Timing Cryptanalysis Final Report Kevin Magee, ECE 646, Fall 2003, Prof. Kris Gaj

Transcription

1 Timing Cryptanalysis Final Report Kevin Magee, ECE 646, Fall 2003, Prof. Kris Gaj Abstract - Accurate timing measurements of modular exponentiations used in public key cryptography can reveal the secret key exponent. Using nothing more than a common personal computer the author was able to successfully crack a modern cryptographic library routine that performed modular exponentiations with a 64-bit key. Paul Kocher first proposed the timing attack in his famous 1995 paper, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. Any public-key implementation where an attacker can make accurate timing measurements is potentially at risk. This purpose of this paper is to explain how a timing attack works and to add to an increasing list of public-key implementations that are vulnerable to Paul Kocher s brilliant idea. 1. INTRODUCTION Searching for an algorithmic flaw in mathematical functions will almost certainly not prove to be a successful strategy for breaking modern ciphers. The increasing importance of cryptography is encouraging experts from around the world to collaboratively work together to produce algorithmically secure encryption techniques. However, attackers will always go after the weakest link in a security chain. If the mathematical algorithm is not the weakest link, attackers will look elsewhere. The elsewhere types of attacks are grouped into a new category of cryptanalysis called Side Channel attacks. Side Channel attacks focus on the implementations of cryptographic algorithms instead of on the algorithms themselves. Side Channel attacks use implementation vulnerabilities such as fluctuations in power consumption, changes in electromagnetic radiation, and unprotected memory spaces to crack ciphers. The demonstrated success of these attacks has show that any mechanism that carries information from a secure area to an insecure area should be viewed as a potential vulnerability. This paper is to focus on a specific instance of these Side Channel attacks the Timing Attack. 2. THE VULNERABILITY Modular exponentiation in public key cryptography is often implemented with the following pseudo code: Algorithm 1. Modular Exponentiation Calculating M Secret Key mod N Result = 1 for ( every bit of the secret key- from right to left ) if ( the secret key bit = 1 ) Result = Result * M % N M = M * M % N; return Result Where M is the message being encrypted/decrypted and N is the modulus. The bolded line Result = Result * M % N in the Algorithm 1 above is only executed when the secret key bit equals 1. Therefore, execution time is dependent not only on the message (all calculations containing M) but also on the secret key. 1

2 Mathematically speaking, Time = f(key, Message). The threat of the timing attack is that if an attacker is given a series of messages and their corresponding encryption times he may be able to derive the secret key. We will see that armed only with these encryption times and the capability to accurately time the modular exponentiation algorithm at the bit level, an attacker can indeed recover the key. The figure below illustrates what the attacker needs to know. Message Encryption Times Tenc(M1) Tenc(M2) Tenc(M3) Tenc(M n) Time to encrypt T enc (M i ) = Time to encrypt/decrypt Message #i Figure 1. Aggregating all the message times produces a distribution that is measurable by a standard deviation. If encryption times for the messages are relatively similar, the standard deviation will be smaller than if the encryption times are relatively disparate. Figure 2 illustrates a typical distribution profile. Time Messages Figure 2. Example timing distribution for a set of messages The vulnerability exploited by the timing attack is that processing times for modular exponentiations vary and that this time variance is partly dependent on the content of the secret key. Carefully measuring message encryption/decryption times can leak the content of the key to a determined attacker. 3. THE ATTACK The attack begins with the attacker going after the first bit of the key. This paper will assume a right to left attack so the first bit will be the least significant bit of the key. The attacker will take two sets of measurements: one set will measure how much time each message takes to encrypt a single bit key of 0 and the other set will measure how much time each message takes to encrypt a single bit key of 1. These two timing sets are then subtracted from the known total encryption times to produce two distinct distributions. One distribution reflects the total time minus the time for the 0 single bit key, the other distribution reflects the total time minus the time for the 1 single bit key. For reasons to be explained shortly, the distribution having the smallest standard deviation is most likely to be the accurate value for the key. The attack proceeds to the second bit. Given the first bit guess (assume the guess is 1 ), another set of 0/1 bit times are calculated to guess the second bit. These times are added to the time for the previous guess of two timings: one timing for 01 and another timing for 11 (remember we are proceeding right to left). These 2-bit distributions are subtracted from the known total encryption times. Again the two distributions are examined: one distribution is the total time minus the 01 value for the first two bits and the other distribution is the total time minus the 11 value for the first two bits. The distribution with the smallest standard deviation is chosen as the most likely candidate for the first two bits. 2

