Professional Documents
Culture Documents
W
hen it comes to cryptographic software, seal, measured the beam’s modu-
lation, and recreated the conversa-
side channels are an often-overlooked tions in the room. This listening
method went undetected for years.
threat. A side channel is any observable More recently, side channel
attacks have become a power-
side effect of computation that an attack- ful threat to cryptography. One
of the first papers on side channel
er could measure and possibly influence. Crypto is especially attacks showed how to recover an
RSA private key merely by timing
Nate Lawson vulnerable to side channel attacks its quality. For example, memory how long it took to decrypt a mes-
Root Labs because of its strict requirements allocations by unrelated processes sage.1 This was possible because
for absolute secrecy. In the soft- might skew some measurements, RSA and other public-key crypto-
ware world, side channel attacks so a particularly busy system systems work with large numbers
have sometimes been dismissed as might have a low S/N ratio. Error (for example, 2,048 bits), whereas
impractical. However, new system correction methods can assist with modern CPUs have a smaller word
architecture features, such as larger this case. size. Crypto implementations
cache sizes and multicore proces- Whereas covert channels in- compensate by using multipreci-
sors, have increased the prevalence volve the problem of preventing sion arithmetic, representing large
of side channels and quality of mea- cooperation, side channel attacks numbers by an array of words and
surement available to an attacker. are a purely adversarial problem. using a loop to carry overflows
Software developers must be aware Side channels emerge because from one word to the next.
of the potential for side channel at- computation occurs on a non-ide- To raise a multiprecision num-
tacks and plan appropriately. al system, composed of transistors, ber to an exponent, systems such
wires, power supplies, memory, as RSA commonly use square-and-
History of and peripherals. Each component multiply. This optimization de-
Side Channel Attacks has characteristics that vary with composes an exponentiation into a
Side channels are a variant of the the instructions and data being series of squarings (x2) and condi-
classic covert-channel problem. processed. When this variance is tional multiplies (* x), which oc-
Covert channels involve two or measurable by an attacker, a side cur if the bit in question is a one.
more processes collaborating to channel is present. This is similar to pencil-and-paper
communicate via a shared re- Intelligence agencies have of- multiplication, in which trailing
source that they can both affect ten relied on side channel attacks zeros mean that you shift the re-
and measure. Attackers can ex- to monitor their foes. In one clev- sult one decimal place to the left
ploit these channels to bypass op- er incident, the Soviet Union pro- while nonzero digits are multi-
erating system protections such as vided a large wooden seal to the plied and added to the result.
mandatory access control that are American consulate in Moscow. Because the multiply step is
intended to keep the processes The US ambassador proudly hung conditional, an attacker gains in-
separate. For example, one process it in his office after it had been formation about the total number
can allocate memory while the examined for covert transmitters. of one bits with each decryption.
other measures the amount of free It appeared to be clean. Unbe- By measuring the total time to
memory. Through repetition of knownst to the ambassador, the perform a multiprecision expo-
this behavior, the first process can seal contained a carefully designed nentiation with different input
slowly communicate information cavity that vibrated in response messages, the attacker can eventu-
to the second. The channel’s sig- to sounds in the room. The spies ally recover the entire private key
nal-to-noise (S/N) ratio measures transmitted a radio beam at the or enough to brute-force the rest.
72 COPublished by the IEEE Computer and Reliability Societies ■ 1540-7993/09/$26.00 © 2009 IEEE ■ NOVEMBER/DECEMBER 2009
Crypto Corner
www.computer.org/security 73
Crypto Corner
AES process ciative cache, which maps multiple 3. Trigger and time another en-
addresses to the same cache line cryption of the same plaintext.
on the basis of some fraction of
the upper address bits. For exam- The first step ensures that all the
ple, the addresses 0x100, 0x200, AES lookup tables accessed by
Cache
and 0x800 would all use the same the given plaintext and key are
cache line if the cache had 256 cached. The second step forces
lines of one byte each. “Set” refers the CPU to evict part of one AES
Spy process to the number of possible destina- table that the attacker is target-
tion cache lines per address (that ing, on the basis of a guess of the
is, N-way). The CPU evicts older key byte. The final step tests the
entries when data is loaded into an attacker’s hypothesis. If a cache
already-filled cache line. miss occurs and the AES en-
AES (Advanced Encryption cryption takes longer than other
Standard) is a standard block cipher. cases, the guess for the XOR of
It encrypts and decrypts data with the plaintext and key bytes was
Figure 1. In a Prime+Probe attack, a spy process probes a secret key, using a combination correct and caused the CPU to
the cache by monitoring timing of accesses to its of primitives such as MixColumns, reload the table from RAM after
own memory. As the target process encrypts, it evicts ShiftRows, and SubBytes over it had been evicted. If not, the
portions of the attacker’s memory from the cache, many rounds (10 for a 128-bit guess was incorrect. The attacker
resulting in longer access times. The access times key). A common optimization repeats this process to narrow the
for the individual regions of the attacker’s memory technique on 32-bit processors is to possible key values.
correspond to which tables the encryption process precompute a series of tables on the Prime+Probe (see Figure 1) is
accessed, and thus the target’s key. basis of the combination of these more powerful. It’s analogous to
primitives. AES encryption then placing a film negative behind an
becomes a series of table lookups object and measuring the outline
leave a measurable timing differ- and XOR operations. cast by the object’s shadow. Instead
ence. The standard C memcmp() Because the index for these of timing the encryption process,
function is unsafe as well because AES tables is the XOR of a plain- which is subject to noise and jit-
it also terminates early. text byte and a key byte, the in- ter due to surrounding code in
dices themselves must remain the target, the attacker repeatedly
Footprints in the Cache secret. However, a spy process times accesses to its own memory
Like the original RSA timing at- running on the same system can while the target encrypts. Each
tack, the HMAC timing attack observe the variable timing of time an encryption occurs, the
combines many measurements of the AES encryption due to cache CPU evicts one or more lines of
the entire operation to find the behavior, narrowing down the the attacker’s memory from the
target’s secret. However, more possible values for the key.6 Even cache, causing timing variation.
powerful side channel attacks can if running a spy process isn’t pos- Because the cache eviction is local
give insight into an algorithm’s sible, a remote attacker can of- to the attacker, countermeasures
intermediate working values, re- ten trigger changes in the system such as randomizing or normaliz-
vealing the secret more quickly. cache state by interacting with ing the total encryption time have
Modern systems employ a other processes and timing those no effect.
CPU cache to keep frequently ac- unrelated tasks’ behavior. Such an attack isn’t merely a
cessed memory close to where it’s Dag Arne Osvik and his col- timing attack. Although time is
needed. When data for a given ad- leagues have described two useful the method for probing cache be-
dress is in the cache, it’s returned ways to induce variability and ob- havior, this attack could use other
immediately. If not, it’s fetched serve cache behavior: Evict+Time methods to determine the cache
from memory into the cache, and Prime+Probe.6 state. For example, if an instruc-
stalling the CPU for a few more Evict+Time works as follows: tion provided the number of valid
cycles. A cache is often divided cache lines for the current task, it
into blocks called lines. 1. Trigger an encryption in the would directly provide the same
Because a cache is smaller than target process. information obtained from this
the memory it shadows, the CPU 2. Evict memory from chosen timing side channel.
must have a policy for filling and cache lines by accessing the Intel and AMD (and previ-
reusing its space. The most com- appropriate addresses in the ously, Via) introduced AES in-
mon implementation is a set asso- attacker’s process. structions to address this problem
www.computer.org/security 75