RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer


Mathematical Attacks. Diagram labels: Input, Crypto Algorithm, Key, Output. Goal: recover the key given access to the inputs and outputs.

Side Channel Attacks. Diagram labels: Input, Bad Inputs, Crypto Algorithm, Device, Key, Output, Errors. Goal: recover the key given access to the inputs, outputs and measurements.

ENGULF [Peter Wright, Spycatcher, p. 84]: In 1956, a couple of Post Office engineers fixed a phone at the Egyptian embassy in London.

ENGULF (cont.): The combined MI5/GCHQ operation enabled us to read the Egyptian ciphers in the London Embassy throughout the Suez Crisis.

Acoustic cryptanalysis on modern CPUs

Distinguishing various CPU operations

Distinguishing various code lengths: loops of different lengths of ADD instructions

What is a cipher? Hello! → Encryption → #!#@ *$^(# → Decryption → Hello! Symmetric: one secret; the sender and the receiver must know the secret key. Asymmetric: two different secrets, private and public; the sender needs only the public key.

RSA in a nutshell. Key generation: $p$, $q$ random primes, $n = pq$, $d \equiv e^{-1} \bmod \varphi(n)$. Public key: $(n, e)$. Private key: $p$, $q$, $d$. RSA encryption: $c \equiv m^e \bmod n$. RSA decryption: $c \mapsto c^d \bmod n$.

RSA in a nutshell. Key generation. RSA encryption: $c \equiv m^e \bmod n$. RSA decryption: $c \mapsto c^d \bmod n$; $m_p = c^{d \bmod (p-1)} \bmod p$, $m_q = c^{d \bmod (q-1)} \bmod q$. Obtain $m$ from $m_p$ and $m_q$ using the Chinese Remainder Theorem.

GnuPG: Open source crypto library. Supports many cryptographic primitives (e.g., symmetric, asymmetric, signatures). Free implementation of the OpenPGP standard as defined by RFC4880. Commonly used for encrypted emails. This talk: GnuPG 1.4.15.

RSA decryption: long operations that depend on $p$, $q$, $d_p$, $d_q$; the leakage of either will break security.

RSA key distinguishability: and here is the sound of the keys (after signal processing)

Modular exponentiation: $m = c^{d_n \cdots d_i} \bmod q$; $m = c^{d_n \cdots d_i\,0} \bmod q$; $t = c^{d_n \cdots d_i\,1} \bmod q$; $m = c^{d_n \cdots d_i\,1} \bmod q$. This is a side channel countermeasure meant to protect $d$.

Extracting $q_i$ (simplified). Assume we know $q_{2048} \cdots q_{i+1}$ and decrypt $c_i = q_{2048} \cdots q_{i+1}\,0\,1 \cdots 1$. If $q_i = 1$ then $c_i < q$, thus $c = c_i$. That is, $c$ has special structure. If $q_i = 0$ then $2q > c_i > q$, thus $c = c_i - q$. That is, $c$ is random looking. And we now multiply by $c$, causing the bit-dependent leakage.

Extracting $q_i$. Assume we know $q_{2048} \cdots q_{i+1}$ and decrypt $c_i = q_{2048} \cdots q_{i+1}\,0\,1 \cdots 1 + n$. If $q_i = 1$ then $c_i - n < q$, thus $c = c_i - n$. That is, $c$ has special structure. If $q_i = 0$ then $2q > c_i - n > q$, thus $c = c_i - q - n$. That is, $c$ is random looking. And we now multiply by $c$, causing the bit-dependent leakage.

Extracting $q_i$ (problem). Assume we know $q_{2048} \cdots q_{i+1}$ and decrypt $c_i = q_{2048} \cdots q_{i+1}\,0\,1 \cdots 1 + n$. Multiplication is repeated 2048 times (0.5 sec of data). Single multiplication is way too fast for us to measure.

Game over!

Results Key extraction is possible up to 4 meters away using a parabolic microphone

Results Key extraction is possible up to 1 meter away without a parabolic microphone

Results Key extraction is possible up to 30cm away using a smartphone

Karatsuba multiplication: Based on the following identity for multiplication and runs in $\Theta(n^{\log_2 3})$ time: $uv = (2^{2n} + 2^n)\, u_H v_H + 2^n (u_H - u_L)(v_L - v_H) + (2^n + 1)\, u_L v_L$. If $q_i = 1$ then $b$ has many 1-valued or 0-valued bits, causing the result to have many 0-valued bits. If $q_i = 0$ then $b$ is random-looking and so is the result.

The recursion tree: the number of 0-valued bits in the second operand depends on the value of $q_i$.

Basic multiplication: If $b_i = 0$ the algorithm does nothing! Repeated for a total of 8 times in this call and for a total of up to ~129,000 times, allowing for the leakage to be detectable using low bandwidth means (such as sound).
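The data-dependent work described on the Karatsuba and basic-multiplication slides can be made visible with a small model. This is an added example, not code from the talk or from GnuPG; the 32-bit limb width, the 16-limb recursion cut-off, treating $b_i$ as a limb, and the operand values are all assumptions made for illustration.

```python
import random

LIMB = 32        # assumed limb width in bits
BASE_LIMBS = 16  # assumed size at which recursion hands over to basic_mul
LIMBS = 64       # 2048-bit operands, matching q_2048 on the slides


def basic_mul(u, v, limbs, stats):
    """Schoolbook multiply; a zero limb b_i of v costs no work at all."""
    acc = 0
    for i in range(limbs):
        b_i = (v >> (LIMB * i)) & ((1 << LIMB) - 1)
        if b_i == 0:
            stats["skipped"] += 1  # "the algorithm does nothing"
            continue
        acc += (u * b_i) << (LIMB * i)
    return acc


def karatsuba(u, v, limbs, stats):
    """Recursive multiply using the identity from the slide."""
    if limbs <= BASE_LIMBS:
        return basic_mul(u, v, limbs, stats)
    half = limbs // 2
    n = LIMB * half
    mask = (1 << n) - 1
    u_h, u_l, v_h, v_l = u >> n, u & mask, v >> n, v & mask
    du, dv = u_h - u_l, v_l - v_h
    mid = karatsuba(abs(du), abs(dv), half, stats)
    if (du < 0) != (dv < 0):
        mid = -mid
    hh = karatsuba(u_h, v_h, half, stats)
    ll = karatsuba(u_l, v_l, half, stats)
    return ((1 << 2 * n) + (1 << n)) * hh + (mid << n) + ((1 << n) + 1) * ll


def skipped_rows(v, seed=1):
    """Multiply a fixed pseudo-random u by v; return how many rows were skipped."""
    u = random.Random(seed).getrandbits(LIMB * LIMBS)
    stats = {"skipped": 0}
    assert karatsuba(u, v, LIMBS, stats) == u * v
    return stats["skipped"]


# Constructed operands: random high half, a 0 bit, then all ones (the
# "special structure" case) versus a fully random-looking value.
STRUCTURED = (random.Random(2).getrandbits(1024) << 1024) | ((1 << 1023) - 1)
RANDOM_LOOKING = random.Random(3).getrandbits(2048)
```

The run of ones makes $v_L - v_H$ collapse to a value with mostly zero limbs deep in the recursion, so the structured operand triggers skipped rows while the random-looking one does not; a multiplication routine that does the same work for every limb value removes this difference.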

Power / ground analysis. Power analysis: measure device's power consumption. Ground analysis: measure device's leakage relative to the ground.

Timing analysis: Measure exact time for decryption: I. Send a server a malformed encrypted message and wait for an error response. II. Compute the elapsed time between sending and receiving an error.

Fault attacks: These are attacks that employ faults during computation in order to recover secret information, e.g., cryptographic keys. Fault attacks can break implementations of RSA, DES, AES, and virtually any cipher. There are various kinds of protection techniques, mainly to identify faults and stop computation, or to correct the errors caused by the faults.

Fault attacks (example): RSA decryption using CRT. Let $n = pq$, and a secret key $d$. Compute $m = c^d \bmod n$ using CRT: 1. $m_p = c^{d_p} \bmod p$ 2. $m_q = c^{d_q} \bmod q$ 3. $m = (a q m_p + b p m_q) \bmod n$ for some $a$, $b$. If a fault occurs only modulo one of the primes, say $p$, then the result $m'$ satisfies $m' \equiv m \bmod q$ but not mod $p$, so $\gcd(m' - m, n) = q$.

Cache attacks: Consider a multi-core processor whose cores all use a common cache memory. Each memory access either finds the content in the cache, or fetches the content from memory to the cache, throwing some old content out of the cache. Usually, the cache is divided into smaller parts, say $n$ parts, and each part is in charge of $1/n$ of the memory bytes, i.e., all bytes with the same address mod $n$. Therefore, a second core can try to access the cache in selected areas, and measure time to see if a byte was accessed by the other core.

Modular exponentiation: $m = c^{d_n \cdots d_i} \bmod q$; $m = c^{d_n \cdots d_i\,0} \bmod q$; $t = c^{d_n \cdots d_i\,1} \bmod q$; $m = c^{d_n \cdots d_i\,1} \bmod q$. This is a side channel countermeasure meant to protect $d$.

Cache attacks, example: RSA. Measure the access time to the memory locations of the multiply operation and the square operations. Therefore, you can identify the sequence of squaring, and of multiplication, thus revealing the secret exponent. Note: in the case of AES, measurement is made on the data, i.e., inputs to the S-boxes.

Even the tin foil won't help us now: 1. Play loud music while decrypting (or other kind of noise). 2. Parallel software load.

Countermeasures (ciphertext randomization). Given a ciphertext $c$: 1. Generate a random number $r$ and compute $r^e$. 2. Decrypt $r^e \cdot c$ and obtain $m'$. 3. Output $m' \cdot r^{-1}$. Works since $ed \equiv 1 \bmod \varphi(n)$, thus: $(r^e \cdot c)^d \cdot r^{-1} \bmod n = r^{ed} \cdot r^{-1} \cdot c^d \bmod n = r \cdot r^{-1} \cdot c^d \bmod n = c^d \bmod n = m$.
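The CRT fault example above, together with the "identify faults and stop computation" protection from the previous slide, as an added example that is not part of the original talk. The toy primes, the plaintext and the way the fault is simulated are constructed for illustration.

```python
from math import gcd

# Constructed toy parameters (far too small for real use).
p, q, e = 1009, 1013, 17
n = p * q
d = pow(e, -1, (p - 1) * (q - 1))
d_p, d_q = d % (p - 1), d % (q - 1)
# CRT coefficients from step 3: a*q = 1 (mod p), b*p = 1 (mod q)
a, b = pow(q, -1, p), pow(p, -1, q)


def crt_decrypt(c, fault_in_p=False):
    """RSA-CRT decryption following the slide's three steps.

    fault_in_p simulates a computation error in the mod-p half only.
    """
    m_p = pow(c, d_p, p)
    if fault_in_p:
        m_p = (m_p + 1) % p  # assumed fault model: any wrong value behaves alike
    m_q = pow(c, d_q, q)
    return (a * q * m_p + b * p * m_q) % n


def factor_from_fault(m_good, m_bad):
    """The slide's observation: gcd(m' - m, n) = q when only the p half is wrong."""
    return gcd(m_bad - m_good, n)


def checked_decrypt(c, fault_in_p=False):
    """Protection: re-encrypt the result and withhold it if it does not match c."""
    m = crt_decrypt(c, fault_in_p)
    if pow(m, e, n) != c % n:
        raise ArithmeticError("fault detected, result withheld")
    return m
```

A single released faulty result is enough to expose a factor of $n$, which is why the check has to run before any output leaves the decryption routine.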
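Ciphertext randomization as listed in the three steps above, shown on a toy key. This is an added example, not GnuPG's code or code from the talk; the key, the plaintext and the `seen` log (a stand-in for the operand that the leaky mod-$q$ arithmetic processes) are assumptions made for illustration.

```python
import secrets
from math import gcd

# Constructed toy key; real keys are thousands of bits long.
p, q, e = 1009, 1013, 17
n = p * q
d = pow(e, -1, (p - 1) * (q - 1))


def raw_decrypt(c, seen):
    """Unprotected decryption. `seen` logs c mod q, a stand-in for the
    operand that the leaky mod-q arithmetic ends up multiplying by."""
    seen.append(c % q)
    return pow(c, d, n)


def blinded_decrypt(c, seen):
    """The three steps from the slide."""
    while True:  # 1. random r; it must be invertible mod n
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    m_blind = raw_decrypt(pow(r, e, n) * c % n, seen)  # 2. decrypt r^e * c
    return m_blind * pow(r, -1, n) % n                 # 3. output m' * r^-1


def operands_over_runs(decrypt, c, runs=20):
    """Decrypt the same ciphertext repeatedly; return the plaintext and the
    set of distinct operands the exponentiation was fed."""
    seen = []
    results = {decrypt(c, seen) for _ in range(runs)}
    assert len(results) == 1  # the plaintext is the same every time
    return results.pop(), set(seen)
```

Without blinding, the sender of the ciphertext fully determines the operand; with blinding, each run multiplies by a fresh value the sender cannot predict, so a chosen bit pattern never reaches the multiplication.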

Thank you! (questions?) http://www.cs.tau.ac.il/~tromer/acoustic