3 The attack proceeds to the third bit. Given that the first two bits are guessed (assume 01 is guessed for the first two bits), a third sets of 0/1 bit times are calculated: times for 001 and 101 are discovered. These 3- bit distributions are subtracted from the known total encryption times. As with the previous rounds, the distribution with the smallest standard deviation is chosen as the most likely candidate. The attack proceeds through all the bit positions of the key. Tenc(M1) Tenc(M2) Tenc(M3) Tenc(Mn) Remaining Time Partial Key T enc (M i ) = Time to encrypt Message #i after subtracting time for a partial key guess Figure 3. The figure above illustrates the attack process. The partial key area to the right of each message timeline represent the calculated time of the guessed partial key (be it 1,2,3,.. bits). The shaded time to the left of each message timeline is the amount of time that is left after the partial key time is removed. The remaining time for each message timeline is used to calculate the standard deviation for the distribution. If subtracting the 0 partial key guess leaves a smaller standard deviation then a 1 partial key, then a 0 bit is guessed as the key value, and vice versa. 4. WHY IT WORKS The time required to encrypt a message can be thought of as a series of random variables. Each random variable represents the time slice needed to encrypt a message for each bit of the key. n = # bits in the key X i =the random time taken to encrypt the i th bit of the key If the bit value for X n is guessed correctly and the time to process X n for each message is accurately known, the time to encrypt every message is reduced by the time to encrypt/decrypt X n. In effect one of the random variables used to produce the total time is removed. The new distribution after subtracting the correct guess is a result of n- 1 random variables. X 0 + X 1 + X 2 + X n-1 On the other hand, if X n is guessed incorrectly, the time to encrypt every message is reduced by an uncorrelated random variable (X z ). The new distribution is now a result of n+1 random variables. X 0 + X 1 + X 2 + X n X z The theory is that the correct guess is more likely produce a smaller standard deviation than the incorrect guess because a distribution with fewer random variables is more likely to produce a smaller standard deviation than a distribution with more random variables. 5. THE PERFECT TIMING ENVIRONMENT Now let us see if the theory can be put into practice on a PC. Timing on a PC is not very accurate. Preemptive operating system context switches, virtual memory swaps, and varying disk access times make accurate timing difficult. Therefore, to develop the theoretical concepts of the timing attack, I decided to first develop a Perfect Timing scenario to better study the timing attack in a controlled environment free from the imperfections of real-world timings. X 0 + X 1 + X 2 + X n 3

4 To develop a perfect timing environment I had to write my own modular exponentiation routine to perform the encryptions. This routine would have to return identical timing characteristics no matter how many times that attack was run. Here are the design assumptions for my Perfect Timing environment: The unit of time measurement is the Time Slot A Bit Shift costs 1 Time Slot Addition costs 1 Time Slot Multiplication costs 1 Time Slot The modulo operation cost 1 Time Slot Here is the pseudo code for my modular exponentiation routines. Algorithm 2. Modular exponentiation with perfect timing int MyModExp( Key, Message, Modulus) TimeSlots = 0; z = 1; for (each bit of the key ) if( the key bit value = 1 ) determine time for modular multiplication routine MultTime = MyMult(z, Message) Add t ime for multiplication and modulation routine to Timeslots TimeSlots += MultTime + 1; Message = Message * Message % Modulus; increase time for above multiplication and mod operations TimeSlots += 2 return TimeSlots int MyMult ( Mult1, Mult2) answer = 0 MultTime = 0; while (Mult1!= 0) if (Mult1 & 1 ) answer += Mult1; increase time for above addition MultTime++ Mult2 = Mult2<< 1; Mult1 = Mult12 >> 1; increase time for above shifts MultTime += 2; return MultTime; What results is a predictable timing mechanism for exponential modulation in the unit of Time Slots. 6. THE PERFECT TIMING ATTACK The classical timing attack as explained by Paul Kocher in 1995 attacks the key one bit at a time as explained in Section 3. However, the attack can be made in any increments of 2 n bits (2,4,8,16 ). The cost of higher bit groupings is that more tests have to be made in each of the attack s iterations and that recovering from an incorrect guess is more computationally intensive. This phenomenon is more fully explained in Section 10. However, to more efficiently explain the attack with significant key lengths, hex values (4-bits) are used as the increment value. Here are the results for a 10,000 message run (each message 16 bits long) using perfect timing with a 16 bit key of 859A and testing one hex character (4-bits) at a time. The results are presented as a pair of numbers. The left most value is the hex value of the bit pattern and the right most value is the standard deviation (in decimal) of the distribution after the time for the bit pattern has been subtracted from the total encryption time. Iteration 1: Test all combinations for the least significant hex character and compares standard deviations 4

