cache timing attacks http cr yp to papers html
play

Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , - PowerPoint PPT Presentation

Nov 03, 2022 •362 likes •1.28k views

Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This paper reports successful Thanks to: extraction of a complete AES key University of Illinois at Chicago from a network server NSF CCR9983950 on

  1. Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein “This paper reports successful Thanks to: extraction of a complete AES key University of Illinois at Chicago from a network server NSF CCR–9983950 on another computer. Alfred P. Sloan Foundation The targeted server used its key solely to encrypt data using the OpenSSL AES implementation on a Pentium III.” All code included in paper. Easily reproducible.

  2. attacks Outline of this talk: http://cr.yp.to/papers.html #cachetiming , 2005: 1. How to advertise an AES candidate “This paper reports successful 2. How to leak k extraction of a complete AES key Illinois at Chicago timings: basic from a network server CCR–9983950 3. How to break on another computer. Foundation by forcing cache The targeted server used its key 4. How to skew a solely to encrypt data using the 5. How to leak k OpenSSL AES implementation timings: advanced on a Pentium III.” 6. How to break All code included in paper. without cache Easily reproducible. 7. How to misdesign a cryptographic

  3. Outline of this talk: http://cr.yp.to/papers.html #cachetiming , 2005: 1. How to advertise an AES candidate “This paper reports successful 2. How to leak keys through extraction of a complete AES key timings: basic techniques from a network server 3. How to break AES remotely on another computer. by forcing cache misses The targeted server used its key 4. How to skew a benchmark solely to encrypt data using the 5. How to leak keys through OpenSSL AES implementation timings: advanced techniques on a Pentium III.” 6. How to break AES remotely All code included in paper. without cache misses Easily reproducible. 7. How to misdesign a cryptographic architecture

  4. Outline of this talk: 1. Advertising an http://cr.yp.to/papers.html , 2005: 1. How to advertise 1997: US NIST announces an AES candidate reports successful cipher competition. 2. How to leak keys through complete AES key replacing DES as timings: basic techniques server approved block cipher. 3. How to break AES remotely computer. 1999: NIST announces by forcing cache misses server used its key RC6, Rijndael, Serp 4. How to skew a benchmark encrypt data using the as AES finalists. 5. How to leak keys through implementation timings: advanced techniques 2001: NIST publishes II.” 6. How to break AES remotely the development included in paper. without cache misses Encryption Standa ducible. 7. How to misdesign explaining selection a cryptographic architecture AES.

  5. Outline of this talk: 1. Advertising an AES candidate 1. How to advertise 1997: US NIST announces block- an AES candidate cipher competition. Goal: AES, 2. How to leak keys through replacing DES as US government- timings: basic techniques approved block cipher. 3. How to break AES remotely 1999: NIST announces MARS, by forcing cache misses RC6, Rijndael, Serpent, Twofish 4. How to skew a benchmark as AES finalists. 5. How to leak keys through timings: advanced techniques 2001: NIST publishes “Report on 6. How to break AES remotely the development of the Advanced without cache misses Encryption Standard (AES),” 7. How to misdesign explaining selection of Rijndael as a cryptographic architecture AES.

  6. talk: 1. Advertising an AES candidate 1996: Kocher extracts advertise from timings of a 1997: US NIST announces block- candidate cipher competition. Goal: AES, Clear threat to blo keys through replacing DES as US government- too. As stated in basic techniques approved block cipher. “In some environments, reak AES remotely 1999: NIST announces MARS, timing attacks can cache misses RC6, Rijndael, Serpent, Twofish against operations a benchmark as AES finalists. in different amounts keys through depending on their advanced techniques 2001: NIST publishes “Report on reak AES remotely the development of the Advanced cache misses Encryption Standard (AES),” misdesign explaining selection of Rijndael as cryptographic architecture AES.

  7. 1. Advertising an AES candidate 1996: Kocher extracts RSA key from timings of a server. 1997: US NIST announces block- cipher competition. Goal: AES, Clear threat to block-cipher keys replacing DES as US government- too. As stated in NIST’s report: approved block cipher. “In some environments, 1999: NIST announces MARS, timing attacks can be effected RC6, Rijndael, Serpent, Twofish against operations that execute as AES finalists. in different amounts of time, depending on their arguments. 2001: NIST publishes “Report on the development of the Advanced Encryption Standard (AES),” explaining selection of Rijndael as AES.

