Vitaly Shmatikov, CS 380S: Timing Attacks

Slide 1: Timing Attacks
Vitaly Shmatikov, CS 380S

Slide 2: Reading
- Kocher. “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems” (CRYPTO 1996).
- Brumley and Boneh. “Remote Timing Attacks Are Practical” (Best Paper Award, USENIX Security 2003).

Slide 3: Attacking Cryptographic Schemes
- Cryptanalysis
  - Find mathematical weaknesses in constructions
  - Statistical analysis of plaintext / ciphertext pairs
- Side channel attacks
  - Exploit characteristics of implementations
  - Power analysis
  - Electromagnetic radiation analysis
  - Acoustic analysis
  - Timing analysis

Slide 4: Timing Attack
- Basic idea: learn the system’s secret by observing how long it takes to perform various computations
- Typical goal: extract private key
- Extremely powerful because isolation doesn’t help
  - Victim could be remote
  - Victim could be inside its own virtual machine
  - Keys could be in tamper-proof storage or smartcard
- Attacker wins simply by measuring response times

Slide 5: RSA Cryptosystem
- Key generation:
  - Generate large (say, 512-bit) primes p, q
  - Compute n = pq and φ(n) = (p-1)(q-1)
  - Choose small e, relatively prime to φ(n)
    - Typically, e = 3 (may be vulnerable) or e = 2^16 + 1 = 65537 (why?)
  - Compute unique d such that ed = 1 mod φ(n)
  - Public key = (e, n); private key = d
    - Security relies on the assumption that it is difficult to compute roots modulo n without knowing p and q
- Encryption of m (simplified!): c = m^e mod n
- Decryption of c: c^d mod n = (m^e)^d mod n = m

Slide 6: How Does RSA Decryption Work?
- RSA decryption: compute y^x mod n
  - This is a modular exponentiation operation
- Naïve algorithm: square and multiply

Slide 7: Kocher’s Observation
- This takes a while to compute
- This is instantaneous
- Whether iteration takes a long time depends on the k-th bit of secret exponent

Slide 8: Outline of Kocher’s Attack
- Idea: guess some bits of the exponent and predict how long decryption will take
- If guess is correct, will observe correlation; if incorrect, then prediction will look random
  - This is a signal detection problem, where signal is timing variation due to guessed exponent bits
  - The more bits you already know, the stronger the signal, thus easier to detect (error-correction property)
- Start by guessing a few top bits, look at correlations for each guess, pick the most promising candidate and continue

Slide 9: RSA in OpenSSL
- OpenSSL is a popular open-source toolkit
  - mod_SSL (in Apache = 28% of HTTPS market)
  - stunnel (secure TCP/IP servers)
  - sNFS (secure NFS)
  - Many more applications
- Kocher’s attack doesn’t work against OpenSSL
  - Instead of square-and-multiply, OpenSSL uses CRT, sliding windows and two different multiplication algorithms for modular exponentiation
    - CRT = Chinese Remainder Theorem
    - Secret exponent is processed in chunks, not bit-by-bit

Slide 10: Chinese Remainder Theorem
- n = n_1 n_2 … n_k where gcd(n_i, n_j) = 1 when i ≠ j
- The system of congruences x = x_1 mod n_1 = … = x_k mod n_k
  - Has a simultaneous solution x to all congruences
  - There exists exactly one solution x between 0 and n-1
- For RSA modulus n = pq, to compute x mod n it’s enough to know x mod p and x mod q

Slide 11: RSA Decryption With CRT
- To decrypt c, need to compute m = c^d mod n
- Use Chinese Remainder Theorem (why?)
  - d_1 = d mod (p-1), d_2 = d mod (q-1), qinv = q^-1 mod p (these are precomputed)
  - Compute m_1 = c^(d_1) mod p; m_2 = c^(d_2) mod q
  - Compute m = m_2 + (qinv*(m_1 - m_2) mod p)*q
- Attack this computation in order to learn q. This is enough to learn private key (why?)

Slide 12: Montgomery Reduction
- Decryption requires computing m_2 = c^(d_2) mod q
- This is done by repeated multiplication
  - Simple: square and multiply (process d_2 1 bit at a time)
  - More clever: sliding windows (process d_2 in 5-bit blocks)
- In either case, many multiplications modulo q
- Multiplications use Montgomery reduction
  - Pick some R = 2^k
  - To compute x*y mod q, convert x and y into their Montgomery form xR mod q and yR mod q
  - Compute (xR * yR) * R^-1 = zR mod q
    - Multiplication by R^-1 can be done very efficiently

Slide 13: Schindler’s Observation
- At the end of Montgomery reduction, if zR > q, then need to subtract q
  - Probability of this extra step is proportional to c mod q
- If c is close to q, a lot of subtractions will be done
- If c mod q = 0, very few subtractions
  - Decryption will take longer as c gets closer to q, then become fast as c passes a multiple of q
- By playing with different values of c and observing how long decryption takes, attacker can guess q!
  - Doesn’t work directly against OpenSSL because of sliding windows and two multiplication algorithms
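Added example (not from the original slides): a toy Montgomery multiplier that counts the conditional subtraction described on this slide during square-and-multiply, to show the data dependence that the defenses on the later slides have to remove. Q, D2, the 64-bit size and all function names are constructed stand-ins, and g is taken to be the operand as the multiplier sees it (already in Montgomery form).

```python
# Added illustration; Q, D2, K and the function names are constructed for this example.
K = 64
R = 1 << K                         # Montgomery radix R = 2^k
Q = 0xE3B0C44298FC1C15             # constructed odd 64-bit stand-in for the secret prime q
D2 = 0xA5A5A5A5A5A5A5A5            # constructed stand-in for the secret exponent d_2
Q_NEG_INV = (-pow(Q, -1, R)) % R   # q' with q*q' = -1 mod R, precomputed


def redc(t):
    """Montgomery reduction of t < q*R; returns (t*R^-1 mod q, extra_subtraction)."""
    m = ((t & (R - 1)) * Q_NEG_INV) & (R - 1)
    z = (t + m * Q) >> K           # t + m*q is a multiple of R, so this is exact
    if z >= Q:                     # the data-dependent extra step from the slide
        return z - Q, 1
    return z, 0


def extra_reductions(g):
    """Count extra subtractions in square-and-multiply over D2 when the
    multiplier's Montgomery-form operand is g mod q."""
    x = g % Q
    acc = R % Q                    # Montgomery form of 1
    extra = 0
    for bit in bin(D2)[2:]:
        acc, e = redc(acc * acc)   # square on every exponent bit
        extra += e
        if bit == "1":
            acc, e = redc(acc * x) # multiply only on 1 bits
            extra += e
    return extra


def neighborhood_total(g, width=64):
    """Sum the counts over g, g+1, ..., g+width-1 to average out noise."""
    return sum(extra_reductions(g + i) for i in range(width))


below_q = neighborhood_total(Q - 64)   # operands just under q
above_q = neighborhood_total(Q + 1)    # operands just past q, so g mod q is tiny
```

Comparing `below_q` with `above_q` shows the drop in extra subtractions as the operand passes q; a real implementation with sliding windows and two multiplication routines behaves differently in detail, as the slides go on to explain.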

Slide 14: Reduction Timing Dependency
[Figure: decryption time plotted against value of ciphertext c; q, 2q and p marked on the ciphertext axis]

Slide 15: Integer Multiplication Routines
- 30-40% of OpenSSL running time is spent on integer multiplication
- If integers have the same number of words n, OpenSSL uses Karatsuba multiplication
  - Takes O(n^(log_2 3))
- If integers have unequal number of words n and m, OpenSSL uses normal multiplication
  - Takes O(nm)

Slide 16: Summary of Time Dependencies
                         g < q      g > q
  Montgomery effect      Longer     Shorter
  Multiplication effect  Shorter    Longer
- g is the decryption value (same as c)
- Different effects… but one will always dominate!

Slide 17: Attack Is Binary Search
[Figure: decryption time against value of ciphertext, with curves for #Reductions and Mult routine, q marked, and the 0-1 gap]

Slide 18: Attack Overview
- Initial guess g for q between 2^511 and 2^512 (why?)
- Try all possible guesses for the top few bits
- Suppose we know i-1 top bits of q. Goal: i-th bit
  - Set g = …known i-1 bits of q…000000
  - Set g_hi = …known i-1 bits of q…100000 (note: g < g_hi)
    - If g < q < g_hi then the i-th bit of q is 0
    - If g < g_hi < q then the i-th bit of q is 1
- Goal: decide whether g < q < g_hi or g < g_hi < q

Slide 19: Two Possibilities for g_hi
[Figure: decryption time against value of ciphertext, with curves for #Reductions and Mult routine; q, g and g_hi (?) marked]
- Difference in decryption times between g and g_hi will be small
- Difference in decryption times between g and g_hi will be large

Slide 20: Timing Attack Details
- What is “large” and “small”?
  - Know from attacking previous bits
- Decrypting just g does not work because of sliding windows
  - Decrypt a neighborhood of values near g
  - Will increase difference between large and small values, resulting in larger 0-1 gap
- Attack requires only 2 hours, about 1.4 million queries to recover the private key
  - Only need to recover most significant half bits of q

Slide 21: The 0-1 Gap
[Figure: zero-one gap]

Slide 22: Extracting RSA Private Key
[Figure: zero-one gap, with regions labelled “Montgomery reduction dominates” and “Multiplication routine dominates”]

Slide 23: Normal SSL Handshake
Between regular client and SSL server:
1. ClientHello
2. ServerHello (send public key)
3. ClientKeyExchange (encrypted under public key)
Exchange data encrypted with new shared key

Slide 24: Attacking SSL Handshake
Between attacker and SSL server:
1. ClientHello
2. ServerHello (send public key)
3. Record time t_1; send guess g or g_hi
4. Alert
5. Record time t_2; compute t_2 – t_1

Slide 25: Works On The Network
- Similar timing on WAN vs. LAN

Slide 26: Defenses
- Good: Use RSA blinding
- Worse: require statically that all decryptions take the same time
  - For example, always do the extra “dummy” reduction
  - … but what if compiler optimizes it away?
- Worse: dynamically make all decryptions the same or multiples of the same time “quantum”
  - Now all decryptions have to be as slow as the slowest decryption

Slide 27: RSA Blinding
- Instead of decrypting ciphertext c, decrypt a random ciphertext related to c
  - Compute x’ = c*r^e mod n, r is random
  - Decrypt x’ to obtain m’
  - Calculate original plaintext m = m’/r mod n
- Since r is random, decryption time is random
- 2-10% performance penalty
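Added example (not from the original slides): the CRT decryption from the “RSA Decryption With CRT” slide wrapped in the blinding steps from this slide, so the value that reaches the exponentiation is c*r^e rather than the submitted c. The toy key and every function name are constructed for illustration.

```python
import secrets
from math import gcd

# Constructed toy key (added example): two Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**31 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
# Precomputed CRT values, named as on the "RSA Decryption With CRT" slide.
D1, D2, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)


def decrypt_crt(c):
    """m = m2 + (qinv*(m1 - m2) mod p)*q, the slide's recombination formula."""
    m1 = pow(c, D1, P)
    m2 = pow(c, D2, Q)
    return m2 + (QINV * (m1 - m2) % P) * Q


def blind(c, r):
    """x' = c * r^e mod n: the value that is actually exponentiated."""
    return (c * pow(r, E, N)) % N


def unblind(m_blind, r):
    """m = m' / r mod n, with the division done as multiplication by r^-1."""
    return (m_blind * pow(r, -1, N)) % N


def fresh_r():
    """Random r in [2, n-1] that is invertible mod n."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r


def decrypt_blinded(c):
    r = fresh_r()                  # a new r for every decryption
    return unblind(decrypt_crt(blind(c, r)), r)
```

Python's `pow` is not constant-time; the example shows only that blinding and unblinding return the same plaintext while the exponentiation input changes with every r.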

Slide 28: Blinding Works
