Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exploiting Cache-Timing in AES: Attacks and Countermeasures Ivo Pooters March 17, 2008 Seminar Information Security Technology.

Published byBethanie Parker Modified over 8 years ago

Similar presentations

Presentation on theme: "Exploiting Cache-Timing in AES: Attacks and Countermeasures Ivo Pooters March 17, 2008 Seminar Information Security Technology."— Presentation transcript:

1 Exploiting Cache-Timing in AES: Attacks and Countermeasures Ivo Pooters i.pooters@student.tue.nl March 17, 2008 Seminar Information Security Technology

2 Outline → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion 1.Introduction 2.About Cache 3.AES Primer 4.Cache-timing attacks 5.Countermeasures 6.Conclusion

3 comes your footer  Page 3 Side Channel Attacks → Side Channel Attacks → Cache-Timing Attacks → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion Timing Attack Based on the time taken by the device to execute particular operation. Power Analysis Attack Based on analyzing the power consumptions of the device to execute particular operations. Fault Attack Abnormal environmental conditions to generate malfunctions in the processor which provide additional access.  Cache-Timing Attacks

4 Here comes your footer  Page 4 Cache-Timing Attacks Goal: Extract key information The difference in access time for cache and main memory can reveal memory access patterns Idea: Analyze time used for encrypting certain plaintexts to retrieve information of the secret key No special equipment required! → Side Channel Attacks → Cache-Timing Attacks → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion

5 Here comes your footer  Page 5 What is Cache? → What is cache? → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion Slow! Fast! Figure from [1]

6 Here comes your footer  Page 6 Advanced Encryption Standard Symmetric cipher to replace DES Three modes: AES-128, AES-192, AES-256 16-byte block size, 16-byte key, 16-byte intermediary states Key expanded to 10 Round Keys → Advanced Encryption Standard → AES Algorithm → AES Memory Access → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion

7 Here comes your footer  Page 7 AES Algorithm → Advanced Encryption Standard → AES Algorithm → AES Memory Access → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion Figure from [3]

8 Here comes your footer  Page 8 AES Memory Access Implementated as series of table lookups 8 Tables precalculated; T 0, …, T 3 and T 0 (10), …, T 3 (10) Each round r calculates intermediary state x (r+1) State X (0) is simply p  k → Advanced Encryption Standard → AES Algorithm → AES Memory Access → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion K i (r) is the i-th 4-byte word of the expanded round key

9 Here comes your footer  Page 9 Known Attacks D.J. Bernstein describes a synchronous attack in [4] Osvik et al describe a more general approach for synchronous attacks ([2]) Applicable to existing systems, e.g. dm-crypt Manipulate the cache to influence delays Asynchronous attacks ([2]) No interaction required with the encryption algorithm Use own program to manipulate cache and analyze the timings → Known Attacks → The Bernstein Attack → Attack Summary → The actual Attack → Evaluation → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion

10 Here comes your footer  Page 10 The Bernstein Attack Described by D.J. Bernstein in [4] on OpenSSL AES Implementation Synchronous attack: attacker can trigger encryption with known plaintext. Simple server setup: 1.Server started with secret key 2.Server Reads a UDP packet from network. UDP packet have variable length but start with 16-byte nonce 3.Server copies high precision timestamp and nonce to response 4.Server encrypts the packet content 5.Server sends the response: 2 x timestamp, scrambled zero and nonce → Known Attacks → The Bernstein Attack → Attack Summary → The actual Attack → Evaluation → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion

11 Here comes your footer  Page 11 Attack Summary Special case for r=0 Consider T 0 [x 0 (0) ] = T 0 [k 0  p 0 ] Timing for lookup depends on value of k 0  p 0 → AES Timing leaks information on k 0 This is true for any k i  p i, for i = 0,…,15 → Known Attacks → The Bernstein Attack → Attack Summary → The actual Attack → Evaluation → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion

12 Here comes your footer  Page 12 Attack Summary cont’d Assume the attacker 1.Watches the total time taken by victim to handle many p’s 2.Totals the AES times for each possible p 13 3.Observes the total time is maximum for p 13 = 147 Assume the attacker can experiment in the same environment with known k’s and finds that overall AES maximum when k 13  p 13 = 8. Now, k 13 = 8  147 → Known Attacks → The Bernstein Attack → Attack Summary → The actual Attack → Evaluation → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion

13 Here comes your footer  Page 13 The actual Attack, step 1 Attacker runs server with known key: all zeroes About 2 22 random 400-byte packets encrypted Study the resulting timings for e.g. p 13 : Timing max at p 13 = 8 Since k 13 = 0, Timing max when x 13 (=k 13  p 13 ) = 8 See next slide for results → Known Attacks → The Bernstein Attack → Attack Summary → The actual Attack → Evaluation → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion

14 Here comes your footer  Page 14 → Known Attacks → The Bernstein Attack → Attack Summary → The actual Attack → Evaluation → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion Results for p 13

