remote timing attacks are practical
play

Remote Timing Attacks are Practical by David Brumley and Dan Boneh - PowerPoint PPT Presentation

Dec 16, 2023 •419 likes •1.19k views

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in Advanced Topics in Network Security (600/650.624) Outline Traditional threat model in cryptography Side-channel attacks Kochers

  1. Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in Advanced Topics in Network Security (600/650.624)

  2. Outline • Traditional threat model in cryptography • Side-channel attacks • Kocher’s timing attack • Boneh & Brumley timing attack • Experiments • Countermeasures S. Kamara (600/650.624) 02/10/05

  3. Traditional Crypto • Brute force attacks • large key • Mathematical attacks • reduction to hard problem • RSAP: ( m e mod n ) → m • DHP: ( g x , g y ) → g xy S. Kamara (600/650.624) 02/10/05

  4. Traditional Crypto • Attacker has access to: • Ciphertext • Algorithm S. Kamara (600/650.624) 02/10/05

  5. Real-Life Crypto • Attacker has access to: • Ciphertext • Algorithm • Physical observables from the device S. Kamara (600/650.624) 02/10/05

  6. Side Channel Attacks • Paul Kocher in 1996 • Recovers RSA and DSS signing key • Not taken seriously by cryptographers • Lot of attention from the press S. Kamara (600/650.624) 02/10/05

  7. Side Channel Attacks • Timing analysis • Fault analysis • Differential fault analysis • Simple power analysis • Differential power analysis • EM analysis S. Kamara (600/650.624) 02/10/05

  8. Side Channel Attacks m k Power time consumption c EM radiation S. Kamara (600/650.624) 02/10/05

  9. Side Channel Attacks m Encryption e m e mod n Side channel S. Kamara (600/650.624) 02/10/05

  10. Side Channel Attacks m Decryption/ d Signing m d mod n Side channel S. Kamara (600/650.624) 02/10/05

  11. Kocher Timing Attack • RSA signatures: sig ( m ) = m d mod n • Modular exponentiation is computed using square and multiply algorithm • Time of modular exponentiation is a function of the bits of the exponent • Use time to recover exponent (signing key) S. Kamara (600/650.624) 02/10/05

  12. Kocher Timing Attack • Recovers key bit by bit • Guesses key bit then verifies • Uses statistical analysis • Needs many samples of signing time S. Kamara (600/650.624) 02/10/05

  13. Kocher Attack Target sig ( m ) = m d mod n S. Kamara (600/650.624) 02/10/05

  14. Square and Multiply 1: INPUT: m, n, d 2: OUTPUT: x = m d mod n 3: x := m 4: for i = n − 1 downto 0 do x := x 2 5: if d i = 1 then 6: x := x · m mod n 7: end if 8: 9: end for 10: return x S. Kamara (600/650.624) 02/10/05

  15. Kocher Timing Attack Eve Bob m 1 T ( m 1 ) s 1 d m 2 ... T ( m 2 ) s 2 ... ... S. Kamara (600/650.624) 02/10/05

  16. Kocher Timing Attack Eve Eve m 1 T 0 ( m 1 ) s 1 0? m 2 ... T 0 ( m 2 ) s 2 ... ... S. Kamara (600/650.624) 02/10/05

  17. Kocher Timing Attack Eve Eve m 1 T 1 ( m 1 ) s 1 1? m 2 ... T 1 ( m 2 ) s 2 ... ... S. Kamara (600/650.624) 02/10/05

  18. Kocher Timing Attack • Compare • vs T 0 ( m i ) T ( m i ) • vs T 1 ( m i ) T ( m i ) • will be correlated with correct guess T ( m i ) S. Kamara (600/650.624) 02/10/05

  19. Kocher Timing Attack • 1998 UCL experimental results: Key size sample size 64 1 500-6 500 128 12 000-20 000 256 70 000-80 000 512 350 000 S. Kamara (600/650.624) 02/10/05

  20. Limit of Kocher Attack • Does not work when mod exp is optimized S. Kamara (600/650.624) 02/10/05

  21. RSA with Sun Ze Th. sig ( m ) = m d mod n • • Sun Ze Th. aka CRT • m, d and n are order of 1024 bits • exponentiation of 1024 bit number by another 1024 bit number taken modulo a third 1024 bit number S. Kamara (600/650.624) 02/10/05

