timing attacks and countermeasures
play

Timing Attacks and Countermeasures Peter Schwabe June 10, 2016 - PowerPoint PPT Presentation

Feb 28, 2023 •175 likes •1.04k views

Timing Attacks and Countermeasures Peter Schwabe June 10, 2016 Summer school on real-world crypto and privacy ibenik, Croatia Secure Crypto Research over the past decades has produced several secure crypto algorithms: AES-256 block

  1. Timing Attacks and Countermeasures Peter Schwabe June 10, 2016 Summer school on real-world crypto and privacy Šibenik, Croatia

  2. Secure Crypto Research over the past decades has produced several secure crypto algorithms: ◮ AES-256 block cipher Timing Attacks and Countermeasures 2

  3. Secure Crypto Research over the past decades has produced several secure crypto algorithms: ◮ AES-256 block cipher ◮ AES-CBC + HMAC-SHA256 authenticated encryption Timing Attacks and Countermeasures 2

  4. Secure Crypto Research over the past decades has produced several secure crypto algorithms: ◮ AES-256 block cipher ◮ AES-CBC + HMAC-SHA256 authenticated encryption ◮ RSA-2048 public-key encryption Timing Attacks and Countermeasures 2

  5. Secure Crypto Research over the past decades has produced several secure crypto algorithms: ◮ AES-256 block cipher ◮ AES-CBC + HMAC-SHA256 authenticated encryption ◮ RSA-2048 public-key encryption ◮ ECDSA signatures with the secp256k1 curve (used in Bitcoin) Timing Attacks and Countermeasures 2

  6. Secure Crypto? ◮ Osvik, Shamir, Tromer, 2006: Recover AES-256 secret key of Linux’s dmcrypt in just 65 ms Timing Attacks and Countermeasures 3

  7. Secure Crypto? ◮ Osvik, Shamir, Tromer, 2006: Recover AES-256 secret key of Linux’s dmcrypt in just 65 ms ◮ AlFardan, Paterson, 2013: “Lucky13” recovers plaintext of CBC-mode encryption in pretty much all TLS implementations Timing Attacks and Countermeasures 3

  8. Secure Crypto? ◮ Osvik, Shamir, Tromer, 2006: Recover AES-256 secret key of Linux’s dmcrypt in just 65 ms ◮ AlFardan, Paterson, 2013: “Lucky13” recovers plaintext of CBC-mode encryption in pretty much all TLS implementations ◮ Yarom, Falkner, 2014: Attack against RSA-2048 in GnuPG 1.4.13: “On average, the attack is able to recover 96.7% of the bits of the secret key by observing a single signature or decryption round.” Timing Attacks and Countermeasures 3

  9. Secure Crypto? ◮ Osvik, Shamir, Tromer, 2006: Recover AES-256 secret key of Linux’s dmcrypt in just 65 ms ◮ AlFardan, Paterson, 2013: “Lucky13” recovers plaintext of CBC-mode encryption in pretty much all TLS implementations ◮ Yarom, Falkner, 2014: Attack against RSA-2048 in GnuPG 1.4.13: “On average, the attack is able to recover 96.7% of the bits of the secret key by observing a single signature or decryption round.” ◮ Benger, van de Pol, Smart, Yarom, 2014: “reasonable level of success in recovering the secret key” for OpenSSL ECDSA using secp256k1 “with as little as 200 signatures” Timing Attacks and Countermeasures 3

  10. Secure Crypto? ◮ Osvik, Shamir, Tromer, 2006: Recover AES-256 secret key of Linux’s dmcrypt in just 65 ms ◮ AlFardan, Paterson, 2013: “Lucky13” recovers plaintext of CBC-mode encryption in pretty much all TLS implementations ◮ Yarom, Falkner, 2014: Attack against RSA-2048 in GnuPG 1.4.13: “On average, the attack is able to recover 96.7% of the bits of the secret key by observing a single signature or decryption round.” ◮ Benger, van de Pol, Smart, Yarom, 2014: “reasonable level of success in recovering the secret key” for OpenSSL ECDSA using secp256k1 “with as little as 200 signatures” Those attacks all don’t break the math! Timing Attacks and Countermeasures 3

  11. Timing Attacks General idea of those attacks ◮ Secret data has influence on timing of software ◮ Attacker measures timing ◮ Attacker computes influence − 1 to obtain secret data Timing Attacks and Countermeasures 4

  12. Timing Attacks General idea of those attacks ◮ Secret data has influence on timing of software ◮ Attacker measures timing ◮ Attacker computes influence − 1 to obtain secret data Two kinds of remote . . . ◮ Timing attacks are a type of side-channel attacks ◮ Unlike other side-channel attacks, they work remotely: ◮ Some need to run attack code in parallel to the target software ◮ Attacker can log in remotely (ssh) Timing Attacks and Countermeasures 4

