Remote Timing Attacks are Practical

1
Remote Timing Attacks are Practical
David Brumley, Dan Boneh CS Department, Stanford
University USENIX Security Symposium, 2003
2
Introduction

• Side-channel attacks
• Power analysis
• Electromagnetic radiation
• Timing attacks analyze the dependency of
  response time on input to discover private
  information.
• Attacks 1 and 2 require special equipment and
  physical access to the machine.

3
Scope of Timing Attacks

• Timing attacks were used to hack smartcards and
  other simple devices. They are difficult to use
  in a complex environment.
• This paper shows a way to attack OpenSSL in
  various environments
• Network 2 machines connected through 3 routers
  and a number of switches
• Interprocess
• Virtual Machines

4
OpenSSLs Implementation of RSA

• Decryption mcd mod N where d is private key, c
  is ciphertext, Npq.
• Use CRT to compute this m1cd1 mod p and m2cd2
  mod q, then combine m1 and m2.
• Goal of attack get d. Can be done if we know p
  and q. Therefore, we are looking for a
  factorization of N.

5
Exponentiation

• How to compute gd mod q for some g,d, and q.
• Square and multiply
• Sliding windows process a number of bits of d
  per iteration. Requires some precomputing.
• Key fact about exponentiation the number of
  times when a multiplication by g occurs depends
  on the bits of q.
• Timing attack on sliding windows is much harder
  than that on square and multiply.

6
Montgomery Reduction

• Computing xy mod q is done by first multiplying x
  and y and then reducing the result modulo q.
• Naïve method divide and take remainder.
• Montgomery reduction more sophisticated. Key
  fact sometimes it requires and extra reduction.
  Prextra reduction(g mod q)/2R.

7
Multiplication Routines

• Karatsuba takes O(n1.58), used to multiply two
  numbers of equal number of words.
• Normal takes O(nm), used to multiply numbers
  with an unequal number of words.

8
Comparison of Timing Differences

• Two sources of timing differences extra
  reduction in a Montgomery reduction and choice of
  multiplication routine. Unfortunately, they
  compensate each other.
• As g approaches a multiple of q from below, the
  number of extra reduction increases and
  dramatically drops once ggtq.
• When g is almost as big as q, Karatsuba is used
  mostly. But when g becomes greater than q, g mod
  q is very small and normal algorithm is used
  mostly.

9
A Timing Attack on OpenSSL (1/2)

• Basic idea make initial guess and refine it by
  learning bits one at a time, from most
  significant.
• Initialization make initial guess g of q lying
  between 2512 and 2511. Then try all possible
  combinations of the top few bits. We will get two
  picks one for p, another for q. Pick the first
  peak.

10
A Timing Attack on OpenSSL (2/2)

• Suppose we have recovered i-1 bits of q. Let us
  set all remaining bits of g to 0. We recover ith
  bit of q as follows
• ghi same as g with ith bit set to 1. If ith
  bit of q is 1 then gltghiltq, else gltqltghi.
• uggR-1 mod N, ughighiR-1 mod N
• Measure t1DecrtyptTime(ug), t2DecryptTime(ughi).
  
• Dt1-t2. If D is large then gltqltghi and ith
  bit of q is 1, otherwise the bit is 0.
• When D is large, it can be either positive or
  negative, depending on whether Montgomery
  reduction or multiplication dominates.

11
Exponentiation Revisited

• We want tg1-tg2gtgttg3-tg4 when g1ltqltg2 and
  g3ltg4ltq. Multiplication by sliding windows makes
  the difference subtle.
• Solution query a neighborhood of values g, g1,
  g2. and take sum of the times.

12
Real-world Scenarios

• We discuss an attack on SSL applications such as
  stunnel and an Apache web server with mod_SSL.
• During the handshake, SSL server performs RSA
  decryption of CLIENT-KEY-EXCHANGE message (sent
  by client) using its private key. We want to get
  this key.
• After decryption, the server checks PKCS 1 padded
  random bytes and sends an error message back to
  client in case of an error. The client can send
  another message to the server that will be
  decrypted there.

13
Experiments (1/5)

• Test the effects on increasing the number of
  decryption requests required to recover a single
  bit of q reliably. Two parameters neighborhood
  size (n) and sample size (s). Total number of
  queries is sn.

• We used sample size of 7 and neighborhood of 400,
  1433600 total queries. Attack time is about 2
  hours.

14
Experiments (2/5)

• Architecture effects compare two versions of a
  program making local calls to OpenSSL regular
  and extra-inst with 6 additional nops before
  decryption.

• Explanation different cache hit rate 0.139 of
  load misses for normal and 0.151 for
  extra-inst.

15
Experiments (3/5)

• Compile-time effects
• Optimized (-O3 fomit_frame_pointer
  mcpupentium)
• No Pentium flag (-O3 fomit_frame_pointer)
• Unoptimized (-g).

16
Experiments (4/5)

• Source-based optimizations implemented a minor
  patch that improves the efficiency of of CRT
  decryption check.

17
Experiments (5/5)

• Attacking SSL applications on the local network

18
Defenses (1/2)

• Blinding before decryption compute xreg mod N,
  where r is random. Then decrypt x, then compute
  x/r. Incurs 2-10 penalty.

19
Defenses (2/2)

• Make all RSA decryptions not dependent upon the
  input ciphertext. Use one multiplication routine
  and always carry out extra reduction in
  Montgomerys algorithm.
• Require all RSA computations to be quantized.
  Matt Blazes quantize library is an example of
  this approach.
• Currently preferred method blinding.