remote timing attacks are practical david brumley [email protected] dan boneh...
TRANSCRIPT
![Page 2: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/2.jpg)
Various Types of Attacks
• Cryptanalysis– Look at carefully chosen plaintext/ciphertexts– Differential and linear cryptanalysis– Differential Cryptanalysis of the Data Encryption
Standard by Eli Biham and Adi Shamir
• Side channel attacks– Timing attacks– Differential power analysis– Look at characteristics, such as time for
decryption and power consumption
![Page 3: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/3.jpg)
Overview
• Main result: RSA in OpenSSL is vulnerable to a new timing attack:– Attacker can extract RSA private key by
measuring web server response time.
• Exploiting OpenSSL’s timing vulnerability: – One process can extract keys from another.– Insecure VM can attack secure VM.
• Breaks VM isolation.
– Extract web server key remotely.• Our attack works across Stanford campus.
![Page 4: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/4.jpg)
Why are timing attacks against OpenSSL interesting?
• Many OpenSSL Applications– mod_SSL (Apache+mod_SSL has 28% of HTTPS market)– stunnel (Secure TCP/IP servers)– sNFS (Secure NFS)– Many more
• Timing attacks mostly applied to smartcards [K’96]– K’96: Paul Kocher, Timing Attacks on Implementations of Diffie-Hellman,
RSA, DSS, and Other Systems, Advances in Cryptology, 1996.
– Never applied to complex systems– Most crypto libraries do not defend:
• libgcrypt, cryptlib, ...• Mozilla NSS only one we found to explicitly defend by default
• OpenSSL uses well-known algorithms
![Page 5: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/5.jpg)
Outline
RSA Overview and data dependencies
• Present timing attack
• Results against OpenSSL 0.9.7
• Defenses
![Page 6: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/6.jpg)
RSA Algorithm
• RSA decryption: gd mod N = m– d is private decryption exponent, N is public modulus
• Chinese remaindering (CRT) uses factors directly. N=pq, and d1 and d2 are pre-computed from d: 1. m1 = gd1 mod q 2. m2 = gd2 mod p 3. combine m1 and m2 to yield m (mod N)
• Goal: learn factors of N.– Kocher’s [K’96] attack fails when CRT is used.
![Page 7: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/7.jpg)
RSA Decryption Time Variance
• Two reasons for decryption time variance:1. Multiplication algorithm used
• OpenSSL uses two different mult. algorithms2. Modular reduction steps
• modular reduction goal: given u, compute u mod q• Occasional extra steps in OpenSSL’s reduction
algorithm
• There are MANY:– multiplications by input g– modular reductions by factor q (and p)
![Page 8: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/8.jpg)
Reduction Timing Dependency
• Modular reduction: given u, compute u mod q.
– OpenSSL uses Montgomery reductions [M’85] .– M’85: Peter Montgomery, Modular Multiplication
without Trial Division, Mathematics of Computation, 44(170), 1985.
• Time variance in Montgomery reduction:– One extra step at end of reduction algorithm
with probability
Pr[extra step] (g mod q) [S’00]
2q
![Page 9: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/9.jpg)
Pr[extra step] (g mod q) 2q
Value of ciphertext
Decryption Time
q 2q p
![Page 10: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/10.jpg)
Multiplication Timing Dependency
• Two algorithms in OpenSSL:– Karatsuba (fast): Multiplying two numbers of equal
length– Normal (slow): Multiplying two numbers of different
length
• To calc xg mod q OpenSSL does:– When x is the same length as (g mod q), use
Karatsuba mult.– Otherwise, use Normal multiplication
![Page 11: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/11.jpg)
OpenSSL Multiplication Summary
g < q
Decryption Time
q
Normal MultiplicationKaratsuba Multiplication
gg > q
Value of ciphertext
![Page 12: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/12.jpg)
Data Dependency Summary
• Decryption value g < q– Montgomery effect: longer decryption time– Multiplication effect: shorter decryption time
• Decryption value g > q– Montgomery effect: shorter decryption time– Multiplication effect: longer decryption time
Opposite effects! But one will always dominate
![Page 13: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/13.jpg)
Previous Timing Attacks
• Kocher’s attack does not apply to RSA-CRT.
• Schindler’s attack does not work directly on OpenSSL for two reasons:– OpenSSL uses sliding windows instead of square and
multiply– OpenSSL uses two mult. algorithms.
Both known timing attacks do not work on OpenSSL.
![Page 14: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/14.jpg)
Outline
• RSA Overview and data dependencies during decryption
Present timing attack
• Results against OpenSSL 0.9.7
• Defenses
![Page 15: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/15.jpg)
Timing Attack: High Level
Assume we have i-1 top bits of q. Goal: find i-th bit of q.
