hon an

Upload: anudeep-reddy

Post on 06-Apr-2018


  • 8/3/2019 Hon An

    1/12

    Cryptographic Timing Attacks

    Brian Honan

    CS498 Senior Seminar

    Dr. Yeh

    April 12, 2007

  • 8/3/2019 Hon An

    2/12

    What is a timing attack?

    "Timing attacks enable an attacker to extract secrets maintained in a security system by observing the time it takes the system to respond to various queries." - David Brumley (Stanford University)

    Timing attacks can be classified as both a covert channel and a side channel attack scheme.

    Covert channel: parasitic leaking (or signaling) of information to another process.

    Side channel: exploiting physical attributes (power consumption, timing, electromagnetic pulses).

  • 8/3/2019 Hon An

    3/12

    Key people in timing attack theory

    Paul Kocher: designed timing attacks for RSA, DSA and Diffie-Hellman. One of the original architects of SSL. Currently, he is the founder and chief scientist of Cryptography Research Inc.

    David Brumley: doctoral student at Carnegie Mellon. Published numerous papers with Dan Boneh while studying for an MSCS from Stanford.

    Dan Boneh: professor at Stanford, developed a timing attack for SSL.

    Werner Schindler: developed timing attack for RSA with CRT.

    Alejandro Hevia: discovered vulnerability in DES cryptosystem using timing attacks.

    Jean-Pierre Seifert: demonstrated timing attack on RSA signatures.

  • 8/3/2019 Hon An

    4/12

    Other Attacks on RSA

    As studied in Crypto I and II

    Fermat's Attack (primes are close together)

    Pollard's Attack (one prime is small)

    Initial Segment Attack (one prime has many 0s)

    Directory Attack (requires many public keys)

    Exhaustive search (direct modulus factoring)

  • 8/3/2019 Hon An

    5/12

    Timing attacks and RSA

    ...wait a sec, first some math

    Before we get into timing attacks against RSA we need to take a look at the mathematical algorithms used by RSA cryptosystems. This will give us a good understanding of where to exploit the RSA schema.

  • 8/3/2019 Hon An

    6/12

    Square and Multiply Algorithm

    This algorithm dates back to 200BC!

    RSA decryption: $\text{ciphertext}^{\text{private key}} \bmod \text{modulus}$

    Compute: $4^{20} \bmod 35$

    Private key $= 20_{10} = 10100_{2}$

    $4^{1} = (4^{0})^{2} \cdot 4^{1} = 1 \cdot 4 = 4 \bmod 35$

    $4^{2} = (4^{1})^{2} \cdot 4^{0} = 4^{2} \cdot 1 = 16 \bmod 35$

    $4^{5} = (4^{2})^{2} \cdot 4^{1} = 16^{2} \cdot 4 = 1024 = 9 \bmod 35$

    $4^{10} = (4^{5})^{2} \cdot 4^{0} = 9^{2} \cdot 1 = 81 = 11 \bmod 35$

    $4^{20} = (4^{10})^{2} \cdot 4^{0} = 11^{2} \cdot 1 = 121 = 16 \bmod 35$

  • 8/3/2019 Hon An

    7/12

    Montgomery's Algorithm

    Extensively used by RSA modular exponentiation.

    This algorithm is beyond the scope of this presentation! - I would have to provide Tylenol

    But I wanted to mention it since there are timing attacks against this algorithm as well.

    The basic idea is that the algorithm selects a larger modulus (based on HW limitations) for square and multiply algorithms to reduce the number of steps.

    The attack exploits the fact that the algorithm also has a conditional IF statement to compute an extra reduction. This step requires additional time and is based on the binary representation of the modulus (similar to square and multiply).

  • 8/3/2019 Hon An

    8/12

    Timing Attack requirements

    A timing attack is a chosen input attack. So there are

    a few requirements:

    Access to the hardware device.

    Ability to measure calculation time precisely.

    Attacker knows the security system (RSA, etc.).

    Attacker knows the modulus.

    Running times are reproducible.

  • 8/3/2019 Hon An

    9/12

    Now the main idea

    I wrote this and had to re-read it 3 times to understand it.

    If the computation takes a predictable interval to compute based on a set of inputs, and we know the steps of the algorithm, we can conversely use this information to discover other inputs by observing the time interval in a given computation.
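The square-and-multiply slide and the main idea above, as an added example that is not part of the original presentation: the first function reproduces the slide's trace for 4^20 mod 35 and counts the key-dependent multiplications, and the second performs a multiplication for every bit so the count no longer depends on the key. Function names are hypothetical, and operation counts stand in for time as an assumption of this sketch.

```python
def square_and_multiply(base, exponent, modulus):
    """Left-to-right binary exponentiation, as on the square-and-multiply slide.

    Returns (result, trace, multiplies): trace holds the value after each key
    bit, multiplies counts the conditional multiplications actually performed.
    """
    result, trace, multiplies = 1, [], 0
    for bit in bin(exponent)[2:]:            # most significant bit first
        result = (result * result) % modulus
        if bit == "1":                       # key-dependent branch: the leak
            result = (result * base) % modulus
            multiplies += 1
        trace.append(result)
    return result, trace, multiplies


def square_and_multiply_always(base, exponent, modulus):
    """Same result, but a multiplication is performed for every bit.

    Models a dummy-computation countermeasure by operation count only;
    Python big-integer arithmetic is not constant-time.
    """
    result, multiplies = 1, 0
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        product = (result * base) % modulus  # computed for 0 bits too
        multiplies += 1
        if bit == "1":
            result = product
    return result, multiplies


def multiply_counts(exponents, base=4, modulus=35):
    """Map each exponent to (leaky count, always-multiply count)."""
    return {
        e: (square_and_multiply(base, e, modulus)[2],
            square_and_multiply_always(base, e, modulus)[1])
        for e in exponents
    }


if __name__ == "__main__":
    print(square_and_multiply(4, 20, 35))    # the slide's 4^20 mod 35
    # Constructed 5-bit exponents with different numbers of 1 bits.
    print(multiply_counts([0b10000, 0b10100, 0b11111]))
```
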

  • 8/3/2019 Hon An

    10/12

    Timing attack prevention (1/2)

    We have seen attacks against poorly selected criteria.

    - this is the user's responsibility

    A timing attack can determine the two co-prime factors of a 1024-bit RSA modulus in 300-570 time measurements. All attacks were successful.

    Werner Schindler

    So how can we stop a timing attack?

    - the technique is called blinding

  • 8/3/2019 Hon An

    11/12

    Timing attack prevention (2/2)

    Blinding: provide a service for a client without knowing the real input or output.

    Blinding techniques:

    1. Instead of doing nothing when not computing the extra reduction, perform a dummy computation.

    2. Pad the cipher with random data, then remove the data after the computation.

    $E(x) = x r^{e} \bmod n$

    $f(x) = E(x)^{d} \bmod n$

    $D(x) = f(x)^{e} / r \bmod n$

    r = random number
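An added example, not from the original presentation, of the second technique in the usual form of RSA base blinding: multiply the ciphertext by r^e, apply the private exponent, then multiply by the inverse of r. The toy key, the message 65 and the function names are constructed for illustration.

```python
import math
import secrets

# Constructed toy key (textbook-sized, not secure): n = 61 * 53.
N, E, D = 3233, 17, 2753


def random_blinding_factor(n):
    """Pick r in [2, n-1] that is invertible modulo n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r


def blinded_decrypt(ciphertext, d=D, e=E, n=N, r=None):
    """RSA private-key operation with base blinding.

    Returns (plaintext, blinded_input). The exponentiation with d only sees
    blinded_input, which the party who chose the ciphertext cannot predict,
    so its running time no longer correlates with the chosen input.
    """
    if r is None:
        r = random_blinding_factor(n)         # fresh r for every operation
    blinded_input = (ciphertext * pow(r, e, n)) % n    # blind: c * r^e
    blinded_output = pow(blinded_input, d, n)          # equals c^d * r mod n
    plaintext = (blinded_output * pow(r, -1, n)) % n   # unblind with r^-1
    return plaintext, blinded_input


if __name__ == "__main__":
    c = pow(65, E, N)                         # constructed message 65
    for r in (2, 3, None):
        print(r, blinded_decrypt(c, r=r))
```
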

  • 8/3/2019 Hon An

    12/12

    Any Questions?

    Presentation References:

    Fast Exponentiation in Practice. M.B. Tandrup, M.H. Jensen, R.N. Andersen, T.F. Hansen. Dec. 6, 2004

    D. Brumley, D. Boneh: Remote Timing Attacks are Practical. In: Proceedings of the 12th Usenix Security

    P.C. Kocher. Timing Attacks on Implementations of DH, RSA, DSS and other systems. Proceedings of Cryptography 1996. Springer, 1996.

    JP. Seifert. On Authenticated Computing and RSA-Based Authentication. ACM Press, 2005.

    Wikipedia Blinding Technique

    More available in Report

    Thank you