Cache-timing attacks on AES

D. J. Bernstein

Thanks to:
University of Illinois at Chicago
NSF CCR-9983950
Alfred P. Sloan Foundation

"Cache-timing attacks on AES," http://cr.yp.to/papers.html#cachetiming, 2005:

"This paper reports successful extraction of a complete AES key from a network server on another computer. The targeted server used its key solely to encrypt data using the OpenSSL AES implementation on a Pentium III."

All code included in paper. Easily reproducible.

Outline of this talk:

1. How to advertise an AES candidate
2. How to leak keys through timings: basic techniques
3. How to break AES remotely by forcing cache misses
4. How to skew a benchmark
5. How to leak keys through timings: advanced techniques
6. How to break AES remotely without cache misses
7. How to misdesign a cryptographic architecture

1. Advertising an AES candidate

1997: US NIST announces block-cipher competition. Goal: AES, replacing DES as US government-approved block cipher.

1999: NIST announces MARS, RC6, Rijndael, Serpent, Twofish as AES finalists.

2001: NIST publishes "Report on the development of the Advanced Encryption Standard (AES)," explaining selection of Rijndael as AES.

1996: Kocher extracts RSA key from timings of a server.

Clear threat to block-cipher keys too. As stated in NIST's report:

"In some environments, timing attacks can be effected against operations that execute in different amounts of time, depending on their arguments.

"A general defense against timing attacks is to ensure that each encryption and decryption operation runs in the same amount of time. ...

"Table lookup: not vulnerable to timing attacks ...

"Multiplication/division/squaring or variable shift/rotation: most difficult to defend ...

"Rijndael and Serpent use only Boolean operations, table lookups, and fixed shifts/rotations. These operations are the easiest to defend against attacks. ...

"Finalist profiles. ... The operations used by Rijndael are among the easiest to defend against power and timing attacks. ... Rijndael appears to gain a major speed advantage over its competitors when such protections are considered. ...

"NIST judged Rijndael to be the best overall algorithm for the AES. Rijndael appears to be a consistently good performer ... Its key setup time is excellent, and its key agility is good. ... Rijndael's operations are among the easiest to defend against power and timing attacks. ... Finally, Rijndael's internal round structure appears to have good potential to benefit from instruction-level parallelism." (Emphasis added.)
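The NIST report's claim that table lookups are "not vulnerable to timing attacks" is the claim this talk sets out to refute: a direct `table[idx]` read touches a cache line chosen by the secret index, so the time it takes depends on which lines are already cached. The added example below (not code from the paper or from OpenSSL) contrasts that direct lookup with a lookup whose memory-access pattern is the same for every index; it reads the entire table and selects the wanted entry with an arithmetic mask. The table is a constructed byte permutation, not the AES S-box, and `lookup_direct`, `lookup_ct` and `lookups_agree` are names chosen here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TABLE_SIZE 256

/* Constructed sample table (NOT the AES S-box): table[i] = 167*i + 13 mod 256.
 * 167 is odd, so this is a permutation of the byte values. */
static uint8_t sample_table[TABLE_SIZE];

static void init_sample_table(void) {
    for (size_t i = 0; i < TABLE_SIZE; i++)
        sample_table[i] = (uint8_t)((i * 167u + 13u) & 0xffu);
}

/* Direct lookup: the cache line accessed depends on idx. If idx is derived
 * from key material, the access time leaks information about it. */
uint8_t lookup_direct(const uint8_t *table, uint8_t idx) {
    return table[idx];
}

/* Constant-access-pattern lookup: every entry is read on every call, so the
 * set of cache lines touched does not depend on idx. The wanted entry is
 * selected with a mask that is 0xff when i == idx and 0 otherwise; no
 * branch depends on idx. (A compiler may still rewrite this; a practitioner
 * checks the generated assembly.) */
uint8_t lookup_ct(const uint8_t *table, uint8_t idx) {
    uint8_t result = 0;
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        uint8_t diff = (uint8_t)(i ^ idx);
        /* (diff - 1) underflows to all ones exactly when diff == 0 */
        uint8_t mask = (uint8_t)(((unsigned)diff - 1u) >> 8);
        result |= table[i] & mask;
    }
    return result;
}

/* Returns 1 if the two lookups give identical results for every index. */
int lookups_agree(void) {
    init_sample_table();
    for (unsigned i = 0; i < TABLE_SIZE; i++) {
        if (lookup_direct(sample_table, (uint8_t)i) !=
            lookup_ct(sample_table, (uint8_t)i))
            return 0;
    }
    return 1;
}

int main(void) {
    printf("lookups agree: %d\n", lookups_agree());
    printf("table[0x10] = 0x%02x\n", lookup_ct(sample_table, 0x10));
    return 0;
}
```

The masked version costs 256 reads per byte instead of one, which is why implementers preferred the fast lookup tables the report praises; the speed advantage it attributes to Rijndael "when such protections are considered" assumes the unprotected lookup is already safe.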