  22. RSA with Sun Ze Th. • exponentiate mod q (512 bits) • exponentiate mod p (512 bits) • combine using SZT to get mod n (= pq) S. Kamara (600/650.624) 02/10/05

  23. RSA with Sun Ze Th. sig ( m ) = m d mod n • where n = pq • m 1 = m mod p • m 2 = m mod q • d 1 = d mod ( p − 1 ) d 2 = d mod ( q − 1 ) S. Kamara (600/650.624) 02/10/05

  24. RSA with Sun Ze Th. • s 1 = m d 1 1 mod p • s 2 = m d 2 2 mod q • CRT ( s 1 , s 2 ) = m d mod n S. Kamara (600/650.624) 02/10/05

  25. RSA with Sun Ze Th. • Modular exponentiation: • pre-processing • exponentiation mod p • exponentiation mod q • CRT S. Kamara (600/650.624) 02/10/05

  26. RSA with Sun Ze Th. • Kocher’s attack does not work • Cannot get precise timings • Cannot repeat pre-processing without factors • Most implementations use CRT • OpenSSL S. Kamara (600/650.624) 02/10/05

  27. OpenSSL • SSL establishes encrypted and authenticated channel between client and server • 1994 • SSL v1 completed but never released • SSL v2 released with Navigator 1.1 • SSL v2 PRNG broken S. Kamara (600/650.624) 02/10/05

  28. OpenSSL • 1995 • SSL v3 released (designed by Kocher) • SSL is ubiquitous • 1996 • IETF standardizes SSL S. Kamara (600/650.624) 02/10/05

  29. OpenSSL • 1998 • OpenSSL 0.9.1c is released (based on SSLeay) • mod_ssl for Apache is released S. Kamara (600/650.624) 02/10/05

  30. OpenSSL • Most popular open source SSL implementation • Most popular crypto library • 18% of all Apache servers use mod_ssl • stunnel • sNFS S. Kamara (600/650.624) 02/10/05

  31. RSA in OpenSSL • sig ( m ) = m d mod n • Sun Ze Theorem • Modular exponentiation: sliding window • Modular reduction: Montgomery • Multi-precision multiplication: Karatsuba S. Kamara (600/650.624) 02/10/05

  32. Sliding Window • Extension of square and multiply • uses multiple bits of the exponent at once • makes attack more difficult S. Kamara (600/650.624) 02/10/05

  33. Montgomery Reduction • Introduced in 1985 by Peter Montgomery • Performs modular multiplication efficiently • Transforms multiplication mod n to multiplication mod R S. Kamara (600/650.624) 02/10/05

  34. Montgomery Reduction Algorithm 1 Montgomery Reduction 1: INPUT: x , y and q 2: OUTPUT: x · y mod q 3: RR − 1 − qq ∗ = 1 4: Ψ ( x ) := xR mod q 5: Ψ ( y ) := yR mod q 6: z := Ψ ( x ) × Ψ ( y ) = abR 2 mod q 7: r := z × q ∗ mod R 8: s := z + rq R 9: if s > q then extra reduction s := s − q 10: 11: end if 12: return s S. Kamara (600/650.624) 02/10/05

  35. Montgomery Reduction Pr [ extra reduction ] = m mod q • 2R • m = q ⇒ Pr [ reduction ] = 0 • m → q ⇒ Pr [ reduction ] � m → q + ⇒ Pr [ reduction ] � S. Kamara (600/650.624) 02/10/05

  36. Karatsuba • Multi-precision multiplication • where and | x | = n | y | = n x · y • Runs in O ( n log 2 3 ) • As opposed to O ( n · m ) • worst case O ( n 2 ) S. Kamara (600/650.624) 02/10/05

  37. Karatsuba • Used only if inputs have same length • OpenSSL: • if |x| = |y| then Karatsuba O ( n log 2 3 ) • if |x| != |y| then normal O ( n 2 ) S. Kamara (600/650.624) 02/10/05

  38. Biases • What is the effect of these optimizations on the exponentiation time? S. Kamara (600/650.624) 02/10/05

  39. Montgomery Reduction • if m approaches q from below then slow • if m approaches q from above then fast S. Kamara (600/650.624) 02/10/05

