Timing Attacks to RSA - PowerPoint PPT Presentation

About This Presentation
Title:

Timing Attacks to RSA

Description:

David Brumley and Dan Boneh, 'Remote Timing Attacks are Practical' (UC Berkeley) ... If D is large then g q ghi and i'th bit of q is 1, otherwise the bit is 0. ... – PowerPoint PPT presentation

Number of Views:784
Avg rating:3.0/5.0
Slides: 27
Provided by: zhanxia
Category:
Tags: rsa | attacks | ghi | timing

less

Transcript and Presenter's Notes

Title: Timing Attacks to RSA


1
Timing Attacks to RSA
  • Presented by Zhanxiang

2
Agenda
  • Background of Timing Attack
  • Case study
  • David Brumley and Dan Boneh, Remote Timing
    Attacks are Practical (UC Berkeley)

3
What is Timing Attack?
  • Timing attacks Expose private information, such
    as RSA keys, by measuring the amount of time
    required to perform private key operations
    (Decryptions).
  • Side-channel attacks
  • Power analysis
  • Electromagnetic radiation analysis
  • Timing attacks

4
Some Timing Attacks on RSA
  • Kochers attack 1996 2
  • reported on page A1 of Monday's New York Times
    ("Secure Digital Transactions Just Got a Little
    Less Secure" by John Markoff).
  • Not apply to RSA-CRT.
  • Schindlers attack 2001
  • Not work for implementation using (e.g. OpenSSL)
  • Sliding windows instead of square and multiply
    (exponentiation)
  • Two multiplication algorithms.
  • Brumley-Bonehs attack 2003 1
  • Attack on RSA of OpenSSL
  • 1 won the best paper of UsenixSecure03.

5
Why people care?
  • Security of RSA depends on the difficulty to
    factor the public key N
  • OpenSSL applications are popular
  • Since it can hack simple devices, e.g.
    smartcards, how about complex environments, such
    network?

6
Implementation of OpenSSL
  • RSA with CRT speedup
  • Computation library
  • How are exponentiation, modular reduction and
    multiplication operations implemented

7
RSA quick review
  • Multiple prime RSA key generating algorithm
  • 1. Select k primes p1, p2, , pk
  • 2. Let n?pi, i1,2,,k
  • 3. Let f(n)?(pi-1)
  • 4. Choose e, s.t. gcd(e,f(n))1
  • 5. Calculate de-1(mod f(n))6. Public Key
    (e,n) and Private key (d,n)
  • Encryption cme mod nDecryption mcd mod n

8
Chinese Remainder Theorem
  • n n1n2nk with gcd (ni nj ) 1 when i ! j
  • The system of congruencies
  • xx1(mod n1)xk(mod nk)
  • has a simultaneous solution x to all of the
    congruencies, and there exists exactly one
    solution x between 0 and n-1.

9
Speedup RSA with CRT
  • Any message MltN is uniquely represented by the
    tuple MPMQ , where
  • MP M(mod P) and MQ M(mod Q).
  • CP C(mod P) and CQ C(mod Q).
  • DP D(mod (P-1)) and DQ D(mod (Q-1))
  • RP QP-1(mod N) and RQ PQ-1(mod N)
  • MP CPDP(mod P) and MQ CQDQ(mod Q)
  • SP MPRP(mod N) and SQ MQRQ(mod N)
  • M SP SQ. If MgtN then calc MM-N.
  • 3

10
Operations needed for Decryption
  • Computing cd(mod p) and xy(mod p) requires
  • Multiplication routines
  • Normal (unequal len)
  • Karatsuba (equal len) faster
  • Exponentiation
  • Sliding windows
  • Modular reduction
  • Montgomery
  • The key relevant fact is the extra reduction

11
What causes time variance?
  • Montgomery reduction
  • Given g calc g (mod q)
  • Probability for and extra reduction is
  • Pextra step ? (g mod q)/2q
  • Choice of multiplication routine
  • To calc xg mod q, if x is the same length as (g
    mod q), use Karatsuba.
  • O(nlog23)
  • Otherwise, use Normal. O(nm)

12
Summary of time variance
gltq ggtq
Montgomery effect Longer Shorter
Multiplication effect Shorter Longer
g is the decryption value. Each is dominant at a different phase. g is the decryption value. Each is dominant at a different phase. g is the decryption value. Each is dominant at a different phase.
13
Time Attack on OpenSSL(1/4)
  • Assume Npq with qltp.
  • Goal approximations approaching q
  • Idea Make initial guess and refine it by
    learning bits one at a time, from the most
    significant.

