – demonstrated a timing attack on RSA signatures.

Other Attacks on RSA
As studied in Crypto I and II…
- Fermat’s Attack (primes are close together)
- Pollard’s Attack (one prime is small)
- Initial Segment Attack (one prime has many 0’s)
- Directory Attack (requires many public keys)
- Exhaustive search (direct modulus factoring)

Timing attacks and RSA: wait a sec, first some math…
Before we get into timing attacks against RSA we need to take a look at the mathematical algorithms used by RSA cryptosystems. This will give us a good understanding of where to exploit the RSA schema.

Square and Multiply Algorithm
This algorithm dates back to 200 BC!
RSA decryption: $\text{ciphertext}^{\text{private key}} \bmod \text{modulus}$
Compute: $4^{20} \bmod 35$
Private key = $20_{10} = 10100_{2}$
$4^{1} = (4^{0})^{2} \cdot 4^{1} = 1 \cdot 4 = 4 \bmod 35$
$4^{2} = (4^{1})^{2} \cdot 4^{0} = 4^{2} \cdot 1 = 16 \bmod 35$
$4^{5} = (4^{2})^{2} \cdot 4^{1} = 16^{2} \cdot 4 = 1024 = 9 \bmod 35$
$4^{10} = (4^{5})^{2} \cdot 4^{0} = 9^{2} \cdot 1 = 81 = 11 \bmod 35$
$4^{20} = (4^{10})^{2} \cdot 4^{0} = 11^{2} \cdot 1 = 121 = 16 \bmod 35$

Montgomery’s Algorithm
Extensively used by RSA modular exponentiation.
This algorithm is beyond the scope of this presentation! - I would have to provide Tylenol. But I wanted to mention it since there are timing attacks against this algorithm as well.
The basic idea is that the algorithm selects a larger modulus (based on HW limitations) for square and multiply algorithms to reduce the number of steps.
The attack exploits the fact that the algorithm also has a conditional IF statement to compute an ‘extra reduction’. This step requires additional time and is based on the binary representation of the modulus (similar to square and multiply).

Timing Attack requirements…
A timing attack is a ‘chosen input’ attack. So there are a few requirements:
- Access to the hardware device.
- Ability to measure calculation time – precisely.
- Attacker knows the security system (RSA, etc…)
- Attacker knows the modulus.
- Running times are reproducible.

Now the main idea…
I wrote this and had to re-read it 3 times to understand it.
If the computation takes a predictable interval to compute based on a set of inputs, and we know the steps of the algorithm, we can conversely use this information to discover other inputs by observing the time interval in a given computation.
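Added example, not part of the original slides: the square-and-multiply loop from the worked slide, instrumented to count multiplications, next to a multiply-always variant that performs a dummy multiplication on 0 bits. The function names and the extra exponents 16 and 31 are assumptions chosen for illustration; Python integer arithmetic is not constant-time, so this shows operation counts only.

```python
# Added example, not from the slides: counts the multiplications that
# square-and-multiply performs, which is the quantity a timing attack observes.

def square_and_multiply(base, exponent, modulus):
    """Left-to-right binary exponentiation as worked on the slide.

    Returns (result, multiplications). The count equals the number of
    1 bits in the exponent, so run time depends on the private key.
    """
    result, mults = 1, 0
    for bit in bin(exponent)[2:]:              # most significant bit first
        result = (result * result) % modulus   # square on every bit
        if bit == "1":                         # key-dependent branch
            result = (result * base) % modulus
            mults += 1
    return result, mults


def square_and_multiply_always(base, exponent, modulus):
    """Same result, with one multiplication per bit whatever its value.

    Illustrates the operation count only: Python integers are not
    constant-time, so this is not a hardened implementation.
    """
    result, mults = 1, 0
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        product = (result * base) % modulus    # computed on 0 bits too (dummy)
        mults += 1
        if bit == "1":
            result = product                   # dummy product is dropped otherwise
    return result, mults


def count_profile(func, exponents, base=4, modulus=35):
    """Map each exponent to the multiplication count func reports for it."""
    return {e: func(base, e, modulus)[1] for e in exponents}


if __name__ == "__main__":
    keys = [0b10000, 0b10100, 0b11111]         # constructed 5-bit exponents: 16, 20, 31
    print(square_and_multiply(4, 20, 35))      # the slide's 4^20 mod 35
    print(count_profile(square_and_multiply, keys))
    print(count_profile(square_and_multiply_always, keys))
```

For exponents of equal bit length, the first profile varies with the number of 1 bits while the second is flat.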

Timing attack prevention (1/2)
We have seen attacks against poorly selected criteria. - this is the user’s responsibility…
"A timing attack can determine the two co-prime factors of a 1024-bit RSA modulus in 300-570 time measurements. All attacks were successful." – Werner Schindler
So how can we stop a timing attack? - the technique is called ‘blinding’

Timing attack prevention (2/2)
Blinding: provide a service for a client without knowing the ‘real’ input or output.
Blinding techniques:
1. Instead of doing nothing when not computing the extra reduction, perform a dummy computation.
2. Pad the cipher with random data, then remove the data after the computation.
$E(x) = x r^{e} \bmod n$
$f(x) = E(x)^{d} \bmod n$
$D(x) = f(x)^{e}/r \bmod n$
$r$ = random number
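Added example, not part of the original slides: an RSA private-key operation with multiplicative blinding, written in the standard form where the random factor is removed by multiplying with r^-1 mod n. The key (n = 3233, e = 17, d = 2753) is a constructed textbook-sized key and the function names are assumptions; `pow(r, -1, n)` needs Python 3.8 or later.

```python
import math
import secrets

# Constructed textbook-sized RSA key, for illustration only (not a usable key size).
N = 61 * 53          # modulus n = 3233
E = 17               # public exponent e
D = 2753             # private exponent d, with e*d = 1 mod (60*52)


def blinded_private_op(c, n=N, e=E, d=D):
    """Return (c^d mod n, blinded input) using a fresh random r per call."""
    while True:
        r = secrets.randbelow(n - 2) + 2       # r in [2, n-1]
        if math.gcd(r, n) == 1:                # r must be invertible mod n
            break
    blinded = (c * pow(r, e, n)) % n           # E(x) = x * r^e mod n
    f = pow(blinded, d, n)                     # f(x) = E(x)^d mod n = x^d * r mod n
    unblinded = (f * pow(r, -1, n)) % n        # remove r: multiply by r^-1 mod n
    return unblinded, blinded


def distinct_blinded_inputs(c, runs=20):
    """Values actually exponentiated with d across repeated calls on the same c."""
    return {blinded_private_op(c)[1] for _ in range(runs)}


if __name__ == "__main__":
    ciphertext = pow(65, E, N)                 # constructed message 65, encrypted
    print(blinded_private_op(ciphertext)[0])   # recovers 65 on every call
    print(len(distinct_blinded_inputs(ciphertext)))
```

Because the value raised to d changes on every call, the time taken no longer corresponds to an input the caller chose.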

Any Questions?
Thank you

Presentation References:
- Fast Exponentiation in Practice. M.B. Tandrup, M.H. Jensen, R.N. Andersen, T.F. Hansen. Dec. 6, 2004
- D. Brumley, D. Boneh: Remote Timing Attacks are Practical. In: Proceedings of the 12th Usenix Security
- P.C. Kocher. Timing Attacks on Implementations of DH, RSA, DSS and other systems. Proceedings of Cryptography 1996. Springer, 1996.
- JP. Seifert. On Authenticated Computing and RSA-Based Authentication. ACM Press, 2005.
- Wikipedia – “Blinding Technique”
More available in Report…