  13. Timing Attacks General idea of those attacks ◮ Secret data has influence on timing of software ◮ Attacker measures timing ◮ Attacker computes influence − 1 to obtain secret data Two kinds of remote . . . ◮ Timing attacks are a type of side-channel attacks ◮ Unlike other side-channel attacks, they work remotely: ◮ Some need to run attack code in parallel to the target software ◮ Attacker can log in remotely (ssh) ◮ Some attacks work by measuring network delays ◮ Attacker does not even need an account on the target machine Timing Attacks and Countermeasures 4

  14. Timing Attacks General idea of those attacks ◮ Secret data has influence on timing of software ◮ Attacker measures timing ◮ Attacker computes influence − 1 to obtain secret data Two kinds of remote . . . ◮ Timing attacks are a type of side-channel attacks ◮ Unlike other side-channel attacks, they work remotely: ◮ Some need to run attack code in parallel to the target software ◮ Attacker can log in remotely (ssh) ◮ Some attacks work by measuring network delays ◮ Attacker does not even need an account on the target machine ◮ Can’t protect against timing attacks by locking a room Timing Attacks and Countermeasures 4

  15. Problem No. 1 if(secret) { do_A(); } else { do_B(); } Timing Attacks and Countermeasures 5

  16. Square-and-multiply ◮ Core operation in RSA decryption: a d mod n with secret key d ◮ Very similar operation involved in ElGamal, DSA, and ECC typedef unsigned long long uint64; typedef uint32_t uint32; /* This really wants to be done with long integers */ uint32 modexp(uint32 a, uint32 mod, const unsigned char exp[4]) int i,j; uint32 r = 1; for(i=3;i>=0;i--) { for(j=7;j>=0;j--) { r = ((uint64)r*r) % mod; if((exp[i] >> j) & 1) r = ((uint64)a*r) % mod; } } return r; } Timing Attacks and Countermeasures 6

  17. Square-and-multiply-always /* This really wants to be done with long integers */ uint32 modexp(uint32 a, uint32 mod, const unsigned char exp[4]) { int i,j; uint32 r = 1,t; for(i=3;i>=0;i--) { for(j=7;j>=0;j--) { r = ((uint64)r*r) % mod; if((exp[i] >> j) & 1) r = ((uint64)a*r) % mod; else t = ((uint64)a*r) % mod; } } return r; } Timing Attacks and Countermeasures 7

  18. Square-and-multiply-always /* This really wants to be done with long integers */ uint32 modexp(uint32 a, uint32 mod, const unsigned char exp[4]) { int i,j; uint32 r = 1,t; for(i=3;i>=0;i--) { for(j=7;j>=0;j--) { r = ((uint64)r*r) % mod; if((exp[i] >> j) & 1) r = ((uint64)a*r) % mod; else t = ((uint64)a*r) % mod; } } return r; } ◮ Compiler may optimize else clause away, but can avoid that Timing Attacks and Countermeasures 7

  19. Square-and-multiply-always /* This really wants to be done with long integers */ uint32 modexp(uint32 a, uint32 mod, const unsigned char exp[4]) { int i,j; uint32 r = 1,t; for(i=3;i>=0;i--) { for(j=7;j>=0;j--) { r = ((uint64)r*r) % mod; if((exp[i] >> j) & 1) r = ((uint64)a*r) % mod; else t = ((uint64)a*r) % mod; } } return r; } ◮ Compiler may optimize else clause away, but can avoid that ◮ Still not constant time, reasons: ◮ Branch prediction ◮ Instruction cache Timing Attacks and Countermeasures 7

  20. Eliminating branches ◮ So, what do we do with code like this? if s then r ← A else r ← B end if Timing Attacks and Countermeasures 8

  21. Eliminating branches ◮ So, what do we do with code like this? if s then r ← A else r ← B end if ◮ Replace by r ← sA + (1 − s ) B Timing Attacks and Countermeasures 8

  22. Eliminating branches ◮ So, what do we do with code like this? if s then r ← A else r ← B end if ◮ Replace by r ← sA + (1 − s ) B ◮ Can expand s to all-one/all-zero mask and use XOR instead of addition, AND instead of multiplication Timing Attacks and Countermeasures 8

  23. Eliminating branches ◮ So, what do we do with code like this? if s then r ← A else r ← B end if ◮ Replace by r ← sA + (1 − s ) B ◮ Can expand s to all-one/all-zero mask and use XOR instead of addition, AND instead of multiplication ◮ For very fast A and B this can even be faster Timing Attacks and Countermeasures 8

  24. Fixing Square-and-multiply-always uint32 modexp(uint32 a, uint32 mod, const unsigned char exp[4]) int i,j; uint32 r = 1,t; for(i=3;i>=0;i--) { for(j=7;j>=0;j--) { r = ((uint64)r*r) % mod; t = ((uint64)a*r) % mod; cmov(&r, &t, (exp[i] >> j) & 1); } } return r; } Timing Attacks and Countermeasures 9

