Fault-Based Attack of RSA Authentication
Valeria Bertacco and Todd Austin

Cryptography: Applications

Value of Cryptography (from Bloomberg News)
- $2.1 billion, 1,300 employees
- $1.5 billion, 4,000 employees
- $8.7 billion, 15,500 employees
- $24.5 billion, 24,300 employees

Outline
- Cryptography Introduction
- RSA authentication
- Attacks to RSA authentication
- OpenSSL implementation
- Private key extraction
- Fault injection
- Conclusions

What is Secure Communication?
[Figure: a message m sent over an insecure medium]
How do we enable authenticated communication?

Asymmetric Cryptography
[Figure: message m and signature s exchanged over an insecure medium]

RSA Keys
The protocol is based on two number pairs, called keys. The key owner:
1. Chooses two large prime numbers p and q
2. Computes n = p*q
3. Chooses two numbers d and e such that d*e = 1 mod ((p-1)(q-1))
   Effect: m^(d*e) mod n = m mod n
4. Keeps (d,n) as his secret private key
5. Advertises (e,n) as his public key
[Figure: private key (d,n) and public key (e,n) on either side of the insecure medium]

RSA Authentication
Correct authentication:
- Server challenge: s = m^d mod n
- Client verifies: m = s^e mod n
[Figure: m sent to the holder of the private key (d,n); s returned and checked with the public key (e,n)]

Are These Algorithms Secure? (i.e., cryptanalysis)
- Attack the algorithm by guessing the key: time consuming (> age of the Universe)
- Attack the implementation
  - Side-channel: by monitoring side effects
  - Fault-based: a faulty processor may leak secrets

Attack the Algorithm
- In 2009 Thorsten Kleinjung et al. factorized a 768-bit RSA key
  [The slide shows the 768-bit modulus and its two prime factors]
- Factoring a 1024-bit RSA modulus would be about a thousand times harder
- We will not be able to factor a 1024-bit RSA modulus within the next five years
From "Factorization of a 768-bit RSA modulus", Kleinjung et al.

Side-Channel Attacks
Gain information from the implementation of a cryptosystem:
- Measure computation time to extract information about the algorithm's inputs: 1024-bit RSA key extracted in 2 hours
  From "Remote timing attacks are practical", Brumley and Boneh
- Monitor dynamic power of a cryptosystem to extract secrets
  From "Differential Power Analysis", Kocher et al.

Fault-Based Attacks
Cause errors in the system: a faulty computer may leak secrets
- Theoretical on some RSA implementations
  - Chinese Remainder Theorem
  - Left-to-right exponentiation
- Demonstrated on simple components
  - Smart cards and microcontrollers
From "On the Importance of Checking Computations", Boneh et al.; "Fault attacks on RSA with CRT: Concrete results and practical countermeasures", Aumuller et al.; and "A practical fault attack on square and multiply", Schmidt et al.

Our Contribution
- First fault-based attack on a complete unmodified system
- Discovered vulnerability in OpenSSL
- 1024-bit secret key extracted in 100 hours
- Faults manifest on the multiplier of the CPU

Faulty RSA Authentication
Correct authentication:
- Server challenge: s = m^d mod n
- Client verifies: m = s^e mod n
Faulty server:
- ŝ != m^d mod n
[Figure: the same exchange shown twice, once returning s and once returning the faulty ŝ]

Computing: s = m^d mod n
Fixed Window Exponentiation, used in OpenSSL.
The algorithm partitions the exponent into windows:
d = 110110110001 110110010101

    s = 1
    for each window:
        for each bit in window:          // 4 times
            s = (s * s) mod n
        s = (s * m^d[window]) mod n
    return s

Computing: s = m^d mod n, with d = 214 = 1101 0110
- start:    s = 1
- window 1: s = m^1101
- window 2: s = ((((m^1101)^2)^2)^2)^2 * m^0110

Faulty Signature: ŝ != m^d mod n
Same computation with d = 214 = 1101 0110 and an error ±2^f introduced during window 2:
- start:    s = 1
- window 1: s = m^1101
- window 2: ŝ = ((((m^1101)^2)^2 ± 2^f)^2)^2 * m^0110

Retrieving the Private Key
- The attacker collects the faulty signatures
- The private key is recovered one window at a time
  [Figure: d = d3 X X d2 X d1 X d0, with the collected signatures ŝ]
- The attacker checks its guess against the collected signatures

Reconstructing the Signature
The private key is recovered one window at a time, guessing where and when the fault hits:
d = dk X dk-1 X X
ŝ = ((((((((m^(d_k))^64 * m^(d_k-1))^2)^2)^2 ± 2^f)^2)^2)^2 * m^(d_k-2))^64 ... * m^(d_0)
Labels on the formula: "Already known", "Value?", "Which multiplication?", "Which bit?"
Extend the window if no signature can confirm the value of the guess.

Offline Analysis
With a sufficient number of corrupted signatures the attack is polynomial with respect to the length of the key.
ŝ = ((((((((m^(d_k))^64 * m^(d_k-1))^2)^2)^2 ± 2^f)^2)^2)^2 * m^(d_k-2))^64 ... * m^(d_0)
Labels on the formula: "Already known", "Value?", "Which multiplication?", "Which bit?"
For each window value guessed and each signature we test:
- 1024 error positions
- 2 error values (0→1 or 1→0)
- 6 squaring iterations
Performing this check takes about 100 seconds.
In the worst case we have 2^6 values to check!

Correct Sequential Circuit
How can we inject faults in a digital system?
[Figure: Vdd supplying a register, combinational logic, register path]

Faulty Sequential Circuit
How can we inject faults in a digital system?
[Figure: the same register, combinational logic, register path under reduced Vdd]
The lower the voltage, the less energy the electric signals have in traversing the logic cloud.

Fault Injection Mechanisms
How to make hardware fail:
- Lower voltage causes signals to slow down, thus missing the deadline imposed by the system clock
- High temperatures increase signal propagation delays
- Over-clocking shortens the allowed time for traversing the logic cloud
- Natural particles cause internal signals to change value, causing errors
All these sources of errors can be controlled to tune the fault injection rate and target some units in the design.

Experimental Platform
[Figure: Leon3]

Physical Attack
- 8,800 corrupted signatures collected in 10 hours
- RSA 1024-bit private key, 6-bit window
- Distributed application with 81 machines for offline analysis
- Private key recovered in 100 hours

Attacked Hardware: Leon3
[Block diagram: register file, 7-stage integer pipeline, caches, memory management unit, AMBA bus, serial port, Ethernet]
- We attacked a System-on-Chip on an FPGA
- The Leon3 is used for a variety of applications (from small embedded systems to airplanes)
- The critical path of the Leon3 is through the multiplier

Fault Rate
A corrupted signature leaks data only if one multiplication is corrupted by a single bit flip.
[Plot: single-bit faults (%) and faulty products (%) versus voltage, from 1.30 V down to 1.23 V]

Fault Distribution
The attacked algorithm uses 6-bit windows: any of the 6 squaring iterations has the same probability to fail.
[Plot: occurrences per squaring iteration, 0 to 5]

Fault Position
The faults affect some bit positions more than others, proving that the critical path of the multiplier is failing.
[Plot: occurrences per bit position, 0 to 1023]

Offline Analysis
- In practice 40 bit positions are typically affected by faults: the computation time is reduced to 2.5 seconds
- Analyzing 8,800 corrupted signatures requires 1 CPU-year
- Signatures can be checked in parallel
- Using 80 servers the 1024-bit key was retrieved in 104 hours

Conclusions
- Faults can leak vital private key data
- Never assume that an attack is impossible
- Fault-based attack devised for the OpenSSL Fixed Window Exponentiation algorithm
- Patch for OpenSSL is coming
- Attack demonstrated on a complete physical Leon3 SPARC system

Take Away for the Security Conscious
- Always keep OpenSSL and all cryptographic libraries updated
- Always make sure that the HW is working in proper conditions
  - Do not overclock
  - Cool the system properly
  - Avoid power fluctuations
A computer system operating outside its nominal conditions might not fail dramatically: however, silent data corruptions are even more dangerous.

Questions?
For more information: apellegrini@umich.edu
Prof. Valeria Bertacco, valeria@umich.edu
Prof. Todd Austin, austin@umich.edu

RSA Authentication in OpenSSL
OpenSSL 0.9.8i, crypto/rsa/rsa_eay.c:

    ...
    /* First compute the signature I of r0 with the
     * Chinese Remainder Theorem. */
    crt_mod_exp(r0, I, d, n);
    ...
    bn_mod_exp(vrfy, r0, e, n);
    ...
    BN_sub(vrfy, vrfy, I);
    ...
    if (!BN_is_zero(vrfy)) {
        /* I and vrfy aren't congruent mod n. Don't leak
         * miscalculated CRT output, just do a raw (slower)
         * mod_exp and return that instead. */
        ...
        bn_mod_exp(r0, I, d, n);
        return 1;
    }
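
The fixed-window loop from the "Computing: s = m^d mod n" slides with a simulated single-bit error, together with a verify-before-release check applied to every result (in the excerpt above, the fallback bn_mod_exp result is returned without a second check). This is an added example, not code from the slides or from OpenSSL; the toy key, the function names and the transient-fault model are assumptions.

```python
# Added example with constructed toy parameters (real keys are 1024+ bits).
P, Q = 2**31 - 1, 2**61 - 1            # two known Mersenne primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # d*e = 1 mod (p-1)(q-1)
W = 4                                  # window size of the slides' d = 214 example


def windows(d, w=W):
    """Split exponent d into w-bit windows, most significant first."""
    out = []
    while d:
        out.append(d & ((1 << w) - 1))
        d >>= w
    return out[::-1] or [0]


def fixed_window_exp(m, d, n, fault=None):
    """Compute m^d mod n window by window.

    fault=(window_index, squaring_index, bit) flips one bit of s right after
    that squaring: the single-bit multiplier error (+/- 2^f) from the slides.
    """
    s = 1
    for wi, win in enumerate(windows(d)):
        for sq in range(W):
            s = (s * s) % n
            if fault and fault[:2] == (wi, sq):
                s ^= 1 << fault[2]
        s = (s * pow(m, win, n)) % n
    return s


def sign_checked(m, d, e, n, fault=None):
    """Release a signature only if s^e mod n == m; otherwise recompute once.

    The fault is modelled as transient (first attempt only). The recomputed
    value is verified as well, so a corrupted result is never returned.
    """
    for attempt in range(2):
        s = fixed_window_exp(m, d, n, fault if attempt == 0 else None)
        if pow(s, e, n) == m % n:
            return s
    raise RuntimeError("signature failed verification; not released")


if __name__ == "__main__":
    m = 0x1234567                                   # constructed message
    bad = fixed_window_exp(m, D, N, fault=(3, 2, 17))
    print("faulty signature verifies:", pow(bad, E, N) == m)
    print("checked signer output ok:", sign_checked(m, D, E, N, (3, 2, 17)) == pow(m, D, N))
```

The public-exponent check costs one short exponentiation per signature and assumes the verification itself runs fault-free.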