one done a single decryption em based attack on openssl s
play

One&Done: A Single-Decryption EM-Based Attack on OpenSSLs - PowerPoint PPT Presentation

Nov 26, 2022 •140 likes •363 views

One&Done: A Single-Decryption EM-Based Attack on OpenSSLs Constant-Time Blinded RSA Monjur Alam, Haider Adnan Khan, Moumita Dey, Nishith Sinha, Robert Callan, Alenka Zajic, and Milos Prvulovic 1 1 v Motivation Public key crypto is

  1. One&Done: A Single-Decryption EM-Based Attack on OpenSSL’s Constant-Time Blinded RSA Monjur Alam, Haider Adnan Khan, Moumita Dey, Nishith Sinha, Robert Callan, Alenka Zajic, and Milos Prvulovic 1 1

  2. v Motivation Ø Public key crypto is essential for modern security Ø Secure exchange of session keys Ø Verifying identity of systems and users Ø And a lot more Ø Private keys are a highly valuable asset Ø So attackers want them Ø And we don’t want attackers to get them 2 2

  3. v Public Key Crypto Ø Good public key crypto (e.g. RSA) Ø Designed to make private keys very, very hard to recover key RSA 3 3

  4. v Analog Side-Channel Attacks Ø But cryptographic implementation runs on real hardware Ø Logic gates switch, causing current flow Ø Currents flowing create changes in surrounding EM field key RSA Side-channel information helps recover the private key 4 4

  5. v Analog Side-Channel Attacks Ø Message randomization (blinding) Ø Prevents chosen-plaintext and other message-dependent attacks Ø But… when message-independent operations use the key key RSA Side-channel information, alone, eventually enables efficient recovery of the private key 5 5

  6. v Analog Side-Channel Attacks Ø One&Done Ø Message does not matter (message blinding does not help) Ø Multiple “traces” not needed (exponent blinding does not help) key RSA Side-channel information alone , in a single encryption/signing, enables efficient recovery of the entire private key 6 6

  7. v OpenSSL’s RSA Implementation Ø BN_mod_exp_montgomery_consttime() Ø Computes x d mod m , where d is the secret exponent For each fixed-size “window” For each bit in the window Square the result ( v=v 2 ) Look up one bit of d and add to wval Multiply result with x wval Look up precomputed x wval 7 7

  8. v Side-Channel Attacks on OpenSSL’s RSA Ø BN_mod_exp_montgomery_consttime() Ø Computes x d mod m , where d is the secret exponent For each fixed-size “window” For each bit in the window Square the result ( v=v 2 ) One&Done (new) Mitigation (new) Get bit from d, add to wval Genkin et al., CHES’15 Message Blinding Multiply result with x wval Look up precomputed x wval Cache (e.g. Percival) Scatter-Gather 8 8

  9. v Measurement Setup Samsung Alcatel Ideal A13-OLinuXino Galaxy Centura SCH-S738C 9 9

  10. v Side Channel Analysis Ø Recent advances in side-channel-based program monitoring Ø Camelia, our DARPA LADS project • Uses analog signals to monitor computational activity to detect control flow deviation and/or execution of unknown code • Found that even a single-instruction control-flow can be detected • But… Ø Constant-time implementation – no key-dependent CF Ø Every encryption has the same CF sequence • Can’t use CF differences for attack • But can use the (very stable and predictable) signal features and timing to tell us exactly where in the signal BN_is_bit_set is executing 10 10

  11. v Attack Approach Constant-time Montgomery Multiplication Another Constant-time to square the result Montgomery Multiplication Const-Time Easy to Find Window-value update 11 11

  12. v Relevant Part Zoom-In Window Value Update 0 -A 1 -A 0 -B 1 -B 12 12

  13. How well does this recover bits of <d p ,d q >? Ø Training on 15 private-key RSA decryptions Ø Recover bits of secret exponents using only one decryption 100% 99% 98% Max 97% Median 96% Min 95% Samsung Alcatel Ideal OLinuXino Galaxy Phone Board Centura Phone 13 13

