(IJCSIS) International Journal of Computer Science and Information Security,Vol. 4, No. 1, August, 2009
Minimizing Cache Timing Attack Using Dynamic Cache Flushing (DCF) Algorithm
Jalpa Bani
Computer Science and Engineering Department, University of Bridgeport, Bridgeport, CT 06601, jbani@bridgeport.edu
Syed S. Rizvi
Computer Science and Engineering Department, University of Bridgeport, Bridgeport, CT 06601, srizvi@bridgeport.edu
Abstract—The Rijndael algorithm was unanimously chosen as the Advanced Encryption Standard (AES) by the panel of researchers at the National Institute of Standards and Technology (NIST) in October 2000. Since then, Rijndael has been used massively in software as well as hardware for encrypting data. However, a few years back, Daniel Bernstein [2] devised a cache-timing attack capable of breaking the seal that Rijndael places around the encryption key. In this paper, we propose a new Dynamic Cache Flushing (DCF) algorithm, a set of pragmatic software measures that would make Rijndael resistant to the cache timing attack. The simulation results demonstrate that the proposed DCF algorithm provides better security by making the encryption run in constant time.

Keywords- dynamic cache flushing, Rijndael algorithm, timing attack.
I. INTRODUCTION
Rijndael is a block cipher adopted as an encryption standard by the U.S. government. It has been analyzed extensively and is now used widely worldwide, as was the case with its predecessor, the Data Encryption Standard (DES). Rijndael, the AES standard, is currently used in many fields. Due to its impressive efficiency [8], it is used in high-speed optical networks, in military applications that encrypt top-secret data, and in banking and financial applications in which secure, real-time transfer of data is a top priority.

Microsoft has embraced Rijndael and implemented it in its much-discussed .NET Framework: .NET 3.5 provides a Rijndael implementation in the System.Security.Cryptography namespace. The .NET Framework is used by millions of developers around the world to develop software in numerous fields; in other words, a software implementation of Rijndael touches almost every field that implements cryptography through .NET.

Wireless network security is no exception. The original IEEE 802.11 privacy protocol, Wired Equivalent Privacy (WEP), used the RC4 stream cipher rather than Rijndael; its successor, IEEE 802.11i (WPA2), encrypts every data frame with AES in CCMP mode. When WPA2 is enabled on a wireless network, the payload of each frame sent from one station to another is first encrypted under a session key derived from the network's secret and then transmitted over the air; the receiving station uses the same key to decrypt the frame with AES.
Rijndael supports a larger range of block and key sizes than AES: AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits, whereas Rijndael can be specified with key and block sizes in any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits [6]. The algorithm operates on an input, an output and a cipher key, each of which may be 128, 192 or 256 bits long, with the condition that the input and output sequences have the same length; this provides the basic framework that makes the code scalable. Lookup tables are used to make Rijndael faster, and the operations are performed on a two-dimensional array of bytes called the state. The state consists of 4 rows of bytes, each of which contains Nb bytes, where Nb is the block length divided by 32. At the start and end of an encryption or decryption operation, the bytes of the cipher input or output are copied into or out of this state array. The operations implemented in the algorithm are listed below [9]:
 
Key Schedule: An array of 32-bit words initialized from the cipher key. The cipher iterates through a number of cycles, or rounds, each of which uses Nb words from the key schedule; the schedule can therefore be viewed as an array of round keys, each containing Nb words (one word per state column).
ISSN 1947 5500
Finite Field Operations: The algorithm carries out operations in a finite field, that is, operations whose result is again an element of that field. The finite field operations used are addition and multiplication, multiplicative inverse, multiplication using tables, and multiplication by repeated shifts.
 
Rounds: At the start of the cipher the input is copied into the internal state. An initial round key is then added, and the state is transformed by iterating a round function a number of times. On completion the final state is copied into the cipher output [1]. The round function is parameterized by a key schedule that consists of a one-dimensional array of 32-bit words, of which the lowest Nk = 4, 6 or 8 words are initialized with the cipher key. The round function consists of the following steps:
SubBytes: As shown in Fig. 1, a non-linear substitution step in which each byte is replaced with another according to a lookup table (the S-box).
ShiftRows: A transposition step in which each row of the state is shifted cyclically by a certain number of positions, as shown in Fig. 2.
MixColumns: A mixing operation on the columns of the state, combining the four bytes in each column, as shown in Fig. 3.
AddRoundKey: Each byte of the state is combined with the round key; each round key is derived from the cipher key using the key schedule [1], as shown in Fig. 4.
 
Final Round: The final round consists of the same operations as the round function except the MixColumns operation.
 
II. RELATED WORK
Parallelism, or parallel computing, has become a key aspect of high-performance computing today, and its fundamental advantages have deeply influenced modern processor designers. It has become the dominant paradigm in processor architecture in the form of the multicore processors found in personal computers today. Sharing processor resources such as cache memory, sharing memory maps in random access memory (RAM), and sharing the computational power of the math coprocessors among multiple processes in the operating system has become inevitable. A few years back, Intel introduced hyper-threading technology in its Pentium 4 processors, in which the sharing of processor resources between threads is extended further by sharing the memory caches. Shared access to the memory cache is a feature of all the latest processors from Intel and of the AMD Athlon.

For all that parallel computing has done to make Central Processing Units (CPUs) powerful, sharing the memory cache across thread boundaries has opened the door to security vulnerabilities. The shared memory cache can permit the malicious threads of a spy process to monitor the execution of another thread that implements Rijndael, allowing attackers to recover the encryption key [6, 7].
 
III. PROBLEM IN RIJNDAEL: CACHE TIMING ATTACK
Cache timing attack: the name speaks for itself. It belongs to a family of attacks that monitor the target cryptosystem and analyze the time taken to execute the various steps of the cryptographic algorithm. In other words, the attack exploits the fact that every step in the algorithm takes a certain, data-dependent, amount of time to execute. Although the cache-timing attack was well known theoretically, it was only in April 2005 that Daniel Bernstein [2, 4] showed that this weakness of Rijndael implementations reveals timing information that can be used to recover the encryption key. In his paper, Bernstein reported a successful cache-timing attack exploiting the timing characteristics of the table lookups.

Here is the simplest conceivable timing attack on Rijndael. AES software implementations that use lookup tables for the internal operations of the cipher, such as the S-boxes, are the most vulnerable. Consider the variable-index array lookup T0[k[0] ⊕ n[0]] near the beginning of the AES computation. The time for this array lookup depends on the array index, and the time for the whole AES computation is well correlated with the time for this lookup. As a result, the AES timings leak information about k[0] ⊕ n[0], and an attacker can calculate the value of k[0] from the distribution of AES timings as a function of n[0]. Similar comments apply to k[1] ⊕ n[1], k[2] ⊕ n[2], and so on.

Assume that the attacker watches the time taken by the victim to handle many inputs n, totals the AES times for each possible value of n[13], and observes that the overall AES time is maximal when n[13] is, say, 147. Suppose that the attacker also observes, by carrying out experiments with known keys k on a computer with the same AES software and the same CPU, that the overall AES time is maximal when k[13] ⊕ n[13] is, say, 8. The attacker concludes that the victim's key byte k[13] is 147 ⊕ 8 = 155. This implies that an attacker can readily attack a variable-time AES implementation and recover the key [2]. Since in Rijndael all the lookup tables live in the cache, an attacker sharing that cache with the victim, for instance from another thread, can observe which parts of the tables the victim touches.

Figure 1. SubBytes
Figure 2. ShiftRows
Figure 3. MixColumns
Fig. 5 shows that the AES implementation in OpenSSL does not run in constant time. The measurements were taken on a Pentium M processor. The figure is a 128 × 128 array of blocks in which each row corresponds to one key and each column to one input; the color pattern at a (key, input) position encodes the encryption time for that pair. The variability among the blocks in Fig. 5 is striking, and because of it an attacker can identify the timing-dependent points of the encryption simply by analyzing the color pattern.

The cache timing attack problem has been tackled through various approaches [3], each with its own pros and cons. For instance, Intel released a set of compilers targeting its latest 64-bit processors; these compilers take C++ code as input and emit machine instructions that do not use the CPU cache at all for temporary storage of data, i.e. the cache is effectively bypassed for that code. Another suggestion is to place all the lookup tables in CPU registers rather than in the cache, but this would affect performance significantly. Hardware approaches are also being considered: a parallel Field-Programmable Gate Array (FPGA) or Application-Specific Integrated Circuit (ASIC) implementation acting as a separate coprocessor alongside the existing CPU, containing dedicated logic that implements Rijndael. The timing attack can then be avoided by barring other processes from accessing this coprocessor [5].
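The inference of Section III (the victim's slowest n[13] is 147, the known-key run's slowest index is 8, hence k[13] = 147 ⊕ 8 = 155) and the contrast with a lookup whose time does not depend on its index (the tables-in-registers option mentioned above) can be worked through in a simulation. The following Python is an added example written for this page; it is neither Bernstein's tooling nor the authors' DCF code. Instead of measuring a real CPU it models only the first-round lookup T0[k ⊕ n] with constructed costs: 16 table entries per 64-byte cache line, a fixed extra cost per line standing in for evicted lines, and Gaussian noise. Those numbers are assumptions; the attack logic is the one the text describes.

```python
import random

# Added example (not the paper's code): a simulation of the first-round
# lookup T0[k ^ n] timing leak and of the key-byte inference in Section III.
# All costs below are constructed assumptions, not measurements:
#   - T0 has 256 four-byte entries, so a 64-byte cache line holds 16 of them;
#   - each of the 16 lines has a fixed extra cost, as if some lines had been
#     evicted by another thread sharing the cache; the attacker does not
#     know these costs, only that they are the same on their own machine;
#   - one whole-AES timing is dominated by this lookup plus Gaussian noise.
ENTRIES_PER_LINE = 16
NUM_LINES = 256 // ENTRIES_PER_LINE
BASE_CYCLES = 100
NOISE_SIGMA = 20.0


def make_line_penalty(rng):
    """Distinct per-line extra costs (cycles), so exactly one line is slowest."""
    return rng.sample(range(0, 25 * NUM_LINES, 25), NUM_LINES)


def leaky_lookup_time(index, penalty, rng):
    """Variable-time lookup: cost depends on the cache line that 'index' hits."""
    return BASE_CYCLES + penalty[index // ENTRIES_PER_LINE] + rng.gauss(0.0, NOISE_SIGMA)


def constant_lookup_time(index, penalty, rng):
    """Index-independent lookup (e.g. the table held in registers, as discussed
    above): every access costs the worst case, so nothing about 'index' leaks."""
    return BASE_CYCLES + max(penalty) + rng.gauss(0.0, NOISE_SIGMA)


def timing_profile(key_byte, time_fn, penalty, rng, reps=300):
    """Mean time as a function of the input byte n for a fixed key byte.
    This is the 'total the AES times for each possible n[13]' step."""
    total = [0.0] * 256
    for _ in range(reps):
        for n in range(256):
            total[n] += time_fn(key_byte ^ n, penalty, rng)
    return [t / reps for t in total]


def argmax(profile):
    return max(range(256), key=lambda n: profile[n])


def recover_key_byte(victim_profile, known_key, known_profile):
    """Bernstein's inference: the victim's slowest n and the known-key run's
    slowest n hit the same table index, hence k = n_victim ^ (k_known ^ n_known).
    Per-line costs only pin k down to cache-line granularity: with 16 entries
    per line that is the top 4 bits of the byte; the rest needs further work."""
    index_star = known_key ^ argmax(known_profile)
    return argmax(victim_profile) ^ index_star


def run_experiment(seed=1):
    rng = random.Random(seed)
    penalty = make_line_penalty(rng)
    true_key = rng.randrange(256)
    known_key = rng.randrange(256)

    # Attacker profiles the same software on the same CPU with a key they chose...
    known = timing_profile(known_key, leaky_lookup_time, penalty, rng)
    # ...then observes the victim, whose key byte is secret.
    victim = timing_profile(true_key, leaky_lookup_time, penalty, rng)
    recovered = recover_key_byte(victim, known_key, known)

    # The same attack against an index-independent lookup: the profile is flat,
    # so its argmax is just noise and carries no key information.
    flat = timing_profile(true_key, constant_lookup_time, penalty, rng)

    return {
        "true_key": true_key,
        "recovered": recovered,
        "leaky_spread": max(victim) - min(victim),
        "constant_spread": max(flat) - min(flat),
    }


if __name__ == "__main__":
    r = run_experiment()
    same = (r["recovered"] >> 4) == (r["true_key"] >> 4)
    print(f"true key byte 0x{r['true_key']:02x}, recovered 0x{r['recovered']:02x},"
          f" top nibble {'correct' if same else 'wrong'}")
    print(f"profile spread: leaky {r['leaky_spread']:.1f} cycles,"
          f" constant-time {r['constant_spread']:.1f} cycles")
```

The attacker never learns the per-line costs; the known-key profile calibrates them away, which is why the attack only needs the same software on the same CPU. With costs that differ per cache line rather than per entry, the argmax identifies the line, so one run recovers the top four bits of the key byte; the flat profile from the index-independent lookup shows what a countermeasure has to achieve, namely a timing distribution that does not move with k ⊕ n.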
Figure 4. AddRoundKey
Figure 5. OpenSSL AES timings for 128 keys and 128 inputs on a Pentium M processor