5 a e b f c d A or 1010 has the lowest standard deviation so guess that the least significant hex character of the secret key is A. Iteration 2: Assuming A as the first hex character, tests all combinations for the second hex character and compare standard deviations d b f c a e or 1001 has the lowest standard deviation so guess that the second hex character of the secret key is 9. Iteration 3: Assuming 9A as the first two hex character, tests all combinations for the third hex character and compare standard deviations d c f b e a or 0101 has the lowest standard deviation so guess that the third hex character of the secret key is 5. Iteration 4: Assuming 59A as the first three hex character, tests all combinations for the fourth hex character and compare standard deviations a c d b e f or 1000 has the lowest standard deviation so guess that the fourth hex character is 8. A sixteen bit key has 2 16 or 65,536 possible key combinations. This timing attack determined the key on a single run with no mistakes!! This type of result caught the attention of the leaders of the cryptographic world. It was quickly accepted that this timing attack was indeed a serious sidechannel vulnerability. 7. THE REAL WORLD ENVIRONMENT To do the testing I used the Multiprocessing Integer and Rational Arithmetic C/C++ Library (MIRACL) from Shamus Software to perform the exponential modulations. MIRACL uses a data type called a BIG that can be an arbitrarily large number (5,000 bit numbers are used regularly in the demonstration programs). The BIG data 5

6 type is used to perform public key cryptographic routines. In particular I used MIRACL s powmod function that raises a BIG number to a BIG power modulus another BIG. Armed with the confidence that my implementation of the timing attack works in a controlled environment, I was ready to go after a real world implementation using the MIRACL library. This real world environment has timing inconsistencies and highly optimized modular exponentiation routines that perform complex computations in amazingly fast times. For instance the cryptographic library I am using is able to factor a 64-bit number to a 64-bit exponent against a 64-bit modulus in under 0.1 milliseconds. Even as impressive as the speed is, equally impressive is the alarming lack of timing consistency. The major difference between the perfect and the real worlds proved to be the noisiness of the real-world timings. The best way to calculate time on the PC is to query the CPU tick counter with inline assembly calls. However, even with this low level timing technique, times are not consistent. In the real world, I discovered I had to perform each cryptographic operation five times and then take the fastest time as the recorded value. Taking the average times did not prove useful. Times could swing by as much as 100% in the microsecond world in which I was operating. Taking more than 5 samples did not appreciably increase consistency. Given the noisy timing constraints, incorrect bit guesses were going to be an inevitable part of the timing attack. I had to learn to recover from these incorrect guesses. How do you know when your guess is incorrect? How long will the algorithm have to proceed before it realizes that a wrong guess has been made? 8. ESTABLISH THE BASELINE In order to know that you are off track (continuing the attack after an incorrect guess), you have to know what the correct track is. To help determine the correct track I developed a base lining technique where I encrypted the set of messages with a key made up of alternating 1 s and 0 s. Obviously, this key pattern has nothing to do with the actual key used to encrypt the messages, however, the pattern proves useful in producing an expected slope for how standard deviations should decrease as the timing attack proceeds. Other keys besides a pattern can be used but these keys will produce a more stair-stepped pattern and are not as useful. The timing attack is run against the baseline key standard deviations for each step of the algorithm are plotted. Standard Deviation Baseline Standard Deviation Plots 32-bit key, Hex value increments 0 Start Figure 4. 5 Round # Figure 4 shows the plotted real-world standard deviations for a 32-bit, baseline key against 10, bit messages. The figure shows that the standard deviations should smoothly trend towards zero as the number of bits tested approaches the total key length. The standard deviation slope from an actual production key will not be as smooth as the baseline key. However, the slope from an actual key should

