Fault-Based Attack of RSA Authentication

Transcription

1 Fault-Based Attack of RSA Authentication, Valeria Bertacco and Todd Austin 1

2 Cryptography: Applications 2

3 Value of Cryptography $2.1 billions 1,300 employees $1.5 billions 4,000 employees $8.7 billions 15,500 employees $24.5 billions 24,300 employees From Bloomberg News 3

4 Outline Cryptography Introduction RSA authentication Attacks to RSA authentication OpenSSL implementation Private key extraction Fault injection Conclusions 4

5 What is Secure Communication? m Insecure medium How do we enable authenticated communication? 5

6 Asymmetric Cryptography Insecure medium 6

7 Asymmetric Cryptography m s Insecure medium m 7

8 Asymmetric Cryptography Insecure medium m m s 8

9 RSA Keys The protocol is based on two number pairs, called keys 1. Chooses two large prime numbers p & q 2. Computes n = p*q 3. Chooses two numbers, d & e such that: d*e = 1 mod ((p-1)(q-1)) Effect: m de mod n = m mod n 4. Keeps (d,n) as his secret private key 5. Advertises (e,n) as his public key Private key (d,n) Insecure medium Public key (e,n) 9

10 RSA Authentication Correct Authentication: Server challenge: s = m d mod n Client verifies: m = s e mod n m Private Key (d,n) Public Key (e,n) s m 10

11 Outline Cryptography Introduction RSA authentication Attacks to RSA authentication OpenSSL implementation Private key extraction Fault injection Conclusions 11

12 Are These Algorithms Secure? (i.e., cryptanalysis) Attack the algorithm by guessing key Attack the implementation Side-channel by monitoring side effects Fault-Based a faulty processor may leak secrets time consuming: > age of Universe 12

13 Attack the Algorithm In 2009 Thorsten Kleinjung et al., factorized a 768- bit RSA key: Factoring a 1024-bit RSA modulus would be about a thousand times harder = we will not be able to factor a 1024-bit RSA modulus within the next five years * From Factorization of a 768-bit RSA modulus, Kleinjung et al. 13

14 Side-Channel Attacks Gain information from the implementation of a cryptosystem Measure computation time to extract information about algorithm s inputs: 1024-bit RSA key extracted in 2 hours From Remote timing attacks are practical, Brumley and Boneh Monitor dynamic power of a cryptosystem to extract secrets From Differential Power Analysis, Kocher et al. 14

15 Fault-Based Attacks Cause errors in the system: a faulty computer may leak secrets Theoretical on some RSA implementations Chinese Remainder Theorem Left-to-right exponentiation Demonstrated on simple components Smart Cards & Microcontrollers From On the Importance of Checking Computations, Boneh et al. From Fault attacks on RSA with CRT: Concrete results and practical countermeasures, Aumuller et al. and 15 A practical fault attack on square and multiply, Schmidt et al.

16 Our Contribution First fault-based attack on a complete unmodified system Discovered vulnerability in OpenSSL 1024-bit secret key extracted in 100 hours Faults manifest on the multiplier of the CPU 16

17 Outline Cryptography Introduction RSA authentication Attacks to RSA authentication OpenSSL implementation Private key extraction Fault injection Conclusions 17

18 Faulty RSA Authentication Correct Authentication: Server challenge: Private Key (d,n) m Public Key (e,n) s = m d mod n Client verifies: m = s e mod n s m Faulty Server: ŝ!= m d mod n Private Key (d,n) m Public Key (e,n) ŝ 18

19 Computing: s=m d mod n Fixed Window Exponentiation, used in OpenSSL The algorithm partitions the exponent into windows: d = s=1 for each window: for each bit in window: //4times s = (s * s) mod n s = (s * mˆd[window]) mod n return s 19

20 Computing: s=m d mod n s=1 for each window: d=214= for each bit in window: //4times s = (s * s) mod n s = (s * mˆd[window]) mod n return s s=1 window 1 window 2 s=1 ( (m 1101 ) 2 ) 2 ) 2 ) 2 s= m 1101 s= ( (m 1101 ) 2 ) 2 ) 2 ) 2 )m 0110 s = ( (m 1101 ) 2 ) 2 ) 2 ) 2 )m

21 Faulty Signature: ŝ!=m d mod n s=1 for each window: for each bit in window: //4times s = (s * s) mod n s = (s * mˆd[window]) mod n return s d=214= s=1 window 1 window 2 ŝ s=1 = ( (m 1101 ) 2 ) 2 ) ±2 f ) 2 ) 2 s= m 1101 ŝ = ( (m 1101 ) 2 ) 2 ) ±2 f ) 2 ) 2 )m 0110 ŝ = ( (m 1101 ) 2 ) 2 )±2 f ) 2 ) 2 )m

