Handbook of Applied Cryptography
Handbook of Applied Cryptography
Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1
CRYPTO '98 Proceedings of the 18th Annual International Cryptology Conference on Advances in Cryptology
Enhanced Montgomery Multiplication
CHES '02 Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems
Lattice Scheduling and Covert Channels
SP '92 Proceedings of the 1992 IEEE Symposium on Security and Privacy
Improving Brumley and Boneh timing attack on unprotected SSL implementations
Proceedings of the 12th ACM conference on Computer and communications security
Remote timing attacks are practical
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
On the power of simple branch prediction analysis
ASIACCS '07 Proceedings of the 2nd ACM symposium on Information, computer and communications security
Advances on access-driven cache attacks on AES
SAC'06 Proceedings of the 13th international conference on Selected areas in cryptography
Cache attacks and countermeasures: the case of AES
CT-RSA'06 Proceedings of the 2006 The Cryptographers' Track at the RSA conference on Topics in Cryptology
Predicting secret keys via branch prediction
CT-RSA'07 Proceedings of the 7th Cryptographers' track at the RSA conference on Topics in Cryptology
Cache based remote timing attack on the AES
CT-RSA'07 Proceedings of the 7th Cryptographers' track at the RSA conference on Topics in Cryptology
Combined implementation attack resistant exponentiation
LATINCRYPT'10 Proceedings of the First international conference on Progress in cryptology: cryptology and information security in Latin America
Düppel: retrofitting commodity operating systems to mitigate cache side channels in the cloud
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Hi-index | 0.00 |
Software based side-channel attacks allow an unprivileged spy process to extract secret information from a victim (cryptosystem) process by exploiting some indirect leakage of "side-channel" information. It has been realized that some components of modern computer microarchitectures leak certain side-channel information and can create unforeseen security risks. An example of such MicroArchitectural Side-Channel Analysis is the Cache Attack -- a group of attacks that exploit information leaks from cache latencies [4,7,13,15,18]. Public awareness of Cache Attack vulnerabilities lead software writers of OpenSSL (version 0.9.8a and subsequent versions) to incorporate countermeasures for preventing these attacks. In this paper, we present a new and yet unforeseen side channel attack that is enabled by the recently published Simple Branch Prediction Analysis (SBPA) which is another type of MicroArchitectural Analysis, cf. [2,3]. We show that modular inversion -- a critical primitive in public key cryptography -- is a natural target of SBPA attacks because it typically uses the Binary Extended Euclidean algorithm whose nature is an input-centric sequence of conditional branches. Our results show that SBPA can be used to extract secret parameters during the execution of the Binary Extended Euclidean algorithm. This poses a new potential risk to crypto-applications such as OpenSSL, which already employs Cache Attack countermeasures. Thus, it is necessary to develop new software mitigation techniques for BPA and incorporate them with cache analysis countermeasures in security applications. To mitigate this new risk in full generality, we apply a security-aware algorithm design methodology and propose some changes to the CRT-RSA algorithm flow. These changes either avoid some of the steps that require modular inversion, or remove the critical information leak from this procedure. In addition, we also show by example that, independently of the required changes in the algorithms, careful software analysis is also required in order to assure that the software implementation does not inadvertently introduce branches that may expose the application to SBPA attacks. These offer several simple ways for modifying OpenSSL in order to mitigate Branch Prediction Attacks.