  25. cmov /* decision bit b has to be either 0 or 1 */ void cmov(uint32 *r, const uint32 *a, uint32 b) { uint32 t; b = -b; /* Now b is either 0 or 0xffffffff */ t = (*r ^ *a) & b; *r ^= t; } Timing Attacks and Countermeasures 10

  26. Problem No. 2 table[secret] Timing Attacks and Countermeasures 11

  27. The Advanced Encryption Standard (AES) ◮ Block cipher Rijndael proposed by Rijmen, Daemen in 1998 ◮ Selected as AES by NIST in October 2000 Timing Attacks and Countermeasures 12

  28. The Advanced Encryption Standard (AES) ◮ Block cipher Rijndael proposed by Rijmen, Daemen in 1998 ◮ Selected as AES by NIST in October 2000 ◮ Block size: 128 bits (AES state: 4 × 4 matrix of 16 bytes) ◮ Key size 128 / 192 / 256 bits (resp. 10 / 12 / 14 rounds) Timing Attacks and Countermeasures 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi

MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi

MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi Peng Chunyi Peng , Chi-Yu Li, Guan-Hua Tu, Songwu Lu, Lixia Zhang University of California, Los Angeles ACM CCS12 ACM CCS'12 C Peng (UCLA)

480 views • 27 slides
On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 ,

On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 ,

Physical Attacks New Attacks on Classical Countermeasures Extended Countermeasures On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 , Thomas ROCHE 1 , Adrian THILLARD 1 1 ANSSI (French Network and

358 views • 25 slides
Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com

Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com

Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com Outline Motivation & general mechanisms Side-channel countermeasures Fault countermeasures Conclusions 2 Design and Security of

549 views • 40 slides
Attacks and Countermeasures for White-box Designs Alex Biryukov, Aleksei Udovenko CSC and SnT,

Attacks and Countermeasures for White-box Designs Alex Biryukov, Aleksei Udovenko CSC and SnT,

Attacks and Countermeasures for White-box Designs Alex Biryukov, Aleksei Udovenko CSC and SnT, University of Luxembourg December 5, 2018 Plan 1 Introduction 2 Attacks on Masked White-box Implementations 3 Countermeasures 4 Algebraic Security 0

797 views • 53 slides
Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Introduction Threats Setups Attacks Countermeasures Conclusion 1 / 31 Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of Cryptographic Algorithms and Devices for Real-World Applications Sibenik,

849 views • 31 slides
HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference Mangard et. al, "Power Analysis Attacks, Revealing the Secrets of Smart Cards", Springer, 2009 Power analysis attacks are effective because the

479 views • 19 slides
Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing attacks important? Clarifications Zero-One Gap / Neighborhood Size etc. Problems Questions Extensions Contribution Discussion

645 views • 26 slides
I n p u t sanitization); drop table slides New attacks and countermeasures: SQL

I n p u t sanitization); drop table slides New attacks and countermeasures: SQL

This time Continuing with Software Getting insane with Security I n p u t sanitization); drop table slides New attacks and countermeasures: SQL injection Background on web architectures A very basic web architecture Client

1.22k views • 102 slides
The Clock is Still Ticking: Timing Attacks in the Modern Web Tom Van Goethem, Wouter Joosen,

The Clock is Still Ticking: Timing Attacks in the Modern Web Tom Van Goethem, Wouter Joosen,

The Clock is Still Ticking: Timing Attacks in the Modern Web Tom Van Goethem, Wouter Joosen, Nick Nikiforakis Background: Timing attacks Introduced by Felten et al. in 2000. A side-channel attack analyzing the time that it takes to a

642 views • 21 slides
EXPERIMENTAL EVALUATION OF TWO SOFTWARE COUNTERMEASURES AGAINST FAULT ATTACKS Nicolas Moro 1,3 ,

EXPERIMENTAL EVALUATION OF TWO SOFTWARE COUNTERMEASURES AGAINST FAULT ATTACKS Nicolas Moro 1,3 ,

EXPERIMENTAL EVALUATION OF TWO SOFTWARE COUNTERMEASURES AGAINST FAULT ATTACKS Nicolas Moro 1,3 , Karine Heydemann 3 , Amine Dehbaoui 2 , Bruno Robisson 1 , Emmanuelle Encrenaz 3 1 CEA Commissariat lEnergie Atomique et aux Energies

679 views • 22 slides
Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Stefan Mangard, Florian Mendel, Robert Primas ASIACRYPT 2018 IAIK - Graz University of Technology www.tugraz.at

1.01k views • 78 slides
Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA

Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA

Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA August 2, 2007 Black Hat USA 2007 Agenda Advances in Embedded Systems Security From USB stick to game console Current attacks