  14. v Full RSA Key Recovery Ø We have dp and dq but with Ø Erasures – could not find where the bit’s signal is Ø Errors – found the bit’s signal, but misclassified it (0 vs. 1) Ø Existing branch-and-prune algorithms Ø Prune partial solutions when group of bits has too many errors • Assumes errors are uniformly distributed • Our errors often occur in bursts • Does not explicitly handle erasures Ø Prune partial solutions that disagree with known bits of <d p ,d q > • Can’t handle errors (no bits truly “known”) 14 14

  15. v Full RSA Key Recovery Ø We have dp and dq but with Ø Erasures – could not find where the bit’s signal is Ø Errors – found the bit’s signal, but misclassified it (0 vs. 1) Ø Our algorithm Ø Take partial solution with fewest disagreement overall • Known-to-be-unknown bits (erasures) not counted Ø Expand that partial solution by one bit position • Prune expansions that violate relationships between p,q,n,dp,and dq • Efficient implementation, nearly all checks use only scalars (not BNs) Ø Repeat 15 15

  16. v Recover RSA key from <d p ,d q > with errors 1,000,000.00 Key Search Steps Errors Erasures 100,000.00 50 % Mix 10,000.00 1,000.00 0% 1% 2% 3% 4% 5% 6% 7% 8% 9% 10% Our <d p ,d q > results Key search using one i7 core: (errors+erasures) 500K steps / second! 16 16

  17. v More in the paper Ø Train on one device, attack another Ø Only slightly worse than same-device (still 100% key recovery) Ø Similar attack on sliding-window implementation Ø Used in prior versions of OpenSSL • Prior attacks extract enough bits to sometimes allow full-key recovery Ø One&Done recovers nearly all bits in one private-key encryption, recovered full key every time 17 17

  18. v Mitigation Ø Fundamental enabler of the attack Ø Several instructions have very few possibilities for their operands • BN_is_bit_set returns either 0 or 1 Ø No need to get bits one at a time Ø A 5-bit fixed window needs 5 consecutive bits • Don’t have to get them one at a time and shift into wval Ø So we take an entire word’s worth of bits each time, mask to window-size only before wval is needed Ø Takes only a little longer than getting one bit! Ø But done only once per window! 18 18

  19. v Results after mitigation 65% Max 60% Median Min 55% Random 50% Guessing Erasures 45% Counted as Errors 40% Samsung Galaxy Alcatel Ideal Phone OLinuXino Board Centura Phone 19 19

  20. v Conclusions Ø Analog side-channel attack on OpenSSL’s constant-time modular exponentiation implementation Ø Precise timing thanks to constant-timeness of the implementation Ø Highly accurate thanks to one-secret-bit-at-a-time implementation Ø Entire private key recovered from only one use of that key Ø Attack not affected by blinding Ø Attack directly obtains exponent bits, message bits not relevant Ø Exponent blinding does not help agains single-trace attacks Ø Mitigation: look up groups of secret bits, not individual bits 20 20

  21. Thank you! Questions ? 21 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem CRT-RSA CRT-RSA having Low Hamming

403 views • 25 slides
SSL/TLS OpenSSL OpenSSL is a very common SSL/TLS library Written in C Wrappers exist

SSL/TLS OpenSSL OpenSSL is a very common SSL/TLS library Written in C Wrappers exist

SSL/TLS OpenSSL OpenSSL is a very common SSL/TLS library Written in C Wrappers exist for many languages Can be used for many encryption needs Generating keys Signing certs Validating certs We'll use OpenSSL in the

287 views • 6 slides
OpenSSL is not an oxymoron Rich Salz Akamai Technologies OpenSSL Dev Team

OpenSSL is not an oxymoron Rich Salz Akamai Technologies OpenSSL Dev Team

Software Engineering and OpenSSL is not an oxymoron Rich Salz Akamai Technologies OpenSSL Dev Team rsalz@{akamai.com,openssl.org} Main lesson Its not the crypto that kills you (or your open source project) Rich Salz Real World Crypto

346 views • 23 slides
OpenSSL after HeartBleed Tim Hudson Cryptsoft, OpenSSL Team Rich Salz Akamai Technologies,

OpenSSL after HeartBleed Tim Hudson Cryptsoft, OpenSSL Team Rich Salz Akamai Technologies,

OpenSSL after HeartBleed Tim Hudson Cryptsoft, OpenSSL Team Rich Salz Akamai Technologies, OpenSSL Team The most important date April 3, 2014 LinuxCon/Europe 2016 2 The most important date April 3, 2014 HeartBleed Re-key the

755 views • 34 slides
Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg

Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg

Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg prasadn@ microsoft.com SE Linux Symposium Attack- based DTA 1 06 Outline Motivation Review of type enforcement transitions Attack

471 views • 18 slides
The Crossfire Attack Min Suk Kang Soo Bum Lee Virgil D. Gligor ECE Department and CyLab,

The Crossfire Attack Min Suk Kang Soo Bum Lee Virgil D. Gligor ECE Department and CyLab,

The Crossfire Attack Min Suk Kang Soo Bum Lee Virgil D. Gligor ECE Department and CyLab, Carnegie Mellon University May 20 2013 Old: DDoS Attacks against Single Servers typical attack : floods server with HTTP, UDP, SYN, ICMP packets

613 views • 28 slides
Birth of LibreSSL and its current status Frank Timmers Consutant, Snow B.V. Background What is

Birth of LibreSSL and its current status Frank Timmers Consutant, Snow B.V. Background What is

Birth of LibreSSL and its current status Frank Timmers Consutant, Snow B.V. Background What is LibreSSL A fork of OpenSSL 1.0.1g Being worked on extensively by a number of OpenBSD developers What is OpenSSL OpenSSL is an open

830 views • 24 slides
Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher K D K E untrusted communication link Alice Bob E D #%AR3Xf34^$ Attack at Dawn!! decryption encryption (ciphertext) message message Attack at

1.56k views • 143 slides
On Symmetric Encryption with Distinguishable Decryption Failures Alexandra Boldyreva, Jean Paul

On Symmetric Encryption with Distinguishable Decryption Failures Alexandra Boldyreva, Jean Paul

On Symmetric Encryption with Distinguishable Decryption Failures Alexandra Boldyreva, Jean Paul Degabriele , Kenny Paterson, and Martijn Stam FSE - 12th Mar 2013 Outline Distinguishable Decryption Failures The Multiple-Error Setting

893 views • 43 slides
Perfect Secrecy Chester Rebeiro IIT Madras CR STINSON : chapter 2 Encryption K K untrusted

Perfect Secrecy Chester Rebeiro IIT Madras CR STINSON : chapter 2 Encryption K K untrusted

Perfect Secrecy Chester Rebeiro IIT Madras CR STINSON : chapter 2 Encryption K K untrusted communication link Alice Bob E D #%AR3Xf34^$ Attack at Dawn!! decryption encryption (ciphertext) Plaintext Plaintext Attack at

831 views • 50 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day &gt;&gt; exploitation of the device &gt;&gt; the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
US/win10/tools/IoTAPIPortingT ool.htm https://www.openssl.org/ GetMemoryStatus

US/win10/tools/IoTAPIPortingT ool.htm https://www.openssl.org/ GetMemoryStatus

Any questions please contact winhectpe@microsoft.com http://ms-iot.github.io/content/en- US/win10/tools/IoTAPIPortingT ool.htm https://www.openssl.org/ GetMemoryStatus GetMemoryStatusEx trusted random number generator - readscreen()

734 views • 42 slides
Fast Software Encryption (and Decryption)? Rumpsession FSE 2007 SPEED Software Performance

Fast Software Encryption (and Decryption)? Rumpsession FSE 2007 SPEED Software Performance

Do you care about Fast Software Encryption (and Decryption)? Rumpsession FSE 2007 SPEED Software Performance Enhancement for Encryption and Decryption June 11. &amp; 12. 2007 Amsterdam An ECRYPT/VAMPIRE workshop on software speeds for

300 views • 4 slides
RSA Implementations of RSA RSA in OpenSSL RSA in Python Cryptography School of Engineering

RSA Implementations of RSA RSA in OpenSSL RSA in Python Cryptography School of Engineering

Cryptography RSA RSA Algorithm Analysis of RSA RSA Implementations of RSA RSA in OpenSSL RSA in Python Cryptography School of Engineering and Technology CQUniversity Australia Prepared by Steven Gordon on 20 Feb 2020, rsa.tex, r1799 1

522 views • 29 slides
RSA RSA RSA in OpenSSL RSA in Python Cryptography School of Engineering and Technology

RSA RSA RSA in OpenSSL RSA in Python Cryptography School of Engineering and Technology

Cryptography RSA RSA Algorithm Analysis of RSA Implementations of RSA RSA RSA in OpenSSL RSA in Python Cryptography School of Engineering and Technology CQUniversity Australia Prepared by Steven Gordon on 20 Feb 2020, rsa.tex, r1799

869 views • 29 slides
A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas joint work with

A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas joint work with

A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas joint work with Simona Samardjiska, Paolo Santini and Edoardo Persichetti Latincrypt 2019 October 3rd, 2019 A Reaction Attack against Cryptosystems based on LRPC

590 views • 33 slides
A primer on R for the Intermediate Distance Sampling workshop 2 Learning goals Obtain a

A primer on R for the Intermediate Distance Sampling workshop 2 Learning goals Obtain a

A primer on R for the Intermediate Distance Sampling workshop 2 Learning goals Obtain a working knowledge of the R language and environment, to be able to implement analysis for the Intermediate Distance Sampling workshop Learn how to

320 views • 14 slides
Poli 5D Social Science Data Analytics Introduction to R Shane Xinyang Xuan ShaneXuan.com

Poli 5D Social Science Data Analytics Introduction to R Shane Xinyang Xuan ShaneXuan.com

Poli 5D Social Science Data Analytics Introduction to R Shane Xinyang Xuan ShaneXuan.com February 15, 2017 ShaneXuan.com 1 / 9 Contact Information Shane Xinyang Xuan xxuan@ucsd.edu The teaching staff is a team! Professor Roberts M

663 views • 31 slides
Example: Model Train Controller Purposes of example: Follow a design through several levels of

Example: Model Train Controller Purposes of example: Follow a design through several levels of

Example: Model Train Controller Purposes of example: Follow a design through several levels of abstraction. Gain experience with UML. Text: Section 1.4 Model train setup rcvr motor power supply console header address command ECC

313 views • 27 slides
ASYNC PROGRAMMING Wha t doe s thi s prin t ? function getY() { var y; $http.get(/gety,

ASYNC PROGRAMMING Wha t doe s thi s prin t ? function getY() { var y; $http.get(/gety,

CS 498RK SPRING 2020 ASYNC PROGRAMMING Wha t doe s thi s prin t ? function getY() { var y; $http.get(/gety, function(res){ // suppose the value of y on the server is 3 y = res.y; }); return y; } var x = 5; var y = getY();

577 views • 25 slides
You say its only constant? Then something must be hyperfinite! And I say your title is too

You say its only constant? Then something must be hyperfinite! And I say your title is too

You say its only constant? Then something must be hyperfinite! And I say your title is too long. Hendrik Fichtenberger July 20, 2019 Property Testing in a Nutshell planar 1 Property Testing in a Nutshell planar non-planar 1 Property

828 views • 51 slides
Faster Merging Networks with Constant Periods Marek Piotr ow (a join work with Micha

Faster Merging Networks with Constant Periods Marek Piotr ow (a join work with Micha

M. Jaros and M. Piotr ow Faster Merging Networks University of Wroclaw with Constant Periods Faster Merging Networks with Constant Periods Marek Piotr ow (a join work with Micha Jaros) JAF25 CMFBD 2006 Faculty of Mathematics

384 views • 16 slides
Some examples of time-delay systems I. Fluid flow model for a congested router in TCP/AQM

Some examples of time-delay systems I. Fluid flow model for a congested router in TCP/AQM

Some examples of time-delay systems I. Fluid flow model for a congested router in TCP/AQM controlled network Model of collision-avoidance type: Hollot et al., IEEE TAC 2002 W t W t R t 1 1 ( ) ( ( )) = W t p

491 views • 33 slides
Introduction to Computer Graphics Modeling (3) April 30, 2020 Kenshi Takayama Solid

Introduction to Computer Graphics Modeling (3) April 30, 2020 Kenshi Takayama Solid

Introduction to Computer Graphics Modeling (3) April 30, 2020 Kenshi Takayama Solid modeling 2 Thin shapes represented Unorientable Solid models by single polygons Clear definition of inside &amp; outside at any 3D

931 views • 49 slides

More recommend