Exploiting Cache-Timing in AES: Attacks and Countermeasures. Ivo Pooters, March 17, 2008. Seminar Information Security Technology.


Outline
1. Introduction
2. About Cache
3. AES Primer
4. Cache-timing attacks
5. Countermeasures
6. Conclusion

Side Channel Attacks
Timing Attack: based on the time taken by the device to execute a particular operation.
Power Analysis Attack: based on analyzing the power consumption of the device while it executes particular operations.
Fault Attack: abnormal environmental conditions generate malfunctions in the processor which provide additional access.
Cache-Timing Attacks: the subject of the following slides.

Cache-Timing Attacks
Goal: extract key information.
The difference in access time between cache and main memory can reveal memory access patterns.
Idea: analyze the time used for encrypting certain plaintexts to retrieve information about the secret key.
No special equipment required!

What is Cache?
(Figure from [1]: the memory hierarchy. Main memory: slow! Cache: fast!)

Advanced Encryption Standard
Symmetric cipher to replace DES.
Three modes: AES-128, AES-192, AES-256.
16-byte block size, 16-byte key, 16-byte intermediary states.
Key expanded to 10 Round Keys.

AES Algorithm
(Figure from [3]: the AES round structure.)

AES Memory Access
Implemented as a series of table lookups.
8 tables precalculated: T0, …, T3 and T0(10), …, T3(10).
Each round r calculates the intermediary state x(r+1).
State x(0) is simply p ⊕ k.
Ki(r) is the i-th 4-byte word of the expanded round key.

Known Attacks
D.J. Bernstein describes a synchronous attack in [4].
Osvik et al. describe a more general approach for synchronous attacks ([2]):
  applicable to existing systems, e.g. dm-crypt;
  manipulate the cache to influence delays.
Asynchronous attacks ([2]):
  no interaction with the encryption algorithm required;
  use an own program to manipulate the cache and analyze the timings.

The Bernstein Attack
Described by D.J. Bernstein in [4] on the OpenSSL AES implementation.
Synchronous attack: the attacker can trigger encryption with known plaintext.
Simple server setup:
1. Server started with secret key.
2. Server reads a UDP packet from the network. UDP packets have variable length but start with a 16-byte nonce.
3. Server copies a high-precision timestamp and the nonce to the response.
4. Server encrypts the packet content.
5. Server sends the response: 2 x timestamp, scrambled zero and nonce.

Attack Summary
Special case for r = 0: consider T0[x0(0)] = T0[k0 ⊕ p0].
Timing for the lookup depends on the value of k0 ⊕ p0, so AES timing leaks information on k0.
This is true for any ki ⊕ pi, for i = 0, …, 15.

Attack Summary cont'd
Assume the attacker
1. watches the total time taken by the victim to handle many p's,
2. totals the AES times for each possible p13,
3. observes that the total time is maximal for p13 = 147.
Assume the attacker can experiment in the same environment with known k's and finds that the overall AES time is maximal when k13 ⊕ p13 = 8.
Now, k13 = 8 ⊕ 147.

The actual Attack, step 1
Attacker runs the server with a known key: all zeroes.
About 2^22 random 400-byte packets are encrypted.
Study the resulting timings for, e.g., p13: timing max at p13 = 8.
Since k13 = 0, timing max when x13 (= k13 ⊕ p13) = 8.
See next slide for results.

(Figure: results for p13.)

The actual Attack, step 1 cont'd
For some key bytes, not all the bits are leaked from this attack run.
E.g. the p5 results show a stronger correlation between values of p5: timings for p5 ∈ {0,1,2,3,4,5,6,7} are statistically indistinguishable.
This means timing analysis would leak k5 ⊕ {0,1,2,3,4,5,6,7}, i.e. the top 5 bits of k5.

(Figure: results for p5.)
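The "top 5 bits of k5" observation follows from cache-line granularity: lookups that land in the same cache line cannot be told apart by timing. The C model below is an added illustration, not code from the slides or from Bernstein's paper; it assumes 4-byte T-table entries and a 32-byte cache line (8 entries per line), and the function names, AES_KEY_BYTES and the line/entry parameters are my own. It also carries the slide's k13 = 8 ⊕ 147 example through, keeping only the bits the model says are trustworthy.

```c
#include <stdint.h>
#include <stdio.h>

/* Model assumption (constructed): lookups within one cache line are
 * indistinguishable by timing, lookups to different lines are not. */
#define AES_KEY_BYTES 16

/* Number of table entries packed into one cache line. */
static unsigned entries_per_line(unsigned line_bytes, unsigned entry_bytes) {
    return line_bytes / entry_bytes;
}

/* Bits of the first-round index x_i = k_i XOR p_i that select the cache
 * line; only these are observable. The low bits pick the slot inside the line. */
static uint8_t leaked_mask(unsigned line_bytes, unsigned entry_bytes) {
    unsigned epl = entries_per_line(line_bytes, entry_bytes);
    return (uint8_t)(~(epl - 1u) & 0xFFu);
}

static unsigned popcount8(uint8_t m) {
    unsigned n = 0;
    for (; m; m >>= 1) n += m & 1u;
    return n;
}

/* Bits of each key byte that the first-round timing profile can pin down. */
static unsigned leaked_bits_per_byte(unsigned line_bytes, unsigned entry_bytes) {
    return popcount8(leaked_mask(line_bytes, entry_bytes));
}

/* Key entropy left after the leak: the size of the remaining brute-force step. */
static unsigned hidden_key_bits(unsigned line_bytes, unsigned entry_bytes) {
    return AES_KEY_BYTES * (8 - leaked_bits_per_byte(line_bytes, entry_bytes));
}

/* x_max: index with maximal timing in the known-key run; p_max: plaintext
 * byte with maximal timing at the victim. Only the line-selecting bits of
 * x_max XOR p_max are meaningful under this model. */
static uint8_t recovered_key_bits(uint8_t x_max, uint8_t p_max,
                                  unsigned line_bytes, unsigned entry_bytes) {
    return (uint8_t)((x_max ^ p_max) & leaked_mask(line_bytes, entry_bytes));
}

int main(void) {
    printf("32-byte lines: %u bits/byte leaked, %u key bits hidden\n",
           leaked_bits_per_byte(32, 4), hidden_key_bits(32, 4));
    printf("k13 known bits: 0x%02x\n", recovered_key_bits(8, 147, 32, 4));
    return 0;
}
```

Larger cache lines hide more bits per byte (64-byte lines: only the top 4), which is why the brute-force step remains necessary.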

The actual Attack, step 2
Now send packets to the victim's server, which uses a secret key.
Step 1 gives the values of xi = ki ⊕ pi with max timing.
Step 2 gives the values of pi with max timing.
Combining the results from step 1 with step 2 yields the leaked key bits.

The actual Attack, step 2 cont'd
The attacker repeats the attack with various packet sizes to pinpoint the key.
Most likely not all key bits are leaked, but enough for a brute-force search.
For the attack described by Bernstein, the brute force takes < 1 minute!

Evaluation
Time in the order of hours for AES-128.
More noise in the measurements can be compensated with more samples.
The attacker must be able to trigger encryptions.
To do the experiments, the attacker needs the exact same system as the victim.

Countermeasures
Avoid memory access: use a bit-slice implementation or crude, slow arithmetic and logical operations.
Hide timing: worst-case constant time, slow. Every operation as slow as a memory access.
Static cache: disable cache sharing and load all tables into the cache.
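The "hide timing" countermeasure in code, as an added example that is not OpenSSL's or Bernstein's implementation: a leaky direct lookup beside a constant-time lookup that reads every entry and keeps the wanted one with an arithmetic mask, so the addresses touched do not depend on the index. The 256-entry table is a constructed stand-in for one AES T-table; the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

#define TABLE_ENTRIES 256

/* Constructed stand-in for one AES T-table (the real T0..T3 are not
 * reproduced); any 256-entry 32-bit table serves for the comparison. */
static uint32_t table[TABLE_ENTRIES];

static void init_table(void) {
    for (unsigned i = 0; i < TABLE_ENTRIES; i++)
        table[i] = ((uint32_t)i * 0x9E3779B1u) ^ 0xA5A5A5A5u;
}

/* Leaky lookup, as in a T-table implementation: the address read, and so
 * the cache line touched, depends on the secret-derived index. */
static uint32_t leaky_lookup(uint8_t idx) {
    return table[idx];
}

/* Constant-time lookup: every entry is read in the same order for every idx;
 * the wanted entry is selected with a mask instead of a branch or an indexed
 * load. Cost: 256 reads instead of one, the performance penalty the slides
 * mention. Check the compiled assembly: the compiler must not collapse the
 * loop back into a single indexed load. */
static uint32_t ct_lookup(uint8_t idx) {
    uint32_t result = 0;
    for (uint32_t i = 0; i < TABLE_ENTRIES; i++) {
        uint32_t diff = i ^ idx;            /* zero only when i == idx */
        uint32_t hit  = (diff - 1u) >> 31;  /* 1 iff diff == 0 */
        uint32_t mask = 0u - hit;           /* all ones iff hit */
        result |= table[i] & mask;
    }
    return result;
}

/* Both lookups must agree on every index; returns 1 on success. */
static int ct_matches_leaky(void) {
    init_table();
    for (unsigned i = 0; i < TABLE_ENTRIES; i++)
        if (ct_lookup((uint8_t)i) != leaky_lookup((uint8_t)i))
            return 0;
    return 1;
}

int main(void) {
    printf("constant-time lookup matches direct lookup: %s\n",
           ct_matches_leaky() ? "yes" : "no");
    return 0;
}
```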

Conclusions
Input-dependent table lookups make AES vulnerable to cache-timing attacks.
Bernstein has found a feasible cache-timing attack.
Osvik et al. describe even faster and more applicable attacks.
Countermeasures exist, but hinder performance.

Questions?

References
[1] U. Drepper. Memory Part 2: CPU Caches.
[2] D. Osvik, A. Shamir, E. Tromer. Cache Attacks and Countermeasures: the Case of AES. November 2005.
[3] Specification for the Advanced Encryption Standard. November 2001.
[4] D.J. Bernstein. Cache-Timing Attacks on AES. April 2005.