Side-Channel Attacks on RSA with CRT
Weakness of RSA
Alexander Kozak
Jared Vanderbeck
What is RSA?

- RSA (Rivest, Shamir and Adleman) is a widely used algorithm for public-key cryptography and is generally regarded as secure.
- RSA is suitable for signing as well as encryption.
- RSA is believed to be secure given sufficiently long keys and the use of up-to-date implementations.
What is CRT?

- The Chinese Remainder Theorem is a result about congruences in number theory and its generalizations in abstract algebra.
- The CRT can be used to speed up calculations in many math-based cryptosystems, including RSA.
Montgomery Reduction

- Provides an efficient way of multiplying two numbers modulo a third.
- Avoids an explicit division by the modulus during multiplications; the reduction is folded into cheap operations on the Montgomery radix R.
What are Side-Channel Attacks?

- "Side-channel attacks" are attacks that are based on "side-channel information."
- Side-channel information is information that can be retrieved from the encryption device.
- This information is neither the plaintext nor the ciphertext.
What are Side-Channel Attacks?

- In the past, an encryption device was perceived as a unit that receives plaintext and produces ciphertext, and vice versa.
- Attacks were based on knowing the ciphertext, knowing both plaintext and ciphertext, or on the ability to choose the plaintext to be encrypted and then observe the result of the encryption.
What are Side-Channel Attacks?

- Today it is known that encryption devices have additional outputs, beyond the plaintext and ciphertext, that leak information.
- Encryption devices produce timing information that is easily measurable, radiation of various sorts, power consumption statistics and more.
What are Side-Channel Attacks?

- Often the encryption device also has additional "unintentional" inputs, such as supply voltage.
- Side-channel attacks make use of some or all of this information, along with other cryptanalytic techniques, to recover the key the device is using.
What are Side-Channel Attacks?

- Side-channel analysis techniques are a concern because the attacks can be mounted quickly and cheaply.
- Depending on the type of attack, it can take a very short time to attack a card.
- For example, with a Simple Power Analysis attack, attacks on smartcards take a few seconds per card.
Timing Attacks

- Timing attacks are based on measuring the time it takes for a unit to perform operations.
- This information can leak information about the secret keys.
- For example, by measuring the amount of time required to perform private-key operations, an attacker might find fixed Diffie-Hellman exponents, factor RSA keys, and break other cryptosystems.
Timing Attacks

- Cryptosystems take slightly different amounts of time to process different inputs.
- There are various reasons for this, including performance optimizations, branching, RAM cache hits, etc.
- Attacks exist which can exploit timing measurements to find the entire key.
Timing Attacks

- Computing the variances is easy and provides a good way to identify correct exponent-bit guesses.
- The number of samples needed to gain enough information is determined by the properties of the signal and the noise.
- The more noise there is, the more samples will be required.
Timing Attacks

- These kinds of attacks generally require a large number of timing samples.
- The times are used to perform a statistical analysis of the probability of each bit in the key.
- These probabilities are then used to guess the key.
Timing Attacks

- There can be a large amount of error in the signals retrieved by the eavesdropper.
- This can be caused by noise (such as latency), blinding, or inaccuracies in data acquisition.
- The greater the error, the more samples are required to determine a key.
CRT's Susceptibility to Timing Attacks

- Modular reduction
  - Modular exponentiation vs. multiplication
    - All arithmetic is performed modulo a number (the modulus)
    - The computer must compare a value to the modulus and reduce when necessary
    - Modular exponentiations and multiplications take different amounts of time and are executed under different circumstances
- Any conditional calculations
  - Calculations executed under certain circumstances but not others
Montgomery Reduction's Susceptibility

- After reduction, there is a final modular comparison
  - This may result in an extra reduction
  - This extra reduction is executed only when necessary
  - Causes differences in timing when different values are used
How to Attack CRT

- Very simple
  - Choose values that are very close to one of the prime factors of the public modulus
  - When a value is greater than a prime factor, an additional modular reduction will be performed
  - When the value is less than a prime factor, no additional modular reduction will be performed
  - This can directly reveal the factors of the public modulus
How to Attack CRT

- Optimized RSA implementations use the square-and-multiply method of computing modular exponentiations
  - With varying inputs, the number of exponentiations (squarings) and multiplications varies
  - Time differences can be seen between instances when multiplications are or are not executed
How to Attack Montgomery Reduction

- The probability of an extra reduction has been found to be easily calculated
  - The equation is Pr[Extra Reduction] = (g mod q) / 2R
  - As the input g approaches one of the prime factors, the probability of an extra reduction increases
  - When the input g is equal to one of the factors, there is a large drop in the frequency of the extra reduction
  - Equation and analysis from Brumley and Boneh
Blinding

- The key is to ensure that timing signatures are unusable to attackers
- Often results in reduced performance and increased algorithm complexity
- Can make timing attacks infeasible
Blinding Techniques

- Eliminate the conditional execution of steps
  - Example: during steps that may require either multiplication or exponentiation depending on the value, execute both
  - Ignore the results of the unwanted computation
  - Makes it difficult to tell from timing which statements were executed
Blinding Techniques

- Insert data-independent calculations between the modular calculations of CRT
  - Example: calculate a^r mod h, where r and h are random numbers
  - Adds complexity and slows computations
  - Can make timing analysis very difficult
Blinding Techniques

- Modify the implementations of modular exponentiation and multiplication
  - Make both operations take the same amount of time
  - Makes it difficult or impossible to differentiate between the two calculations
  - Highly effective against certain timing attacks
Blinding Techniques

- Ensure that all operations take the same amount of time
  - Drastically degrades performance
  - All operations must take an amount of time equal to that of the slowest operation
  - Makes timing attacks impossible
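The extra-reduction leak from the Montgomery slides and the blinding countermeasure from the Blinding slides, as an added simulation that is not part of the slides or of Brumley and Boneh's work: a toy Montgomery square-and-multiply modulo a constructed prime Q counts the data-dependent extra reductions for inputs just below and just above Q, then repeats the measurement with Kocher-style base blinding. The prime Q, the exponent D, and the simplification that the queried value is arranged so its Montgomery form equals g are assumptions of this example.

```python
# Added example, not from the slides: simulate the Montgomery extra-reduction leak in
# one CRT branch (g^d mod q) and show that blinding removes its dependence on g.
import random

Q = 1000000007                    # constructed toy prime standing in for the factor q
K = Q.bit_length()                # Montgomery radix R = 2^K > Q
R = 1 << K
Q_NEG_INV = (-pow(Q, -1, R)) % R  # -q^-1 mod R, the REDC constant
D = 123456789                     # constructed CRT exponent d_q (16 set bits)
E = pow(D, -1, Q - 1)             # matching public exponent mod q-1, used for blinding

def mont_mul(a, b):
    """Montgomery product a*b*R^-1 mod Q; returns (result, 1 if an extra reduction ran)."""
    t = a * b
    m = ((t & (R - 1)) * Q_NEG_INV) & (R - 1)
    u = (t + m * Q) >> K          # exact division by R
    if u >= Q:                    # the data-dependent final comparison from the slides
        return u - Q, 1
    return u, 0

def mont_exp(g, d):
    """Left-to-right square-and-multiply g^d mod Q in Montgomery form, counting extra reductions."""
    gbar, x, extras = (g * R) % Q, R % Q, 0   # Montgomery forms of g and of 1
    for bit in bin(d)[2:]:
        x, e = mont_mul(x, x)
        extras += e
        if bit == "1":
            x, e = mont_mul(x, gbar)
            extras += e
    out, e = mont_mul(x, 1)       # convert back out of Montgomery form
    return out, extras + e

def extra_reductions(g, r=1):
    """Decrypt the value whose Montgomery form is g (i.e. g*R^-1 mod Q), optionally
    blinded with r: (v*r^E)^D = v^D * r, then multiply by r^-1. Returns (v^D, count)."""
    v = (g * pow(R, -1, Q)) % Q
    out, extras = mont_exp((v * pow(r, E, Q)) % Q, D)
    return (out * pow(r, -1, Q)) % Q, extras

def leak_profile(width, blind=False):
    """Mean extra-reduction count for inputs just below Q versus just above Q."""
    rng = random.Random(1)
    def count(g):
        return extra_reductions(g, rng.randrange(1, Q) if blind else 1)[1]
    below = sum(count(g) for g in range(Q - width, Q)) / width
    above = sum(count(g) for g in range(Q + 1, Q + width + 1)) / width
    return below, above
```

Without blinding, leak_profile(256) returns a clearly higher mean for the values just below Q than for those just above it, which is the drop the slides describe; with blind=True the two means agree within noise because the Montgomery-form operand is now a random element independent of g.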
References

- David Brumley and Dan Boneh, "Remote Timing Attacks are Practical", http://www.ece.cmu.edu/~dbrumley/pubs/jcn_timing.pdf
- "Introduction to Side Channel Attacks", http://www.discretix.com/PDF/Introduction%20to%20Side%20Channel%20Attacks.pdf
- Paul C. Kocher, "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems", http://www.cryptography.com/public/pdf/TimingAttacks.pdf
- Neal Koblitz and Alfred J. Menezes, "Side-Channel Attacks", http://www.springerlink.com/content/lln108g514127805/fulltext.pdf