Presentation is loading. Please wait.

Presentation is loading. Please wait.

Torturing OpenSSL Todd Austin University of Michigan with Andrea Pellegrini, William Arthur and Valeria Bertacco (Based on Valeria’s BlackHat 2012 Presentation)

Published byMarian Day Modified over 8 years ago

Similar presentations

Presentation on theme: "Torturing OpenSSL Todd Austin University of Michigan with Andrea Pellegrini, William Arthur and Valeria Bertacco (Based on Valeria’s BlackHat 2012 Presentation)"— Presentation transcript:

1 Torturing OpenSSL Todd Austin University of Michigan with Andrea Pellegrini, William Arthur and Valeria Bertacco (Based on Valeria’s BlackHat 2012 Presentation)

2 2 Understanding Side Channel Attacks  Systems leak info about internal computation E.g., safes can be cracked by carefully listening to the tumblers  Clever attackers can utilize leaked info to grain secrets Generally not directly Use statistical methods over time  Attacks implementation, rather than algorithm

3 3 Fault-Based Attack of RSA Correct behavior: Server challenge: s = m d mod n Client verifies: m = s e mod n Faulty Server: ŝ != m d mod n Public Key (e,n) Private Key (d,n) m s Public Key (e,n) Private Key (d,n) m ŝ m Tactical advantage: We have years to implement this attack!

4 4 Injecting Faults in RSA Authentication Making hardware fail: Lower voltage causes signals to slow down, thus missing the deadline imposed by the system clock High temperatures increase signal propagation delays  Over-clocking shortens the allowed time for traversing the logic cloud  Charged particles cause internal signals to change value, causing errors

5 5 Wanted: Single-Bit Errors in Multiplication A corrupted signature leaks data if only one multiplication is corrupted by a single bit flip 0 10 20 30 40 50 60 1.301.291.281.271.261.251.241.23 Voltage [V] Single bit faults (%) 0 2.75 5.50 8.25 11.00 13.75 16.50 Faulty products (%) Single bit faults Faulty multiplications

6 6 Implementing the Fault-Based Attack Fault-Based Attack of RSA Attackers 1. Subject server to potential single-bit faults in multiplications 2. Repeatedly authenticate to collect faulty RSA signatures 3. Offline, analyze RSA signatures to extract private key bits 4. Repeat steps 2 & 3 until entire RSA private key identified

7 7 Extracting the Key with Offline Analysis  The attacker collects the faulty signatures  The private key is recovered one window at the time  The attacker checks its guess against the collected faulty signatures Public Key ŝŝŝŝ Private Key m ŝŝŝŝ d=XXXXd3d3 d2d2 d1d1 d0d0

8 8 Computing (s=m d mod n) in OpenSSL 1101 s=1 for each window: for each bit in window: //4times s = (s * s) mod n s = (s * mˆd[window]) mod n return s d=214= 0110 s=1 s= m 1101 s= (∙∙∙(m 1101 ) 2 ) 2 ) 2 ) 2 s= (∙∙∙(m 1101 ) 2 ) 2 ) 2 ) 2 )m 0110 window 1window 2

9 9 Faulty Signature: ŝ!=m d mod n s=1 for each window: for each bit in window: //4times s = (s * s) mod n s = (s * mˆd[window]) mod n return s s=1 s= m 1101 ŝ = (∙∙∙(m 1101 ) 2 ) 2 ) ± 2 f ) 2 ) 2 ŝ = (∙∙∙(m 1101 ) 2 ) 2 ) ± 2 f ) 2 ) 2 )m 0110 1101d=214= 0110 window 1window 2

10 10 Reconstructing the Signature The private key is recovered one window at the time, guessing where and when the fault hits ŝ = (∙∙∙(m d k ) 64 )m d k-1 ) 2 ) 2 ) 2 ±2 f ) 2 ) 2 ) 2 ) m d k-2 ) 64 …m d 0 Already known Value? Which multiplication? Which bit? d=XXXdkdk d k-1 … For each window value to be guessed and signature we test: 16 possible key values 2 possible error values (0→1 or 1→0) 4 squaring iterations

11 11 Implementing Offline Analysis  In practice 40 bit positions typically affected by faults → the computation time is reduced to 2.5 seconds  Analyzing 8,800 corrupted signatures requires 1 CPU- year – only ~1,000 are useful  Signatures can be checked in parallel  Performed the analysis with 81 workstations ŝŝŝŝŝŝ