533 views • 41 slides
Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet nadia.el-mrabet@emse.fr Mines St Etienne WRACH2019, April 17, 2019 Side channel attacks Physical counter measures Algorithmic counter measures Arithmetical

900 views • 36 slides
FAULT ATTACKS ON TWO SOFTWARE COUNTERMEASURES Nicolas Moro 1,3 , Karine Heydemann 3 , Amine

FAULT ATTACKS ON TWO SOFTWARE COUNTERMEASURES Nicolas Moro 1,3 , Karine Heydemann 3 , Amine

FAULT ATTACKS ON TWO SOFTWARE COUNTERMEASURES Nicolas Moro 1,3 , Karine Heydemann 3 , Amine Dehbaoui 2 , Bruno Robisson 1 , Emmanuelle Encrenaz 3 1 CEA Commissariat lEnergie Atomique et aux Energies Alternatives 2 ENSM.SE Ecole Nationale

456 views • 22 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer ESC 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

476 views • 33 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer FSE 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

635 views • 30 slides
CMSC427 Parametric curves: Hermite, Catmull-Rom, Bezier Modeling Creating 3D objects

CMSC427 Parametric curves: Hermite, Catmull-Rom, Bezier Modeling Creating 3D objects

CMSC427 Parametric curves: Hermite, Catmull-Rom, Bezier Modeling Creating 3D objects How to construct complicated surfaces? Goal Specify objects with few control points Resulting object should be visually pleasing (smooth)

1.34k views • 86 slides
CAS CS 460/660 Introduction to Database Systems Transactions and Concurrency Control 1.1

CAS CS 460/660 Introduction to Database Systems Transactions and Concurrency Control 1.1

CAS CS 460/660 Introduction to Database Systems Transactions and Concurrency Control 1.1 Recall: Structure of a DBMS Query in: e.g. Select min(account balance) Data out: e.g. 2000 Database app Query Optimization and Execution

759 views • 62 slides
Advanced Computer Graphics Advanced Computer Graphics CS 563: Curves and Curved Surfaces William

Advanced Computer Graphics Advanced Computer Graphics CS 563: Curves and Curved Surfaces William

Advanced Computer Graphics Advanced Computer Graphics CS 563: Curves and Curved Surfaces William DiSanto Computer Science Dept. Worcester Polytechnic Institute (WPI) O Overview i Advantages/Disadvantages / Implicit Surfaces

802 views • 40 slides
Security Evaluation of Physical RNGs Werner Schindler, Workshop on Randomness and Arithmetics for

Security Evaluation of Physical RNGs Werner Schindler, Workshop on Randomness and Arithmetics for

Security Evaluation of Physical RNGs Werner Schindler, Workshop on Randomness and Arithmetics for Cryptography on Hardware Roscoff, April 16, 2019 Overview Introduction and motivation Classification of random number generators (RNGs)

779 views • 49 slides
Double Stranded RNA as a Specific Biological Effector December 8, 2006 Karolinska Institute,

Double Stranded RNA as a Specific Biological Effector December 8, 2006 Karolinska Institute,

(J. American Chemical Association, 78, 3458-3459) The Secondary Structure of Complementary RNA E. Peter Geiduschek, John W. Moohr, and Smauel B. Weiss, Proceedings of The National Academy of Sciences, 48, 1078-1086, 1962. R.H. DOI RH, and S.

590 views • 48 slides
Optimal Estimation of a Nonsmooth Functional T. Tony Cai Department of Statistics The Wharton

Optimal Estimation of a Nonsmooth Functional T. Tony Cai Department of Statistics The Wharton

Optimal Estimation of a Nonsmooth Functional T. Tony Cai Department of Statistics The Wharton School University of Pennsylvania http://stat.wharton.upenn.edu/tcai Joint work with Mark Low 1 Question Suppose we observe X N ( , 1) .

720 views • 46 slides
How does Disagreement Help Generalization against Label Corruption? Center for Advanced

How does Disagreement Help Generalization against Label Corruption? Center for Advanced

Introduction Related works Co-teaching Co-teaching+ Experiments Summary References How does Disagreement Help Generalization against Label Corruption? Center for Advanced Intelligence Project, RIKEN, Japan Centre for Artificial

316 views • 30 slides
CopyCat: Controlled Instruction-Level Attacks on Enclaves Daniel Moghimi Jo Van Bulck

CopyCat: Controlled Instruction-Level Attacks on Enclaves Daniel Moghimi Jo Van Bulck

CopyCat: Controlled Instruction-Level Attacks on Enclaves Daniel Moghimi Jo Van Bulck Nadia Heninger Frank Piessens Berk Sunar Trusted Execution Environment (TEE) Intel SGX Intel Software Guard eXtensions (SGX) App

894 views • 42 slides

More recommend