Timing Attacks to RSA
Presented by Zhanxiang
Agenda

Background of Timing Attack

Case study:
David Brumley and Dan Boneh, “Remote
Timing Attacks are Practical” (UC Berkeley)
What is Timing Attack?

Timing attacks: Expose private information,
such as RSA keys, by measuring the
amount of time required to perform private
key operations (Decryptions).

Side-channel attacks:
Power analysis
 Electromagnetic radiation analysis
 Timing attacks

Some Timing Attacks on RSA

Kocher’s attack 1996 [2]



reported on page A1 of Monday's New York Times ("Secure
Digital Transactions Just Got a Little Less Secure" by John
Markoff).
Not apply to RSA-CRT.
Schindler’s attack 2001

Not work for implementation using (e.g. OpenSSL):



Sliding windows instead of square and multiply (exponentiation)
Two multiplication algorithms.
Brumley-Boneh’s attack 2003 [1]


Attack on RSA of OpenSSL
[1] won the best paper of UsenixSecure’03.
Why people care?

Security of RSA depends on the difficulty
to factor the public key N

OpenSSL applications are popular

Since it can hack simple devices, e.g.
smartcards, how about complex
environments, such network?
Implementation of OpenSSL

RSA with CRT speedup

Computation library

How are exponentiation, modular reduction
and multiplication operations implemented
RSA quick review


Multiple prime RSA key generating algorithm
1. Select k primes: p1, p2, …, pk
2. Let n=∏pi, i=1,2,…,k
3. Let φ(n)=∏(pi-1)
4. Choose e, s.t. gcd(e,φ(n))=1
5. Calculate d=e-1(mod φ(n))
6. Public Key = (e,n) and Private key = (d,n)
Encryption: c=me mod n
Decryption: m=cd mod n
Chinese Remainder Theorem
n = n1n2…nk with gcd (ni; nj ) = 1 when i !=
j
 The system of congruencies
x=x1(mod n1)=…=xk(mod nk)
has a simultaneous solution x to all of the
congruencies, and there exists exactly one
solution x between 0 and n-1.

Speedup RSA with CRT
Any message M<N is uniquely represented by
the tuple [MP;MQ ], where
MP = M(mod P)
and MQ = M(mod Q).
CP = C(mod P)
and CQ = C(mod Q).
DP = D(mod (P-1)) and DQ = D(mod (Q-1))
RP = QP-1(mod N) and RQ = PQ-1(mod N)
MP = CPDP(mod P) and MQ = CQDQ(mod Q)
SP = MPRP(mod N) and SQ = MQRQ(mod N)
M = SP + SQ. If M>=N then calc M=M-N.
[3]

Operations needed for Decryption

Computing cd(mod p) and xy(mod p) requires:

Multiplication routines



Exponentiation


Normal (unequal len)
Karatsuba (equal len): faster
Sliding windows
Modular reduction


Montgomery
The key relevant fact is the extra reduction
What causes time variance?

Montgomery reduction
Given g calc g (mod q)
 Probability for and extra
reduction is:
P[extra step]  (g mod q)/2q


Choice of multiplication
routine


To calc x*g mod q, if x is
the same length as (g mod
q), use Karatsuba.
O(nlog23)
Otherwise, use Normal.
O(nm)
Summary of time variance
g<q
g>q
Montgomer Longer
y effect
Shorter
Multiplicati
on effect
Longer
Shorter
g is the decryption value.
Each is dominant at a different phase.
Time Attack on OpenSSL(1/4)

Assume: N=pq with q<p.
Goal: approximations approaching q

Idea: Make initial guess and refine it by learning bits one
at a time, from the most significant.
Time Attack on OpenSSL(2/4)

Init guess g of q lying between 2512 (i.e.
N/2) and 2511(i.e. N/4)

Try all the combinations of the top few bits
Time the decryptions and pick the first
peak for guess of q; (After all we at least
know the first bit is 1)
Time Attack on OpenSSL(3/4)

Suppose from 1 to i-1 bits g=q, elsewhere g=0

Recover i’th bit of q as follows:
(1) ghi=g, but with i’th bit 1.
If i’th bit of q is 1
then g<ghi<q,
else g<q<ghi.
(2) ug=gR-1 mod N, ughi=ghiR-1 mod N
(3) t1=DecrtyptTime(ug), t2=DecryptTime(ughi).
(4) D=|t1-t2|.
If D is large then g<q<ghi and i’th bit of q is 1,
otherwise the bit is 0.
Time Attack on OpenSSL(4/4)

We know what is “large” and “small” from attack on
previous bits.

Decrypting just g does not work because of sliding
windows


Decrypt a neighborhood of values near g, and Tg=∑Tg+i
Will increase difference between large and small values
Thus larger 0-1 gap

Only need to recover q/2 bits of q

Attack requires only 2 hours, about 1.4 million queries
Real World Attack(1/2)



Discuss an attack on SSL applications such as
an Apache web server with mod_SSL.
During the handshake, SSL server performs
RSA decryption of CLIENT-KEY-EXCHANGE message
(sent by client) using its private key. The goal is
getting this key.
After decryption, the server checks PKCS 1
padded random bytes and sends an error
message back to client in case of an error. The
client can send another message to the server
that will be decrypted there.
Real World Attack(2/2)
1. ClientHello
Attack Client
SSL Server
2. ServerHello
(send public key)
3. Record time t1
Send guess Ug or Ughi
4. Alert
5. Record time t2
Compute DecryptTime(Ughi)=t2 –t1
Experiments (1/5) [1]

Test the effects on increasing the number of
decryption requests required to recover a single bit
of q reliably. Two parameters: neighborhood size (n)
and sample size (s). Total number of queries is s*n.
Using sample size of 7 and neighborhood of 400, 1433600
total queries. Attack time (on 1024-bit key) is about 2
hours.
Experiments (2/5) [1]

•
Architecture effects: compare two versions of a
program making local calls to OpenSSL: “regular”
and “extra-inst” with 6 additional nops before
decryption.
Explanation: different cache hit rate: 0.139% of load
misses for “normal” and 0.151% for “extra-inst”.
Experiments (3/5) [1]
Compile-time effects:




Optimized (-O3 –fomit_frame_pointer –mcpu=pentium);
No Pentium flag (-O3 –fomit_frame_pointer);
Unoptimized (-g).
Experiments (4/5) [1]

Source-based optimizations: implemented a minor
patch that improves the efficiency of of CRT
decryption check.
Experiments (5/5) [1]

Attacking SSL applications on the local
network:
Preconditions & Defense

Preconditions:




OpenSSL does not enable defend option
Not fix response time
…
Defense:



Only one multiplication routine and always carry out
extra reduction in Montgomery’s algorithm
Quantize all RSA computations
Blinding (Currently preferred)
Blinding Defenses [1]

Blinding: before decryption compute x=reg mod N,
where r is random. Then decrypt x, then compute
x/r. Incurs 2%-10% penalty.
Reference
[1] David Brumley and Dan Boneh, “Remote
Timing Attacks are Practical”, 2003
[2] Paul C. Kocher, “Timing Attacks on
Implementations of Diffie-Hellman, RSA, DSS,
and Other Systems” 2001
[3] Johann GroBschadl, “The Chinese Remainder
Theorem and its Application in a High-Speed
RSA Crypto Chip”
[4]http://www.rsasecurity.com/rsalabs/challenges/f
actoring/numbers.html