Timing Attacks to RSA - PowerPoint PPT Presentation


1
Timing Attacks to RSA
  • Presented by Zhanxiang

2
Agenda
  • Background of Timing Attack
  • Case study
  • David Brumley and Dan Boneh, "Remote Timing
    Attacks are Practical" (Stanford University)

3
What is a Timing Attack?
  • Timing attacks expose private information, such
    as RSA keys, by measuring the amount of time
    required to perform private-key operations
    (decryptions).
  • Side-channel attacks
    • Power analysis
    • Electromagnetic radiation analysis
    • Timing attacks

4
Some Timing Attacks on RSA
  • Kocher's attack, 1996 [2]
    • Reported on page A1 of Monday's New York Times
      ("Secure Digital Transactions Just Got a Little
      Less Secure" by John Markoff).
    • Does not apply to RSA with CRT.
  • Schindler's attack, 2001
    • Does not work against implementations (e.g.
      OpenSSL) that use
      • Sliding windows instead of square-and-multiply
        for exponentiation
      • Two multiplication algorithms
  • Brumley-Boneh attack, 2003 [1]
    • Attack on the RSA implementation of OpenSSL
    • [1] won the best paper award at USENIX Security '03.

5
Why do people care?
  • The security of RSA depends on the difficulty of
    factoring the public modulus N
  • OpenSSL applications are popular
  • Timing attacks can break simple devices such as
    smartcards; do they also work in complex
    environments such as a network?

6
Implementation of OpenSSL
  • RSA with CRT speedup
  • Computation library: how the exponentiation,
    modular reduction and multiplication operations
    are implemented

7
RSA quick review
  • Multi-prime RSA key generation algorithm
  • 1. Select $k$ primes $p_1, p_2, \ldots, p_k$
  • 2. Let $n = \prod_{i=1}^{k} p_i$
  • 3. Let $\phi(n) = \prod_{i=1}^{k} (p_i - 1)$
  • 4. Choose $e$ s.t. $\gcd(e, \phi(n)) = 1$
  • 5. Calculate $d = e^{-1} \pmod{\phi(n)}$
  • 6. Public key $(e, n)$ and private key $(d, n)$
  • Encryption $c = m^e \bmod n$; decryption $m = c^d \bmod n$

8
Chinese Remainder Theorem
  • $n = n_1 n_2 \cdots n_k$ with $\gcd(n_i, n_j) = 1$ when $i \ne j$
  • The system of congruences
  • $x \equiv x_1 \pmod{n_1}, \ldots, x \equiv x_k \pmod{n_k}$
  • has a simultaneous solution $x$ to all of the
    congruences, and there exists exactly one
    solution $x$ between 0 and $n - 1$.

9
Speedup RSA with CRT
  • Any message $M < N$ is uniquely represented by the
    tuple $(M_P, M_Q)$, where
  • $M_P = M \bmod P$ and $M_Q = M \bmod Q$.
  • $C_P = C \bmod P$ and $C_Q = C \bmod Q$.
  • $D_P = D \bmod (P-1)$ and $D_Q = D \bmod (Q-1)$
  • $R_P = Q^{P-1} \bmod N$ and $R_Q = P^{Q-1} \bmod N$
    (by Fermat, $R_P \equiv 1 \pmod P$ and $R_P \equiv 0 \pmod Q$;
    symmetrically for $R_Q$)
  • $M_P = C_P^{D_P} \bmod P$ and $M_Q = C_Q^{D_Q} \bmod Q$
  • $S_P = M_P R_P \bmod N$ and $S_Q = M_Q R_Q \bmod N$
  • $M = S_P + S_Q$. If $M \ge N$ then $M = M - N$.
  • [3]
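
The following Python is an added worked example, not code from the slides or from [1] or [3]. It implements the key generation of slide 7, the recombination of slide 8 and the CRT decryption of slide 9, written for k primes so that slide 9's two-prime formulas are the k = 2 case. The function names (keygen, crt_table, decrypt_crt, crt_matches_plain) are this example's own; the textbook key p = 61, q = 53, e = 17 (so d = 2753) and the three small primes in the demo are chosen here so the numbers can be checked by hand and carry no security.

```python
import math

def keygen(primes, e=65537):
    """Slide 7: n = prod(p_i), phi(n) = prod(p_i - 1), d = e^-1 mod phi(n).
    Returns the public key (e, n) and the private key (d, n)."""
    if len(set(primes)) != len(primes):
        raise ValueError("primes must be distinct")
    n = math.prod(primes)
    phi = math.prod(p - 1 for p in primes)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (e, n), (pow(e, -1, phi), n)

def crt_table(primes, d):
    """Slide 9 written for k primes: for each p_i keep D_i = d mod (p_i - 1) and
    R_i = (n / p_i)^(p_i - 1) mod n. By Fermat, R_i = 1 (mod p_i) and R_i = 0 (mod p_j)
    for j != i, so R_i picks out the p_i component exactly as the CRT of slide 8
    requires. With k = 2 these are D_P, D_Q, R_P = Q^(P-1) mod N and R_Q = P^(Q-1) mod N."""
    n = math.prod(primes)
    return [(p, d % (p - 1), pow(n // p, p - 1, n)) for p in primes]

def decrypt_crt(c, table):
    """M = sum_i S_i with S_i = M_i R_i mod N and M_i = C_i^(D_i) mod p_i.
    For k = 2 the final reduction is slide 9's single 'if M >= N then M = M - N'."""
    n = math.prod(p for p, _, _ in table)
    m = 0
    for p, d_p, r_p in table:
        m_p = pow(c % p, d_p, p)         # C_P = C mod P, M_P = C_P^(D_P) mod P
        m += m_p * r_p % n               # S_P = M_P R_P mod N
    return m % n

def crt_matches_plain(primes, e, messages):
    """Check decrypt_crt against the plain c^d mod n and the original message."""
    (e, n), (d, _) = keygen(primes, e)
    table = crt_table(primes, d)
    for m in messages:
        c = pow(m, e, n)
        got = decrypt_crt(c, table)
        if got != pow(c, d, n) or got != m:
            return False
    return True

if __name__ == "__main__":
    # Textbook key p = 61, q = 53, e = 17 gives d = 2753; m = 65 encrypts to c = 2790.
    (e, n), (d, _) = keygen([61, 53], e=17)
    table = crt_table([61, 53], d)
    print("d =", d, " R_P =", table[0][2], " R_Q =", table[1][2])
    print("decrypt_crt(2790) =", decrypt_crt(2790, table))
    print("3-prime key agrees with plain RSA:",
          crt_matches_plain([101, 103, 107], 65537, range(0, 101 * 103 * 107, 7919)))
```

Computing R_P as Q^(P-1) mod N is the slide's formulation; production code precomputes the equivalent coefficient Q * (Q^-1 mod P) instead, which is what makes the CRT path cheaper than a full exponentiation mod N in the first place.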

10
Operations needed for Decryption
  • Computing $c^d \bmod p$ and $xy \bmod p$ requires
    • Multiplication routines
      • Normal (unequal-length operands)
      • Karatsuba (equal-length operands), faster
    • Exponentiation
      • Sliding windows
    • Modular reduction
      • Montgomery
  • The key relevant fact is the extra reduction

11
What causes time variance?
  • Montgomery reduction
    • Given $g$, calculate $g \bmod q$ (with Montgomery
      radix $R > q$)
    • The probability of an extra reduction is
      $P[\text{extra step}] \approx (g \bmod q) / 2R$
  • Choice of multiplication routine
    • To calculate $x g \bmod q$: if $x$ has the same
      length as $(g \bmod q)$, use Karatsuba,
      $O(n^{\log_2 3})$
    • Otherwise use Normal, $O(nm)$

12
Summary of time variance

                          g < q      g > q
  Montgomery effect       Longer     Shorter
  Multiplication effect   Shorter    Longer

g is the decryption value. Each effect is dominant at a different phase.
13
Time Attack on OpenSSL(1/4)
  • Assume $N = pq$ with $q < p$.
  • Goal: approximations approaching $q$
  • Idea: make an initial guess and refine it by
    learning bits one at a time, from the most
    significant.

14
Time Attack on OpenSSL(2/4)
  • Initial guess $g$ of $q$ lies between $2^{511}$ and
    $2^{512}$ ($q$ is the smaller of the two 512-bit
    primes of a 1024-bit $N$, so $q < \sqrt{N}$)
  • Try all the combinations of the top few bits
  • Time the decryptions and pick the first peak as the
    guess for $q$ (after all, we at least know the first
    bit is 1)

15
Time Attack on OpenSSL(3/4)
  • Suppose bits 1 to $i-1$ of $g$ equal those of $q$,
    and all lower bits of $g$ are 0
  • Recover the $i$th bit of $q$ as follows
  • (1) $g_{hi} = g$, but with the $i$th bit set to 1.
    • If the $i$th bit of $q$ is 1 then $g < g_{hi} \le q$,
    • else $g < q < g_{hi}$.
  • (2) $u_g = g R^{-1} \bmod N$, $u_{g_{hi}} = g_{hi} R^{-1} \bmod N$
    (so that the Montgomery form of $u_g$ modulo $q$ is $g$ itself)
  • (3) $t_1 = \mathrm{DecryptTime}(u_g)$, $t_2 = \mathrm{DecryptTime}(u_{g_{hi}})$.
  • (4) $\Delta = t_1 - t_2$.
    • If $\Delta$ is large then $g < q < g_{hi}$ and the
      $i$th bit of $q$ is 0,
    • otherwise the bit is 1.

16
Time Attack on OpenSSL(4/4)
  • We know what is "large" and "small" from the attack
    on the previous bits.
  • Decrypting just $g$ does not work because of
    sliding windows
  • Decrypt a neighborhood of values near $g$, and use
    $T_g = \sum_i T_{g+i}$
  • This increases the difference between large and
    small values, thus a larger 0-1 gap
  • Only the top half of the bits of $q$ need to be
    recovered
  • Attack requires only 2 hours, about 1.4 million
    queries
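
What follows is an added simulation, written for this page and not taken from the slides or from [1], of the mechanism behind slides 11 to 16. A Montgomery multiplication reports whether it took the extra reduction; a "decryption time" oracle counts those extra reductions across both CRT halves of a toy key with 128-bit p and q (generated inside the script, with K = 128 and R = 2^128 standing in for the 512-bit primes and Montgomery radix of a 1024-bit key); extra_reduction_rate checks slide 11's estimate (g mod q)/2R directly; and recover_top_bits runs the guess-and-refine loop of slides 14 to 16 against the oracle. Simplifications to keep in mind: the exponentiation is plain square-and-multiply rather than OpenSSL's sliding windows, the only "noise" is the data-dependent reduction counts themselves (no network jitter, so no repeated sampling is needed), and the toy primes have their top two bits set so that q/(2R) is at least 3/8 and the gap is wide. All names (mont_mul, extra_reductions, extra_reduction_rate, decrypt_time, recover_top_bits, demo) are this example's own.

```python
import math
import random

K = 128            # bit length of p and q in this toy model (512 for a 1024-bit key)
R = 1 << K         # Montgomery radix, R > p, q

def mont_mul(a, b, n, n_inv_neg):
    """Montgomery product a*b*R^-1 mod n for 0 <= a, b < n < R, n odd. Returns
    (result, extra_reduction_taken): the conditional subtraction is the timing leak."""
    t = a * b
    m = (t * n_inv_neg) & (R - 1)          # m = t * (-n^-1) mod R
    u = (t + m * n) >> K                   # exact division by R, 0 <= u < 2n
    return (u - n, True) if u >= n else (u, False)

def extra_reductions(c, d, n):
    """Extra reductions while computing c^d mod n by Montgomery square-and-multiply.
    This count stands in for the decryption time; the result itself is not needed."""
    n_inv_neg = (-pow(n, -1, R)) % R
    cbar = c * R % n                       # Montgomery form of the base
    acc, count = R % n, 0                  # Montgomery form of 1
    for bit in bin(d)[2:]:
        acc, x = mont_mul(acc, acc, n, n_inv_neg)
        count += x
        if bit == "1":
            acc, x = mont_mul(acc, cbar, n, n_inv_neg)
            count += x
    return count

def extra_reduction_rate(g, q, samples=20000, seed=0):
    """Slide 11: fraction of Montgomery products x*g (x uniform in [0, q)) that take
    the extra reduction. Schindler's estimate for this is (g mod q) / (2R)."""
    rng, q_inv_neg = random.Random(seed), (-pow(q, -1, R)) % R
    return sum(mont_mul(rng.randrange(q), g % q, q, q_inv_neg)[1] for _ in range(samples)) / samples

def is_probable_prime(n, rng, rounds=40):  # Miller-Rabin, only used to build the toy key
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_key(rng, e=65537):
    """Two K-bit primes with both top bits set (keeps q/(2R) >= 3/8, so the toy oracle's
    gap is wide). Returns (p, q, d_p, d_q) with q < p, as slide 13 assumes."""
    def prime():
        while True:
            cand = rng.getrandbits(K) | (3 << (K - 2)) | 1
            if is_probable_prime(cand, rng):
                return cand
    while True:
        q, p = sorted((prime(), prime()))
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            d = pow(e, -1, phi)
            return p, q, d % (p - 1), d % (q - 1)

def decrypt_time(c, p, q, d_p, d_q):
    """Simulated DecryptTime(c): extra reductions of both CRT halves of c^d mod N."""
    return extra_reductions(c % p, d_p, p) + extra_reductions(c % q, d_q, q)

def recover_top_bits(N, oracle, nbits, k=4, width=64):
    """Slides 14-16: brute-force the top k bits of q, then learn one bit at a time from
    the most significant, timing a neighbourhood of `width` values around each guess."""
    r_inv = pow(R, -1, N)
    def T(g):          # T_g = sum of DecryptTime(u_x) for x in [g, g+width), u_x = x R^-1 mod N
        return sum(oracle(x * r_inv % N) for x in range(g, g + width))
    # Slide 14: time every k-bit prefix with a leading 1 (plus 2^K - 1, which lies above q)
    # and take the first peak: T is high just below q and drops once a guess passes q.
    prefixes = [(1 << (k - 1)) | j for j in range(1 << (k - 1))]
    times = [T(pfx << (K - k)) for pfx in prefixes] + [T((1 << K) - 1)]
    drops = [times[j] - times[j + 1] for j in range(len(prefixes))]
    j = next(i for i, dr in enumerate(drops) if dr > max(drops) / 3)   # first big drop, not a later one past p
    g = prefixes[j] << (K - k)
    # Both CRT halves see the residue g (g < q < p), so T(g) - T(1) is about twice the drop
    # that the q half alone shows when a guess passes q; a quarter of it separates "large".
    large = (times[j] - T(1)) / 4
    for i in range(k, nbits):                # slide 15: bit i, counting from the top (i = 0)
        g_hi = g | (1 << (K - 1 - i))        # same prefix as g, bit i set to 1
        delta = T(g) - T(g_hi)
        if delta <= large:                   # small gap: g < g_hi <= q, bit i of q is 1
            g = g_hi                         # large gap: g < q < g_hi, bit i is 0, keep g
    return g >> (K - nbits)

def demo(seed=2024, nbits=12):
    """Toy key plus simulated oracle; returns (recovered top bits of q, true top bits of q)."""
    p, q, d_p, d_q = make_key(random.Random(seed))
    oracle = lambda c: decrypt_time(c, p, q, d_p, d_q)   # all the attacker ever observes
    return recover_top_bits(p * q, oracle, nbits), q >> (K - nbits)

if __name__ == "__main__":
    got, real = demo()
    print(f"recovered top bits of q: {got:012b}   true: {real:012b}")
```

Running the script recovers the top 12 bits of q from nothing but the oracle's counts. The two effects of slide 12 are visible in the oracle: while g < q the residue seen by the q half is g itself, so the multiply steps take an extra reduction with probability about g/(2R); as soon as a guess passes q the residue collapses to g - q and that contribution vanishes, which is the drop the attack looks for. Against a real server the same decision rule has to be made over noisy wall-clock measurements, which is why [1] averages several samples per ciphertext and uses neighbourhoods of hundreds of values rather than the 64 used here.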

17
Real World Attack(1/2)
  • Discusses an attack on SSL applications such as an
    Apache web server with mod_SSL.
  • During the handshake, the SSL server performs an RSA
    decryption of the CLIENT-KEY-EXCHANGE message (sent
    by the client) using its private key. The goal is
    to recover this private key.
  • After decryption, the server checks the PKCS #1
    padding bytes and sends an error message back to
    the client if the check fails. The client can then
    send another message to the server, which will also
    be decrypted there.

18
Real World Attack(2/2)
  1. Attack client -> SSL server: ClientHello
  2. SSL server -> attack client: ServerHello (sends the public key)
  3. Attack client: record time t1, then send the guess u_g or u_ghi
     as the message the server will decrypt
  4. SSL server -> attack client: Alert (padding check fails)
  5. Attack client: record time t2; DecryptTime(u_ghi) = t2 - t1
19
Experiments (1/5) [1]
  • Test the effect of increasing the number of
    decryption requests on how reliably a single bit of
    q is recovered. Two parameters: neighborhood size
    (n) and sample size (s). The number of queries per
    guess is s·n.

Using a sample size of 7 and a neighborhood of 400,
the attack uses 1,433,600 queries in total. Attack time
(on a 1024-bit key) is about 2 hours.
20
Experiments (2/5) [1]
  • Architecture effects: compare two versions of a
    program making local calls to OpenSSL, regular
    and extra-inst (6 additional nops before the
    decryption).
  • Explanation: different cache behaviour, with a
    load-miss rate of 0.139 for regular and 0.151 for
    extra-inst.

21
Experiments (3/5) [1]
  • Compile-time effects
  • Optimized (-O3 -fomit-frame-pointer -mcpu=pentium)
  • No Pentium flag (-O3 -fomit-frame-pointer)
  • Unoptimized (-g)

22
Experiments (4/5) [1]
  • Source-based optimizations: implemented a minor
    patch that improves the efficiency of the CRT
    decryption check.

23
Experiments (5/5) [1]
  • Attacking SSL applications on the local network

24
Preconditions and Defenses
  • Preconditions
    • OpenSSL's timing defense (blinding) is not enabled
    • The response time is not fixed
  • Defenses
    • Use only one multiplication routine and always
      carry out the extra reduction in Montgomery's
      algorithm
    • Quantize all RSA computations
    • Blinding (currently preferred)

25
Blinding Defenses [1]
  • Blinding: before decryption compute $x = r^e g \bmod N$,
    where $g$ is the ciphertext and $r$ is random. Then
    decrypt $x$, and divide the result by $r$ (since
    $x^d = r \cdot g^d \bmod N$). Incurs a 2-10% performance
    penalty.
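
An added illustration of slide 25's blinding in Python, not from the slides or from [1], on the textbook key p = 61, q = 53 (N = 3233, e = 17, d = 2753). The slide's g is the ciphertext, written c here; the function names blind, decrypt_blinded and blinding_hides_input are this example's own, and r is passed in explicitly so the arithmetic can be checked, whereas a real implementation draws a fresh random r for every decryption.

```python
import math

# Textbook key (p = 61, q = 53): N = 3233, e = 17, d = 2753; the arithmetic is the
# same for a real 1024-bit modulus.
N, E, D = 3233, 17, 2753

def blind(c, r, n=N, e=E):
    """x = r^e c mod N: the value the private-key routine actually exponentiates."""
    if math.gcd(r, n) != 1:
        raise ValueError("r must be invertible mod N")
    return pow(r, e, n) * c % n

def decrypt_blinded(c, r, n=N, e=E, d=D):
    """Slide 25: decrypt x = r^e c mod N instead of c, then divide by r.
    x^d = r^(ed) c^d = r c^d (mod N), so x^d r^-1 = c^d = m."""
    x = blind(c, r, n, e)
    y = pow(x, d, n)                     # the only exponentiation an attacker can time
    return y * pow(r, -1, n) % n

def blinding_hides_input(c, factors, n=N, e=E, d=D):
    """True if every blinding factor r yields the right plaintext while the value
    exponentiated differs from c: an attacker's chosen u_g no longer fixes the
    residue that is reduced modulo q, which is what slides 15-16 rely on."""
    m = pow(c, d, n)
    return all(decrypt_blinded(c, r, n, e, d) == m and blind(c, r, n, e) != c
               for r in factors)

if __name__ == "__main__":
    c = pow(65, E, N)                    # 2790
    print(decrypt_blinded(c, r=7), [blind(c, r) for r in (2, 3, 7)])
    coprime = [r for r in range(2, N) if math.gcd(r, N) == 1]
    print(blinding_hides_input(c, coprime))
```

The check in blinding_hides_input is what matters for the attack: with a fresh r the Montgomery residue the server reduces modulo q is r^e c, which the attacker neither chooses nor learns, so the timing of one decryption no longer tells whether the attacker's g lies below or above q.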

26
References
  • [1] David Brumley and Dan Boneh, "Remote Timing
    Attacks are Practical", 2003
  • [2] Paul C. Kocher, "Timing Attacks on
    Implementations of Diffie-Hellman, RSA, DSS, and
    Other Systems", 1996
  • [3] Johann Großschädl, "The Chinese Remainder
    Theorem and its Application in a High-Speed RSA
    Crypto Chip"
  • [4] http://www.rsasecurity.com/rsalabs/challenges/factoring/numbers.html