15 Here comes your footer  Page 15 The actual Aattack, step 1 cont’d For some key bytes, not all the bits are leaked from this attack run. E.g. p 5 results show stronger correlation between values of p 5 Timings for p 5  {0,1,2,3,4,5,6,7} statistically indistinguishable. This means timing analysis would leak k 5  {0,1,2,3,4,5,6,7}, i.e. top 5 bits of k 5 → Known Attacks → The Bernstein Attack → Attack Summary → The actual Attack → Evaluation → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion

16 Here comes your footer  Page 16 → Known Attacks → The Bernstein Attack → Attack Summary → The actual Attack → Evaluation → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion Results for p 5

17 Here comes your footer  Page 17 The actual Attack, step 2 Now send packets to the victims server which uses a secret key Step 1 gives values for x i = k i  p i with max timing. Step 2 gives values for p i with max timing. Combining the results from step 1 with step 2 yields the leaked key-bits. → Known Attacks → The Bernstein Attack → Attack Summary → The actual Attack → Evaluation → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion

18 Here comes your footer  Page 18 The actual Attack, step 2 cont’d The attacker repeats attack with various packet sizes to pinpoint the keys Most likely not all key-bits are leaked, but enough for brute-force search For the attack described by Bernstein, the brute force < 1 minute! → Known Attacks → The Bernstein Attack → Attack Summary → The actual Attack → Evaluation → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion

19 Here comes your footer  Page 19 Evaluation Time in order of hours for AES-128 More noise in measurement can be solved with more samples Attacker should be able to trigger encryptions To do experiments, attacker needs the exact same system as victim → Known Attacks → The Bernstein Attack → Attack Summary → The actual Attack → Evaluation → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion

20 Here comes your footer  Page 20 Countermeasures Avoid memory access: use bit slice implementation or crude slow arithmetic and logical operations Hide timing: worst-case constant time, slow. Every operation as slow as memory access Static cache: disable cache-sharing and load all tables in cache → Countermeasures → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion

21 Here comes your footer  Page 21 Conclusions Input dependant table lookups make AES vulnerable to cache-timing attacks Bernstein has found a feasible cache-timing attack. Osvik et al describe describe even faster and more applicable attacks Countermeasures exist, but hinder performance → Conclusions → References → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion

22 Here comes your footer  Page 22 QUESTIONS ? → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion

23 Here comes your footer  Page 23 References [1] U. Drepper. Memory Part 2: CPU Caches. http://lwn.net/Articles/252125/ http://lwn.net/Articles/252125/ [2] D. Osvik, A. Shamir, E. Tromer. Cache-attacks and Countermeasures: the Case of AES. November 2005 [3] Specification for the Advanced Encryption Standard. November 2001 [4] D.J. Bernstein. Cache-Timing Attacks on AES. April 2005 → Conclusions → References → Introduction → About Cache → AES Primer → Cache-Timing Attacks → Countermeasures → Conclusion

Download ppt "Exploiting Cache-Timing in AES: Attacks and Countermeasures Ivo Pooters March 17, 2008 Seminar Information Security Technology."

Similar presentations

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
White-Box Cryptography

White-Box Cryptography
Cryptography and Network Security Chapter 5

Cryptography and Network Security Chapter 5
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
Block Ciphers and the Data Encryption Standard

Block Ciphers and the Data Encryption Standard
Impeding Malware Analysis Using Conditional Code Obfuscation Paper by: Monirul Sharif, Andrea Lanzi, Jonathon Giffin, and Wenke Lee Conference: Network.

Impeding Malware Analysis Using Conditional Code Obfuscation Paper by: Monirul Sharif, Andrea Lanzi, Jonathon Giffin, and Wenke Lee Conference: Network.
Exploring timing based side channel attacks against 802.11i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction

Exploring timing based side channel attacks against i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction
Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.

Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.
Full AES key extraction in 65 milliseconds using cache attacks

Full AES key extraction in 65 milliseconds using cache attacks
Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard It seems very simple. It is very simple. But if you don't know.

Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard "It seems very simple." "It is very simple. But if you don't know.
Dr Alejandra Flores-Mosri Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the.

Dr Alejandra Flores-Mosri Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
Lecture 2.2: Private Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 2.2: Private Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.
8: Network Security8-1 Symmetric key cryptography symmetric key crypto: Bob and Alice share know same (symmetric) key: K r e.g., key is knowing substitution.

8: Network Security8-1 Symmetric key cryptography symmetric key crypto: Bob and Alice share know same (symmetric) key: K r e.g., key is knowing substitution.
Chapter 13: Electronic Commerce and Information Security Invitation to Computer Science, C++ Version, Fourth Edition SP09: Contains security section (13.4)

Chapter 13: Electronic Commerce and Information Security Invitation to Computer Science, C++ Version, Fourth Edition SP09: Contains security section (13.4)
0x1A Great Papers in Computer Security

0x1A Great Papers in Computer Security
SIDE CHANNEL ATTACKS Presented by: Vishwanath Patil Abhay Jalisatgi.

SIDE CHANNEL ATTACKS Presented by: Vishwanath Patil Abhay Jalisatgi.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

Similar presentations

Ads by Google