Remote Timing Attacks - Rashmi Kukanur. Agenda: Timing Attacks; Case Study (David Brumley, Dan Boneh); Defenses.


1 Remote Timing Attacks - Rashmi Kukanur

2 Agenda
- Timing Attacks
- Case Study:
  - David Brumley
  - Dan Boneh
- Defenses

3 What is a Timing Attack
- Timing attack: extract secrets (private keys) from a security system by measuring the amount of time required to perform private-key operations.
- General belief: web servers and RSA implementations are not vulnerable.

4 Cause of concern
- RSA security is broken when the factors of the modulus are exposed
- OpenSSL is widely used
- Challenges the security of many crypto implementations

5 RSA review
1. Select two large prime numbers $p$ and $q$.
2. Let $N = pq$ be the modulus.
3. Choose $e$ relatively prime to $(p-1)(q-1)$.
4. Find $d$ such that $ed = 1 \bmod (p-1)(q-1)$.
5. Public key: $(N, e)$
6. Private key: $d$
- Encryption: $C = M^e \bmod N$
- Decryption: $M = C^d \bmod N$

6 OpenSSL implementation of RSA
- Chinese Remainder Theorem
- Exponentiation
  - Sliding windows
- Multiplication routines
  - Karatsuba algorithm, $O(n^{\log_2 3})$
  - Normal multiplication, $O(nm)$
- Montgomery reduction

7 Chinese Remainder Theorem
- Let the $m_i$ be pairwise relatively prime and
- $M = m_1 m_2 \cdots m_k$, $M_i = M / m_i$
- $c_i = M_i \,(M_i^{-1} \bmod m_i)$
- $a_i = A \bmod m_i$
- $A \bmod M = (a_1 c_1 + a_2 c_2 + \cdots + a_k c_k) \bmod M$

8 RSA Decryption
- $C^d \bmod pq$ can be computed from
- $m_1 = C^{d_1} \bmod p$, $m_2 = C^{d_2} \bmod q$ as
- $(m_1 c_p + m_2 c_q) \bmod pq$, where
- $c_p = q\,(q^{-1} \bmod p)$, $c_q = p\,(p^{-1} \bmod q)$
- RSA decryption with CRT speedup

9 Timing differences comparison
- Montgomery reduction
  - Schindler's observation: $\Pr[\text{Extra Reduction}] = \dfrac{g \bmod q}{2R}$
- Multiplication routine
  - Karatsuba
  - Normal multiplication

10 Time variance - overview
                        g < q     g > q
Montgomery effect       Longer    Shorter
Multiplication effect   Shorter   Longer
g is the decryption value. Each is dominant at a different phase.

11 Timing Attack on OpenSSL
- Let $N = pq$ with $q < p$.
- Approximate $q$ (approaching)
- Guessing $q$: $g$; try $g_{hi}$ to decide
[Figure: diagram of the bits of the guess, indexed 1, 2, 3, …, i-1, i]

12 Timing Attack (Contd.)
- Initial guess $g$ of $q$ lies between $2^{512}$ (i.e. $2^{\log_2 N/2}$) and $2^{511}$ (i.e. $2^{\log_2 N/2 - 1}$)
- Try all the possible combinations of the top few bits and pick the first peak, i.e. $q$.

13 Timing Attack (Contd.)
- Let $g = q$ for the top $i-1$ bits. The remaining bits of $g$ are 0 ($g < q$).
- Recover the $i$'th bit of $q$ as follows:
  - (1) $g_{hi} = g$, but with the $i$'th bit set to 1. If the $i$'th bit of $q$ is 1 then $g < g_{hi} < q$, else $g < q < g_{hi}$.
  - (2) $u_g = g R^{-1} \bmod N$, $u_{g_{hi}} = g_{hi} R^{-1} \bmod N$
  - (3) $t_1 = \text{DecryptTime}(u_g)$, $t_2 = \text{DecryptTime}(u_{g_{hi}})$
  - (4) $D = |t_1 - t_2|$
- If $D$ is large then $g < q < g_{hi}$ and the $i$'th bit of $q$ is 0, otherwise the bit is 1.
- Previous $D$ values considered
- Decrypting just $g$ results in a weak indicator in sliding windows.

14 Experiment 1
- Parameters
  - Neighborhood size n, sample size s
  - Total number of queries is s*n
- Using a sample size of 7 and a neighborhood of 400: 1433600 total queries.
- Attack time (on a 1024-bit key) is about 2 hours.

15 Experiment 2
- Architecture effects: compare two versions of a program making local calls to OpenSSL: "regular" and "extra-inst", the latter with 6 additional nops before decryption.

16 Experiment 3
- Compile-time effects:
  - Optimized (-O3 -fomit-frame-pointer -mcpu=pentium)
  - No Pentium flag (-O3 -fomit-frame-pointer)
  - Unoptimized (-g)

17 Defense
- Defense:
  - Use only one multiplication routine and always carry out the extra reduction in Montgomery's algorithm
  - Quantize all RSA computations
  - Blinding (currently preferred)

18 Blinding Defenses
- Before decryption compute $x = r^e g \bmod N$, where $r$ is random.
- Then decrypt $x$ and compute $x/r$.
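
Added example (not part of the original slides, and not OpenSSL's code): the blinding defense from slide 18 wrapped around the CRT decryption from slide 8, on a constructed toy key. The function names, the key values and the choice d1 = d mod (p-1), d2 = d mod (q-1) are assumptions made for the illustration.

```python
import math
import secrets

# Constructed toy key: far too small for real use, chosen so the example runs offline.
P, Q = 1000003, 999983             # primes with q < p, as on the slides
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # ed = 1 mod (p-1)(q-1)

def crt_decrypt(g):
    """RSA decryption with the CRT speedup (slide 8)."""
    # Assumption: d1 = d mod (p-1), d2 = d mod (q-1); the slides do not define them.
    m1 = pow(g, D % (P - 1), P)
    m2 = pow(g, D % (Q - 1), Q)
    c_p = Q * pow(Q, -1, P)
    c_q = P * pow(P, -1, Q)
    return (m1 * c_p + m2 * c_q) % N

def blind(g, r):
    """x = r^e * g mod N: the value the private-key code actually processes."""
    return (pow(r, E, N) * g) % N

def blinded_decrypt(g, r=None):
    """Decrypt g so that the timing depends on a random x rather than on g."""
    # Draw a fresh r per call; it must be invertible mod N to unblind.
    while r is None or math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    y = crt_decrypt(blind(g, r))       # y = x^d = r * g^d mod N
    return (y * pow(r, -1, N)) % N     # divide by r

if __name__ == "__main__":
    m = 123456789                      # constructed sample message
    c = pow(m, E, N)
    print(crt_decrypt(c) == m, blinded_decrypt(c) == m)
```

Because r changes on every call, the input to the exponentiation is unrelated to the value g supplied by the client, so the Montgomery and multiplication timing effects no longer track g relative to q.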

