
Remote Timing Attacks are Practical by David Brumley and Dan Boneh - PowerPoint PPT Presentation



  1. Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in Advanced Topics in Network Security (600/650.624)

  2. Outline • Traditional threat model in cryptography • Side-channel attacks • Kocher’s timing attack • Boneh & Brumley timing attack • Experiments • Countermeasures S. Kamara (600/650.624) 02/10/05

  3. Traditional Crypto • Brute force attacks • large key • Mathematical attacks • reduction to hard problem • RSAP: $(m^e \bmod n) \to m$ • DHP: $(g^x, g^y) \to g^{xy}$

  4. Traditional Crypto • Attacker has access to: • Ciphertext • Algorithm

  5. Real-Life Crypto • Attacker has access to: • Ciphertext • Algorithm • Physical observables from the device

  6. Side Channel Attacks • Paul Kocher in 1996 • Recovers RSA and DSS signing key • Not taken seriously by cryptographers • Lot of attention from the press

  7. Side Channel Attacks • Timing analysis • Fault analysis • Differential fault analysis • Simple power analysis • Differential power analysis • EM analysis

  8. Side Channel Attacks [Figure: device with inputs m and k and output c; side channels: time, power consumption, EM radiation]

  9. Side Channel Attacks [Figure: Encryption with inputs m and e, output $m^e \bmod n$, and a side channel]

  10. Side Channel Attacks [Figure: Decryption/Signing with inputs m and d, output $m^d \bmod n$, and a side channel]

  11. Kocher Timing Attack • RSA signatures: $\mathrm{sig}(m) = m^d \bmod n$ • Modular exponentiation is computed using square and multiply algorithm • Time of modular exponentiation is a function of the bits of the exponent • Use time to recover exponent (signing key)

  12. Kocher Timing Attack • Recovers key bit by bit • Guesses key bit then verifies • Uses statistical analysis • Needs many samples of signing time

  13. Kocher Attack Target • $\mathrm{sig}(m) = m^d \bmod n$

  14. Square and Multiply
      INPUT: m, n, d (d has k bits d_{k-1} ... d_0)
      OUTPUT: x = m^d mod n
      x := 1
      for i = k − 1 downto 0 do
          x := x^2 mod n
          if d_i = 1 then
              x := x · m mod n
          end if
      end for
      return x

  15. Kocher Timing Attack [Figure: Eve and Bob (holding d); messages $m_1, m_2, \ldots$, signatures $s_1, s_2, \ldots$, times $T(m_1), T(m_2), \ldots$]

  16. Kocher Timing Attack [Figure: Eve and Eve (guess "0?"); messages $m_1, m_2, \ldots$, signatures $s_1, s_2, \ldots$, times $T_0(m_1), T_0(m_2), \ldots$]

  17. Kocher Timing Attack [Figure: Eve and Eve (guess "1?"); messages $m_1, m_2, \ldots$, signatures $s_1, s_2, \ldots$, times $T_1(m_1), T_1(m_2), \ldots$]

  18. Kocher Timing Attack • Compare • $T_0(m_i)$ vs $T(m_i)$ • $T_1(m_i)$ vs $T(m_i)$ • $T(m_i)$ will be correlated with correct guess

  19. Kocher Timing Attack • 1998 UCL experimental results:
      Key size    Sample size
      64          1 500-6 500
      128         12 000-20 000
      256         70 000-80 000
      512         350 000

  20. Limit of Kocher Attack • Does not work when mod exp is optimized

  21. RSA with Sun Ze Th. • $\mathrm{sig}(m) = m^d \bmod n$ • Sun Ze Th. aka CRT • m, d and n are on the order of 1024 bits • exponentiation of a 1024-bit number by another 1024-bit number, taken modulo a third 1024-bit number

  22. RSA with Sun Ze Th. • exponentiate mod q (512 bits) • exponentiate mod p (512 bits) • combine using SZT to get mod n (= pq)

  23. RSA with Sun Ze Th. • $\mathrm{sig}(m) = m^d \bmod n$ • where $n = pq$ • $m_1 = m \bmod p$ • $m_2 = m \bmod q$ • $d_1 = d \bmod (p-1)$ • $d_2 = d \bmod (q-1)$

  24. RSA with Sun Ze Th. • $s_1 = m_1^{d_1} \bmod p$ • $s_2 = m_2^{d_2} \bmod q$ • $\mathrm{CRT}(s_1, s_2) = m^d \bmod n$

  25. RSA with Sun Ze Th. • Modular exponentiation: • pre-processing • exponentiation mod p • exponentiation mod q • CRT

  26. RSA with Sun Ze Th. • Kocher’s attack does not work • Cannot get precise timings • Cannot repeat pre-processing without factors • Most implementations use CRT • OpenSSL

  27. OpenSSL • SSL establishes encrypted and authenticated channel between client and server • 1994 • SSL v1 completed but never released • SSL v2 released with Navigator 1.1 • SSL v2 PRNG broken

  28. OpenSSL • 1995 • SSL v3 released (designed by Kocher) • SSL is ubiquitous • 1996 • IETF standardizes SSL

  29. OpenSSL • 1998 • OpenSSL 0.9.1c is released (based on SSLeay) • mod_ssl for Apache is released

  30. OpenSSL • Most popular open source SSL implementation • Most popular crypto library • 18% of all Apache servers use mod_ssl • stunnel • sNFS

  31. RSA in OpenSSL • $\mathrm{sig}(m) = m^d \bmod n$ • Sun Ze Theorem • Modular exponentiation: sliding window • Modular reduction: Montgomery • Multi-precision multiplication: Karatsuba

  32. Sliding Window • Extension of square and multiply • uses multiple bits of the exponent at once • makes attack more difficult

  33. Montgomery Reduction • Introduced in 1985 by Peter Montgomery • Performs modular multiplication efficiently • Transforms multiplication mod n to multiplication mod R

  34. Montgomery Reduction • Algorithm 1 Montgomery Reduction
      INPUT: x, y and q
      OUTPUT: x · y mod q
      RR^{-1} − qq* = 1
      Ψ(x) := xR mod q
      Ψ(y) := yR mod q
      z := Ψ(x) × Ψ(y) = xyR^2 mod q
      r := z × q* mod R
      s := (z + rq) / R
      if s ≥ q then
          s := s − q    (extra reduction)
      end if
      return s

  35. Montgomery Reduction • $\Pr[\text{extra reduction}] = \frac{m \bmod q}{2R}$ • $m = q \Rightarrow \Pr[\text{reduction}] = 0$ • $m \to q^- \Rightarrow \Pr[\text{reduction}] \uparrow$ • $m \to q^+ \Rightarrow \Pr[\text{reduction}] \downarrow$

  36. Karatsuba • Multi-precision multiplication • $x \cdot y$ where $|x| = n$ and $|y| = n$ • Runs in $O(n^{\log_2 3})$ • As opposed to $O(n \cdot m)$ • worst case $O(n^2)$

  37. Karatsuba • Used only if inputs have same length • OpenSSL: • if |x| = |y| then Karatsuba $O(n^{\log_2 3})$ • if |x| != |y| then normal $O(n^2)$

  38. Biases • What is the effect of these optimizations on the exponentiation time?

  39. Montgomery Reduction • if m approaches q from below then slow • if m approaches q from above then fast

  40. Montgomery Reduction [Figure 1: decryption time plotted against g, with q, 2q and 3q marked on the g axis]

  41. Multiplication • if |x| = |y| then fast • if |x| != |y| then slow

  42. Multiplication [Figure: decryption time plotted against g; Karatsuba for g < q, Normal for g > q]

  43. Boneh-Brumley Attack [Figure: exchange between Eve and Server; labels: hello, e, g or $g_{hi}$, error]

  44. Boneh-Brumley Attack • Kocher attack recovers signing key • Boneh-Brumley attack recovers factor

  45. Kocher Attack Target • $\mathrm{sig}(m) = m^d \bmod n$

  46. Boneh-Brumley Target • $\mathrm{sig}(m) = m^d \bmod p \cdot q$

  47. Boneh-Brumley Target • $n = pq$ • Knowing q we recover p • $d = e^{-1} \bmod (p-1)(q-1)$

  48. Boneh-Brumley Attack [Figure: stacked labels: CRT, $m \bmod q$, $m^d \bmod q$, Square and multiply, $m^d \bmod R$, Montgomery, Multiplication, $I \cdot m$]

  49. Boneh-Brumley Attack • $\mathrm{sig}(m) = m^d \bmod pq$ • Recover the $i$-th bit of q • when we already have the top $i-1$ bits

  50. Timing Attack • q: smallest factor • g: same top $i-1$ bits as q (rest is all 0) • $g_{hi}$: g with $i$-th bit set to 1 • $\Delta$: decryption(g) − decryption($g_{hi}$)

  51. Timing Attack • i = 4 • q = 101 ? • g = 101 0... • $g_{hi}$ = 101 10...

  52. Timing Attack • i = 4 • q = 101 1 ? • if $g < g_{hi} < q$ then $q_4 = 1$ • g = 101 0... • $g_{hi}$ = 101 10...

  53. Timing Attack • i = 4 • q = 101 0 ? • if $g < q < g_{hi}$ then $q_4 = 0$ • g = 101 0... • $g_{hi}$ = 101 10...

  54. Boneh-Brumley Attack • $q_i = 0 \to g < q < g_{hi}$
                    Montgomery           Multiplication
      T(g)          slow (xtra reds)     fast (kara)
      T(g_hi)       fast                 slow (normal)
      |Δ|           large                large

  55. Boneh-Brumley Attack • $g < q < g_{hi}$
                    Montgomery           Multiplication
      T(g)          slow (xtra reds)     fast (kara)
      T(g_hi)       fast                 slow (normal)
      |Δ|           large                large
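
The two opposing biases from slides 34 to 42, summarized in the table on slides 54 and 55, as an added example (not from the slides and not OpenSSL code): a toy Montgomery exponentiation that counts extra reductions for a g just below and just above q, and reports which multiplication routine the operand lengths would select. The prime 2^255 − 19, R = 2^256, the exponent D and the 32-bit word size are constructed assumptions.

```python
# Added illustration of the biases on slides 34-42 and 54-55; not OpenSSL code.
# Constructed values: Q stands in for the RSA factor q, D for the CRT exponent.
Q = 2**255 - 19             # a well-known prime
R_BITS = 256
R = 1 << R_BITS             # Montgomery radix R > q
Q_STAR = pow(R - Q, -1, R)  # q* with q * q* = -1 (mod R), so R divides z + r*q
D = int("a5" * 32, 16)      # 256-bit exponent with 128 one-bits
WORD_BITS = 32              # assumed limb size for the length comparison


def mont_mul(a, b):
    """Return (a*b*R^-1 mod q, 1 if the extra reduction ran else 0)."""
    z = a * b
    r = (z * Q_STAR) & (R - 1)
    s = (z + r * Q) >> R_BITS
    return (s - Q, 1) if s >= Q else (s, 0)


def limbs(v):
    """Number of WORD_BITS-sized words needed to hold v."""
    return max(1, -(-v.bit_length() // WORD_BITS))


def profile(g):
    """Square-and-multiply with g mod q as the Montgomery-domain operand."""
    base = g % Q                      # CRT pre-processing reduces the input mod q
    x = R % Q                         # Montgomery form of 1
    extra_sq = extra_mul = 0
    for i in reversed(range(D.bit_length())):
        x, e = mont_mul(x, x)
        extra_sq += e
        if (D >> i) & 1:
            x, e = mont_mul(x, base)
            extra_mul += e
    # Equal-length operands take the Karatsuba path, unequal ones the normal path.
    routine = "karatsuba" if limbs(base) == limbs(Q) else "normal"
    return {"extra_mul": extra_mul, "extra_sq": extra_sq, "routine": routine}


below = profile(Q - 3)   # g just under q: g mod q is almost q
above = profile(Q + 3)   # g just over q: g mod q wraps around to 3

if __name__ == "__main__":
    print("g < q:", below)
    print("g > q:", above)
```

The multiply-step count falls to zero once g crosses q while the routine flips from Karatsuba to normal, which is the pair of opposing timing shifts in the slide 54 table.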
