International Association for Cryptologic Research



Cache-Timing Attacks on RSA Key Generation

Authors:
Alejandro Cabrera Aldaya , Universidad Tecnológica de la Habana (CUJAE), Habana
Cesar Pereida García , Tampere University
Luis Manuel Alvarez Tapia , Universidad Tecnológica de la Habana (CUJAE), Habana
Billy Bob Brumley , Tampere University
DOI: 10.13154/tches.v2019.i4.213-242
URL: https://tches.iacr.org/index.php/TCHES/article/view/8350
Abstract: During the last decade, constant-time cryptographic software has quickly transitioned from an academic construct to a concrete security requirement for real-world libraries. Most of OpenSSL’s constant-time code paths are driven by cryptosystem implementations enabling a dedicated flag at runtime. This process is perilous, with several examples emerging in the past few years of the flag either not being set or software defects directly mishandling the flag. In this work, we propose a methodology to analyze security-critical software for side-channel insecure code path traversal. Applying our methodology to OpenSSL, we identify three new code paths during RSA key generation that potentially leak critical algorithm state. Exploiting one of these leaks, we design, implement, and mount a single trace cache-timing attack on the GCD computation step. We overcome several hurdles in the process, including but not limited to: (1) granularity issues due to word-size operands to the GCD function; (2) bulk processing of desynchronized trace data; (3) non-trivial error rate during information extraction; and (4) limited high-confidence information on the modulus factors. Formulating lattice problem instances after obtaining and processing this limited information, our attack achieves roughly a 27% success rate for key recovery using the empirical data from 10K trials.
BibTeX
@article{tches-2019-29851,
  title={Cache-Timing Attacks on RSA Key Generation},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2019, Issue 4},
  pages={213-242},
  url={https://tches.iacr.org/index.php/TCHES/article/view/8350},
  doi={10.13154/tches.v2019.i4.213-242},
  author={Alejandro Cabrera Aldaya and Cesar Pereida García and Luis Manuel Alvarez Tapia and Billy Bob Brumley},
  year=2019
}