Presentation is loading. Please wait.

Presentation is loading. Please wait.

Remote Timing Attacks are Practical David Brumley Dan Boneh [Modified by Somesh.

Published byHerbert Waters Modified over 8 years ago

Similar presentations

Presentation on theme: "Remote Timing Attacks are Practical David Brumley Dan Boneh [Modified by Somesh."— Presentation transcript:

1 Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh Jha]

2 Various Types of Attacks Cryptanalysis –Look at carefully chosen plaintext/ciphertexts –Differential and linear cryptanalysis Side channel attacks –Timing attacks –Differential power analysis –Look at characteristics such as time for decryption and power consumption

3 Overview Main result: RSA in OpenSSL is vulnerable to a new timing attack: –Attacker can extract RSA private key by measuring web server response time. Exploiting OpenSSL’s timing vulnerability: –One process can extract keys from another. –Insecure VM can attack secure VM. Breaks VM isolation. –Extract web server key remotely. Our attack works across Stanford campus.

4 Why are timing attacks against OpenSSL interesting? Many OpenSSL Applications –mod_SSL (Apache+mod_SSL has 28% of HTTPS market) –stunnel (Secure TCP/IP servers) –sNFS (Secure NFS) –Many more Timing attacks mostly applied to smartcards [K’96 ] –Never applied to complex systems –Most crypto libraries do not defend: libgcrypt, cryptlib,... Mozilla NSS only one we found to explicitly defend by default OpenSSL uses well-known algorithms

5 Outline  RSA Overview and data dependencies Present timing attack Results against OpenSSL 0.9.7 Defenses

6 RSA Algorithm RSA decryption: g d mod N = m –d is private decryption exponent, N is public modulus Chinese remaindering (CRT) uses factors directly. N=pq, and d1 and d2 are pre-computed from d: 1. m1 = g d1 mod q 2. m2 = g d2 mod p 3. combine m1 and m2 to yield m (mod N) Goal: learn factors of N. –Kocher’s [K’96] attack fails when CRT is used.

7 RSA Decryption Time Variance Two reasons for decryption time variance: 1. Multiplication algorithm used OpenSSL uses two different mult. algorithms 2. Modular reduction steps modular reduction goal: given u, compute u mod q Occasional extra steps in OpenSSL’s reduction alg. There are MANY: –multiplications by input g –modular reductions by factor q (and p)

8 Reduction Timing Dependency Modular reduction: given u, compute u mod q. –OpenSSL uses Montgomery reductions [M’85]. Time variance in Montgomery reduction: –One extra step at end of reduction algorithm with probability Pr[extra step]  (g mod q) [S’00] 2q

9 Pr[extra step]  (g mod q) 2q Value of ciphertext Decryption Time q 2q p

10 Multiplication Timing Dependency Two algorithms in OpenSSL: –Karatsuba (fast): Multiplying two numbers of equal length –Normal (slow): Multiplying two numbers of different length To calc x  g mod q OpenSSL does: –When x is the same length as (g mod q), use Karatsuba mult. –Otherwise, use Normal mult.

11 OpenSSL Multiplication Summary g < q Decryption Time q Normal Multiplication Karatsuba Multiplication g g > q Value of ciphertext

12 Data Dependency Summary Decryption value g < q –Montgomery effect: longer decryption time –Multiplication effect: shorter decryption time Decryption value g > q –Montgomery effect: shorter decryption time –Multiplication effect: longer decryption time Opposite effects! But one will always dominate

13 Previous Timing Attacks Kocher’s attack does not apply to RSA-CRT. Schindler’s attack does not work directly on OpenSSL for two reasons: –OpenSSL uses sliding windows instead of square and multiply –OpenSSL uses two mult. algorithms.  Both known timing attacks do not work on OpenSSL.

14 Outline RSA Overview and data dependencies during decryption  Present timing attack Results against OpenSSL 0.9.7 Defenses

15 Attack is binary search Decryption Time # Reductions Mult routine Value of ciphertext q 0-1 Gap

16 Timing Attack High Level Attack: 1)Suppose g=q for the top i-1 bits, and 0 elsewhere. 2)g hi = g, but with the i th bit 1. Then g < g hi Goal: decide if g<q<g hi or g<g hi <q 3)Sample decryption time for g and g hi : t 1 = DecryptTime(g) t 2 = DecryptTime(g hi ) 4)If |t 1 - t 2 | is large   bit i is 0 (g < q < g hi ) else   bit i is 1 (g < g hi < q) don’t straddle q large vs. small creates 0-1 gap g and g hi straddle q

17 Timing Attack: High Level Assume we have i-1 top bits of q. Goal: find i’th bit of q. 1)Set g=q for the top i-1 bits, and 0 elsewhere. 2)g hi = g, but with the i th bit 1. Then g < g hi - g <q <g hi  i’th bit of q is 0. - g <g hi <q  i’th bit of q is 1. Goal: decide if g<q<g hi or g<g hi <q

18 2 cases for g hi Decryption Time # Reductions Mult routine Value of ciphertext q gg hi ?