7 generally follow the baseline path. The baseline slope is used to compare the results of an actual attack to help indicate when an incorrect guess is driving the attack down a wrong path. 9. ACTIVATE THE ATTACK AGAINST THE ESTABLISHED BASELINE With the baseline slope as a guide an attacker can determine 6 when an incorrect guesses is leading the attack in the wrong direction. Figure 5 below shows the results of an actual attack. The 32-bit, hex key used was AF90BFC6. The first four rounds of the attack correctly guessed the actual values of the key. The attack works right to left so the hex values 6, C, F, and B were correctly guessed. The reader will notice how the slopes of the standard deviations for the first four rounds generally follow the slopes for the baseline. Standard Deviation Actual Real World Attack e The actual correct hex value for the fifth round is 0. So, all fifteen previous hex values had to be tested and rejected before reaching the correct value. All the previously fifteen values eventually led the standard deviation slopes away from the baseline slope, so the attacker could assume that these guesses were incorrect. The attack had to backtrack back to the fourth round and test the 0 hex value to eventually derive the correct key values for hex values 5 through 8. Notice 0 that correct key path for round 5 shows an anomaly in the slope progression. This anomaly occurs 9 because the key value is 0 which means that the exponential modulation will be performed with an exponent of 0. This operation will occur in practically no time by the cryptographic routine and therefore there will be little change in the overall standard deviation. But after round 5 the standard deviation slope again closely tracks the baseline slope for the hex values 9, F, and A. 10. RECOVERING FROM AN INCORRECT GUESS 5 A Start Round # Figure At the fifth round the standard deviation values presented to the attack were as follows: f b d a c Baseline Incorrect Correct Paul Kocher s experiments with computerbased timings predict that an attack should correctly guess the partial key approximately 84% of the time. These results generally agreed with my findings. This also means, unfortunately, that 16% of the time the attack will guess incorrectly and the attack must recover from this incorrect guess. Assuming the attack is using bit value increments instead of hex value increments, the formula for determining how many tests will be necessary to recover from an incorrect guess is: 2 #Realization Rounds

8 where #Realization Rounds = number of rounds before the mistake is realized. The number of rounds needed to recover from an incorrect guess includes all the tests necessary to return to the point in the attack where the incorrect guess was made. The attack has to explore all the combinations possible for #Realization Rounds from the mistake point. This becomes a wellunderstood discrete mathematics problem for determining the number of nodes in a binary tree. The formula for the number of nodes (tests) is 2 n+1 1 where n is the height of the binary tree. This formula directly applies to the results of the timing attack. 12. ATTACK RESULTS More mistakes (wrong guesses) are likely to be made during the early part of the attack than during the later stages of the attack. This occurs because the percentage drop in the standard deviations is larger as the attack nears the end of the process. Additionally, if an incorrect guess is made, the mistake most often occurs when the correct key bit value is a 0. Zero values have little affect on decreasing the standard deviation slope and are more likely than a one to be guessed as driving the standard deviation slope away from the baseline path. The efficiency of the timing attack using binary increments can be summarized as follows: Number of bits in the key = N #Realization Rounds = R Probability of a correct choice = 85 % Probability of an incorrect choice = 15% Number of iterations needed to recover from an incorrect choice = 2 R+1 1 Total iterations spent recovering from incorrect choices = 0.15 N( 2 R+1 1) Average # of tests for attack = N N (2 R+1 1) It was also discovered that as the length of the bit pattern tested per iteration grows, the efficiency of the attack degrades exponentially. For instance if hex values are used the attack will take on the order of 16 5 or 1,000,000 tests to recover from each incorrect guess instead of 2 5 or 32 tests for binary values. Log scale for # of tests # Tests to Recover from an Incorrect Guess Bit Increments at each iteration Figure 6 Bottom line; the attack should use as small a key increment as possible for the timing attack. Many commercial cryptographic routines will use two or even four bit increments for their modular exponentiation routines, these larger increments will be more difficult to crack than routines that use smaller bit increments. The complexity of the attack is proportional to the length of the key. This fact makes the attack a serious threat. When using a brute force attack, key combinations increases exponentially with the length of the key. The timing attack transforms the key search to a search with a proportional relationship with the key length. This reduction puts the attack into the realm of the possible given the computing power available to attackers today. 8

