Torturing OpenSSL Todd Austin University of Michigan with Andrea Pellegrini, William Arthur and Valeria Bertacco (Based on Valeria’s BlackHat 2012 Presentation)

2 Understanding Side Channel Attacks  Systems leak info about internal computation E.g., safes can be cracked by carefully listening to the tumblers  Clever attackers can utilize leaked info to grain secrets Generally not directly Use statistical methods over time  Attacks implementation, rather than algorithm

3 Fault-Based Attack of RSA Correct behavior: Server challenge: s = m d mod n Client verifies: m = s e mod n Faulty Server: ŝ != m d mod n Public Key (e,n) Private Key (d,n) m s Public Key (e,n) Private Key (d,n) m ŝ m Tactical advantage: We have years to implement this attack!

4 Injecting Faults in RSA Authentication Making hardware fail: Lower voltage causes signals to slow down, thus missing the deadline imposed by the system clock High temperatures increase signal propagation delays  Over-clocking shortens the allowed time for traversing the logic cloud  Charged particles cause internal signals to change value, causing errors

5 Wanted: Single-Bit Errors in Multiplication A corrupted signature leaks data if only one multiplication is corrupted by a single bit flip Voltage [V] Single bit faults (%) Faulty products (%) Single bit faults Faulty multiplications

6 Implementing the Fault-Based Attack Fault-Based Attack of RSA Attackers 1. Subject server to potential single-bit faults in multiplications 2. Repeatedly authenticate to collect faulty RSA signatures 3. Offline, analyze RSA signatures to extract private key bits 4. Repeat steps 2 & 3 until entire RSA private key identified

7 Extracting the Key with Offline Analysis  The attacker collects the faulty signatures  The private key is recovered one window at the time  The attacker checks its guess against the collected faulty signatures Public Key ŝŝŝŝ Private Key m ŝŝŝŝ d=XXXXd3d3 d2d2 d1d1 d0d0

8 Computing (s=m d mod n) in OpenSSL 1101 s=1 for each window: for each bit in window: //4times s = (s * s) mod n s = (s * mˆd[window]) mod n return s d=214= 0110 s=1 s= m 1101 s= (∙∙∙(m 1101 ) 2 ) 2 ) 2 ) 2 s= (∙∙∙(m 1101 ) 2 ) 2 ) 2 ) 2 )m 0110 window 1window 2

9 Faulty Signature: ŝ!=m d mod n s=1 for each window: for each bit in window: //4times s = (s * s) mod n s = (s * mˆd[window]) mod n return s s=1 s= m 1101 ŝ = (∙∙∙(m 1101 ) 2 ) 2 ) ± 2 f ) 2 ) 2 ŝ = (∙∙∙(m 1101 ) 2 ) 2 ) ± 2 f ) 2 ) 2 )m d=214= 0110 window 1window 2

10 Reconstructing the Signature The private key is recovered one window at the time, guessing where and when the fault hits ŝ = (∙∙∙(m d k ) 64 )m d k-1 ) 2 ) 2 ) 2 ±2 f ) 2 ) 2 ) 2 ) m d k-2 ) 64 …m d 0 Already known Value? Which multiplication? Which bit? d=XXXdkdk d k-1 … For each window value to be guessed and signature we test: 16 possible key values 2 possible error values (0→1 or 1→0) 4 squaring iterations

11 Implementing Offline Analysis  In practice 40 bit positions typically affected by faults → the computation time is reduced to 2.5 seconds  Analyzing 8,800 corrupted signatures requires 1 CPU- year – only ~1,000 are useful  Signatures can be checked in parallel  Performed the analysis with 81 workstations ŝŝŝŝŝŝ

12 Fault-Based Attack of Leon3 SPARC RSA 1024-bit private key 8,800 corrupted signatures collected in 10 hours Distributed application with 81 machines for offline analysis Private key recovered in 100 hours

13 Exploring Temperature-Induced Faults

14 Number of Key Bits Revealed (128-bit RSA) Surprising insight: Attack is easier to implement with more sophisticated cooling systems

15 Conclusions  Transient faults can leak vital private key data  Fault-based attack devised for OpenSSL 0.9.8i ’s Fixed Window Exponentiation algorithm  Attack demonstrated on a complete physical Leon3 SPARC system  Software fix using “blind”ing available in OpenSSL to protect against timing attacks  Published: “Fault-based Attack of RSA Authentication” - DATE 2010  Presented: BlackHat 2012