Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

DOC - TSYS School of Computer Science

advertisement 
Timing Attacks: A Basic Overview
Daniel B. Dolan
TSYS School of Computer Science
Columbus State University
Columbus, GA
Dolan_daniel@colstate.edu
Abstract— Time is always on Trudy’s side. In theory, any
encryption or password protection can be broken, if the intruder
has an unlimited amount of time and computing resources. Data
security can be considered to be “good” if the time it takes to
break the security is longer than the relevant shelf life of the data,
or the data will have no value by the time the intruder has gotten
to it. On the flip side, any form of data protection Alice may
choose to employ is useless if the operations involved require an
unreasonable amount of time skill and computing power.
Timing attacks are attacks where an intruder uses
timing measurements as a clue to guess protected secrets. They
are particularly insidious in that efforts to introduce efficiencies
into a security method may actually create vulnerabilities in the
very system being protected. This paper will explore timing
attacks, including theoretical and actual examples. We will also
look at basic strategies for defending against these attacks.
Keywords-component; security; timing; attacks (key words)
I.
INTRODUCTION
A timing attack is an attack in which the intruder measures
the responsiveness of a system to known security-related
inputs. If the system’s response time varies in a fixed pattern as
the input is changed, then the attacker may use this information
as a clue to deduce the key, whether it is a password, or a
cryptographic key.
The first simple example of a timing attack is found
on page 290 of Information Security: Principles and Practice,
where it is referred to as a linearization attack. Consider a
password or serial number verification function which checks
one character at a time and exits as soon as an invalid character
is found. A sample program implementing this method in table
1 below is taken from Mark Stamp’s book. A savvy intruder
will find that a more correct password will lead to a longer
processing time within the function. Without this knowledge, a
brute-force attack on an 8-character password would take on
average 3.60x1016 attempts. On the other hand, if the intruder
uses timing measurements to “build up” a valid password one
character at a time, only 512 guesses may be required. This is a
significant win for Trudy, as it makes a monumental endeavor
into an achievable reality.
We can find a more intricate, yet related, example in
modern cryptography using RSA and Diffie-Hellman, two of
the most commonly-used encryption algorithms in use today.
RSA, named for its inventors Rivest, Shamir, and Adleman, is
a method for public key cryptography. Diffie-Hellman is a
method by which two users can create a shared key.
int main(int argc, const char *argv[])
{
int i;
char serial[9]=”S123N456\n”;
if(strlen(argv[1]) < 8)
{
printf(“\nError---try again.\n\n”);
exit(0);
}
for(i = 0; i <8; i++)
{
if(argv[1][i] != serial[i]) break;
}
if (i == 8)
{
printf(“\nSerial number is correct!\n\n”);
}
}
Table 1: Serial Number Program with timing vulnerability.
Source: Stamp [3]
A basic formula behind both of these algorithms is R=yx
mod n. In the RSA decryption algorithm, x is the private key
which the attacker wants to learn, n is a part of the public key,
and y is the encrypted value. In Diffie-Hellman, x is a shared
symmetric key, which is again the attacker’s goal. With a 512bit key, this x may be a value up to 1.34x10154, which makes
the formula yx a very lengthy calculation. This makes
implementation of either RSA or Diffie-Hellman a difficult
proposition for Alice, unless she has a mathematical shortcut to
keep the numbers small.
Repeated Squaring is a mathematical technique that is
commonly used to overcome this challenge. The trick is that
the formula is broken into several cycles of square-andmultiply operations, applying the modulus operation each time.
The result is that the process never has to deal with a number
that is significantly larger than the modulus. The side-effect is
that, as in the password program described above, we have two
branches of code (square-and-multiply on the one hand, and
square-and-multiply-and-modulus on the other), and the second
branch will always take significantly longer than the first. With
repeated testing, the time differences between these
calculations can be clues to help Trudy guess the key.
II.
RELATED WORK
Timing attacks against RSA encryption have been known
since 1996, when Kocher demonstrated a basic method for
deciphering a private key, starting with a set of plain text inputs
and measuring the time required encrypt each input. Kocher
treated it as a signal generation problem, with “noise” resulting
from measurement inaccuracies. As a result, the attack could be
performed over networks as well as locally. Also as in the
password linearization attack described above, Kocher attacked
the key one bit at a time, “guessing” the timing result from
setting that bit as a 1 or as a 0, and selecting the bit that most
accurately reflected the actual time.
int main(int argc, const char *argv[])
{
int i;
int passed=1;
char serial[9]=”S123N456\n”;
if(strlen(argv[1]) < 8)
{
printf(“\nError---try again.\n\n”);
exit(0);
}
for(i = 0; i <8; i++)
if(argv[1][i] != serial[i]) passed=0;
if (i == 8 || passed==1)
printf(“\nSerial number is correct!\n\n”);
}
Table 2: Serial Number Program with fixed execution time
III.