  40. Montgomery Reduction Decryption time g q 2q 3q Figure 1 S. Kamara (600/650.624) 02/10/05

  41. Multiplication • if |x| = |y| then fast • if |x| != |y| then slow S. Kamara (600/650.624) 02/10/05

  42. Multiplication Decryption time Karatsuba Normal g g < q g > q S. Kamara (600/650.624) 02/10/05

  43. Boneh-Brumley Attack hello e Eve Server g or g hi error S. Kamara (600/650.624) 02/10/05

  44. Boneh-Brumley Attack • Kocher attack recovers signing key • Boneh-Brumley attack recovers factor S. Kamara (600/650.624) 02/10/05

  45. Kocher Attack Target sig ( m ) = m d mod n S. Kamara (600/650.624) 02/10/05

  46. Boneh-Brumley Target sig ( m ) = m d mod p · q S. Kamara (600/650.624) 02/10/05

  47. Boneh-Brumley Target • n = pq • Knowing q we recover p d = e − 1 mod ( p − 1 )( q − 1 ) S. Kamara (600/650.624) 02/10/05

  48. Boneh-Brumley Attack CRT m modq m d mod q Square and multiply m d mod R Montgomery Multiplication I · m S. Kamara (600/650.624) 02/10/05

  49. Boneh-Brumley Attack sig ( m ) = m d mod pq • • Recover bit of q i th • when we already have the top bits i − 1 S. Kamara (600/650.624) 02/10/05

  50. Timing Attack • q: smallest factor • g: same top bits as q (rest is all 0) i − 1 • : g with bit set to i th 1 g hi • : decryption(g) - decryption( ) ∆ g hi S. Kamara (600/650.624) 02/10/05

  51. Timing Attack • i = 4 • q = 101 ? • g = 101 0... • g = 101 10... hi S. Kamara (600/650.624) 02/10/05

  52. Timing Attack • i = 4 • q = 101 1 ? if then q 4 = 1 g < g hi < q • g = 101 0... • g = 101 10... hi S. Kamara (600/650.624) 02/10/05

  53. Timing Attack • i = 4 • q = 101 0 ? • g = 101 0... if then q 4 = 0 g < q < g hi • g = 101 10... hi S. Kamara (600/650.624) 02/10/05

  54. Boneh-Brumley Attack q i = 0 → g < q < g hi Montgomery Multiplication slow fast T(g) (xtra reds) (kara) slow T( ) fast g hi (normal) | ∆ | large large S. Kamara (600/650.624) 02/10/05

  55. Boneh-Brumley Attack g < q < g hi Montgomery Multiplication slow fast T(g) (xtra reds) (kara) slow T( ) fast g hi (normal) | ∆ | large large S. Kamara (600/650.624) 02/10/05

Recommend

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing attacks important? Clarifications Zero-One Gap / Neighborhood Size etc. Problems Questions Extensions Contribution Discussion

645 views • 26 slides
Remote Timing Attacks are Still Practical Billy Brumley Nicola Tuveri Aalto University School of

Remote Timing Attacks are Still Practical Billy Brumley Nicola Tuveri Aalto University School of

Remote Timing Attacks are Still Practical Billy Brumley Nicola Tuveri Aalto University School of Science, Finland {bbrumley,ntuveri}@tcs.hut.fi Synopsis New remote timing attack vulnerability in OpenSSLs implementation of Montgomerys

487 views • 25 slides
Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi @danielmgmi https://moghimi.org Security Researcher PhD Candidate @ WPI Microarchitectural Attacks Side Channels Breaking Crypto

1.2k views • 71 slides
The Clock is Still Ticking: Timing Attacks in the Modern Web Tom Van Goethem, Wouter Joosen,

The Clock is Still Ticking: Timing Attacks in the Modern Web Tom Van Goethem, Wouter Joosen,

The Clock is Still Ticking: Timing Attacks in the Modern Web Tom Van Goethem, Wouter Joosen, Nick Nikiforakis Background: Timing attacks Introduced by Felten et al. in 2000. A side-channel attack analyzing the time that it takes to a

642 views • 21 slides
NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse,

NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse,

NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi Cache Attack from the Network Client Server Remote Cache Attack SSH 2 Network Cache Attack 3

794 views • 32 slides
Cache-Timing Attacks Matteo BOCCHI System Research &amp; Applications STMicroelectronics S.r.l.

