8/3/2019 Hon An
1/12
Cryptographic Timing Attacks
Brian Honan
CS498 Senior Seminar
Dr. Yeh
April 12, 2007
-
What is a timing attack?
Timing attacks enable an attacker to extract secrets maintained in a security system by observing the time it takes the system to respond to various queries. - David Brumley (Stanford University)
Timing attacks can be classified as both a covert channel and side channel attack scheme.
Covert channel: parasitic leaking (or signaling) of information to another process.
Side channel: exploiting physical attributes, power consumption, timing, electromagnetic pulses.
-
Key people in timing attack theory
Paul Kocher: designed timing attacks for RSA, DSA and Diffie-Hellman. One of the original architects of SSL. Currently, he is the founder and chief scientist of Cryptography Research Inc.
David Brumley: doctoral student at Carnegie Mellon. Published numerous papers with Dan Boneh while studying for an MSCS from Stanford.
Dan Boneh: professor at Stanford, developed a timing attack for SSL.
Werner Schindler: developed a timing attack for RSA with CRT.
Alejandro Hevia: discovered a vulnerability in the DES cryptosystem using timing attacks.
Jean-Pierre Seifert: demonstrated a timing attack on RSA signatures.
-
Other Attacks on RSA
As studied in Crypto I and II
Fermat's Attack (primes are close together)
Pollard's Attack (one prime is small)
Initial Segment Attack (one prime has many 0s)
Directory Attack (requires many public keys)
Exhaustive search (direct modulus factoring)
-
Timing attacks and RSA: wait a sec, first some math
Before we get into timing attacks against RSA, we need to take a look at the mathematical algorithms used by RSA cryptosystems. This will give us a good understanding of where to exploit the RSA schema.
-
Square and Multiply Algorithm
This algorithm dates back to 200BC!
RSA decryption: $\text{ciphertext}^{\text{private key}} \bmod \text{modulus}$
Compute: $4^{20} \bmod 35$
Private key = $20_{10} = 10100_{2}$
$4^{1} = (4^{0})^{2} \cdot 4^{1} = 1 \cdot 4 = 4 \bmod 35$
$4^{2} = (4^{1})^{2} \cdot 4^{0} = 4^{2} \cdot 1 = 16 \bmod 35$
$4^{5} = (4^{2})^{2} \cdot 4^{1} = 16^{2} \cdot 4 = 1024 = 9 \bmod 35$
$4^{10} = (4^{5})^{2} \cdot 4^{0} = 9^{2} \cdot 1 = 81 = 11 \bmod 35$
$4^{20} = (4^{10})^{2} \cdot 4^{0} = 11^{2} \cdot 1 = 121 = 16 \bmod 35$
-
Montgomery's Algorithm
Extensively used by RSA modular exponentiation.
This algorithm is beyond the scope of this presentation! - I would have to provide Tylenol.
But I wanted to mention it since there are timing attacks against this algorithm as well.
The basic idea is that the algorithm selects a larger modulus (based on HW limitations) for square and multiply algorithms to reduce the number of steps.
The attack exploits the fact that the algorithm also has a conditional IF statement to compute an extra reduction. This step requires additional time and is based on the binary representation of the modulus (similar to square and multiply).
-
Timing Attack requirements
A timing attack is a chosen input attack. So there are
a few requirements:
Access to the hardware device.
Ability to measure calculation time precisely.
Attacker knows the security system (RSA, etc.).
Attacker knows the modulus.
Running times are reproducible.
-
Now the main idea
I wrote this and had to re-read it 3 times to understand it.
If the computation takes a predictable interval to compute based on a set of inputs, and we know the steps of the algorithm, we can conversely use this information to discover other inputs by observing the time interval in a given computation.
-
Timing attack prevention (1/2)
We have seen attacks against poorly selected criteria.
- this is the user's responsibility
A timing attack can determine the two co-prime factors of a 1024-bit RSA modulus in 300-570 time measurements. All attacks were successful. - Werner Schindler
So how can we stop a timing attack?
- the technique is called blinding
-
Timing attack prevention (2/2)
Blinding: provide a service for a client without knowing the real input or output.
Blinding techniques:
1. Instead of doing nothing when not computing the extra reduction, perform a dummy computation.
2. Pad the cipher with random data, then remove the data after the computation.
$E(x) = x r^{e} \bmod n$
$f(x) = E(x)^{d} \bmod n$
$D(x) = f(x)^{e}/r \bmod n$
r = random number
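As an added example (not part of the original slides), the following Python sketch runs the square and multiply walk-through from the earlier slide and then applies blinding technique 2 to a decryption. The key (n = 3233, e = 17, d = 2753) is a constructed toy key, the function names are illustrative, and the unblinding step is assumed to be multiplication by r^-1 mod n so that the result equals x^d mod n.

```python
import secrets
from math import gcd

# Constructed toy RSA key (textbook-sized, not from the slides): n = 61 * 53
N, E, D = 3233, 17, 2753


def square_and_multiply(base, exp, mod):
    """Left-to-right square and multiply; returns (result, multiplications).

    The multiply step runs only for 1-bits of the exponent, so the number of
    operations (and with it the running time) depends on the secret exponent.
    """
    result, mults = 1, 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod      # always square
        if bit == "1":                        # data-dependent branch
            result = (result * base) % mod
            mults += 1
    return result, mults


def decrypt_plain(c):
    """Unblinded decryption: the caller-chosen c is exponentiated directly."""
    return square_and_multiply(c, D, N)[0]


def decrypt_blinded(c, r=None):
    """Blinded decryption: exponentiate x * r^e instead of x, then remove r."""
    while r is None or gcd(r, N) != 1:        # r must be invertible mod n
        r = secrets.randbelow(N - 2) + 2
    blinded = (c * pow(r, E, N)) % N          # E(x) = x * r^e mod n
    f, _ = square_and_multiply(blinded, D, N) # f(x) = E(x)^d = x^d * r mod n
    return (f * pow(r, -1, N)) % N            # unblind with r^-1 mod n


if __name__ == "__main__":
    print(square_and_multiply(4, 20, 35))     # the slide's 4^20 mod 35
    c = pow(65, E, N)                         # constructed sample ciphertext
    print(decrypt_plain(c), decrypt_blinded(c))
```

Because r is fresh for every call, the value fed into the exponentiation is no longer the input the caller chose, while the returned plaintext is unchanged.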
-
Any Questions?
Presentation References:
Fast Exponentiation in Practice. M.B. Tandrup, M.H. Jensen, R.N. Andersen, T.F. Hansen. Dec. 6, 2004
D. Brumley, D. Boneh: Remote Timing Attacks are Practical. In: Proceedings of the 12th Usenix Security
P.C. Kocher. Timing Attacks on Implementations of DH, RSA, DSS and other systems. Proceedings of Cryptography 1996. Springer, 1996.
JP. Seifert. On Authenticated Computing and RSA-Based Authentication. ACM Press, 2005.
Wikipedia Blinding Technique
More available in Report
Thank you