Remote Timing Attacks are Practical - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Remote Timing Attacks are Practical
David Brumley, Dan Boneh, CS Department, Stanford University
USENIX Security Symposium, 2003
2
Introduction
  • Side-channel attacks
  • Power analysis
  • Electromagnetic radiation
  • Timing attacks analyze the dependency of
    response time on input to discover private
    information.
  • Attacks 1 and 2 require special equipment and
    physical access to the machine.

3
Scope of Timing Attacks
  • Timing attacks were used to hack smartcards and
    other simple devices. They are difficult to use
    in a complex environment.
  • This paper shows a way to attack OpenSSL in
    various environments:
  • Network: 2 machines connected through 3 routers
    and a number of switches
  • Interprocess
  • Virtual Machines

4
OpenSSLs Implementation of RSA
  • Decryption: m = c^d mod N, where d is the private
    key, c is the ciphertext, and N = pq.
  • Use the CRT to compute this: m1 = c^d1 mod p and
    m2 = c^d2 mod q, then combine m1 and m2.
  • Goal of the attack: get d. This can be done if we
    know p and q. Therefore, we are looking for a
    factorization of N.

5
Exponentiation
  • How to compute g^d mod q for some g, d, and q.
  • Square and multiply.
  • Sliding windows: process a number of bits of d
    per iteration. Requires some precomputing.
  • Key fact about exponentiation: the number of
    times a multiplication by g occurs depends on
    the bits of q.
  • A timing attack on sliding windows is much harder
    than one on square and multiply.
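The two exponentiation methods on this slide, as an added example (not code from the paper or from OpenSSL): a left-to-right square-and-multiply and a sliding-window exponentiation, each instrumented to count how many times it multiplies by a precomputed power of g. The count is the data-dependent quantity the slides are concerned with; the window size w and the toy values g, d, q are assumptions for the demonstration.

```python
# Added example: square-and-multiply versus sliding windows, with the number
# of multiplications by (a power of) g reported alongside the result.

def square_and_multiply(g, d, q):
    """Compute g^d mod q; return (result, number of multiplications by g)."""
    result = 1
    mults = 0
    for bit in bin(d)[2:]:          # most significant bit first
        result = result * result % q
        if bit == "1":
            result = result * g % q
            mults += 1              # once per set bit of d
    return result, mults


def sliding_window(g, d, q, w=4):
    """Compute g^d mod q with windows of at most w bits.

    Returns (result, number of multiplications by a table entry).
    The precomputed table holds the odd powers g, g^3, ..., g^(2^w - 1).
    """
    g2 = g * g % q
    table = {1: g % q}
    for k in range(3, 1 << w, 2):
        table[k] = table[k - 2] * g2 % q

    result = 1
    mults = 0
    i = d.bit_length() - 1
    while i >= 0:
        if not (d >> i) & 1:        # zero bit: just square
            result = result * result % q
            i -= 1
            continue
        # The window covers bits i..j; raise j until the window ends in a 1
        # so that its value is odd and therefore present in the table.
        j = max(i - w + 1, 0)
        while not (d >> j) & 1:
            j += 1
        width = i - j + 1
        window = (d >> j) & ((1 << width) - 1)
        for _ in range(width):
            result = result * result % q
        result = result * table[window] % q
        mults += 1                  # one multiplication per window
        i = j - 1
    return result, mults


if __name__ == "__main__":
    g, d, q = 7, 0b1011011, 101     # constructed toy values
    print(square_and_multiply(g, d, q))   # 5 multiplications (5 set bits)
    print(sliding_window(g, d, q))        # 2 multiplications (2 windows)
```

With w=1 the sliding-window routine degenerates to square-and-multiply and the two counts coincide; with wider windows the count no longer equals the Hamming weight of d, which is why the slides call the sliding-window case harder to attack.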

6
Montgomery Reduction
  • Computing xy mod q is done by first multiplying x
    and y and then reducing the result modulo q.
  • Naive method: divide and take the remainder.
  • Montgomery reduction: more sophisticated. Key
    fact: sometimes it requires an extra reduction.
    Pr[extra reduction] = (g mod q) / 2R.

7
Multiplication Routines
  • Karatsuba takes O(n^1.58); used to multiply two
    numbers with an equal number of words.
  • Normal takes O(nm); used to multiply numbers
    with an unequal number of words.

8
Comparison of Timing Differences
  • Two sources of timing differences: the extra
    reduction in a Montgomery reduction and the choice
    of multiplication routine. Unfortunately, they
    compensate each other.
  • As g approaches a multiple of q from below, the
    number of extra reductions increases and
    drops dramatically once g > q.
  • When g is almost as big as q, Karatsuba is used
    mostly. But when g becomes greater than q, g mod
    q is very small and the normal algorithm is used
    mostly.

9
A Timing Attack on OpenSSL (1/2)
  • Basic idea: make an initial guess and refine it by
    learning bits one at a time, from the most
    significant.
  • Initialization: make an initial guess g of q lying
    between 2^512 and 2^511. Then try all possible
    combinations of the top few bits. We will get two
    peaks: one for p, another for q. Pick the first
    peak.

10
A Timing Attack on OpenSSL (2/2)
  • Suppose we have recovered i-1 bits of q. Let us
    set all remaining bits of g to 0. We recover the
    ith bit of q as follows:
  • g_hi: the same as g with the ith bit set to 1. If
    the ith bit of q is 1 then g < g_hi < q, else
    g < q < g_hi.
  • u_g = g R^-1 mod N, u_ghi = g_hi R^-1 mod N.
  • Measure t1 = DecryptTime(u_g), t2 = DecryptTime(u_ghi).
  • D = t1 - t2. If D is large then g < q < g_hi and
    the ith bit of q is 1, otherwise the bit is 0.
  • When D is large, it can be either positive or
    negative, depending on whether the Montgomery
    reduction or the multiplication dominates.

11
Exponentiation Revisited
  • We want t_g1 - t_g2 >> t_g3 - t_g4 when
    g1 < q < g2 and g3 < g4 < q. Multiplication by
    sliding windows makes the difference subtle.
  • Solution: query a neighborhood of values g, g+1,
    g+2, ... and take the sum of the times.

12
Real-world Scenarios
  • We discuss an attack on SSL applications such as
    stunnel and an Apache web server with mod_SSL.
  • During the handshake, the SSL server performs RSA
    decryption of the CLIENT-KEY-EXCHANGE message (sent
    by the client) using its private key. We want to
    get this key.
  • After decryption, the server checks the PKCS 1
    padded random bytes and sends an error message
    back to the client in case of an error. The client
    can then send another message to the server that
    will be decrypted there.

13
Experiments (1/5)
  • Test the effect of increasing the number of
    decryption requests required to recover a single
    bit of q reliably. Two parameters: neighborhood
    size (n) and sample size (s). The total number of
    queries is s·n.
  • We used a sample size of 7 and a neighborhood of
    400: 1,433,600 total queries. Attack time is about
    2 hours.

14
Experiments (2/5)
  • Architecture effects: compare two versions of a
    program making local calls to OpenSSL, regular
    and extra-inst, the latter with 6 additional nops
    before decryption.
  • Explanation: different cache hit rate, 0.139 of
    load misses for normal and 0.151 for
    extra-inst.

15
Experiments (3/5)
  • Compile-time effects:
  • Optimized (-O3 -fomit-frame-pointer
    -mcpu=pentium)
  • No Pentium flag (-O3 -fomit-frame-pointer)
  • Unoptimized (-g)

16
Experiments (4/5)
  • Source-based optimizations: implemented a minor
    patch that improves the efficiency of the CRT
    decryption check.

17
Experiments (5/5)
  • Attacking SSL applications on the local network

18
Defenses (1/2)
  • Blinding: before decryption compute x = r^e g mod N,
    where r is random. Then decrypt x, then compute
    x/r. Incurs a 2-10% penalty.
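CRT decryption (slide 4) wrapped in the blinding defence of this slide, as an added example that is not code from the paper or from OpenSSL. The primes, the public exponent e = 65537, the plaintext and the RNG seed are constructed toy values; the recombination step follows Garner's formula, which the slides do not spell out.

```python
# Added example: RSA-CRT decryption with multiplicative blinding.
# The exponentiation only ever sees x = r^e * c mod N, which is uniformly
# random because r is, so the timing of m1 = x^d1 mod p is decorrelated
# from the ciphertext an attacker chose.
import math
import random

P, Q = 10007, 10009                 # constructed small primes (toy key)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

# CRT parameters: d1 = d mod (p-1), d2 = d mod (q-1), qinv = q^-1 mod p
D1, D2 = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)


def encrypt(m):
    return pow(m, E, N)


def decrypt_crt(c):
    """m1 = c^d1 mod p, m2 = c^d2 mod q, then combine with Garner's formula."""
    m1 = pow(c, D1, P)
    m2 = pow(c, D2, Q)
    h = QINV * (m1 - m2) % P
    return m2 + h * Q


def decrypt_blinded(c, rng):
    """Blinded decryption: x = r^e * c mod N, decrypt x, then divide by r."""
    while True:
        r = rng.randrange(2, N)
        if math.gcd(r, N) == 1:     # r must be invertible mod N
            break
    x = pow(r, E, N) * c % N        # x = r^e g mod N in the slide's notation
    y = decrypt_crt(x)              # y = r * m mod N
    return y * pow(r, -1, N) % N    # remove the blinding factor


def blinded_roundtrip(m, seed):
    """Encrypt m, decrypt it blinded with a seeded RNG, return the plaintext."""
    return decrypt_blinded(encrypt(m), random.Random(seed))


if __name__ == "__main__":
    c = encrypt(123456)
    print(decrypt_crt(c), blinded_roundtrip(123456, 2003))   # 123456 123456
```

The "x/r" on the slide is the final multiplication by r^-1 mod N; the cost the slide quotes comes from the extra public-exponent exponentiation and the inversion per decryption (implementations typically amortise these by updating r between calls rather than drawing a fresh one).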

19
Defenses (2/2)
  • Make all RSA decryptions independent of the
    input ciphertext: use one multiplication routine
    and always carry out the extra reduction in
    Montgomery's algorithm.
  • Require all RSA computations to be quantized.
    Matt Blaze's quantize library is an example of
    this approach.
  • Currently preferred method: blinding.
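The Montgomery multiplication behind slides 6, 8 and 19, as an added example (not code from the paper or from OpenSSL): one routine reports whether its final conditional subtraction ran, a seeded Monte Carlo estimate checks the slide-6 rule Pr[extra reduction] = (g mod q)/2R, including the drop once g passes q described on slide 8, and a second routine implements the "always carry out the extra reduction" fix from this slide. The 16-bit modulus, the sample count and the seed are constructed for the demonstration.

```python
# Added example: Montgomery multiplication with the extra-reduction leak made
# visible, and the always-reduce variant that removes the data-dependent branch.
import random

Q = 65521                            # constructed odd modulus (a 16-bit prime)
R = 1 << Q.bit_length()              # Montgomery radix, R = 2^16 > Q
Q_NEG_INV = (-pow(Q, -1, R)) % R     # -Q^-1 mod R (Python 3.8+)


def mont_mul(x, y):
    """Return (x*y*R^-1 mod Q, extra) for 0 <= x, y < Q.

    extra is 1 when the result needed the final subtraction of Q.
    """
    t = x * y
    m = (t % R) * Q_NEG_INV % R
    u = (t + m * Q) // R             # exact division; 0 <= u < 2Q
    if u >= Q:                       # data-dependent branch: the timing leak
        return u - Q, 1
    return u, 0


def mont_mul_always_reduce(x, y):
    """Same product, but the subtraction runs on every call and the result is
    selected arithmetically, so the work done no longer depends on u.
    (Python integers are not constant-time; the point is the control flow.)
    """
    t = x * y
    m = (t % R) * Q_NEG_INV % R
    u = (t + m * Q) // R
    v = u - Q                        # always computed
    add_back = int(v < 0)            # 1 if u < Q, else 0
    return v + add_back * Q, 1       # reduction count is constant


def to_mont(x):
    return x * R % Q


def from_mont(x):
    return mont_mul(x, 1)[0]


def extra_reduction_rate(g, mul=mont_mul, samples=4000, seed=1):
    """Fraction of random operands x for which mul(x, g mod Q) reduced."""
    rng = random.Random(seed)
    g = g % Q                        # only g mod Q matters, hence the drop past Q
    hits = sum(mul(rng.randrange(Q), g)[1] for _ in range(samples))
    return hits / samples


if __name__ == "__main__":
    for g in (1000, Q // 2, Q - 1, Q + 1000):
        measured = extra_reduction_rate(g)
        predicted = (g % Q) / (2 * R)
        print(f"g={g:6d}  measured={measured:.3f}  predicted={predicted:.3f}")
    print("always-reduce:", extra_reduction_rate(Q - 1, mul=mont_mul_always_reduce))
```

Run as a harness over an implementation under review, the measured rate should be flat across g for the hardened routine and should track g/2R for the leaky one; the prediction also explains slide 8, since g = Q + 1000 yields the same rate as g = 1000.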