0x1A Great Papers in Computer Security

Similar documents
CS Side-Channel Attacks. Vitaly Shmatikov

Side-Channel Attacks on RSA with CRT. Weakness of RSA Alexander Kozak Jared Vanderbeck

Remote Timing Attacks are Practical

Topics : Analysis of Software Systems. Side channel analysis. Remote Timing Attacks are Practical

Proceedings of the 12th USENIX Security Symposium

RSA (algorithm) History

RSA. Public Key CryptoSystem

Public Key Cryptography and RSA

Other Systems Using Timing Attacks. Paul C. Kocher? EXTENDED ABSTRACT (7 December 1995)

Applied Cryptography and Computer Security CSE 664 Spring 2018

Fault-Based Attack of RSA Authentication

Overview. Public Key Algorithms I

Introduction to Cryptography Lecture 7

INTERNATIONAL JOURNAL OF ELECTRONICS AND COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET)

Introduction to Cryptography Lecture 7

CS669 Network Security

Chapter 3 Public Key Cryptography

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Chapter 9 Public Key Cryptography. WANG YANG

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Public Key Encryption. Modified by: Dr. Ramzi Saifan

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 31 October 2017

Keywords Security, Cryptanalysis, RSA algorithm, Timing Attack

Public Key Algorithms

CS 161 Computer Security

SPA-Based Adaptive Chosen-Ciphertext Attack on RSA Implementation

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Chapter 9. Public Key Cryptography, RSA And Key Management

CPSC 467b: Cryptography and Computer Security

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

SIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017

CSC 474/574 Information Systems Security

CS408 Cryptography & Internet Security

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Public Key Cryptography

RSA (material drawn from Avi Kak Lecture 12, Lecture Notes on "Computer and Network Security" Used in asymmetric crypto.

Public Key Algorithms

Midterm Exam. CS381-Cryptography. October 30, 2014

Computer Security 3/23/18

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

CS Network Security. Nasir Memon Polytechnic University Module 7 Public Key Cryptography. RSA.

Workshop Challenges Startup code in PyCharm Projects

Applications of The Montgomery Exponent

Chapter 7 Public Key Cryptography and Digital Signatures

LECTURE NOTES ON PUBLIC- KEY CRYPTOGRAPHY. (One-Way Functions and ElGamal System)

Public key encryption: definitions and security

RSA Timing Attack. Chen Yang Eric Hsieh Xiaoxi Liu. Advised by: Vinnie Hu

Micro-Architectural Attacks and Countermeasures

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

E-th roots and static Diffie-Hellman using index calculus

Public Key Algorithms

ECE 646 Fall 2009 Final Exam December 15, Multiple-choice test

Applied Cryptography and Network Security

What did we talk about last time? Public key cryptography A little number theory

- 0 - CryptoLib: Cryptography in Software John B. Lacy 1 Donald P. Mitchell 2 William M. Schell 3 AT&T Bell Laboratories ABSTRACT

Side channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut

Kurose & Ross, Chapters (5 th ed.)

Side-Channel Attack against RSA Key Generation Algorithms

CS61A Lecture #39: Cryptography

Scalable Montgomery Multiplication Algorithm

Timing Cryptanalysis Final Report Kevin Magee, ECE 646, Fall 2003, Prof. Kris Gaj

Lecture 2 Applied Cryptography (Part 2)

L2. An Introduction to Classical Cryptosystems. Rocky K. C. Chang, 23 January 2015

Some Stuff About Crypto

Cryptography and Network Security. Sixth Edition by William Stallings

Chapter 11 : Private-Key Encryption

CS 161 Computer Security

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

High-Performance Modular Multiplication on the Cell Broadband Engine

Research, Universiti Putra Malaysia, Serdang, 43400, Malaysia. 1,2 Department of Mathematics, Faculty of Sciences, Universiti Putra Malaysia,

Public Key Cryptography and the RSA Cryptosystem

Understanding Cryptography by Christof Paar and Jan Pelzl. Chapter 9 Elliptic Curve Cryptography

CS Lab 11. Today's Objectives. Prime Number Generation Implement Diffie-Hellman Key Exchange Implement RSA Encryption

Secure Multiparty Computation

Part VI. Public-key cryptography

A New Attack with Side Channel Leakage during Exponent Recoding Computations

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Elliptic Curve Public Key Cryptography