SOLUTION
There are two commonly accepted solutions that can
be applied to any timing attack. One solution is to “buffer” all
security operations to the point where they take the longest
possible time. Table 2 below demonstrates this method applied
to our Serial Number generator. This would effectively destroy
timing as a side channel for attackers to utilize, by removing
their yard stick and ensuring that every operation equals “one
yard.” The downside of this is performance optimizations are
rendered pointless, and security operations will eat up Alice’s
resources.
The second solution is to insert “noise” into the timing
measurement. Depending on the system being protected, this
may be done by creating additional, throwaway calculations of
random length. This technique has been implemented in RSA
and Diffie-Hellman cryptography by a method known as RSA
blinding. To implement blinding, a random value is inserted
into the exponentiation calculation, along with its Euler
inverse. RSA Blinding in this way has been shown to create a
2% to 10% performance overhead, while creating just enough
noise in the side channel to defeat analysis. Most systems
implementing RSA encryption have been updated to employ
RSA blinding by default. [4] The strategy of adding a random
number of “throwaway” calculations is also demonstrated in
the serial number program as shown in Table 3.
There is a third solution commonly implemented in
password verification systems, and that is to disable login after
repeated failed attempts. Timing attacks rely on the ability to
gather repeated input, and repeated “failed” attempts can be a
warning that a system is under attack. This method is limited to
implementations in which it is feasible to enforce a lockout
policy. In the case of a static program such as our Serial
Number verification routine, this approach is simply not
possible. However, in the case of a business network login, or
internet-based business services, a “three strikes” rule may both
stop an attack in progress, and warn system administrators that
an attack is under way. This may still be foiled by a clever
attacker, but it delays their efforts, and robs them of their easy
attack. The longer Alice can delay Trudy’s victory, the less
relevant or pertinent the data will be, and the more likely it is
that Trudy will take her efforts elsewhere.
int main(int argc, const char *argv[])
{
int i;
int randwait=1;
int toss=1;
char serial[9]=”S123N456\n”;
if(strlen(argv[1]) < 8)
{
printf(“\nError---try again.\n\n”);
exit(0);
}
for(i = 0; i <8; i++)
{
if(argv[1][i] != serial[i]) break;
}
if (i == 8){
printf(“\nSerial number is correct!\n\n”);
} else {
randwait = random(8-i);
for (i=0; i <randwait; i++)
toss++;
}
}
Table 3: Serial Number Program with “noise” in timing
channel
IV.
CONCLUSION
Timing attacks are a plausible, looming threat, and should
be under serious consideration in the realm of modern security
systems. Protocol and system designers need to consider timing
as a side-channel which can be used by a malicious third party
to analyze system behavior. While the solutions of buffering,
random noise, and lockdown policy each have their costs, all
are good viable solutions to this very real security issue.
REFERENCES
[1]
[2]
[3]
[4]
Wong, Wing H., “Timing Attacks on RSA: Revealing Your Secrets
through
the
Fourth
Dimension.”
http://www.cs.sjsu.edu/faculty/stamp/students/article.html
Kocher, Paul C. “Timing Attacks on Implementations of DiffieHellman,
RSA,
DSS,
and
Other
Systems.”
www.cryptography.com/resources/whitepapers/TimingAttacks.pdf
Stamp, Mark. “Information Security: Principles and Practice.” Pp. 290291.
US-CERT
Vulnerability
Note
VU#997481,
at
http://www.kb.cert.org/vuls/id/99748
Related documents
lab14
lab14
How to change network configuration
How to change network configuration
sequence authentication
sequence authentication
Senior Projects 7
Senior Projects 7
RSA Interview Form - Sacred Heart University
RSA Interview Form - Sacred Heart University
How to start Whitepins - AMAS-Team
How to start Whitepins - AMAS-Team
This is “Halstead`s Software Science”
This is “Halstead`s Software Science”
Problem Session CMPE-553 “Cryptography and Network Security”
Problem Session CMPE-553 “Cryptography and Network Security”
Download
advertisement