Timing Attacks: A Basic Overview Daniel B. Dolan TSYS School of Computer Science Columbus State University Columbus, GA Dolan_daniel@colstate.edu Abstract— Time is always on Trudy’s side. In theory, any encryption or password protection can be broken, if the intruder has an unlimited amount of time and computing resources. Data security can be considered to be “good” if the time it takes to break the security is longer than the relevant shelf life of the data, or the data will have no value by the time the intruder has gotten to it. On the flip side, any form of data protection Alice may choose to employ is useless if the operations involved require an unreasonable amount of time skill and computing power. Timing attacks are attacks where an intruder uses timing measurements as a clue to guess protected secrets. They are particularly insidious in that efforts to introduce efficiencies into a security method may actually create vulnerabilities in the very system being protected. This paper will explore timing attacks, including theoretical and actual examples. We will also look at basic strategies for defending against these attacks. Keywords-component; security; timing; attacks (key words) I. INTRODUCTION A timing attack is an attack in which the intruder measures the responsiveness of a system to known security-related inputs. If the system’s response time varies in a fixed pattern as the input is changed, then the attacker may use this information as a clue to deduce the key, whether it is a password, or a cryptographic key. The first simple example of a timing attack is found on page 290 of Information Security: Principles and Practice, where it is referred to as a linearization attack. Consider a password or serial number verification function which checks one character at a time and exits as soon as an invalid character is found. A sample program implementing this method in table 1 below is taken from Mark Stamp’s book. A savvy intruder will find that a more correct password will lead to a longer processing time within the function. Without this knowledge, a brute-force attack on an 8-character password would take on average 3.60x1016 attempts. On the other hand, if the intruder uses timing measurements to “build up” a valid password one character at a time, only 512 guesses may be required. This is a significant win for Trudy, as it makes a monumental endeavor into an achievable reality. We can find a more intricate, yet related, example in modern cryptography using RSA and Diffie-Hellman, two of the most commonly-used encryption algorithms in use today. RSA, named for its inventors Rivest, Shamir, and Adleman, is a method for public key cryptography. Diffie-Hellman is a method by which two users can create a shared key. int main(int argc, const char *argv[]) { int i; char serial[9]=”S123N456\n”; if(strlen(argv[1]) < 8) { printf(“\nError---try again.\n\n”); exit(0); } for(i = 0; i <8; i++) { if(argv[1][i] != serial[i]) break; } if (i == 8) { printf(“\nSerial number is correct!\n\n”); } } Table 1: Serial Number Program with timing vulnerability. Source: Stamp [3] A basic formula behind both of these algorithms is R=yx mod n. In the RSA decryption algorithm, x is the private key which the attacker wants to learn, n is a part of the public key, and y is the encrypted value. In Diffie-Hellman, x is a shared symmetric key, which is again the attacker’s goal. With a 512bit key, this x may be a value up to 1.34x10154, which makes the formula yx a very lengthy calculation. This makes implementation of either RSA or Diffie-Hellman a difficult proposition for Alice, unless she has a mathematical shortcut to keep the numbers small. Repeated Squaring is a mathematical technique that is commonly used to overcome this challenge. The trick is that the formula is broken into several cycles of square-andmultiply operations, applying the modulus operation each time. The result is that the process never has to deal with a number that is significantly larger than the modulus. The side-effect is that, as in the password program described above, we have two branches of code (square-and-multiply on the one hand, and square-and-multiply-and-modulus on the other), and the second branch will always take significantly longer than the first. With repeated testing, the time differences between these calculations can be clues to help Trudy guess the key. II. RELATED WORK Timing attacks against RSA encryption have been known since 1996, when Kocher demonstrated a basic method for deciphering a private key, starting with a set of plain text inputs and measuring the time required encrypt each input. Kocher treated it as a signal generation problem, with “noise” resulting from measurement inaccuracies. As a result, the attack could be performed over networks as well as locally. Also as in the password linearization attack described above, Kocher attacked the key one bit at a time, “guessing” the timing result from setting that bit as a 1 or as a 0, and selecting the bit that most accurately reflected the actual time. int main(int argc, const char *argv[]) { int i; int passed=1; char serial[9]=”S123N456\n”; if(strlen(argv[1]) < 8) { printf(“\nError---try again.\n\n”); exit(0); } for(i = 0; i <8; i++) if(argv[1][i] != serial[i]) passed=0; if (i == 8 || passed==1) printf(“\nSerial number is correct!\n\n”); } Table 2: Serial Number Program with fixed execution time III. SOLUTION There are two commonly accepted solutions that can be applied to any timing attack. One solution is to “buffer” all security operations to the point where they take the longest possible time. Table 2 below demonstrates this method applied to our Serial Number generator. This would effectively destroy timing as a side channel for attackers to utilize, by removing their yard stick and ensuring that every operation equals “one yard.” The downside of this is performance optimizations are rendered pointless, and security operations will eat up Alice’s resources. The second solution is to insert “noise” into the timing measurement. Depending on the system being protected, this may be done by creating additional, throwaway calculations of random length. This technique has been implemented in RSA and Diffie-Hellman cryptography by a method known as RSA blinding. To implement blinding, a random value is inserted into the exponentiation calculation, along with its Euler inverse. RSA Blinding in this way has been shown to create a 2% to 10% performance overhead, while creating just enough noise in the side channel to defeat analysis. Most systems implementing RSA encryption have been updated to employ RSA blinding by default. [4] The strategy of adding a random number of “throwaway” calculations is also demonstrated in the serial number program as shown in Table 3. There is a third solution commonly implemented in password verification systems, and that is to disable login after repeated failed attempts. Timing attacks rely on the ability to gather repeated input, and repeated “failed” attempts can be a warning that a system is under attack. This method is limited to implementations in which it is feasible to enforce a lockout policy. In the case of a static program such as our Serial Number verification routine, this approach is simply not possible. However, in the case of a business network login, or internet-based business services, a “three strikes” rule may both stop an attack in progress, and warn system administrators that an attack is under way. This may still be foiled by a clever attacker, but it delays their efforts, and robs them of their easy attack. The longer Alice can delay Trudy’s victory, the less relevant or pertinent the data will be, and the more likely it is that Trudy will take her efforts elsewhere. int main(int argc, const char *argv[]) { int i; int randwait=1; int toss=1; char serial[9]=”S123N456\n”; if(strlen(argv[1]) < 8) { printf(“\nError---try again.\n\n”); exit(0); } for(i = 0; i <8; i++) { if(argv[1][i] != serial[i]) break; } if (i == 8){ printf(“\nSerial number is correct!\n\n”); } else { randwait = random(8-i); for (i=0; i <randwait; i++) toss++; } } Table 3: Serial Number Program with “noise” in timing channel IV. CONCLUSION Timing attacks are a plausible, looming threat, and should be under serious consideration in the realm of modern security systems. Protocol and system designers need to consider timing as a side-channel which can be used by a malicious third party to analyze system behavior. While the solutions of buffering, random noise, and lockdown policy each have their costs, all are good viable solutions to this very real security issue. REFERENCES [1] [2] [3] [4] Wong, Wing H., “Timing Attacks on RSA: Revealing Your Secrets through the Fourth Dimension.” http://www.cs.sjsu.edu/faculty/stamp/students/article.html Kocher, Paul C. “Timing Attacks on Implementations of DiffieHellman, RSA, DSS, and Other Systems.” www.cryptography.com/resources/whitepapers/TimingAttacks.pdf Stamp, Mark. “Information Security: Principles and Practice.” Pp. 290291. US-CERT Vulnerability Note VU#997481, at http://www.kb.cert.org/vuls/id/99748