Cache-Timing Attacks Matteo BOCCHI System Research &amp; Applications STMicroelectronics S.r.l.

Cache-Timing Attacks Matteo BOCCHI System Research &amp; Applications STMicroelectronics S.r.l. 2018/12/06 Agenda 2 STM32 Nucleo Boards STM32 Firewall Cache-Timing Attack Evict&amp;Time vs. MbedTLS AES on STM32

477 views • 20 slides
DISTRIBUTED SYSTEMS Practical Lab Remote Method Invocation 2 A pragmatic Introduction RMI -

DISTRIBUTED SYSTEMS Practical Lab Remote Method Invocation 2 A pragmatic Introduction RMI -

1 DISTRIBUTED SYSTEMS Practical Lab Remote Method Invocation 2 A pragmatic Introduction RMI - Overview 3 Simple idea: In an OO-program objects communicate via methods For remote communication why not allow an object to

343 views • 11 slides
No Pardon for the Interruption: New Inference Attacks on Android Through Interrupt Timing

No Pardon for the Interruption: New Inference Attacks on Android Through Interrupt Timing

IEEE S&amp;P 2016 No Pardon for the Interruption: New Inference Attacks on Android Through Interrupt Timing Analysis May 24, 2016 Wenrui Diao , Xiangyu Liu, Zhou Li, and Kehuan Zhang 2/18 Motivation -- Hardware and Kernel Mobile platform

700 views • 21 slides
Determinating Timing Channels in Compute Clouds Amittai Aviram, Sen Hu, Bryan Ford Yale

Determinating Timing Channels in Compute Clouds Amittai Aviram, Sen Hu, Bryan Ford Yale

Determinating Timing Channels in Compute Clouds Amittai Aviram, Sen Hu, Bryan Ford Yale University http://dedis.cs.yale.edu/ Ramakrishna Gummadi University of Massechusetts Amherst CCSW, October 8, 2010 Timing Attacks Cooperative attacks

471 views • 30 slides
Exclusive Exponent Blinding May Not Suffice Attacks on RSA to Prevent Timing Attacks on RSA

Exclusive Exponent Blinding May Not Suffice Attacks on RSA to Prevent Timing Attacks on RSA

Exclusive Exponent Blinding May Not Suffice to Prevent Timing Exclusive Exponent Blinding May Not Suffice Attacks on RSA to Prevent Timing Attacks on RSA Werner Schindler Bundesamt f ur Sicherheit in der Werner Schindler

553 views • 23 slides
Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University

Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University

Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University http://dedis.cs.yale.edu/ USENIX HotCloud, June 13, 2012 The Long History of Timing Attacks Cooperative attacks apply to: Mandatory Access

359 views • 21 slides
CACHE-TIMING ATTACKS ON RSA KEY GENERATION Conference on Cryptographic Hardware and Embedded

CACHE-TIMING ATTACKS ON RSA KEY GENERATION Conference on Cryptographic Hardware and Embedded

CACHE-TIMING ATTACKS ON RSA KEY GENERATION Conference on Cryptographic Hardware and Embedded Systems (CHES) 2019 Alejandro Cabrera Aldaya 1 , Cesar Pereida Garca 2 , Luis Manuel Alvarez Tapia 1 , Billy Bob Brumley 2 , {aldaya,

371 views • 21 slides
Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This

Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This

Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This paper reports successful Thanks to: extraction of a complete AES key University of Illinois at Chicago from a network server NSF CCR9983950 on

1.28k views • 91 slides
Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong

Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong

Introduction Finding Padding Oracles Basic PO attacks Advanced PO attacks Summary Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong Practical Padding Oracle Attacks Introduction Finding Padding

1.33k views • 108 slides
Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity

Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity

Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity @jurajsomorovsky 1 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 1 Recent years

406 views • 29 slides
Why Some Like It Loud: Timing Power Attacks in Multi-tenant Data Centers Using an Acoustic Side

Why Some Like It Loud: Timing Power Attacks in Multi-tenant Data Centers Using an Acoustic Side

