Remote Timing Attacks are Practical - PowerPoint PPT Presentation

About This Presentation
Title:

Remote Timing Attacks are Practical

Description:

Cryptanalysis. Look at carefully chosen plaintext/ciphertexts. Differential and linear cryptanalysis. Side channel attacks. Timing attacks ... – PowerPoint PPT presentation

Transcript and Presenter's Notes

Title: Remote Timing Attacks are Practical


1
Remote Timing Attacks are Practical
  • David Brumley (dbrumley_at_stanford.edu)
  • Dan Boneh (dabo_at_crypto.stanford.edu)
  • Modified by Somesh Jha

2
Various Types of Attacks
  • Cryptanalysis
    • Look at carefully chosen plaintexts/ciphertexts
    • Differential and linear cryptanalysis
  • Side channel attacks
    • Timing attacks
    • Differential power analysis
    • Look at characteristics such as time for decryption and power consumption

3
Overview
  • Main result: RSA in OpenSSL is vulnerable to a new timing attack
    • Attacker can extract the RSA private key by measuring web server response time.
  • Exploiting OpenSSL's timing vulnerability:
    • One process can extract keys from another.
    • Insecure VM can attack secure VM. Breaks VM isolation.
    • Extract a web server key remotely. Our attack works across the Stanford campus.

4
Why are timing attacks against OpenSSL
interesting?
  • Many OpenSSL applications
    • mod_SSL (Apache+mod_SSL has 28% of the HTTPS market)
    • stunnel (secure TCP/IP servers)
    • sNFS (secure NFS)
    • Many more
  • Timing attacks mostly applied to smartcards [K96]
    • Never applied to complex systems
  • Most crypto libraries do not defend
    • libgcrypt, cryptlib, ...
    • Mozilla NSS is the only one we found that explicitly defends by default
  • OpenSSL uses well-known algorithms

5
Outline
  • RSA Overview and data dependencies
  • Present timing attack
  • Results against OpenSSL 0.9.7
  • Defenses

6
RSA Algorithm
  • RSA decryption: g^d mod N = m
    • d is the private decryption exponent, N is the public modulus
  • Chinese remaindering (CRT) uses the factors directly.
    N = pq, and d1 and d2 are pre-computed from d:
    1. m1 = g^d1 mod q
    2. m2 = g^d2 mod p
    3. combine m1 and m2 to yield m (mod N)
  • Goal: learn the factors of N.
  • Kocher's [K96] attack fails when CRT is used.

7
RSA Decryption Time Variance
  • Two reasons for decryption time variance:
    1. Multiplication algorithm used
       • OpenSSL uses two different multiplication algorithms
    2. Modular reduction steps
       • Modular reduction goal: given u, compute u mod q
       • Occasional extra steps in OpenSSL's reduction algorithm
  • There are MANY
    • multiplications by the input g
    • modular reductions by the factor q (and p)

8
Reduction Timing Dependency
  • Modular reduction: given u, compute u mod q.
  • OpenSSL uses Montgomery reductions [M85].
  • Time variance in Montgomery reduction:
    • One extra step at the end of the reduction algorithm, with probability
      Pr[extra step] ≈ (g mod q) / 2q   [S00]

9
[Figure: decryption time vs. value of the ciphertext g, with Pr[extra step] ≈ (g mod q) / 2q; the curve has discontinuities at q, p and 2q]
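To see the data dependence the slides describe, here is an added Python example (not OpenSSL's code) that implements Montgomery multiplication with its final conditional subtraction exposed and measures how often that extra step fires when a fixed operand x is multiplied by random residues. The modulus Q and radix R are constructed stand-ins and the function names are my own; the measured rate grows linearly with x, matching Schindler's estimate x/2R, which is the dependence the slide states as Pr[extra step] ≈ (g mod q)/2q.

```python
import random

# Constructed odd modulus standing in for the prime factor q (Montgomery
# arithmetic only needs an odd modulus); R is the Montgomery radix 2^64 > Q.
Q = 0xD3F9B2C7E1A58F6B
R = 1 << 64
Q_NEG_INV = (-pow(Q, -1, R)) % R      # q' = -q^{-1} mod R

def montmul(a, b, q=Q, r=R, q_neg_inv=Q_NEG_INV):
    """Montgomery product a*b*R^-1 mod q with the final conditional
    subtraction exposed. Returns (product, extra_step_taken)."""
    t = a * b
    m = (t * q_neg_inv) % r
    u = (t + m * q) // r              # exact division; u lies in [0, 2q)
    if u >= q:                        # the occasional extra step
        return u - q, True
    return u, False

def extra_step_rate(x, trials=20000, seed=1):
    """Fraction of products x*a (a uniform in [0, Q)) that take the extra
    step; Schindler's estimate for this fraction is x / (2R)."""
    rng = random.Random(seed)
    hits = sum(montmul(rng.randrange(Q), x)[1] for _ in range(trials))
    return hits / trials

def predicted_rate(x):
    """Schindler's estimate: the extra step is taken with probability x/2R."""
    return x / (2 * R)

if __name__ == "__main__":
    # Small operand: extra step is rare. Operand just below Q: almost half the time.
    for x in (Q // 16, Q // 2, Q - 1):
        print(f"x = {x:#x}: measured {extra_step_rate(x):.3f}, "
              f"predicted {predicted_rate(x):.3f}")
```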
10
Multiplication Timing Dependency
  • Two algorithms in OpenSSL:
    • Karatsuba (fast): multiplying two numbers of equal length
    • Normal (slow): multiplying two numbers of different length
  • To calculate x·g mod q, OpenSSL does:
    • When x is the same length as (g mod q), use Karatsuba multiplication.
    • Otherwise, use Normal multiplication.

11
OpenSSL Multiplication Summary
[Figure: decryption time vs. value of the ciphertext g; Karatsuba multiplication for g < q, Normal multiplication for g > q]
12
Data Dependency Summary
  • Decryption value g < q
    • Montgomery effect: longer decryption time
    • Multiplication effect: shorter decryption time
  • Decryption value g > q
    • Montgomery effect: shorter decryption time
    • Multiplication effect: longer decryption time
  • Opposite effects! But one will always dominate.

13
Previous Timing Attacks
  • Kocher's attack does not apply to RSA-CRT.
  • Schindler's attack does not work directly on OpenSSL for two reasons:
    • OpenSSL uses sliding windows instead of square and multiply
    • OpenSSL uses two multiplication algorithms.
  • Neither known timing attack works on OpenSSL.

14
Outline
  • RSA Overview and data dependencies during
    decryption
  • Present timing attack
  • Results against OpenSSL 0.9.7
  • Defenses

15
Attack is binary search
16
Timing Attack
  • High Level Attack
    • Suppose g = q for the top i-1 bits, and 0 elsewhere.
    • g_hi = g, but with the ith bit 1. Then g < g_hi
    • Goal: decide if g < q < g_hi or g < g_hi < q
  • 3) Sample decryption time for g and g_hi
    • t1 = DecryptTime(g)
    • t2 = DecryptTime(g_hi)
    • If t1 - t2 is large ⇒ bit i is 0 (g < q < g_hi)
      else ⇒ bit i is 1 (g < g_hi < q)

[Figure: the two cases; g and g_hi straddle q, or don't straddle q]
17
Timing Attack High Level
  • Assume we have the top i-1 bits of q. Goal: find the ith bit of q.
  • Set g = q for the top i-1 bits, and 0 elsewhere.
  • g_hi = g, but with the ith bit 1. Then g < g_hi
    - g < q < g_hi ⇒ ith bit of q is 0.
    - g < g_hi < q ⇒ ith bit of q is 1.
  • Goal: decide if g < q < g_hi or g < g_hi < q

18
2 cases for g_hi
19
Timing Attack
  • High Level Attack
    • Suppose g = q for the top i-1 bits, and 0 elsewhere.
    • g_hi = g, but with the ith bit 1. Then g < g_hi
    • Goal: decide if g < q < g_hi or g < g_hi < q
  • 3) Sample decryption time for g and g_hi
    • t1 = DecryptTime(g)
    • t2 = DecryptTime(g_hi)
    • If t1 - t2 is large ⇒ bit i is 0 (g < q < g_hi)
      else ⇒ bit i is 1 (g < g_hi < q)

[Figure: the two cases; g and g_hi straddle q, or g and g_hi don't straddle q]
20
[Figure: small time difference, g < g_hi < q; t1 - t2 (the 0-1 gap) is small]
21
[Figure: large time difference, g < q < g_hi; t1 - t2 (the 0-1 gap) is large]
22
Timing Attack Details
  • We know what is "large" and "small" from the attack on previous bits.
  • Decrypting just g does not work because of sliding windows
    • Decrypt a neighborhood of values near g
    • Will increase the difference between large and small values ⇒ larger 0-1 gap
  • Only need to recover the top half of the bits of q [C97]
  • Attack requires only 2 hours, about 1.4 million queries, to recover the server's private key.

23
The Zero-One Gap
[Figure: the zero-one gap]
24
How does this work with SSL?
  • How do we get the server to decrypt our g?

25
Normal SSL Session Startup (Regular Client ↔ USENIX SSL Server)
  1. ClientHello
  2. ServerHello (send public key)
  3. ClientKeyExchange (r^e mod N)
26
Attacking Session Startup (Attack Client ↔ USENIX SSL Server)
  1. ClientHello
  2. ServerHello (send public key)
  3. Record time t1; send guess g or g_hi
  4. Alert
  5. Record time t2; compute t2 - t1
27
Attack requires accurate clock
  • Attack measures a 0.05% time difference between g and g_hi
    • Only 0.001 seconds on a P4
  • We use the CPU cycle counter as a fine-resolution clock
    • rdtsc instruction on Intel
    • tick register on UltraSPARC

28
Outline
  • RSA Overview and data dependencies during
    decryption
  • Present timing attack
  • Results against OpenSSL 0.9.7
  • Defenses

29
Attack: extract RSA private key
30
Attack: extract RSA private key
[Figure: measured zero-one gap per recovered bit; regions labelled "Montgomery reductions dominate" and "Multiplication routine dominates"]
31
Attack works on the network
[Figure: similar timing on WAN vs. LAN]
32
Attack Summary
  • Attack successful, even on a WAN
  • Attack requires only 350,000 to 1,400,000 decryption queries.
  • Attack requires only 2 hours to extract the server's private key.

33
Outline
  • RSA Overview and data dependencies during
    decryption
  • Present timing attack
  • Results against OpenSSL 0.9.7
  • Defenses

34
Defenses
  • Good: Use RSA blinding
  • BAD: Statically require all decryptions to take the same time
  • BAD: Use dynamic methods to make all decryptions take the same time

35
RSA Blinding
  • Decrypt a random number related to g
    • Compute x = g·r^e mod N, where r is random
    • Decrypt x → m'
    • Calculate m = m'/r mod N
  • Since r is random, the decryption time should be random
  • 2-10% performance penalty
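RSA-CRT decryption from slide 6 together with the blinding step from slide 35, as an added Python example (not OpenSSL's code); the key is a constructed toy key from two Mersenne primes, far too small for real use, and the function names are my own.

```python
import math
import random

# Constructed toy key: p and q are Mersenne primes, e = 65537 is coprime
# to (p-1)(q-1). Real keys use 1024+ bit primes; this is for illustration.
P = (1 << 61) - 1
Q = (1 << 31) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
# CRT precomputation (slide 6): d1 = d mod (q-1), d2 = d mod (p-1), q^-1 mod p
D1 = D % (Q - 1)
D2 = D % (P - 1)
Q_INV_P = pow(Q, -1, P)

def encrypt(m):
    return pow(m, E, N)

def crt_decrypt(g):
    """Slide 6: m1 = g^d1 mod q, m2 = g^d2 mod p, then combine (Garner)."""
    m1 = pow(g, D1, Q)
    m2 = pow(g, D2, P)
    h = (Q_INV_P * (m2 - m1)) % P
    return m1 + h * Q                 # < N, equals m1 mod q and m2 mod p

def blinded_decrypt(g, seed=None):
    """Slide 35: decrypt x = g*r^e instead of g, then divide the result by r.
    The CRT exponentiations run on a value the ciphertext's sender did not
    choose, so their running time no longer depends on g's position vs. q."""
    rng = random.Random(seed)          # seed only for reproducible tests
    while True:
        r = rng.randrange(1, N)
        if math.gcd(r, N) == 1:        # r must be invertible mod N
            break
    x = (g * pow(r, E, N)) % N
    m_prime = crt_decrypt(x)           # x^d = g^d * r^(ed) = m * r mod N
    return (m_prime * pow(r, -1, N)) % N

if __name__ == "__main__":
    msg = 0x1234567890ABCDEF
    c = encrypt(msg)
    print(crt_decrypt(c) == msg, blinded_decrypt(c) == msg)
```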

36
Blinding Works!
37
Conclusion
  • We developed a timing attack based on
    multiplication and reduction timings
  • Attack works against real OpenSSL-based servers
    on regular PCs.
  • Lesson: Crypto libraries should always defend
    against timing attacks.
  • OpenSSL 0.9.7b enables blinding by default.

38
Questions?
  • Thanks for listening!