Lecture Note 9 ATTACKS ON CRYPTOSYSTEMS II. Sourav Mukhopadhyay

A nice outline of the RSA algorithm and implementation can be found at:

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Cryptographic Techniques. Information Technologies for IPR Protections 2003/11/12 R107, CSIE Building

VHDL for RSA Public Key System

Advanced Topics in Cryptography

Introduction to Public-Key Cryptography

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

n-bit Output Feedback

Elementary number theory

Math236 Discrete Maths with Applications

Introduction to Cryptography. Vasil Slavov William Jewell College

Side-Channel Cryptanalysis. Joseph Bonneau Security Group

Crypto meets Web Security: Certificates and SSL/TLS

Introduction to Cryptography Lecture 11

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Encryption. INST 346, Section 0201 April 3, 2018

New Branch Prediction Vulnerabilities in OpenSSL and Necessary Software Countermeasures

Cryptography: Matrices and Encryption

Channel Coding and Cryptography Part II: Introduction to Cryptography

Transcription:

CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/

Attacking Cryptographic Schemes Cryptanalysis Find mathematical weaknesses in constructions Statistical analysis of plaintext / ciphertext pairs Side-channel attacks Exploit characteristics of implementations Power analysis Electromagnetic radiation analysis Acoustic analysis Timing analysis slide 2

Timing Attack Basic idea: learn the system s secret by observing how long it takes to perform various computations Typical goal: extract private key Extremely powerful because isolation doesn t help Victim could be remote Victim could be inside its own virtual machine Keys could be in tamper-proof storage or smartcard Attacker wins simply by measuring response times slide 3

RSA Cryptosystem Key generation: Generate large (say, 512-bit) primes p, q Compute n=pq and (n)=(p-1)(q-1) Choose small e, relatively prime to (n) Typically, e=3 (may be vulnerable) or e=2 16 +1=65537 (why?) Compute unique d such that ed = 1 mod (n) Public key = (e,n); private key = d Security relies on the assumption that it is difficult to compute roots modulo n without knowing p and q Encryption of m (simplified!): c = m e mod n Decryption of c: c d mod n = (m e ) d mod n = m slide 4

How RSA Decryption Works RSA decryption: compute y x mod n This is a modular exponentiation operation Naïve algorithm: square and multiply slide 5

Kocher s Observation Whether iteration takes a long time depends on the k th bit of secret exponent This takes a while to compute This is instantaneous slide 6

Exploiting Timing Information Different timing given operands Assumption / heuristic: timings of subsequent multiplications are independent Given that we know the first k-1 bits of x Given a guess for the k th bit of x Time for remaining bits independent Exact guess Exact timing Given measurement of total time can see whether there is correlation between time for k th bit is long and total time is long slide 7

Outline of Kocher s Attack Idea: guess some bits of the exponent and predict how long decryption will take If guess is correct, will observe correlation; if incorrect, then prediction will look random This is a signal detection problem, where signal is timing variation due to guessed exponent bits The more bits you already know, the stronger the signal, thus easier to detect (error-correction property) Start by guessing a few top bits, look at correlations for each guess, pick the most promising candidate and continue slide 8

D. Brumley and D. Boneh Remote Timing Attacks are Practical (USENIX Security 2003)

RSA in OpenSSL OpenSSL is a popular open-source toolkit mod_ssl (in Apache = 28% of HTTPS market) stunnel (secure TCP/IP servers) snfs (secure NFS) Many more applications Kocher s attack doesn t work against OpenSSL Instead of square-and-multiply, OpenSSL uses CRT, sliding windows and two different multiplication algorithms for modular exponentiation CRT = Chinese Remainder Theorem Secret exponent is processed in chunks, not bit-by-bit slide 10

Chinese Remainder Theorem n = n 1 n 2 n k where gcd(n i,n j )=1 when i j The system of congruences x = x 1 mod n 1 = = x k mod n k Has a simultaneous solution x to all congruences There exists exactly one solution x between 0 and n-1 For RSA modulus n=pq, to compute x mod n it s enough to know x mod p and x mod q slide 11