22 Outline Cryptography Introduction RSA authentication Attacks to RSA authentication OpenSSL implementation Private key extraction Fault injection Conclusions 22

23 Retrieving the Private Key The attacker collects the faulty signatures Private Key m ŝ ŝ ŝ ŝ Public Key The private key is recovered one window at the time ŝ ŝ ŝ ŝ d= d3 X X d2 X d1 X d0 The attacker checks its guess against the collected signatures 23

24 Reconstructing the Signature The private key is recovered one window at the time, guessing where and when the fault hits ` d= dk X dk-1 X X Which multiplication? ŝ = ( (m d k ) 64 )m d k-1 )2 ) 2 ) 2 ±2 f ) 2 ) 2 ) 2 ) m d k-2 ) 64 m d 0 Already known Value? Which bit? Extend the window if no signature can confirm the value of the guess 24

25 Offline Analysis With a sufficient number of corrupted signatures the attack is polynomial respect the length of the key Already known ŝ = ( (m d k ) 64 )m d k-1 )2 ) 2 ) 2 ±2 f ) 2 ) 2 ) 2 ) m d k-2 ) 64 m d 0 For each window value guessed and signature we test: 1024 error positions 2 error values (0 1 or 1 0) 6 squaring iterations Performing this check takes about 100 seconds In the worst case we have 2 6 values to check! Value? Which multiplication? Which bit? 25

26 Outline Cryptography Introduction RSA authentication Attacks to RSA authentication OpenSSL implementation Private key extraction Fault injection Conclusions 26

27 Correct Sequential Circuit How can we inject faults in a digital system? Vdd Register Combinational logic Register 27

28 Faulty Sequential Circuit How can we inject faults in a digital system? Vdd Register Combinational logic Register The lower the voltage, the less energy the electric signals in traversing the logic cloud 28

29 Fault Injection Mechanisms How to make hardware fail: Lower voltage causes signals to slow down, thus missing the deadline imposed by the system clock High temperatures increase signal propagation delays Over-clocking shortens the allowed time for traversing the logic cloud Natural particles cause internal signals to change value, causing errors All these sources of errors can be controlled to tune the fault injection rate and target some units in the design 29

30 Experimental Platform Leon3 30

31 Physical Attack 8,800 corrupted signatures collected in 10 hours RSA 1024-bit private key, 6-bit window Distributed application with 81 machines for offline analysis Private key recovered in 100 hours 31

32 Attacked Hardware: Leon3 Register file 7-stage integer pipeline Caches Memory Management Unit AMBA-BUS Serial port Ethernet We attacked a System-on-Chip on an FPGA The Leon3 is used for a variety of applications (from small embedded system to airplanes) The critical path of the Leon3 is through the multiplier 32

33 Fault Rate A corrupted signature leaks data only if one multiplication is corrupted by a single bit flip Single bit faults (%) Single bit faults Faulty multiplications Faulty products (%) Voltage [V] 0 33

34 Fault Distribution The attacked algorithm uses 6-bit windows: any of the 6 squaring iterations has the same probability to fail Occurrences Squaring Iteration 34

35 Fault Position The faults affects some bit positions more than others, proving that the critical path of the multiplier is failing Occurrences Bit position [0-1023] 35

36 Offline Analysis In practice 40 bit positions typically affected by faults the computation time is reduced to 2.5 seconds Analyzing 8,800 corrupted signatures requires 1 CPU-year ŝ ŝ ŝ ŝ ŝ ŝ Signatures can be checked in parallel Using 80 servers the 1024-bit key was retrieved in 104 hours 36

37 Conclusions Faults can leak vital private key data Never assume that an attack is impossible Fault-based attack devised for OpenSSL Fixed Window Exponentiation algorithm Patch for OpenSSL is coming Attack demonstrated on a complete physical Leon3 SPARC system 37

38 Take Away for the Security Conscious Always keep OpenSSL and all cryptographic libraries updated Always make sure that the HW is working in proper conditions Do not overclock Cool the system properly Avoid power fluctuations A computer system operating outside its nominal conditions might not fail dramatically: however, silent data corruptions are even more dangerous 38

39 Questions? For more information: Prof. Valeria Bertacco Prof. Todd Austin 39

40 RSA Authentication in OpenSSL OpenSSL 0.9.8i, crypto/rsa/rsa_eay.c :... /* First compute the signature I of r0 with the * Chinese Remainder Theorem. */ crt_mod_exp(r0,i,d,n))... bn_mod_exp(vrfy,r0,e,n);... BN_sub(vrfy, vrfy, I);... if (!BN_is_zero(vrfy)) { /* I and vrfy aren t congruent mod n. Don t leak * miscalculated CRT output, just do a raw (slower) * mod_exp and return that instead. */... bn_mod_exp(r0,i,d,n); return 1; 40