19 Timing Attack High Level Attack: 1)Suppose g=q for the top i-1 bits, and 0 elsewhere. 2)g hi = g, but with the i th bit 1. Then g < g hi Goal: decide if g<q<g hi or g<g hi <q 3)Sample decryption time for g and g hi : t 1 = DecryptTime(g) t 2 = DecryptTime(g hi ) 4)If |t 1 - t 2 | is large   bit i is 0 (g < q < g hi ) else   bit i is 1 (g < g hi < q) g and g hi don’t straddle q Time diff creates 0-1 gap g and g hi straddle q

20 Small time difference g < g hi < q Decryption Time # Reductions Mult routine Value of ciphertext q g hi |t 1 – t 2 | 0-1 gap small g

21 Large time difference g < q < g hi Decryption Time # Reductions Mult routine Value of ciphertext q g hi |t1 – t2| 0-1 gap large g

22 Timing Attack Details We know what is “large” and “small” from attack on previous bits. Decrypting just g does not work because of sliding windows –Decrypt a neighborhood of values near g –Will increase diff. between large and small values  larger 0-1 gap Only need to recover top half bits of q [C’97] Attack requires only 2 hours, about 1.4 million queries to recover server’s private key.

23 The Zero-One Gap Zero-one gap

24 How does this work with SSL? How do we get the server to decrypt our g?

25 Normal SSL Session Startup Regular Client USENIX SSL Server 1. ClientHello 2. ServerHello (send public key) 3. ClientKeyExchange (r e mod N) Result: Encrypted with computed shared master secret

26 Attacking Session Startup Attack Client USENIX SSL Server 1. ClientHello 2. ServerHello (send public key) 3. Record time t 1 Send guess g or g hi 4. Alert 5. Record time t 2 Compute t 2 –t 1

27 Attack requires accurate clock Attack measures 0.05% time difference between g and g hi –Only 0.001 seconds on a P4 We use the CPU cycle counter as fine- resolution clock –“rdtsc” instruction on Intel –“%tick” register on UltraSparc

28 Outline RSA Overview and data dependencies during decryption Present timing attack  Results against OpenSSL 0.9.7 Defenses

29 Attack extract RSA private key Montgomery reductions dominates Multiplication routine dominates zero-one gap

30 Attack extract RSA private key Montgomery reductions dominates Multiplication routine dominates zero-one gap

31 Attack works on the network Similar timing on WAN vs. LAN

32 Attack Summary Attack successful, even on a WAN Attack requires only 350,000 – 1,400,000 decryption queries. Attack requires only 2 hours to extract server’s private key.

33 Outline RSA Overview and data dependencies during decryption Present timing attack Results against OpenSSL 0.9.7  Defenses

34 Defenses Good: Use RSA blinding BAD: Require statically all decryptions to take the same time BAD: Use dynamic methods to make all decryptions take the same time

35 RSA Blinding Decrypt random number related to g: 1.Compute x’ = g*r e mod N, r is random 2.Decrypt x’ = m’ 3.Calculate m = m’/r mod N Since r is random, the decryption time should be random 2-10% performance penalty

36 Blinding Works!

37 Conclusion We developed a timing attack based on multiplication and reduction timings Attack works against real OpenSSL-based servers on regular PC’s. Lesson: Crypto libraries should always defend against timing attacks. –OpenSSL 0.9.7b enables blinding by default.

38 Questions? Thanks for listening!

Download ppt "Remote Timing Attacks are Practical David Brumley Dan Boneh [Modified by Somesh."

Similar presentations

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.
Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK www.co.umist.ac.uk.

Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Topics in Cryptography Lecture 7 Topic: Side Channels Lecturer: Moni Naor.

Topics in Cryptography Lecture 7 Topic: Side Channels Lecturer: Moni Naor.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
C ● O ● M ● O ● D ● O RESEARCH LAB Longer Keys may Facilitate Side Channel Attacks (Bradford, UK) Colin.

C ● O ● M ● O ● D ● O RESEARCH LAB Longer Keys may Facilitate Side Channel Attacks (Bradford, UK) Colin.
Computer Security: Computer Science with Attackers Usable Privacy and Security Fall 2009 As told by David Brumley 1.

Computer Security: Computer Science with Attackers Usable Privacy and Security Fall 2009 As told by David Brumley 1.
Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.

Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.
Homework #4 Solutions Brian A. LaMacchia Portions © 2002-2006, Brian A. LaMacchia. This material is provided without.

Homework #4 Solutions Brian A. LaMacchia Portions © , Brian A. LaMacchia. This material is provided without.
Remote Timing Attacks -Rashmi Kukanur. Agenda  Timing Attacks  Case Study : –David Brumley –Dan Boneh  Defenses.

Remote Timing Attacks -Rashmi Kukanur. Agenda  Timing Attacks  Case Study : –David Brumley –Dan Boneh  Defenses.
RSA Attacks 1 RSA Implementation Attacks RSA Attacks 2 RSA  RSA o Public key: (e,N) o Private key: d  Encrypt M C = M e (mod N)  Decrypt C M = C d.

RSA Attacks 1 RSA Implementation Attacks RSA Attacks 2 RSA  RSA o Public key: (e,N) o Private key: d  Encrypt M C = M e (mod N)  Decrypt C M = C d.
Cryptography and Network Security Chapter 9 Fourth Edition by William Stallings.

Cryptography and Network Security Chapter 9 Fourth Edition by William Stallings.
The RSA Cryptosystem Dan Boneh Stanford University.

The RSA Cryptosystem Dan Boneh Stanford University.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Cryptography and Network Security Chapter 9. Chapter 9 – Public Key Cryptography and RSA Every Egyptian received two names, which were known respectively.

Cryptography and Network Security Chapter 9. Chapter 9 – Public Key Cryptography and RSA Every Egyptian received two names, which were known respectively.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.

Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.

Similar presentations

Ads by Google