  8. an AES candidate 1996: Kocher extracts RSA key “A general defense from timings of a server. timing attacks is announces block- each encryption and etition. Goal: AES, Clear threat to block-cipher keys operation runs in as US government- too. As stated in NIST’s report: amount of time. cipher. “In some environments, “Table lookup: not announces MARS, timing attacks can be effected timing attacks : : Serpent, Twofish against operations that execute finalists. in different amounts of time, “Multiplication/division/squa depending on their arguments. or variable shift/rotation: publishes “Report on most difficult to defend development of the Advanced Standard (AES),” selection of Rijndael as

  9. 1996: Kocher extracts RSA key “A general defense against from timings of a server. timing attacks is to ensure that each encryption and decryption Clear threat to block-cipher keys operation runs in the same too. As stated in NIST’s report: amount of time. : : : “In some environments, “Table lookup: not vulnerable to timing attacks can be effected timing attacks : : : against operations that execute in different amounts of time, “Multiplication/division/squaring depending on their arguments. or variable shift/rotation: most difficult to defend : : :

  10. extracts RSA key “A general defense against “Rijndael and Serp of a server. timing attacks is to ensure that only Boolean operations, each encryption and decryption table lookups, and block-cipher keys operation runs in the same shifts/rotations. in NIST’s report: amount of time. : : : are the easiest to environments, attacks. : : : “Table lookup: not vulnerable to can be effected timing attacks : : : “Finalist profiles. erations that execute operations used b amounts of time, “Multiplication/division/squaring among the easiest their arguments. or variable shift/rotation: against power and most difficult to defend : : : attacks. : : : Rijndael gain a major speed over its competito protections are considered.

  11. “A general defense against “Rijndael and Serpent use timing attacks is to ensure that only Boolean operations, each encryption and decryption table lookups, and fixed operation runs in the same shifts/rotations. These operations amount of time. : : : are the easiest to defend against attacks. : : : “Table lookup: not vulnerable to timing attacks : : : “Finalist profiles. : : : The operations used by Rijndael are “Multiplication/division/squaring among the easiest to defend or variable shift/rotation: against power and timing most difficult to defend : : : attacks. : : : Rijndael appears to gain a major speed advantage over its competitors when such protections are considered. : : :

  12. defense against “Rijndael and Serpent use “NIST judged Rijndael is to ensure that only Boolean operations, best overall algorithm encryption and decryption table lookups, and fixed AES. Rijndael app in the same shifts/rotations. These operations consistently good time. : : : are the easiest to defend against Its key setup time attacks. : : : and its key agility not vulnerable to Rijndael’s operations “Finalist profiles. : : : The : : : the easiest to defend operations used by Rijndael are “Multiplication/division/squaring power and timing among the easiest to defend shift/rotation: Finally, Rijndael’s against power and timing to defend : : : round structure app attacks. : : : Rijndael appears to good potential to gain a major speed advantage instruction-level pa over its competitors when such (Emphasis added.) protections are considered. : : :

  13. “Rijndael and Serpent use “NIST judged Rijndael to be the only Boolean operations, best overall algorithm for the table lookups, and fixed AES. Rijndael appears to be a shifts/rotations. These operations consistently good performer : : : are the easiest to defend against Its key setup time is excellent, attacks. : : : and its key agility is good. : : : Rijndael’s operations are among “Finalist profiles. : : : The the easiest to defend against operations used by Rijndael are power and timing attacks. : : : among the easiest to defend Finally, Rijndael’s internal against power and timing round structure appears to have attacks. : : : Rijndael appears to good potential to benefit from gain a major speed advantage instruction-level parallelism.” over its competitors when such (Emphasis added.) protections are considered. : : :

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cache-Timing Attacks Matteo BOCCHI System Research & Applications STMicroelectronics S.r.l.

Cache-Timing Attacks Matteo BOCCHI System Research & Applications STMicroelectronics S.r.l.

Cache-Timing Attacks Matteo BOCCHI System Research & Applications STMicroelectronics S.r.l. 2018/12/06 Agenda 2 STM32 Nucleo Boards STM32 Firewall Cache-Timing Attack Evict&Time vs. MbedTLS AES on STM32

477 views • 20 slides
CACHE-TIMING ATTACKS ON RSA KEY GENERATION Conference on Cryptographic Hardware and Embedded

CACHE-TIMING ATTACKS ON RSA KEY GENERATION Conference on Cryptographic Hardware and Embedded

CACHE-TIMING ATTACKS ON RSA KEY GENERATION Conference on Cryptographic Hardware and Embedded Systems (CHES) 2019 Alejandro Cabrera Aldaya 1 , Cesar Pereida Garca 2 , Luis Manuel Alvarez Tapia 1 , Billy Bob Brumley 2 , {aldaya,

