Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptographic Timing Attacks

Published byŁucja Marszałek Modified over 6 years ago

Similar presentations

Presentation on theme: "Cryptographic Timing Attacks"— Presentation transcript:

1 Cryptographic Timing Attacks
Brian Honan CS498 Senior Seminar Dr. Yeh April 12, 2007

2 What is a timing attack? Timing attacks enable an attacker to extract secrets maintained in a security system by observing the time it takes the system to respond to various queries. -David Brumley (Stanford University) Timing attacks can be classified as both a covert channel and side channel attack scheme. Covert channel: parasitic leaking (or signaling) of information to another process. Side channel: exploiting physical attribs, power consumption, timing, electromagnetic pulses.

3 Key people in timing attack theory
Paul Kocher – designed timing attacks for RSA, DSA and Diffie-Hellman. One of the original architects of SSL. Currently, he is the founder and chief scientist of Cryptography Research Inc. David Brumley – Doctoral student at Carnegie Mellon. Published numerous papers with Dan Boneh while studying for a MSCS from Stanford. Dan Boneh – professor at Stanford, developed a timing attack for SSL. Werner Schindler – developed timing attack for RSA with CRT. Alejandro Hevia – discovered vulnerability in DES crypto system using timing attacks. Jean-Pierre Seifert – demonstrated timing attack on RSA signatures.

4 Other Attacks on RSA As studied in Crypto I and II…
Fermat’s Attack (primes are close together) Pollard’s Attack (one prime is small) Initial Segment Attack (one prime has many 0’s) Directory Attack (requires many public keys) Exhaustive search (direct modulus factoring)

5 Timing attacks and RSA wait a sec, first some math…
Before we get into timing attacks against RSA we need to take a look at the mathematical algorithms used by RSA cryptosystems. This will give us a good understanding of where to exploit the RSA schema.

6 Square and Multiply Algorithm This algorithm dates back to 200BC!
RSA decryption: ciphertextprivate key mod modulus Compute: 420 mod 35 Private key = 2010 = 41 = (40)2 * 41 = 1 * 4 = 4 mod = (41)2 * 40 = * 1 = 16 mod = (42)2 * 41 = 162 * 4 = 1024 = 9 mod = (45)2 * 40 = 92 * 1 = 81 = 11 mod = (410)2 * 40 = 112 * 1 = 121 = 16 mod 35

7 Montgomery’s Algorithm
Extensively used by RSA modular exponentiation. This algorithm is beyond the scope of this presentation! - I would have to provide tylenol But I wanted to mention it since there are timing attacks against this algorithm as well. The basic idea is that the algorithm selects a larger modulus (based on HW limitations) for square and multiply algorithms to reduce the number of steps. The attack exploits the fact that the algorithm also have an conditional IF statement to compute an ‘extra reduction’. This step requires additional time and is based on the binary representation of the modulus (similar to square and multiply).

8 Timing Attack requirements…
A timing attack is a ‘chosen input’ attack. So there are a few requirements: Access to the hardware device. Ability to measure calculation time – precisely. Attacker knows the security system (RSA, etc…) Attacker knows the modulus. Running times are reproducible.

9 Now the main idea… I wrote this and had to re-read it 3 times to understand it.
If the computation takes a predictable interval to compute based on a set of inputs, and we know the steps of the algorithm, we can conversely use this information to discover other inputs by observing the time interval in a given computation.

10 Timing attack prevention (1/2)
We have seen attacks against poorly selected criteria. - this is the user’s responsibility… A timing attack can determine the two co-prime factors of a 1024-bit RSA modulus in time measurements. All attacks were successful. – Werner Schlinder So how can we stop a timing attack? - the technique is called ‘blinding’

11 Timing attack prevention (2/2)
Blinding: provide a service for a client without knowing the ‘real’ input or output. Blinding techniques: 1. instead of doing nothing when not computing the extra reduction, perform a dummy computation. 2. Pad the cipher with random data, then remove the data after the computation. E(x) = xre mod n  f(x) = E(x)d mod n  D(x) = f(x)e/r mod n r = random number

12 Any Questions? Thank you Presentation References:
Fast Exponentiation in Practice. M.B. Tandrup, M.H. Jensen, R.N. Andersen, T.F. Hansen. Dec. 6, 2004 D. Brumley, D. Boneh: Remote Timing Attacks are Practical. In: Proceedings of the 12th Usenix Security P.C. Kocher. Timing Attacks on Implementations of DH, RSA, DSS and other systems. Proceedings of Cryptography Springer, 1996. JP. Seifert. On Authenticated Computing and RSA-Based Authentication. ACM Press, 2005. Wikipedia – “Blinding Technique” More available in Report… Thank you

Download ppt "Cryptographic Timing Attacks"

Similar presentations

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.
Cryptography and Network Security

Cryptography and Network Security
Abdullah Sheneamer CS591-F2010 Project of semester Presentation University of Colorado, Colorado Springs Dr. Edward RSA Problem and Inside PK Cryptography.

Abdullah Sheneamer CS591-F2010 Project of semester Presentation University of Colorado, Colorado Springs Dr. Edward RSA Problem and Inside PK Cryptography.
Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.

Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.
Remote Timing Attacks -Rashmi Kukanur. Agenda  Timing Attacks  Case Study : –David Brumley –Dan Boneh  Defenses.

Remote Timing Attacks -Rashmi Kukanur. Agenda  Timing Attacks  Case Study : –David Brumley –Dan Boneh  Defenses.
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
Cryptography and Network Security Chapter 9. Chapter 9 – Public Key Cryptography and RSA Every Egyptian received two names, which were known respectively.

Cryptography and Network Security Chapter 9. Chapter 9 – Public Key Cryptography and RSA Every Egyptian received two names, which were known respectively.
Public Key Cryptography and the RSA Algorithm

Public Key Cryptography and the RSA Algorithm
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.

Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.
Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.

Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Side-Channel Attack: timing attack Hiroki Morimoto.

Side-Channel Attack: timing attack Hiroki Morimoto.
Cryptography and Network Security Chapter 9 5th Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 9 5th Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Dan Boneh Public Key Encryption from trapdoor permutations RSA in practice Online Cryptography Course Dan Boneh.

Dan Boneh Public Key Encryption from trapdoor permutations RSA in practice Online Cryptography Course Dan Boneh.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.
RSA Ramki Thurimella.

RSA Ramki Thurimella.
Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.

Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.

Similar presentations

Ads by Google