Transforming out Timing Leaks (Agat’s approach) Terkel K. Tolstrup Informatics and Mathematical Modelling Technical University of.


1 Transforming out Timing Leaks (Agat’s approach) Terkel K. Tolstrup Email: tkt@imm.dtu.dk Informatics and Mathematical Modelling Technical University of Denmark

2 Security Leakage
- Direct Leakage
- Indirect Leakage
- Termination Leakage
  - Special case of Timing Leakage
- Timing Leakage
Timing Leakage is normally considered a Covert Channel

3 Termination Leaks – Intuitively
- What kind of programs leak through termination channels?
  - while h do skip?
  - if h then skip else loop?

4 Timing Leaks – Intuitively
- What kind of programs leak through timing channels?
  - while h>0 do h:=h-1?
  - if h then h1:=h1+1; h1:=h1+1 … else skip?

5 Covert Channels
- Unintentional leak of information (Covert Channel)
- Attacker learns secrets by observing normal behavior of systems, wrt.
  - Timing
  - Power consumption
  - Noise, Faults/Errors, Electromagnetic…
- Often used to break implementations of cryptosystems

6 Timing Channels
- Timing attacks: use observations of the timing behavior of a system to guess secrets
- Several accounts of practical attacks:
  - [Kocher’96]: On Diffie-Hellman, RSA, DSS…
  - [Dhem et al’98]: Practical implementation on Smartcard
  - …

7 Timing Channels - Goals
- Ultimate goal: Find the secret key, so that all cipher texts can be decrypted.
- Distinguishability: Find probabilities that allow the attacker to distinguish between different plaintexts.
- Made more powerful in combination with the exploitation of other side channels.

8 Performing a timing attack
- The attacker knows the first m bits of the secret key
[Diagram labels: Initiate contact; Public Key; Guess: m+1’th bit; Reply]
Time difference allows attack by varying guess

9 Example of a timing channel
- Attacker observes timing differences caused by (Multiply) and (Add), and learns secrets about D

Scalar multiplication in EC:
    Q = P
    for i=0 to l do
        Q = 2 * Q
        if D(i) then
            Q = Q + P        (Add)
        endif

Exponentiation in RSA:
    Y = X
    for i=0 to l do
        Y = Y * Y
        if D(i) then
            Y = Y * X        (Multiply)
        endif

10 Programming Language

11 Getting rid of Termination Leaks – Identifying the cause

12 Getting rid of Termination Leaks – Being conservative
- Let modify the inference rule
- How does this work?
  - while h do skip? Not Allowed
  - while l do skip? Allowed
  - if h then while l do skip else skip? Allowed

13 Getting rid of Termination Leaks – This time for real
- Let modify the inference rule
- How does this work?
  - while h do skip? Not allowed
  - while l do skip? Allowed
  - if h then while l do skip else skip? Not allowed

14 Getting rid of Timing Leaks – Identifying the cause
- Did we get rid of Timing Leaks while taking care of Termination Leaks?
- Not caused by while loops anymore, because they are only allowed to handle non-secret information.
- But what about
  - if h then h := h + 1; h := h + 1;… else skip?

15 Getting rid of Timing Leaks – Being conservative

16 Hold on! – We are being too conservative
- This approach results in only having secret information on the right-hand side of assignments:
  - x := … h …
- That probably won’t allow many useful/real programs.

17 Getting rid of Timing Leaks – Identifying the cause (cont.)
- The cause of the timing leaks in if statements is that the branches have different execution times
- Assume we knew the worst-case execution time of any piece of program!
- Then we could write programs like:
  - if h then C1 else C2; … “waste time until worst-case

18 Getting rid of Timing Leaks – Agat’s approach
- Transform programs such that they waste time until both branches are done
- What is worst-case?
  - C1?
  - C2?
  - How about the running time of C1;C2?

19 Getting rid of Timing Leaks – Agat’s approach
- Transform programs such that they waste time until both branches are done
  - if h then C1 else C2
  - if h then C1;C2 else C1;C2
- What is Agat’s problem?
[Slide annotations: S2, S1]

20 Getting rid of Timing Leaks – Making the slides
- Assignments (to H):
- Assignments (to L):

21 Getting rid of Timing Leaks – Making the slides (cont.)
- Composition (C;D):
- Loop (while e do C):

22 Getting rid of Timing Leaks – Making the slides (cont.)
- Conditional (on H):
- Conditional (on L):

23 Example of a timing channel – Revisited
- Attacker observes timing differences caused by (Multiply) and (Add), and learns secrets about D

Scalar multiplication in EC:
    Q = P
    for i=0 to l do
        Q = 2 * Q
        if D(i) then
            Q = Q + P        (Add)
        endif

Exponentiation in RSA:
    Y = X
    for i=0 to l do
        Y = Y * Y
        if D(i) then
            Y = Y * X        (Multiply)
        endif

24 Example of a timing channel – Revisited
- Attacker observes timing differences caused by (Multiply) and (Add), and learns secrets about D ––– Not anymore!

Scalar multiplication in EC:
    Q = P
    for i=0 to l do
        Q = 2 * Q
        if D(i) then
            Q = Q + P                (Add)
        else
            skipAsn Q (Q + P)
        endif

Exponentiation in RSA:
    Y = X
    for i=0 to l do
        Y = Y * Y
        if D(i) then
            Y = Y * X                (Multiply)
        else
            skipAsn Y (Y * X)
        endif
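Added example, not part of the original slides: a small Python model of the padding shown on slides 19 and 24, run on the exponentiation loop from slide 9. The tuple encoding, the function names and the one-tick-per-assignment-or-guard cost model are assumptions of this example, as is reading S1/S2 as the dummy (skipAsn) copies of C1/C2; every `if` guard is treated as secret.

```python
# Encoding (constructed for this example): ("asn", x, f), ("skipAsn", x, f),
# ("if", g, c1, c2) with secret guard g, ("for", x, n, body) with public bound n.

def low_slice(block):
    """Dummy copy of a block: same tick count, no effect on the store."""
    out = []
    for s in block:
        if s[0] == "for":
            raise ValueError("loop inside a secret branch is not handled")
        out.append(("if", s[1], low_slice(s[2]), low_slice(s[3])) if s[0] == "if"
                   else ("skipAsn", s[1], s[2]))
    return out

def cross_copy(block):
    """if h then C1 else C2  ->  if h then C1;S2 else S1;C2 (S = dummy copy)."""
    out = []
    for s in block:
        if s[0] == "if":
            c1, c2 = cross_copy(s[2]), cross_copy(s[3])
            s = ("if", s[1], c1 + low_slice(c2), low_slice(c1) + c2)
        elif s[0] == "for":
            s = ("for", s[1], s[2], cross_copy(s[3]))
        out.append(s)
    return out

def run(block, env):
    """Execute a block; return ticks (one per assignment or guard test)."""
    ticks = 0
    for s in block:
        if s[0] == "for":
            for i in range(s[2]):
                env[s[1]] = i
                ticks += run(s[3], env)
        elif s[0] == "if":
            ticks += 1 + run(s[2] if s[1](env) else s[3], env)
        else:
            value, ticks = s[2](env), ticks + 1   # asn and skipAsn cost the same
            if s[0] == "asn":
                env[s[1]] = value                 # only a real assignment stores
    return ticks

def measure(D, padded, x=3):
    """Ticks and final Y of slide 9's exponentiation loop for secret bits D."""
    prog = [("asn", "Y", lambda e: e["X"]), ("for", "i", len(D), [
        ("asn", "Y", lambda e: e["Y"] * e["Y"]),
        ("if", lambda e: D[e["i"]], [("asn", "Y", lambda e: e["Y"] * e["X"])], [])])]
    env = {"X": x}
    return run(cross_copy(prog) if padded else prog, env), env["Y"]
```

Unpadded, the tick count grows with the number of 1 bits in D; padded, it depends only on the length of D while the computed value is unchanged. The tick model is abstract and does not capture operand-dependent multiplication time on real hardware.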

25 Food for thought – Loosening the analysis (loops)
- Can we apply Agat’s approach on while loops?
- Let’s unroll the loops once and try:
  - while h do C
  - if h then C; while h do C else skip
- What is our problem?

26 The Information Flow Challenge
- The Information Flow Challenge is a web-based game that lets the player try to outsmart an information flow analysis that becomes increasingly restrictive for each challenge the player finishes.
- Play with what you have learned in this course!

27 The Information Flow Challenge