371 views • 21 slides
Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

338 views • 8 slides
DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir

DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir

DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir Kiriansky, Ilia Lebedev, Saman Amarasinghe, Srinivas Devadas, Joel Emer {vlk, ilebedev, saman, devadas, emer}@csail.mit.edu MICRO'18

949 views • 78 slides
Eliminating cache-based timing attacks with instruction-based scheduling Deian Stefan , Pablo

Eliminating cache-based timing attacks with instruction-based scheduling Deian Stefan , Pablo

Eliminating cache-based timing attacks with instruction-based scheduling Deian Stefan , Pablo Buiras, Edward Z. Yang, Amit Levy, David Terei, Alejandro Russo, and David Mazires Motivation: IFC Web platforms Platforms allow 3rd-party developers

936 views • 61 slides
Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing attacks important? Clarifications Zero-One Gap / Neighborhood Size etc. Problems Questions Extensions Contribution Discussion

645 views • 26 slides
More Cryptocurrency Attacks http://blockchain.unica.it/projects/ethereum-survey/index.html

More Cryptocurrency Attacks http://blockchain.unica.it/projects/ethereum-survey/index.html

More Cryptocurrency Attacks http://blockchain.unica.it/projects/ethereum-survey/index.html http://hackingdistributed.com/2016/06/18/analysis-of-the-dao- exploit/ https://hackernoon.com/what-caused-the-latest-100-million-

853 views • 36 slides
Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency Requirements of performance, availability, and disconnected operation require us to relax the goal of semantic transparency. - HTTP 1.1 specification

598 views • 13 slides
The Clock is Still Ticking: Timing Attacks in the Modern Web Tom Van Goethem, Wouter Joosen,

The Clock is Still Ticking: Timing Attacks in the Modern Web Tom Van Goethem, Wouter Joosen,

The Clock is Still Ticking: Timing Attacks in the Modern Web Tom Van Goethem, Wouter Joosen, Nick Nikiforakis Background: Timing attacks Introduced by Felten et al. in 2000. A side-channel attack analyzing the time that it takes to a

642 views • 21 slides
1 HTTP 1.1 Expiration and Validation in HTTP 1.1 HTTP 1.1 Expiration and Validation in HTTP 1.1

1 HTTP 1.1 Expiration and Validation in HTTP 1.1 HTTP 1.1 Expiration and Validation in HTTP 1.1

Web Cache Consistency Web Cache Consistency Requirements of performance, availability, and disconnected operation require us to relax the goal of semantic transparency. - HTTP 1.1 specification Web Cache Consistency Web Cache Consistency

280 views • 3 slides
HTML Introduction (02c) Our Plan G HTML background G Unix and other issues G Minimal HTML

HTML Introduction (02c) Our Plan G HTML background G Unix and other issues G Minimal HTML

HTML Introduction (02c) Our Plan G HTML background G Unix and other issues G Minimal HTML documents G Hyperlinks and URLs Web Concepts: Static Design your PC domain.name Client Software HTTP HTML/HTTP HTML /HTTP HTML Server Internet

965 views • 26 slides
Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng , Wenjie

Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng , Wenjie

Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng , Wenjie Xiong and Jakub Szefer Yale University HASP June 2, 2018 Memory System Cache Memory CPU Typical set-associative cache sets ways cache

640 views • 25 slides
CS6354: Snooping Cache Coherency 7 October 2016 1 To read more This days papers:

CS6354: Snooping Cache Coherency 7 October 2016 1 To read more This days papers:

CS6354: Snooping Cache Coherency 7 October 2016 1 To read more This days papers: Goodman, Using cache memory to reduce processor-memory traffic Archibald and Baer, Cache Coherence Models: Evaluation Using a Multiprocessor

829 views • 56 slides
S CATTER C ACHE : Thwarting Cache Attacks via Cache Set Randomization Werner, Unterluggauer,

S CATTER C ACHE : Thwarting Cache Attacks via Cache Set Randomization Werner, Unterluggauer,

S CATTER C ACHE : Thwarting Cache Attacks via Cache Set Randomization Werner, Unterluggauer, Giner, Schwarz, Gruss, Mangard August 15, 2019 Graz University of Technology What is S CATTER C ACHE ? www.tugraz.at Alternative design for n-way