14
Time Attack on OpenSSL(2/4)
  • Init guess g of q lying between 2512 (i.e. N/2)
    and 2511(i.e. N/4)
  • Try all the combinations of the top few bits
  • Time the decryptions and pick the first peak for
    guess of q (After all we at least know the first
    bit is 1)

15
Time Attack on OpenSSL(3/4)
  • Suppose from 1 to i-1 bits gq, elsewhere g0
  • Recover ith bit of q as follows
  • (1) ghig, but with ith bit 1.
  • If ith bit of q is 1 then gltghiltq,
  • else gltqltghi.
  • (2) uggR-1 mod N, ughighiR-1 mod N
  • (3) t1DecrtyptTime(ug), t2DecryptTime(ughi).
  • (4) Dt1-t2.
  • If D is large then gltqltghi and ith bit of q is
    1,
  • otherwise the bit is 0.

16
Time Attack on OpenSSL(4/4)
  • We know what is large and small from attack
    on previous bits.
  • Decrypting just g does not work because of
    sliding windows
  • Decrypt a neighborhood of values near g, and
    Tg?Tgi
  • Will increase difference between large and small
    values Thus larger 0-1 gap
  • Only need to recover q/2 bits of q
  • Attack requires only 2 hours, about 1.4 million
    queries

17
Real World Attack(1/2)
  • Discuss an attack on SSL applications such as an
    Apache web server with mod_SSL.
  • During the handshake, SSL server performs RSA
    decryption of CLIENT-KEY-EXCHANGE message (sent
    by client) using its private key. The goal is
    getting this key.
  • After decryption, the server checks PKCS 1 padded
    random bytes and sends an error message back to
    client in case of an error. The client can send
    another message to the server that will be
    decrypted there.

18
Real World Attack(2/2)
1. ClientHello
Attack Client
SSL Server
2. ServerHello (send public key)
3. Record time t1 Send guess Ug or Ughi
4. Alert
5. Record time t2 Compute DecryptTime(Ughi)t2
t1
19
Experiments (1/5) 1
  • Test the effects on increasing the number of
    decryption requests required to recover a single
    bit of q reliably. Two parameters neighborhood
    size (n) and sample size (s). Total number of
    queries is sn.

Using sample size of 7 and neighborhood of 400,
1433600 total queries. Attack time (on 1024-bit
key) is about 2 hours.
20
Experiments (2/5) 1
  • Architecture effects compare two versions of a
    program making local calls to OpenSSL regular
    and extra-inst with 6 additional nops before
    decryption.
  • Explanation different cache hit rate 0.139 of
    load misses for normal and 0.151 for
    extra-inst.

21
Experiments (3/5) 1
  • Compile-time effects
  • Optimized (-O3 fomit_frame_pointer
    mcpupentium)
  • No Pentium flag (-O3 fomit_frame_pointer)
  • Unoptimized (-g).

22
Experiments (4/5) 1
  • Source-based optimizations implemented a minor
    patch that improves the efficiency of of CRT
    decryption check.

23
Experiments (5/5) 1
  • Attacking SSL applications on the local network

24
Preconditions Defense
  • Preconditions
  • OpenSSL does not enable defend option
  • Not fix response time
  • Defense
  • Only one multiplication routine and always carry
    out extra reduction in Montgomerys algorithm
  • Quantize all RSA computations
  • Blinding (Currently preferred)

25
Blinding Defenses 1
  • Blinding before decryption compute xreg mod N,
    where r is random. Then decrypt x, then compute
    x/r. Incurs 2-10 penalty.

26
Reference
  • 1 David Brumley and Dan Boneh, Remote Timing
    Attacks are Practical, 2003
  • 2 Paul C. Kocher, Timing Attacks on
    Implementations of Diffie-Hellman, RSA, DSS, and
    Other Systems 2001
  • 3 Johann GroBschadl, The Chinese Remainder
    Theorem and its Application in a High-Speed RSA
    Crypto Chip
  • 4http//www.rsasecurity.com/rsalabs/challenges/f
    actoring/numbers.html
Write a Comment
User Comments (0)
About PowerShow.com