9 11. ATTACK PREREQUISITES Here are the prerequisites for a successful timing attack 1) An ability to accurately measure total transformation times 2) An ability to capture many plaintext or ciphertext messages 3) Detailed knowledge of the HW/SW implementation 4) An ability to measure timing characteristics of a single iteration (round). 5) Transformation times must be dependent on the secret key and the message 6) The cryptographic process does not use the Chinese Remainder Theorem. The timing attack is not trivial and the attacker does indeed need intimate knowledge of the cryptographic implementation. It is generally accepted that a timing attack is not a serious threat from the casual hacker. A determined opponent, however, might expend the necessary resources to accomplish a timing attack if the rewards for such an attack were high enough. 12. THE BLINDING DEFENSE The best defense against the timing attack is to introduce a random timing component to the cryptographic process. Introducing a random component makes the timing information unusable to attackers, since the random number obfuscates calculation times. Using randomized values for protection is known as a blinding defense. Here is the unprotected modular exponentiation equation: M = Cd mod N (normal not blinded) Where M = Message; C=Cipher Text; d=secret key; N=modulus Now, here is the modular exponentiation protected with a blinding defense by adding a randomized variable, R, such that R = Red mod N. M = R-1(C*Re)d mod N (blinded) For each decryption the results are the same as the normal modular exponentiation. However, given that R is random, the processing times will become random and consequently will not leak timing information to an attacker. There is a performance cost to blinding of between 2%-10%. It is up to the implementer to determine if the performance cost of blinding is worth the added security. 13. CONCLUSION Timing attacks are hard. Timing attacks are implementation independent. Each timing attack has to be individually tailored to the system being attacked. Timing attacks are possible but not practical unless the rewards to the attacker are very high. Side Channel attacks such as the timing attack described in the report illustrate that the ingenuity of attackers will continually discover new avenues for attack. Not all weaknesses and attacks can be anticipated when delivering a cryptographic product. The best the good guys can do is to stay vigilant and react quickly as new vulnerabilities are exposed. It is up to the cryptographic community to fairly assess vulnerabilities and keep those who depend on cryptographic security aware of the risks. Security is about risk management, not about absolute prevention. The only way to make a system truly secure is to pull the plug. If the benefits of the digital age are to 9

10 be enjoyed, security vulnerabilities will always be a part our lives. REFERENCES 1) Paul C. Kocher, "Cryptanalysis of Diffie- Hellman, RSA, DSS, and Other Systems Using Timing Attacks," extended abstract, December ) J. Markoff, "Secure digital transactions just got a little less secure," New York Times, December 11, ) B. Kaliski, "Timing Attacks on Cryptosystems," RSA Laboratories' Bulletin, no 2, January 23, ) Paul C. Kocher, "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems," Proc. CRYPTO'96, pp ) RSAREF library, available via ftp from ftp://ftp.rsa.com. 6)Handbook of Applied Cryptography, Menezes, Oorschat, Vanstone 7) Cryptography and Network Security, Stallings 8) A Practical Implementation of the Timing Attack, Dehm, Koeune, Leroux, Mestre,Quisquater, Willems. UCL Crypto Group 9) A Timing Attack Against Rinjdael, Koeune, Quisquater. UCL Crypto Group 10) Fast Modular Reduction with Precomputation, Chae Loon Him, Hyo Sun Hwang 11) GSL Reference Manual, version November 2001 Careful Design and Integration of Cryptographic Primitives, Koeune, UCL Crypto Group 12) Timing Attack: What Can be Achieved by a Powerful Adversary?, Hachez, Koeune 13) M.I.R.A.C.L. Users Manual, Shamus Software Ltd. 10