Handbook of Applied Cryptography
Distinguishing Exponent Digits by Observing Modular Subtractions
CT-RSA 2001 Proceedings of the 2001 Conference on Topics in Cryptology: The Cryptographer's Track at RSA
A Practical Implementation of the Timing Attack
CARDIS '98 Proceedings of the International Conference on Smart Card Research and Applications
A Combined Timing and Power Attack
PKC '02 Proceedings of the 5th International Workshop on Practice and Theory in Public Key Cryptosystems: Public Key Cryptography
Montgomery's Multiplication Technique: How to Make It Smaller and Faster
CHES '99 Proceedings of the First International Workshop on Cryptographic Hardware and Embedded Systems
Enhanced Montgomery Multiplication
CHES '02 Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems
Improving Brumley and Boneh timing attack on unprotected SSL implementations
Proceedings of the 12th ACM conference on Computer and communications security
Remote timing attacks are practical
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
On the power of simple branch prediction analysis
ASIACCS '07 Proceedings of the 2nd ACM symposium on Information, computer and communications security
Cheap Hardware Parallelism Implies Cheap Security
FDTC '07 Proceedings of the Workshop on Fault Diagnosis and Tolerance in Cryptography
Yet another MicroArchitectural Attack: exploiting I-Cache
Proceedings of the 2007 ACM workshop on Computer security architecture
Advances on access-driven cache attacks on AES
SAC'06 Proceedings of the 13th international conference on Selected areas in cryptography
Cache attacks and countermeasures: the case of AES
CT-RSA'06 Proceedings of the 2006 Cryptographers' Track at the RSA conference on Topics in Cryptology
On the optimization of side-channel attacks by advanced stochastic methods
PKC'05 Proceedings of the 8th international conference on Theory and Practice in Public Key Cryptography
Cache based remote timing attack on the AES
CT-RSA'07 Proceedings of the 7th Cryptographers' track at the RSA conference on Topics in Cryptology
Side Channels in the McEliece PKC
PQCrypto '08 Proceedings of the 2nd International Workshop on Post-Quantum Cryptography
New results on instruction cache attacks
CHES'10 Proceedings of the 12th international conference on Cryptographic hardware and embedded systems
Exponent blinding does not always lift (partial) SPA resistance to higher-level security
ACNS'11 Proceedings of the 9th international conference on Applied cryptography and network security
Improvement of trace-driven I-Cache timing attack on the RSA algorithm
Journal of Systems and Software
MicroArchitectural Analysis (MA) techniques, more specifically Simple Branch Prediction Analysis (SBPA) and Instruction Cache Analysis, have the potential to disclose the entire execution flow of a software-implemented cryptosystem ([5,2]). In this paper we show that one can completely break RSA in the original, unpatched OpenSSL version (v.0.9.8e) even when the most secure configuration is in place, including all countermeasures against side-channel and MicroArchitectural analysis (in particular, base blinding). We also discuss (known) countermeasures that prevent this attack. In the first step we apply an instruction cache attack to reveal which Montgomery operations require an extra reduction. To exploit this information we model the timing behavior of the modular exponentiation algorithm as a stochastic process. Its analysis yields the optimal guessing strategy, which reveals the secret key (mod p1) and finally the factorization of the RSA modulus n = p1p2. For the instruction cache attack we used a spy process embedded in the target process (OpenSSL), which clearly simplifies the experimental part. This simplification does not, however, nullify our results, since in cache attacks the empirical results of embedded spy processes and of (suitably implemented) standalone spy processes are very close to each other [16], and, moreover, our guessing strategy is fault-tolerant. Interestingly, the second step of our attack is related to that of a particular combined power and timing attack on smart cards [23] (see also [27,22]). Before publishing our result [1] we informed the OpenSSL development team, which included a patch in the stable branch of v.0.9.7e ([31,32]), and CERT, which informed software vendors ([33,34,35]). In particular, this countermeasure is included in the current version 0.9.8f. We have analyzed only OpenSSL, so we currently do not know the strength of other cryptographic libraries.