460 views • 27 slides
Determinating Timing Channels in Compute Clouds Amittai Aviram, Sen Hu, Bryan Ford Yale

Determinating Timing Channels in Compute Clouds Amittai Aviram, Sen Hu, Bryan Ford Yale

Determinating Timing Channels in Compute Clouds Amittai Aviram, Sen Hu, Bryan Ford Yale University http://dedis.cs.yale.edu/ Ramakrishna Gummadi University of Massechusetts Amherst CCSW, October 8, 2010 Timing Attacks Cooperative attacks

471 views • 30 slides
Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University

Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University

Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University http://dedis.cs.yale.edu/ USENIX HotCloud, June 13, 2012 The Long History of Timing Attacks Cooperative attacks apply to: Mandatory Access

359 views • 21 slides
MODERN WEB SECURITY GRAD SEC SEP 21 2017 TODAYS PAPERS Misleading users Browser

MODERN WEB SECURITY GRAD SEC SEP 21 2017 TODAYS PAPERS Misleading users Browser

MODERN WEB SECURITY GRAD SEC SEP 21 2017 TODAYS PAPERS Misleading users Browser assumes that clicks and keystrokes = clear indication of what the user wants to do Constitutes part of the users trusted path Attacker can

619 views • 38 slides
Outline More web risks Confidentiality and privacy CSci 5271 Announcements intermission

Outline More web risks Confidentiality and privacy CSci 5271 Announcements intermission

Outline More web risks Confidentiality and privacy CSci 5271 Announcements intermission Introduction to Computer Security Web/crypto/middleboxes combined slides More crypto protocols More causes of crypto failure Stephen McCamant

440 views • 10 slides
Session #2 Landing Page Mastery and Conversion Rate Optimization Todays Training Will Help

Session #2 Landing Page Mastery and Conversion Rate Optimization Todays Training Will Help

Session #2 Landing Page Mastery and Conversion Rate Optimization Todays Training Will Help You Tr Training Overview 1. Why Conversion Rate Optimization (CRO) / Landing Pages Matter 2. 6 Costly Conversion Mistakes Agencies Make 3. 7

1.02k views • 57 slides
Using JS to Steal Facebook Likes Claim your FREE iPad Bait-and-switch Note: many of these

Using JS to Steal Facebook Likes Claim your FREE iPad Bait-and-switch Note: many of these

Using JS to Steal Facebook Likes Claim your FREE iPad Bait-and-switch Note: many of these attacks are similar to TOCTTOU (Time of Check to Time of Use) vulnerabilities From Clickjacking: Attacks and Defenses , by Lin-Shung Huang et al,

376 views • 14 slides
Ethical Considerations Cameron Kidd First social network site SixDegrees.com launched in

Ethical Considerations Cameron Kidd First social network site SixDegrees.com launched in

Ethical Considerations Cameron Kidd First social network site SixDegrees.com launched in 1997 Friendster, the first fairly successful SNS with around 300,000 users, but was plagued by technical issues among other things MySpace was

116 views • 10 slides
How to turn your website into a Kick-Ass, Customer-Winning Marketing Machine! The 3 Ms

How to turn your website into a Kick-Ass, Customer-Winning Marketing Machine! The 3 Ms

How to turn your website into a Kick-Ass, Customer-Winning Marketing Machine! The 3 Ms Market Message Media (In this order) The 3 Ws Who are you? What do you do? Whats in it for me? What is SEO?

441 views • 30 slides
THE DIGITAL REVOLUTION AND BEYOND THE DIGITAL REVOLUTION AND BEYOND Apple Computer: The first

THE DIGITAL REVOLUTION AND BEYOND THE DIGITAL REVOLUTION AND BEYOND Apple Computer: The first

THE DIGITAL REVOLUTION AND BEYOND THE DIGITAL REVOLUTION AND BEYOND Apple Computer: The first computer with a Graphical User Interface (GUI) Apple Computer: The first computer with a Graphical User Interface (GUI) Macintosh 128k,1984 Apple

957 views • 47 slides
1 L Oct-28-05 SMD157, Understanding Users Overview Case studies - 47 fun-filled days of

1 L Oct-28-05 SMD157, Understanding Users Overview Case studies - 47 fun-filled days of

INSTITUTIONEN FR SYSTEMTEKNIK LULE TEKNISKA UNIVERSITET Understanding Users SMD157 Human-Computer Interaction Fall 2005 1 L Oct-28-05 SMD157, Understanding Users Overview Case studies - 47 fun-filled days of e-shopping - Airline

399 views • 19 slides

More recommend