RSA Decryption With CRT To decrypt c, need to compute m=c d mod n Use Chinese Remainder Theorem (why?) d 1 = d mod (p-1) d 2 = d mod (q-1) qinv = q -1 mod p these are precomputed Compute m 1 = c d 1 mod p; m 2 = c d 2 mod q Compute m = m 2 +(qinv*(m 1 -m 2 ) mod p)*q Attack this computation in order to learn q. This is enough to learn private key (why?) slide 12

Montgomery Reduction Decryption requires computing m 2 = c d 2 mod q This is done by repeated multiplication Simple: square and multiply (process d 2 1 bit at a time) More clever: sliding windows (process d 2 in 5-bit blocks) In either case, many multiplications modulo q Multiplications use Montgomery reduction Pick some R = 2 k To compute x*y mod q, convert x and y into their Montgomery form xr mod q and yr mod q Compute (xr * yr) * R -1 = zr mod q Multiplication by R -1 can be done very efficiently slide 13

Schindler s Observation At the end of Montgomery reduction, if zr > q, then need to subtract q Probability of this extra step is proportional to c mod q If c is close to q, a lot of subtractions will be done If c mod q = 0, very few subtractions Decryption will take longer as c gets closer to q, then become fast as c passes a multiple of q By playing with different values of c and observing how long decryption takes, attacker can guess q! Doesn t work directly against OpenSSL because of sliding windows and two multiplication algorithms slide 14

Reduction Timing Dependency Decryption time q 2q p Value of ciphertext c slide 15

Integer Multiplication Routines 30-40% of OpenSSL running time is spent on integer multiplication If integers have the same number of words n, OpenSSL uses Karatsuba multiplication Takes O(n log 23 ) If integers have unequal number of words n and m, OpenSSL uses normal multiplication Takes O(nm) slide 16

Summary of Time Dependencies g<q g>q Montgomery effect Longer Shorter Multiplication effect Shorter Longer g is the decryption value (same as c) Different effects but one will always dominate! slide 17

Discontinuity in Decryption Time Decryption time #Reductions Mult routine 0-1 Gap q Value of ciphertext slide 18

Normal SSL Handshake Regular client 1. ClientHello 2. ServerHello (send public key) 3. ClientKeyExchange (encrypted under public key) SSL server Exchange data encrypted with new shared key slide 19

Attacking SSL Handshake Attacker 1. ClientHello 2. ServerHello (send public key) 3. Record time t 1 Send guess g or g hi 4. Alert SSL server 5. Record time t 2 Compute t 2 t 1 slide 20

Attack Overview Initial guess g for q between 2 511 and 2 512 (why?) Try all possible guesses for the top few bits Suppose we know i-1 top bits of q. Goal: i th bit. Set g =<known i-1 bits of q>000000 Set g hi =<known i-1 bits of q>100000 - note: g<g hi If g<q<g hi then the i th bit of q is 0 If g<g hi <q then the i th bit of q is 1 Goal: decide whether g<q<g hi or g<g hi <q slide 21

Two Possibilities for g hi Decryption time #Reductions Mult routine g g hi? Difference in decryption times between g and g hi will be small g hi? Difference in decryption times q between g and g hi will be large Value of ciphertext slide 22

Timing Attack Details What is large and small? Know from attacking previous bits Decrypting just g does not work because of sliding windows Decrypt a neighborhood of values near g Will increase difference between large and small values, resulting in larger 0-1 gap Attack requires only 2 hours, about 1.4 million queries to recover the private key Only need to recover most significant half bits of q slide 23

Impact of Neighborhood Size zero-one gap slide 24

Extracting RSA Private Key Montgomery reduction dominates zero-one gap Multiplication routine dominates slide 25

Works On The Internet Similar timing on WAN vs. LAN slide 26

Defenses Bad: require statically that all decryptions take the same time For example, always do the extra dummy reduction but what if compiler optimizes it away? Bad: dynamically make all decryptions the same or multiples of the same time quantum Now all decryptions have to be as slow as the slowest decryption Good: Use RSA blinding slide 27

RSA Blinding Instead of decrypting ciphertext c, decrypt a random ciphertext related to c Compute x = c*r e mod n, r is random Decrypt x to obtain m Calculate original plaintext m = m /r mod n Since r is random, decryption time is random 2-10% performance penalty slide 28

Blinding Works slide 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback