Remote Timing Attacks are Practical

Transcription

1 Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in Advanced Topics in Network Security (600/ )

2 Outline Traditional threat model in cryptography Side-channel attacks Kocher s timing attack Boneh & Brumley timing attack Experiments Countermeasures

3 Traditional Crypto Brute force attacks large key Mathematical attacks reduction to hard problem RSAP: (m e mod n) m DHP: (g x, g y ) g xy

4 Traditional Crypto Attacker has access to: Ciphertext Algorithm

5 Real-Life Crypto Attacker has access to: Ciphertext Algorithm Physical observables from the device

6 Side Channel Attacks Paul Kocher in 1996 Recovers RSA and DSS signing key Not taken seriously by cryptographers Lot of attention from the press

7 Side Channel Attacks Timing analysis Fault analysis EM analysis Differential fault analysis Simple power analysis Differential power analysis

8 Side Channel Attacks m c time k Power consumption EM radiation

9 Side Channel Attacks m m e mod n e Encryption Side channel

10 Side Channel Attacks m m d mod n d Decryption/ Signing Side channel

11 Kocher Timing Attack RSA signatures: sig(m) = m d mod n Modular exponentiation is computed using square and multiply algorithm Time of modular exponentiation is a function of the bits of the exponent Use time to recover exponent (signing key)

12 Kocher Timing Attack Recovers key bit by bit Uses statistical analysis Guesses key bit then verifies Needs many samples of signing time

13 Kocher Attack Target sig(m) = m d mod n

14 Square and Multiply 1: INPUT: m, n, d 2: OUTPUT: x = m d mod n 3: x := m 4: for i = n 1 downto 0 do 5: x := x 2 6: if d i = 1 then 7: x := x m mod n 8: end if 9: end for 10: return x

15 Kocher Timing Attack Eve T(m 1 ) m 1 s 1 Bob T(m 2 )... d... s 2 m 2...

16 Kocher Timing Attack Eve T 0 (m 1 ) m 1 s 1 Eve T 0 (m 2 )... 0?... s 2 m 2...

17 Kocher Timing Attack Eve T 1 (m 1 ) m 1 s 1 Eve T 1 (m 2 )... 1?... s 2 m 2...

18 Kocher Timing Attack Compare T(m i ) vs T(m i ) vs T(m i ) T 0 (m i ) T 1 (m i ) will be correlated with correct guess

19 Kocher Timing Attack 1998 UCL experimental results: Key size sample size

20 Limit of Kocher Attack Does not work when mod exp is optimized

21 RSA with Sun Ze Th. sig(m) = m d mod n Sun Ze Th. aka CRT m, d and n are order of 1024 bits exponentiation of 1024 bit number by another 1024 bit number taken modulo a third 1024 bit number

22 RSA with Sun Ze Th. exponentiate mod q (512 bits) exponentiate mod p (512 bits) combine using SZT to get mod n (= pq)

23 RSA with Sun Ze Th. sig(m) = m d mod n where m 1 = m mod p m 2 = m mod q d 1 = d mod (p 1) n = pq d 2 = d mod (q 1)

24 RSA with Sun Ze Th. s 1 = m d 1 1 mod p s 2 = m d 2 2 mod q CRT(s 1, s 2 ) = m d mod n

25 RSA with Sun Ze Th. Modular exponentiation: pre-processing exponentiation mod p exponentiation mod q CRT

26 RSA with Sun Ze Th. Kocher s attack does not work Cannot get precise timings Cannot repeat pre-processing without factors Most implementations use CRT OpenSSL

27 OpenSSL SSL establishes encrypted and authenticated channel between client and server 1994 SSL v1 completed but never released SSL v2 released with Navigator 1.1 SSL v2 PRNG broken

28 OpenSSL 1995 SSL v3 released (designed by Kocher) SSL is ubiquitous 1996 IETF standardizes SSL

29 OpenSSL 1998 OpenSSL 0.9.1c is released (based on SSLeay) mod_ssl for Apache is released

30 OpenSSL Most popular open source SSL implementation Most popular crypto library stunnel snfs 18% of all Apache servers use mod_ssl

31 RSA in OpenSSL sig(m) = m d mod n Sun Ze Theorem Modular exponentiation: sliding window Modular reduction: Montgomery Multi-precision multiplication: Karatsuba

32 Sliding Window Extension of square and multiply makes attack more difficult uses multiple bits of the exponent at once

33 Montgomery Reduction Introduced in 1985 by Peter Montgomery Performs modular multiplication efficiently Transforms multiplication mod n to multiplication mod R

34 Algorithm 1 Montgomery Reduction 1: INPUT: x, y and q 2: OUTPUT: x y mod q 3: RR 1 qq = 1 4: Ψ(x) := xr mod q 5: Ψ(y) := yr mod q 6: z := Ψ(x) Ψ(y) = abr 2 mod q 7: r := z q mod R 8: s := z+rq R 9: if s > q then 10: s := s q 11: end if 12: return s Montgomery Reduction extra reduction

