Vous êtes sur la page 1sur 26

# Timing Attacks to RSA

Presented by Zhanxiang

Agenda

Background of Timing Attack Case study: David Brumley and Dan Boneh, Remote Timing Attacks are Practical (UC Berkeley)

## What is Timing Attack?

Timing attacks: Expose private information, such as RSA keys, by measuring the amount of time required to perform private key operations (Decryptions). Side-channel attacks:
Power analysis Electromagnetic radiation analysis Timing attacks

## Kochers attack 1996 

reported on page A1 of Monday's New York Times ("Secure Digital Transactions Just Got a Little Less Secure" by John Markoff). Not apply to RSA-CRT.

## Not work for implementation using (e.g. OpenSSL):

Sliding windows instead of square and multiply (exponentiation) Two multiplication algorithms.

## Why people care?

Security of RSA depends on the difficulty to factor the public key N OpenSSL applications are popular Since it can hack simple devices, e.g. smartcards, how about complex environments, such network?

Implementation of OpenSSL

## RSA quick review

Multiple prime RSA key generating algorithm 1. Select k primes: p1, p2, , pk 2. Let n=pi, i=1,2,,k 3. Let (n)=(pi-1) 4. Choose e, s.t. gcd(e,(n))=1 5. Calculate d=e-1(mod (n)) 6. Public Key = (e,n) and Private key = (d,n) Encryption: c=me mod n Decryption: m=cd mod n

## Chinese Remainder Theorem

n = n1n2nk with gcd (ni; nj ) = 1 when i != j The system of congruencies x=x1(mod n1)==xk(mod nk) has a simultaneous solution x to all of the congruencies, and there exists exactly one solution x between 0 and n-1.

## Speedup RSA with CRT

Any message M<N is uniquely represented by the tuple [MP;MQ ], where MP = M(mod P) and MQ = M(mod Q). CP = C(mod P) and CQ = C(mod Q). DP = D(mod (P-1)) and DQ = D(mod (Q-1)) RP = QP-1(mod N) and RQ = PQ-1(mod N) MP = CPDP(mod P) and MQ = CQDQ(mod Q) SP = MPRP(mod N) and SQ = MQRQ(mod N) M = SP + SQ. If M>=N then calc M=M-N. 

## Computing cd(mod p) and xy(mod p) requires:

Multiplication routines

## Normal (unequal len) Karatsuba (equal len): faster

Exponentiation

Sliding windows

Modular reduction

## What causes time variance?

Montgomery reduction
Given g calc g (mod q) Probability for and extra reduction is: P[extra step] (g mod q)/2q

## Choice of multiplication routine

To calc x*g mod q, if x is the same length as (g mod q), use Karatsuba. O(nlog23) Otherwise, use Normal. O(nm)

## Summary of time variance

g<q Montgomer Longer y effect Multiplicati on effect Shorter g>q Shorter Longer

## Time Attack on OpenSSL(1/4)

Assume: N=pq with q<p. Goal: approximations approaching q Idea: Make initial guess and refine it by learning bits one at a time, from the most significant.

## Time Attack on OpenSSL(2/4)

Init guess g of q lying between 2512 (i.e. N/2) and 2511(i.e. N/4) Try all the combinations of the top few bits Time the decryptions and pick the first peak for guess of q; (After all we at least know the first bit is 1)

## Time Attack on OpenSSL(3/4)

Suppose from 1 to i-1 bits g=q, elsewhere g=0 Recover ith bit of q as follows:

(1) ghi=g, but with ith bit 1. If ith bit of q is 1 then g<ghi<q, else g<q<ghi. (2) ug=gR-1 mod N, ughi=ghiR-1 mod N (3) t1=DecrtyptTime(ug), t2=DecryptTime(ughi). (4) D=|t1-t2|. If D is large then g<q<ghi and ith bit of q is 1, otherwise the bit is 0.

## Time Attack on OpenSSL(4/4)

We know what is large and small from attack on previous bits. Decrypting just g does not work because of sliding windows

Decrypt a neighborhood of values near g, and Tg=Tg+i Will increase difference between large and small values Thus larger 0-1 gap

Only need to recover q/2 bits of q Attack requires only 2 hours, about 1.4 million queries

## Real World Attack(1/2)

Discuss an attack on SSL applications such as an Apache web server with mod_SSL. During the handshake, SSL server performs RSA decryption of CLIENT-KEY-EXCHANGE message (sent by client) using its private key. The goal is getting this key. After decryption, the server checks PKCS 1 padded random bytes and sends an error message back to client in case of an error. The client can send another message to the server that will be decrypted there.

## Real World Attack(2/2)

1. ClientHello

Attack Client
2. ServerHello
(send public key)

SSL Server

3. Record time t1 Send guess Ug or Ughi 4. Alert 5. Record time t2 Compute DecryptTime(Ughi)=t2 t1

## Experiments (1/5) 

Test the effects on increasing the number of decryption requests required to recover a single bit of q reliably. Two parameters: neighborhood size (n) and sample size (s). Total number of queries is s*n.

Using sample size of 7 and neighborhood of 400, 1433600 total queries. Attack time (on 1024-bit key) is about 2 hours.

## Experiments (2/5) 

Architecture effects: compare two versions of a program making local calls to OpenSSL: regular and extra-inst with 6 additional nops before decryption.

Explanation: different cache hit rate: 0.139% of load misses for normal and 0.151% for extra-inst.

## Experiments (3/5) 

Compile-time effects:

Optimized (-O3 fomit_frame_pointer mcpu=pentium); No Pentium flag (-O3 fomit_frame_pointer); Unoptimized (-g).

## Experiments (4/5) 

Source-based optimizations: implemented a minor patch that improves the efficiency of of CRT decryption check.

## Preconditions & Defense

Preconditions:

OpenSSL does not enable defend option Not fix response time

Defense:

Only one multiplication routine and always carry out extra reduction in Montgomerys algorithm Quantize all RSA computations Blinding (Currently preferred)

## Blinding Defenses 

Blinding: before decryption compute x=reg mod N, where r is random. Then decrypt x, then compute x/r. Incurs 2%-10% penalty.

Reference
 David Brumley and Dan Boneh, Remote Timing Attacks are Practical, 2003  Paul C. Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems 2001  Johann GroBschadl, The Chinese Remainder Theorem and its Application in a High-Speed RSA Crypto Chip http://www.rsasecurity.com/rsalabs/challenges/f actoring/numbers.html