1) Set g=q for the top i-1 bits, and 0 elsewhere.
2) ghi = g, but with the ith bit 1. Then g < ghi
- g <q <ghi i’th bit of q is 0.
- g <ghi <q i’th bit of q is 1.
Goal: decide if g<q<ghi or g<ghi<q
![Page 16: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/16.jpg)
2 cases for ghi
Decryption Time
# ReductionsMult routine
Value of ciphertext q
g ghi?
ghi?
![Page 17: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/17.jpg)
Timing Attack
High Level Attack:1) Suppose g=q for the top i-1 bits, and 0 elsewhere.
2) ghi = g, but with the ith bit 1. Then g < ghi
Goal: decide if g<q<ghi or g<ghi<q
3) Sample decryption time for g and ghi:t1 = DecryptTime(g)
t2 = DecryptTime(ghi)
4) If |t1 - t2| is large bit i is 0 (g < q < ghi)
else bit i is 1 (g < ghi < q)g and ghi don’t
straddle q
Time diff
creates 0-1 gap
g and ghi straddle q
![Page 18: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/18.jpg)
Small time differenceg < ghi < q
Decryption Time
# ReductionsMult routine
Value of ciphertext q
ghi
|t1 – t2|0-1 gap small
g
![Page 19: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/19.jpg)
Large time differenceg < q < ghi
Decryption Time
# ReductionsMult routine
Value of ciphertext q
ghi
|t1 – t2|0-1 gap
large
g
![Page 20: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/20.jpg)
Timing Attack Details
• We know what is “large” and “small” from attack on previous bits.
• Decrypting just g does not work because of sliding windows– Decrypt a neighborhood of values near g– Will increase diff. between large and small values
larger 0-1 gap
• Only need to recover top half bits of q [C’97]
• Attack requires only 2 hours, about 1.4 million queries to recover server’s private key.
![Page 21: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/21.jpg)
The Zero-One Gap
Zero-one gap
![Page 22: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/22.jpg)
How does this work with SSL?
How do we get the server to decrypt our g?
![Page 23: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/23.jpg)
Normal SSL Session Startup
Regular ClientUSENIX
SSL Server 1. ClientHello
2. ServerHello (send public key)
3. ClientKeyExchange (re mod N)
Result: Encrypted with computed shared master secret
![Page 24: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/24.jpg)
Attacking Session Startup
Attack ClientUSENIX
SSL Server
1. ClientHello
2. ServerHello (send public key)
3. Record time t1
Send guess g or ghi
4. Alert
5. Record time t2
Compute t2 –t1
![Page 25: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/25.jpg)
Outline
• RSA Overview and data dependencies during decryption
• Present timing attack
Results against OpenSSL 0.9.7
• Defenses
![Page 26: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/26.jpg)
Attack extract RSA private key
Montgomery reductionsdominates
Multiplication routine dominates
zero-one gap
![Page 27: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/27.jpg)
Attack extract RSA private key
Montgomery reductionsdominates
Multiplication routine dominates
zero-one gap
![Page 28: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/28.jpg)
Attack works on the network
Similar timing onWAN vs. LAN
![Page 29: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/29.jpg)
Attack Summary
• Attack successful, even on a WAN
• Attack requires only 350,000 – 1,400,000 decryption queries.
• Attack requires only 2 hours to extract server’s private key.
![Page 30: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/30.jpg)
Outline
• RSA Overview and data dependencies during decryption
• Present timing attack
• Results against OpenSSL 0.9.7
Defenses
![Page 31: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/31.jpg)
RSA Blinding
• Decrypt random number related to g:1. Compute x’ = g*re mod N, r is random2. Decrypt x’ = m’3. Calculate m = m’/r mod N
• Since r is random, the decryption time should be random
• 2-10% performance penalty
![Page 32: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/32.jpg)
Blinding Works!
![Page 33: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/33.jpg)
Conclusion
• We developed a timing attack based on multiplication and reduction timings
• Attack works against real OpenSSL-based servers on regular PC’s.
• Lesson: Crypto libraries should always defend against timing attacks.– OpenSSL 0.9.7b enables blinding by default.
![Page 34: Remote Timing Attacks are Practical David Brumley dbrumley@stanford.edu Dan Boneh dabo@crypto.stanford.edu dabo@crypto.stanford.edu [Modified by Somesh](https://reader035.vdocuments.us/reader035/viewer/2022062300/56649f525503460f94c76b19/html5/thumbnails/34.jpg)
Questions?
Thanks for listening!