
A Vulnerability in RSA Implementations Due to Instruction Cache Analysis and Its Demonstration on OpenSSL

  • Conference paper
Topics in Cryptology – CT-RSA 2008 (CT-RSA 2008)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 4964)

Abstract

MicroArchitectural Analysis (MA) techniques, more specifically Simple Branch Prediction Analysis (SBPA) and Instruction Cache Analysis, can disclose the entire execution flow of a software-implemented cryptosystem ([5,2]). In this paper we show that one can completely break RSA in the original unpatched OpenSSL version (v.0.9.8e) even if the most secure configuration is in place, including all countermeasures against side-channel and MicroArchitectural analysis (in particular, base blinding). We also discuss (known) countermeasures that prevent this attack.

In the first step we apply an instruction cache attack to reveal which Montgomery operations require extra reductions. To exploit this information we model the timing behavior of the modular exponentiation algorithm as a stochastic process. Its analysis provides the optimal guessing strategy, which reveals the secret key (mod p_1) and finally the factorization of the RSA modulus n = p_1 p_2. For the instruction cache attack we used a spy process embedded in the target process (OpenSSL), which clearly facilitates the experimental part. This simplification does not, however, nullify our results, since in cache attacks the empirical results from embedded spy processes and from (suitably implemented) stand-alone spy processes are very close to each other [16] and, moreover, our guessing strategy is fault-tolerant. Interestingly, the second step of our attack is related to that of a particular combined power and timing attack on smart cards [23] (see also [27,22]).
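The leak the preceding paragraph describes, and one of the known countermeasures, as an added illustration (this is not code from the paper and not OpenSSL's): a textbook Montgomery multiplication whose conditional final subtraction is the data-dependent code path an instruction cache spy observes, a simulation of the extra-reduction probabilities from the stochastic model of [26,23] on which the guessing strategy builds, and the no-final-subtraction variant of [28,13] that removes the branch altogether. The 64-bit modulus N64, the RNG seeds and the sample sizes are constructed for the demonstration, and all function names are ours.

```python
"""Montgomery multiplication: the extra-reduction leak and a known fix.

Added illustration for the abstract above, not code from the paper or from
OpenSSL. The 64-bit modulus, the RNG seeds and the sample sizes are
constructed for the demonstration; a real RSA prime p_1 is far larger.
"""
import random

N64 = (1 << 64) - 59   # constructed odd modulus standing in for the prime p_1


def mont_params(n, slack_bits=0):
    """Return (k, R, n') with R = 2^k, R > n * 2^slack_bits and n' = -n^-1 mod R."""
    k = n.bit_length() + slack_bits
    R = 1 << k
    return k, R, (-pow(n, -1, R)) % R


def mont_mul_leaky(a, b, n, k, R, n_prime):
    """Textbook REDC: a*b*R^-1 mod n, returned with the extra-reduction flag.

    The data-dependent branch is the leak the paper exploits: an instruction
    cache spy learns whether the subtraction code was executed.
    """
    t = a * b
    m = ((t & (R - 1)) * n_prime) & (R - 1)
    u = (t + m * n) >> k                      # exact: t + m*n is divisible by R
    extra = u >= n
    if extra:                                 # conditional "extra reduction"
        u -= n
    return u, extra


def extra_reduction_rates(n, b, trials=40000, seed=1):
    """Observed P(extra reduction) for MM(x, b) and MM(x, x), x uniform in [0, n),
    next to the stochastic model of [26]: b/(2R) for a fixed factor b, n/(3R)
    for squaring. The two differ, which is what makes the observed pattern of
    extra reductions depend on the exponent bits."""
    k, R, n_prime = mont_params(n)
    rng = random.Random(seed)
    mul_hits = sq_hits = 0
    for _ in range(trials):
        x = rng.randrange(n)
        mul_hits += mont_mul_leaky(x, b, n, k, R, n_prime)[1]
        sq_hits += mont_mul_leaky(x, x, n, k, R, n_prime)[1]
    return {"mul_observed": mul_hits / trials, "mul_model": b / (2 * R),
            "sq_observed": sq_hits / trials, "sq_model": n / (3 * R)}


def model_fits(n, b, tol=0.02):
    """True when both observed rates are within tol of the model."""
    r = extra_reduction_rates(n, b)
    return (abs(r["mul_observed"] - r["mul_model"]) < tol
            and abs(r["sq_observed"] - r["sq_model"]) < tol)


def mont_mul_nofinal(a, b, n, k, R, n_prime):
    """REDC with no final subtraction at all (Walter [28], Hachez-Quisquater [13]).

    Requires R >= 4n and a, b < 2n. Then (a*b + m*n)/R < 4n^2/R + n <= 2n, so
    the output stays below 2n and no data-dependent code path exists.
    """
    t = a * b
    m = ((t & (R - 1)) * n_prime) & (R - 1)
    return (t + m * n) >> k


def mont_exp_nofinal(x, e, n):
    """x^e mod n with residues kept in [0, 2n) and one reduction at the end."""
    k, R, n_prime = mont_params(n, slack_bits=2)   # R = 2^(bits+2) >= 4n
    acc = R % n                                     # Montgomery form of 1
    xm = (x * R) % n                                # Montgomery form of x
    for bit in bin(e)[2:]:                          # MSB first
        acc = mont_mul_nofinal(acc, acc, n, k, R, n_prime)
        if bit == "1":   # exponent-bit branch: a separate leak (SBPA, [5,6])
            acc = mont_mul_nofinal(acc, xm, n, k, R, n_prime)
    return mont_mul_nofinal(acc, 1, n, k, R, n_prime) % n


def nofinal_bound_holds(n, trials=10000, seed=2):
    """Check the 2n bound of mont_mul_nofinal on random inputs below 2n."""
    k, R, n_prime = mont_params(n, slack_bits=2)
    rng = random.Random(seed)
    return all(mont_mul_nofinal(rng.randrange(2 * n), rng.randrange(2 * n),
                                n, k, R, n_prime) < 2 * n
               for _ in range(trials))


if __name__ == "__main__":
    print(extra_reduction_rates(N64, N64 - 12345))
    print(mont_exp_nofinal(123456789, 987654321, N64)
          == pow(123456789, 987654321, N64))
```

Run with python3: the first line printed puts the observed extra-reduction rates next to the model values for a fixed factor close to n and for squaring, the second confirms the branch-free exponentiation against pow(). Which countermeasure OpenSSL's patch ([31]) adopted is not stated on this page; the branch-free variant shown is the one described in [28] and [13]. The exponent-bit branch in mont_exp_nofinal is itself a branch-prediction leak [5,6] and would need a fixed-window or ladder exponentiation in production code.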

Before we published our result [1] we informed the OpenSSL development team, who included a patch in the stable branch of v.0.9.7e ([31,32]), and CERT, which informed software vendors ([33,34,35]). In particular, this countermeasure is included in version 0.9.8f, the current release at the time of writing. We have only analyzed OpenSSL, so we currently do not know how other cryptographic libraries fare.


References

  1. Acıiçmez, O., Schindler, W.: A Major Vulnerability in RSA Implementations due to MicroArchitectural Analysis Threat. Cryptology ePrint Archive, Report 2007/336 (August 2007)

  2. Acıiçmez, O.: Yet Another MicroArchitectural Attack: Exploiting I-cache. In: ACM Workshop on Computer Security Architecture, pp. 11–18. ACM Press, New York (2007)

  3. Acıiçmez, O., Seifert, J.-P.: Cheap Hardware Parallelism Implies Cheap Security. In: 4th Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2007), pp. 80–91. IEEE Computer Society, Los Alamitos (2007)

  4. Acıiçmez, O., Gueron, S., Seifert, J.-P.: New Branch Prediction Vulnerabilities in OpenSSL and Necessary Software Countermeasures. In: Galbraith, S.D. (ed.) Cryptography and Coding 2007. LNCS, vol. 4887, pp. 185–203. Springer, Heidelberg (2007); Cryptology ePrint Archive, Report 2007/039 (February 2007)

  5. Acıiçmez, O., Koç, Ç.K., Seifert, J.-P.: On the Power of Simple Branch Prediction Analysis. In: Deng, R., Samarati, P. (eds.) ACM Symposium on Information, Computer and Communications Security (ASIACCS 2007), pp. 312–320 (2007); Cryptology ePrint Archive, Report 2006/351 (October 2006)

  6. Acıiçmez, O., Koç, Ç.K., Seifert, J.-P.: Predicting Secret Keys via Branch Prediction. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 225–242. Springer, Heidelberg (2006); Cryptology ePrint Archive, Report 2006/288 (August 2006)

  7. Acıiçmez, O., Schindler, W., Koç, Ç.K.: Cache Based Remote Timing Attack on the AES. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 271–286. Springer, Heidelberg (2006)

  8. Acıiçmez, O., Schindler, W., Koç, Ç.K.: Improving Brumley and Boneh Timing Attack on Unprotected SSL Implementations. In: Meadows, C., Syverson, P. (eds.) Proceedings of the 12th ACM Conference on Computer and Communications Security, pp. 139–146. ACM Press, New York (2005)

  9. Bernstein, D.J.: Cache-timing attacks on AES. Technical Report, 37 pages (April 2005), http://cr.yp.to/antiforgery/cachetiming-20050414.pdf

  10. Brumley, D., Boneh, D.: Remote Timing Attacks are Practical. In: Proceedings of the 12th USENIX Security Symposium, pp. 1–14 (2003)

  11. Dhem, J.-F., Koeune, F., Leroux, P.-A., Mestré, P.-A., Quisquater, J.-J., Willems, J.-L.: A Practical Implementation of the Timing Attack. In: Schneier, B., Quisquater, J.-J. (eds.) CARDIS 1998. LNCS, vol. 1820, pp. 175–191. Springer, Heidelberg (2000)

  12. Gueron, S.: Enhanced Montgomery Multiplication. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 46–56. Springer, Heidelberg (2003)

  13. Hachez, G., Quisquater, J.-J.: Montgomery Exponentiation with no Final Subtractions: Improved Results. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 91–100. Springer, Heidelberg (2000)

  14. Kocher, P.C., Jaffe, J.M.: Secure Modular Exponentiation with Leak Minimization for Smartcards and other Cryptosystems. United States Patent No. US 6,298,442 B1 (October 2001)

  15. Menezes, A.J., van Oorschot, P.C., Vanstone, S.C.: Handbook of Applied Cryptography. CRC Press, New York (1997)

  16. Neve, M.: Cache-based Vulnerabilities and SPAM Analysis. Ph.D. Thesis, Applied Science, UCL (July 2006)

  17. Neve, M., Seifert, J.-P.: Advances on Access-driven Cache Attacks on AES. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 147–162. Springer, Heidelberg (2007)

  18. Osvik, D.A., Shamir, A., Tromer, E.: Cache Attacks and Countermeasures: The Case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006)

  19. Page, D.: Theoretical Use of Cache Memory as a Cryptanalytic Side-Channel. Technical Report, Department of Computer Science, University of Bristol (June 2002)

  20. Percival, C.: Cache missing for fun and profit. BSDCan 2005, Ottawa (2005), http://www.daemonology.net/hyperthreading-considered-harmful/

  21. Schindler, W.: On the Optimization of Side-Channel Attacks by Advanced Stochastic Methods. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 85–103. Springer, Heidelberg (2005)

  22. Schindler, W., Walter, C.D.: More Detail for a Combined Timing and Power Attack against Implementations of RSA. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898, pp. 245–263. Springer, Heidelberg (2003)

  23. Schindler, W.: A Combined Timing and Power Attack. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 263–279. Springer, Heidelberg (2002)

  24. Schindler, W.: Optimized Timing Attacks against Public Key Cryptosystems. Statistics and Decisions 20, 191–210 (2002)

  25. Schindler, W., Koeune, F., Quisquater, J.-J.: Improving Divide and Conquer Attacks Against Cryptosystems by Better Error Detection / Correction Strategies. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 245–267. Springer, Heidelberg (2001)

  26. Schindler, W.: A Timing Attack against RSA with the Chinese Remainder Theorem. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 110–125. Springer, Heidelberg (2000)

  27. Walter, C.D., Thompson, S.: Distinguishing Exponent Digits by Observing Modular Subtractions. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 192–207. Springer, Heidelberg (2001)

  28. Walter, C.D.: Montgomery exponentiation needs no final subtractions. IEE Electronics Letters 35(21), 1831–1832 (1999)

  29. Walter, C.D.: Montgomery’s Multiplication Technique: How to Make It Smaller and Faster. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 80–93. Springer, Heidelberg (1999)

  30. http://www.ntt.co.jp/news/news06e/0611/061108a.html

  31. OpenSSL CVS change 16275, http://cvs.openssl.org/chngview?cn=16275

  32. OpenSSL snapshots, ftp://ftp.openssl.org/snapshot/

  33. CVE-2007-3108, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108

  34. CERT, http://www.cert.org/

  35. US-CERT Vulnerability Note VU#724968, http://www.kb.cert.org/vuls/id/724968

Editor information

Tal Malkin

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Acıiçmez, O., Schindler, W. (2008). A Vulnerability in RSA Implementations Due to Instruction Cache Analysis and Its Demonstration on OpenSSL. In: Malkin, T. (eds) Topics in Cryptology – CT-RSA 2008. CT-RSA 2008. Lecture Notes in Computer Science, vol 4964. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-79263-5_16


  • DOI: https://doi.org/10.1007/978-3-540-79263-5_16

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-79262-8

  • Online ISBN: 978-3-540-79263-5

