SECURING OPENSSL AGAINST MICRO-ARCHITECTURAL ATTACKS

Marc Joye, Michael Tunstall

2007

Abstract

This paper presents a version of the 2^k-ary modular exponentiation algorithm that is secure against current methods of side-channel analysis that can be applied to PCs (the so-called micro-architectural attacks). Some optimisations to the basic algorithm are also proposed to improve the efficiency of an implementation. The proposed algorithm is compared to the current implementation of OpenSSL, and it is shown that the proposed algorithm is more robust than the current implementation.

where e is the public exponent. A more complex equivalence can be determined where an attacker has set a chosen M_i mod N to M0 mod N, since more digits will be changed than are considered in the above example.

If, for an arbitrary i (for 1 ≤ i < b), M_i mod N is changed to M0 mod N, this will, statistically, be expected to affect ⌈1024/5⌉/2^5 = 6.4 loops, i.e. on average 6.4 b-digits, that are normally equal to i, will be set to zero. In order to determine which groups of five bits, an equation similar to Equation (†) can be determined for each of the 205 = 241.3 possible com

Paper Citation


in Harvard Style

Joye M. and Tunstall M. (2007). SECURING OPENSSL AGAINST MICRO-ARCHITECTURAL ATTACKS. In Proceedings of the Second International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2007), ISBN 978-989-8111-12-8, pages 189-196. DOI: 10.5220/0002118801890196


in Bibtex Style

@conference{secrypt07,
author={Marc Joye and Michael Tunstall},
title={SECURING OPENSSL AGAINST MICRO-ARCHITECTURAL ATTACKS},
booktitle={Proceedings of the Second International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2007)},
year={2007},
pages={189-196},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002118801890196},
isbn={978-989-8111-12-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the Second International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2007)
TI - SECURING OPENSSL AGAINST MICRO-ARCHITECTURAL ATTACKS
SN - 978-989-8111-12-8
AU - Joye M.
AU - Tunstall M.
PY - 2007
SP - 189
EP - 196
DO - 10.5220/0002118801890196