12 12 Fault-Based Attack of Leon3 SPARC RSA 1024-bit private key 8,800 corrupted signatures collected in 10 hours Distributed application with 81 machines for offline analysis Private key recovered in 100 hours

13 13 Exploring Temperature-Induced Faults

14 14 Number of Key Bits Revealed (128-bit RSA) Surprising insight: Attack is easier to implement with more sophisticated cooling systems

15 15 Conclusions  Transient faults can leak vital private key data  Fault-based attack devised for OpenSSL 0.9.8i ’s Fixed Window Exponentiation algorithm  Attack demonstrated on a complete physical Leon3 SPARC system  Software fix using “blind”ing available in OpenSSL to protect against timing attacks  Published: “Fault-based Attack of RSA Authentication” - DATE 2010  Presented: BlackHat 2012

Download ppt "Torturing OpenSSL Todd Austin University of Michigan with Andrea Pellegrini, William Arthur and Valeria Bertacco (Based on Valeria’s BlackHat 2012 Presentation)"

Similar presentations

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.
DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13

DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13
CRT RSA Algorithm Protected Against Fault Attacks WISTP - 5/10/07 Arnaud BOSCHER Spansion EMEA Robert NACIRI Oberthur Card Systems Emmanuel PROUFF Oberthur.

CRT RSA Algorithm Protected Against Fault Attacks WISTP - 5/10/07 Arnaud BOSCHER Spansion EMEA Robert NACIRI Oberthur Card Systems Emmanuel PROUFF Oberthur.
RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.

RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.
Thank you for your introduction.

Thank you for your introduction.
Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.

Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.
RSA Attacks 1 RSA Implementation Attacks RSA Attacks 2 RSA  RSA o Public key: (e,N) o Private key: d  Encrypt M C = M e (mod N)  Decrypt C M = C d.

RSA Attacks 1 RSA Implementation Attacks RSA Attacks 2 RSA  RSA o Public key: (e,N) o Private key: d  Encrypt M C = M e (mod N)  Decrypt C M = C d.
Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.

Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.
1 Error Correction Coding for Flash Memories Eitan Yaakobi, Jing Ma, Adrian Caulfield, Laura Grupp Steven Swanson, Paul H. Siegel, Jack K. Wolf Flash Memory.

1 Error Correction Coding for Flash Memories Eitan Yaakobi, Jing Ma, Adrian Caulfield, Laura Grupp Steven Swanson, Paul H. Siegel, Jack K. Wolf Flash Memory.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
1 An ID-based multisignature scheme without reblocking and predetermined signing order Chin-Chen Chang, Iuon-Chang Lin, and Kwok-Yan Lam Computer Standards.

1 An ID-based multisignature scheme without reblocking and predetermined signing order Chin-Chen Chang, Iuon-Chang Lin, and Kwok-Yan Lam Computer Standards.
An Expandable Montgomery Modular Multiplication Processor Adnan Abdul-Aziz GutubAlaaeldin A. M. Amin Computer Engineering Department King Fahd University.

An Expandable Montgomery Modular Multiplication Processor Adnan Abdul-Aziz GutubAlaaeldin A. M. Amin Computer Engineering Department King Fahd University.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.

Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.
Barcelona, Spain November 13, 2005 WAR-1: Assessing SEU Vulnerability Via Circuit-Level Timing Analysis 1 Assessing SEU Vulnerability via Circuit-Level.

Barcelona, Spain November 13, 2005 WAR-1: Assessing SEU Vulnerability Via Circuit-Level Timing Analysis 1 Assessing SEU Vulnerability via Circuit-Level.
Dr.Saleem Al_Zoubi1 Cryptography and Network Security Third Edition by William Stallings Public Key Cryptography and RSA.

Dr.Saleem Al_Zoubi1 Cryptography and Network Security Third Edition by William Stallings Public Key Cryptography and RSA.
Side-Channel Attack: timing attack Hiroki Morimoto.

Side-Channel Attack: timing attack Hiroki Morimoto.
SIDE CHANNEL ATTACKS Presented by: Vishwanath Patil Abhay Jalisatgi.

SIDE CHANNEL ATTACKS Presented by: Vishwanath Patil Abhay Jalisatgi.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Lecture 11: Storage Systems Disk, RAID, Dependability Kai Bu

Lecture 11: Storage Systems Disk, RAID, Dependability Kai Bu

Similar presentations

Ads by Google