35 Montgomery Reduction Pr[extra reduction] = m mod q 2R m = q Pr[reduction] = 0 m q Pr[reduction] m q+ Pr[reduction]

36 Karatsuba Multi-precision multiplication where and Runs in O(n log 2 3 ) As opposed to O(n m) worst case O(n 2 ) x y x = n y = n

37 Karatsuba Used only if inputs have same length OpenSSL: if x = y then Karatsuba O(n if x!= y then normal O(n 2 ) log 3 2 )

38 Biases What is the effect of these optimizations on the exponentiation time?

39 Montgomery Reduction if m approaches q from below then slow if m approaches q from above then fast

40 Montgomery Reduction Decryption time Figure 1 q 2q 3q g

41 Multiplication if x = y then fast if x!= y then slow

42 Multiplication Decryption time Karatsuba Normal g < q g > q g

43 Boneh-Brumley Attack hello Eve e g or g hi Server error

44 Boneh-Brumley Attack Kocher attack recovers signing key Boneh-Brumley attack recovers factor

45 Kocher Attack Target sig(m) = m d mod n

46 Boneh-Brumley Target sig(m) = m d mod p q

47 Boneh-Brumley Target n = pq Knowing q we recover p d = e 1 mod (p 1)(q 1)

48 Boneh-Brumley Attack CRT Square and multiply Montgomery m modq m d mod q m d mod R Multiplication I m

49 Boneh-Brumley Attack Recover sig(m) = m d mod pq bit of q i th i 1 when we already have the top bits

50 Timing Attack q: smallest factor g: same top bits as q (rest is all 0) i 1 : g with bit set to g hi i th 1 : decryption(g) - decryption( ) g hi

51 Timing Attack i = 4 q = 101? g = g = hi

52 Timing Attack i = 4 q = 101 1? g = g hi = if q 4 = 1 then g < g hi < q

53 Timing Attack i = 4 q = 101 0? g = g hi = if q 4 = 0 then g < q < g hi

54 Boneh-Brumley Attack q i = 0 g < q < g hi Montgomery Multiplication T(g) slow (xtra reds) fast (kara) g slow T( hi) fast (normal) large large

55 Boneh-Brumley Attack g < q < g hi Montgomery Multiplication T(g) slow (xtra reds) fast (kara) g slow T( hi) fast (normal) large large

56 Boneh-Brumley Attack q i = 1 g < g hi < q Montgomery Multiplication T(g) slow fast g hi T( ) slow fast small small

57 Boneh-Brumley Attack g < g hi < q Montgomery Multiplication T(g) slow fast g hi T( ) slow fast small small

58 Timing Attack if q 4 = 1 then g < g hi < q and is small if q 4 = 0 then g < q < g hi and is large

59 Experimental Setup RedHat Linux GB of RAM gcc 2.96 OpenSSL GHz Pentium 4

60 Number of Queries Interprocess using TCP Neighborhood size: for each bit measure decryption time of many guesses (sliding window) Sample size: for each guess measure multiple times

61 Number of Queries

62 Number of Queries Delta increases as neighborhood size increases Variance decreases as sample size increases

63 Other Experiments Tested using 3 different keys Deltas are very sensitive to execution environment (cache misses, code offsets etc...) compilation flags

64 Network Experiments Works against Apache+mod_ssl when seperated by: 1 switch 3 routers and a number of switches

65 Network

66 Attack Results Interprocess attack 1024 bit key Unoptimized: queries Optimized: 1.4 million queries 2 hours

67 More Details Lucas will talk more about the experiments

68 Countermeasures Make running time independent of input Montgomery: perform dummy reductions Multiplication: always use Karatsuba (shifts) Make all operations take the same time

69 Countermeasures Blinding (r e m) d (r e m) rm d r R Z n Eve

70 Countermeasures

71 Blinding How do we know it prevents other attacks? Blinding is not provably secure What about template attacks?

72 Impact CERT advisory 56 unknown At least 37 products vulnerable 23 not vulnerable

73 Questions?

74 Montgomery Reduction x y mod q x y mod 2 k 2 k > q and gcd(2 k, q) = 1 Multiplication and division by powers of 2 is efficient

75 Karatsuba A B = A H A L B H B L A B = (2 n 2 AH + A L ) (2 n 2 BH + B L ) A B = 2 n A H B H + 2 n 2 (AH B L + A L B H ) + A L B L

76 Karatsuba A B = 2 n A H B H + 2 n 2 (AH B L + A L B H ) + A L B L A H B L + A L B H = (A H + A L ) (B H + B L ) A H B H A L B L A B = 2 n A H B H + 2 n 2 [(AH + A L ) (B H + B L ) A H B H A L B L ] + A L B L

77 Karatsuba 3 multiplications and 2 shift and 7 additions multiplications fit in registers (no overflows)