
2016 | Original Paper | Book Chapter

CacheBleed: A Timing Attack on OpenSSL Constant Time RSA

Authors: Yuval Yarom, Daniel Genkin, Nadia Heninger

Published in: Cryptographic Hardware and Embedded Systems – CHES 2016

Publisher: Springer Berlin Heidelberg


Abstract

The scatter-gather technique is a commonly implemented approach to prevent cache-based timing attacks. In this paper we show that scatter-gather is not constant time. We implement a cache timing attack against the scatter-gather implementation used in the modular exponentiation routine in OpenSSL version 1.0.2f. Our attack exploits cache-bank conflicts on the Sandy Bridge microarchitecture. We have tested the attack on an Intel Xeon E5-2430 processor. For 4096-bit RSA our attack can fully recover the private key after observing 16,000 decryptions.


Footnotes
2
For clarity, the presented histograms show the envelope of the measured data.
 
Metadata
Title
CacheBleed: A Timing Attack on OpenSSL Constant Time RSA
Authors
Yuval Yarom
Daniel Genkin
Nadia Heninger
Copyright year
2016
Publisher
Springer Berlin Heidelberg
DOI
https://doi.org/10.1007/978-3-662-53140-2_17
