Posted on 08-Jan-2016


Page 1: Timing Attacks to RSA

Timing Attacks to RSA

Presented by Zhanxiang

Page 2: Timing Attacks to RSA

Agenda

Background of Timing Attack

Case study: David Brumley and Dan Boneh, "Remote Timing Attacks are Practical" (UC Berkeley)

Page 3: Timing Attacks to RSA

What is a Timing Attack?

Timing attacks: expose private information, such as RSA keys, by measuring the amount of time required to perform private key operations (decryptions).

Side-channel attacks: power analysis, electromagnetic radiation analysis, timing attacks.

Page 4: Timing Attacks to RSA

Some Timing Attacks on RSA

Kocher's attack, 1996 [2]: reported on page A1 of Monday's New York Times ("Secure Digital Transactions Just Got a Little Less Secure" by John Markoff). Does not apply to RSA-CRT.

Schindler's attack, 2001: does not work for implementations (e.g. OpenSSL) using sliding windows instead of square-and-multiply (exponentiation), and two multiplication algorithms.

Brumley-Boneh's attack, 2003 [1]: attack on the RSA of OpenSSL. [1] won the best paper award at Usenix Security '03.

Page 5: Timing Attacks to RSA

Why do people care?

The security of RSA depends on the difficulty of factoring the public key N.

OpenSSL applications are popular.

Since it can hack simple devices, e.g. smartcards, how about complex environments, such as a network?

Page 6: Timing Attacks to RSA

Implementation of OpenSSL

RSA with CRT speedup

Computation library: how are the exponentiation, modular reduction and multiplication operations implemented?

Page 7: Timing Attacks to RSA

RSA quick review

Multi-prime RSA key generation algorithm

1. Select k primes: p_1, p_2, ..., p_k

2. Let n = ∏ p_i, i = 1, 2, ..., k

3. Let φ(n) = ∏ (p_i - 1)

4. Choose e such that gcd(e, φ(n)) = 1

5. Calculate d = e^-1 (mod φ(n))

6. Public key = (e, n) and private key = (d, n)

Encryption: c = m^e mod n

Decryption: m = c^d mod n

Page 8: Timing Attacks to RSA

Chinese Remainder Theorem

n = n_1 n_2 ... n_k with gcd(n_i, n_j) = 1 when i != j. The system of congruences

x ≡ x_1 (mod n_1), x ≡ x_2 (mod n_2), ..., x ≡ x_k (mod n_k)

has a simultaneous solution x to all of the congruences, and there exists exactly one solution x between 0 and n-1.

Page 9: Timing Attacks to RSA

Speedup RSA with CRT

Any message M < N is uniquely represented by the tuple [M_P, M_Q], where M_P = M (mod P) and M_Q = M (mod Q).

C_P = C (mod P) and C_Q = C (mod Q).

D_P = D (mod (P-1)) and D_Q = D (mod (Q-1)).

R_P = Q^(P-1) (mod N) and R_Q = P^(Q-1) (mod N).

M_P = C_P^D_P (mod P) and M_Q = C_Q^D_Q (mod Q).

S_P = M_P R_P (mod N) and S_Q = M_Q R_Q (mod N).

M = S_P + S_Q. If M >= N then calculate M = M - N.

[3]
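The key generation steps of the RSA review slide and the CRT decryption formulas above, carried through in code. This is an added example, not code from the slides, the paper or OpenSSL; the primes, e and the message are constructed toy values, far too small for real use.

```python
from math import gcd, prod

def keygen(primes, e):
    """Multi-prime RSA key generation, steps 1-6 of the 'RSA quick review' slide."""
    n = prod(primes)                      # step 2: n = product of the p_i
    phi = prod(p - 1 for p in primes)     # step 3: phi(n) = product of (p_i - 1)
    if gcd(e, phi) != 1:                  # step 4: e must be coprime to phi(n)
        raise ValueError("e is not coprime to phi(n)")
    d = pow(e, -1, phi)                   # step 5: d = e^-1 mod phi(n)
    return (e, n), (d, n)                 # step 6: public key, private key

def crt_decrypt(c, d, p, q):
    """RSA-CRT decryption laid out exactly as on the 'Speedup RSA with CRT' slide."""
    n = p * q
    c_p, c_q = c % p, c % q               # C_P, C_Q
    d_p, d_q = d % (p - 1), d % (q - 1)   # D_P, D_Q
    r_p = pow(q, p - 1, n)                # R_P: 1 mod P (Fermat) and 0 mod Q
    r_q = pow(p, q - 1, n)                # R_Q: 0 mod P and 1 mod Q
    m_p = pow(c_p, d_p, p)                # two half-size exponentiations ...
    m_q = pow(c_q, d_q, q)                # ... instead of one full-size one
    s_p = (m_p * r_p) % n
    s_q = (m_q * r_q) % n
    m = s_p + s_q                         # s_p, s_q < n, so at most one subtraction
    if m >= n:                            # the final conditional step
        m -= n
    return m

def demo():
    # Constructed toy key (not a real key): two primes near 10^6 and e = 65537.
    p, q, e = 1000003, 999983, 65537
    (e, n), (d, _) = keygen([p, q], e)
    m = 123456789
    c = pow(m, e, n)
    # CRT result must agree with the plain c^d mod n decryption.
    return crt_decrypt(c, d, p, q) == m == pow(c, d, n)
```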

Page 10: Timing Attacks to RSA

Operations needed for Decryption

Computing c^d (mod p) and xy (mod p) requires:

Multiplication routines: Normal (unequal length); Karatsuba (equal length): faster

Exponentiation: sliding windows

Modular reduction: Montgomery. The key relevant fact is the extra reduction.

Page 11: Timing Attacks to RSA

What causes time variance?

Montgomery reduction: given g, calculate g (mod q). The probability of an extra reduction is: P[extra step] ≈ (g mod q)/2q

Choice of multiplication routine: to calculate x*g mod q, if x is the same length as (g mod q), use Karatsuba, O(n^(log_2 3)). Otherwise, use Normal, O(nm).

Page 12: Timing Attacks to RSA

Summary of time variance

                        g < q      g > q
Montgomery effect       Longer     Shorter
Multiplication effect   Shorter    Longer

g is the decryption value.

Each is dominant at a different phase.
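The "Montgomery effect" row above, as an added simulation that is not from the slides, the paper or OpenSSL: a toy Montgomery multiplication with the data-dependent extra reduction, beside the branch-free "always carry out the extra reduction" shape that the defense slide recommends. Q, R and every input are constructed values, and Python itself gives no timing guarantees; the point is the operand-dependent step and its removal.

```python
import random

Q = 65521                           # constructed toy modulus (a prime below 2^16)
R = 1 << 16                         # Montgomery radix, R > Q
NEG_Q_INV = (-pow(Q, -1, R)) % R    # -Q^-1 mod R, precomputed as Montgomery needs

def mont_mul_leaky(a, b):
    """Montgomery product a*b*R^-1 mod Q with the conditional 'extra reduction'.
    Returns (result, extra), extra = 1 when the final subtraction ran."""
    t = a * b
    m = (t * NEG_Q_INV) % R
    u = (t + m * Q) // R            # exact division; u < 2Q whenever a, b < Q
    if u >= Q:                      # operand-dependent step whose timing leaks
        return u - Q, 1
    return u, 0

def mont_mul_fixed(a, b):
    """Same product, but the subtraction is always computed and the result is
    selected with a mask, so the work done no longer depends on the operands."""
    t = a * b
    m = (t * NEG_Q_INV) % R
    u = (t + m * Q) // R
    mask = -(u >= Q)                # -1 (all bits set) or 0
    return u - (Q & mask), 1        # always exactly one 'extra reduction'

def extra_reduction_rate(g, samples=20000, seed=1):
    """Fraction of products x*g (x uniform mod Q) that take the extra reduction,
    with g first reduced mod Q as the slide says ('given g calc g mod q')."""
    rng = random.Random(seed)
    g_mod_q = g % Q
    hits = sum(mont_mul_leaky(rng.randrange(Q), g_mod_q)[1] for _ in range(samples))
    return hits / samples

def compare(g_below=Q - 1, g_above=Q + 3):
    """Rates for a value just below q and one just above q: the first is near 1/2,
    the second near 0, i.e. 'longer' for g < q and 'shorter' for g > q."""
    return extra_reduction_rate(g_below), extra_reduction_rate(g_above)
```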

Page 13: Timing Attacks to RSA

Timing Attack on OpenSSL (1/4)

Assume: N = pq with q < p.

Goal: approximations approaching q.

Idea: make an initial guess and refine it by learning bits one at a time, from the most significant.

Page 14: Timing Attacks to RSA

Timing Attack on OpenSSL (2/4)

Initial guess g of q lying between 2^512 (i.e. N/2) and 2^511 (i.e. N/4).

Try all the combinations of the top few bits.

Time the decryptions and pick the first peak for the guess of q (after all, we at least know the first bit is 1).

Page 15: Timing Attacks to RSA

Timing Attack on OpenSSL (3/4)

Suppose bits 1 to i-1 of g equal those of q, and elsewhere g = 0. Recover the i'th bit of q as follows:

(1) g_hi = g, but with the i'th bit set to 1. If the i'th bit of q is 1 then g < g_hi < q, else g < q < g_hi.

(2) u_g = g R^-1 mod N, u_ghi = g_hi R^-1 mod N.

(3) t_1 = DecryptTime(u_g), t_2 = DecryptTime(u_ghi).

(4) D = |t_1 - t_2|. If D is large then g < q < g_hi and the i'th bit of q is 1, otherwise the bit is 0.

Page 16: Timing Attacks to RSA

Timing Attack on OpenSSL (4/4)

We know what is "large" and "small" from the attack on the previous bits.

Decrypting just g does not work because of sliding windows. Decrypt a neighborhood of values near g, and take T_g = ∑ T_(g+i). This increases the difference between large and small values, thus a larger 0-1 gap.

Only need to recover q/2 bits of q.

The attack requires only 2 hours, about 1.4 million queries.

Page 17: Timing Attacks to RSA

Real World Attack (1/2)

Discuss an attack on SSL applications such as an Apache web server with mod_SSL.

During the handshake, the SSL server performs RSA decryption of the CLIENT-KEY-EXCHANGE message (sent by the client) using its private key. The goal is getting this key.

After decryption, the server checks the PKCS 1 padded random bytes and sends an error message back to the client in case of an error. The client can send another message to the server that will be decrypted there.

Page 18: Timing Attacks to RSA

Real World Attack (2/2)

Attack Client                               SSL Server
1. ClientHello                 --------->
                               <---------  2. ServerHello (send public key)
3. Record time t1
   Send guess Ug or Ughi       --------->
                               <---------  4. Alert
5. Record time t2
   Compute DecryptTime(Ughi) = t2 - t1

Page 19: Timing Attacks to RSA

Experiments (1/5) [1]

Test the effect of increasing the number of decryption requests required to recover a single bit of q reliably. Two parameters: neighborhood size (n) and sample size (s). The total number of queries is s*n.

Using a sample size of 7 and a neighborhood of 400: 1433600 total queries. Attack time (on a 1024-bit key) is about 2 hours.

Page 20: Timing Attacks to RSA

Experiments (2/5) [1]

Architecture effects: compare two versions of a program making local calls to OpenSSL: "regular" and "extra-inst", the latter with 6 additional nops before decryption.

• Explanation: different cache hit rates: 0.139% of loads miss for "normal" and 0.151% for "extra-inst".

Page 21: Timing Attacks to RSA

Experiments (3/5) [1]

Compile-time effects: Optimized (-O3 -fomit-frame-pointer -mcpu=pentium); No Pentium flag (-O3 -fomit-frame-pointer); Unoptimized (-g).

Page 22: Timing Attacks to RSA

Experiments (4/5) [1]

Source-based optimizations: implemented a minor patch that improves the efficiency of the CRT decryption check.

Page 23: Timing Attacks to RSA

Experiments (5/5) [1]

Attacking SSL applications on the local network:

Page 24: Timing Attacks to RSA

Preconditions & Defense

Preconditions: OpenSSL does not enable the defense option; the response time is not fixed; ...

Defense: use only one multiplication routine and always carry out the extra reduction in Montgomery's algorithm; quantize all RSA computations; blinding (currently preferred).

Page 25: Timing Attacks to RSA

Blinding Defenses [1]

Blinding: before decryption compute x = r^e g mod N, where r is random. Then decrypt x, then compute x/r. Incurs a 2%-10% penalty.
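The blinding step above in code, as an added example that is not the paper's or OpenSSL's implementation: the ciphertext is multiplied by r^e before the private exponentiation, so the value the Montgomery-based decryption actually sees is random and unrelated to the attacker's input, and r^-1 removes the factor afterwards. The key and message are constructed toy values.

```python
import secrets
from math import gcd

def blinded_value(c, e, n, r):
    """x = r^e * c mod n: the value that enters the private-key exponentiation."""
    return (pow(r, e, n) * c) % n

def rsa_blinded_decrypt(c, d, e, n, r=None):
    """Decrypt c with blinding: decrypt x = r^e c, then divide by r."""
    if r is None:
        r = secrets.randbelow(n - 2) + 2          # fresh random r for every decryption
    if gcd(r, n) != 1:                            # r must be invertible mod n
        raise ValueError("blinding factor r must be coprime to n")
    x = blinded_value(c, e, n, r)
    y = pow(x, d, n)                              # = r * c^d mod n; the leaky step sees x, not c
    return (y * pow(r, -1, n)) % n                # unblind: multiply by r^-1 (the slide's x/r)

def demo():
    # Constructed toy key, not a real one: two primes near 10^6, e = 65537.
    p, q, e = 1000003, 999983, 65537
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    m = 2718281828
    c = pow(m, e, n)
    # Different r give different exponentiation inputs but the same plaintext.
    inputs_differ = blinded_value(c, e, n, 7) != blinded_value(c, e, n, 12345)
    same_plaintext = rsa_blinded_decrypt(c, d, e, n, r=7) == rsa_blinded_decrypt(c, d, e, n, r=12345) == m
    return inputs_differ and same_plaintext
```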

Page 26: Timing Attacks to RSA

References

[1] David Brumley and Dan Boneh, "Remote Timing Attacks are Practical", 2003.

[2] Paul C. Kocher, "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems", 2001.

[3] Johann Großschädl, "The Chinese Remainder Theorem and its Application in a High-Speed RSA Crypto Chip".

[4] http://www.rsasecurity.com/rsalabs/challenges/factoring/numbers.html