Why Some Like It Loud: Timing Power Attacks in Multi-tenant Data Centers Using an Acoustic Side Channel Mohammad A. Islam, Luting Yang, Kiran Ranganath, and Shaolei Ren Acknowledgement: This work was supported in part by NSF under grants

445 views • 31 slides
Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks

Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks

Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks Author: Ralf-Philipp Weinmann University of Luxembourg WOOT, USENIX, 2012. Presenter: Hyuntae Kim Part 1. Introduction - GSM overview - MS-BTS

1.2k views • 42 slides
Reasoning about Aggregation of Information in Timing Attacks Boris Kpf Itsaka Rakotonirina

Reasoning about Aggregation of Information in Timing Attacks Boris Kpf Itsaka Rakotonirina

Reasoning about Aggregation of Information in Timing Attacks Boris Kpf Itsaka Rakotonirina Microsoft Research INRIA Nancy Grand-Est Choose a letter: A or B. Choose a letter: A or B. Does it occur more than 10 times in TARATATATARATATATA ?

1.18k views • 65 slides
TPM-Fail TPM meets Timing and Lattice Attacks Daniel Moghimi Berk Sunar Thomas Eisenbarth

TPM-Fail TPM meets Timing and Lattice Attacks Daniel Moghimi Berk Sunar Thomas Eisenbarth

TPM-Fail TPM meets Timing and Lattice Attacks Daniel Moghimi Berk Sunar Thomas Eisenbarth Nadia Heninger 01/08/2020 Real World Crypto TPM 2 Trusted Platform Module (TPM) Software is Hackers? insecure. Bad Guys? Heartbleed? Rootkits?

437 views • 39 slides
Remote IP Protection Using Timing Channels Ariano-Tim Donda 1 , 2 Peter Samarin 1 , 2 Jacek

Remote IP Protection Using Timing Channels Ariano-Tim Donda 1 , 2 Peter Samarin 1 , 2 Jacek

Remote IP Protection Using Timing Channels Ariano-Tim Donda 1 , 2 Peter Samarin 1 , 2 Jacek Samotyja 1 Kerstin Lemke-Rust 1 Christof Paar 2 1 Bonn-Rhein-Sieg University of Applied Sciences, Germany 2 Ruhr University Bochum, Germany December 4, 2014

197 views • 18 slides
Software Engineering Large Practical: Accessing remote data and XML parsing Stephen Gilmore

Software Engineering Large Practical: Accessing remote data and XML parsing Stephen Gilmore

Software Engineering Large Practical: Accessing remote data and XML parsing Stephen Gilmore School of Informatics October 8, 2017 Contents 1. Android system permissions 2. Getting a network connection 3. Accessing remote data 4. Parsing XML

627 views • 37 slides
FPGAhammer: Remote Voltage Fault Attacks on Shared FPGAs, suitable for DFA on AES Jonas Krautter,

FPGAhammer: Remote Voltage Fault Attacks on Shared FPGAs, suitable for DFA on AES Jonas Krautter,

FPGAhammer: Remote Voltage Fault Attacks on Shared FPGAs, suitable for DFA on AES Jonas Krautter, Dennis R.E. Gnad, Mehdi B. Tahoori | 10.09.2018 INSTITUTE OF COMPUTER ENGINEERING CHAIR OF DEPENDABLE NANO COMPUTING www.kit.edu KIT Die

995 views • 61 slides
Ohms Law in Data Centers: A Voltage Side Channel for Timing Power Attacks Mohammad A. Islam and

Ohms Law in Data Centers: A Voltage Side Channel for Timing Power Attacks Mohammad A. Islam and

Ohms Law in Data Centers: A Voltage Side Channel for Timing Power Attacks Mohammad A. Islam and Shaolei Ren UC Riverside Acknowledgement: This work was supported in part by the U.S. NSF under grants CNS-1551661 and ECCS-1610471. Cloud data

1.15k views • 75 slides
Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 , Jacques Fournier 2 , Louis Goubin 3 , Ronan Lashermes 2 , 3 , Marie Paindavoine 4 , 5 . 1 - LIASD, Paris 8, France. 2 - CEA Tech, DPACA/LSAS, Gardanne,

446 views • 22 slides

More recommend