Read without ads and support Scribd by becoming a Scribd Premium Reader.
See Premium Plans
 
Crypto Corner 
Editors: Peter Gutmann, pgut001@cs.auckland.ac.nzDavid Naccache, david.naccache@ens.fr Charles C. Palmer, ccpalmer@us.ibm.com
72
COPublished by the ieee COmPuter and reliability sOCieties
1540-7993/09/$26.00 © 2009 ieee
nOVember/deCember 2009
seal, measured the beam’s modu-lation, and recreated the conversa-tions in the room. This listeningmethod went undetected or years.More recently, side channelattacks have become a power-ul threat to cryptography. Oneo the rst papers on side channelattacks showed how to recover anRSA private key merely by timinghow long it took to decrypt a mes-sage.
1
This was possible becauseRSA and other public-key crypto-systems work with large numbers(or example, 2,048 bits), whereasmodern CPUs have a smaller wordsize. Crypto implementationscompensate by using multipreci-sion arithmetic, representing largenumbers by an array o words andusing a loop to carry overowsrom one word to the next.To raise a multiprecision num-ber to an exponent, systems suchas RSA commonly use
square-and-multiply
. This optimization de-composes an exponentiation into aseries o squarings (
x
2
) and condi-tional multiplies (
*
 
x
), which oc-cur i the bit in question is a one.This is similar to pencil-and-paper multiplication, in which trailingzeros mean that you shit the re-sult one decimal place to the letwhile nonzero digits are multi-plied and added to the result.Because the multiply step isconditional, an attacker gains in-ormation about the total number o one bits with each decryption.By measuring the total time toperorm a multiprecision expo-nentiation with dierent inputmessages, the attacker can eventu-ally recover the entire private keyor enough to brute-orce the rest.vulnerable to side channel attacksbecause o its strict requirementsor absolute secrecy. In the sot-ware world, side channel attackshave sometimes been dismissed asimpractical. However, new systemarchitecture eatures, such as larger cache sizes and multicore proces-sors, have increased the prevalenceo side channels and quality o mea-surement available to an attacker.Sotware developers must be awareo the potential or side channel at-tacks and plan appropriately.
History of Side Channel Attacks 
Side channels are a variant o theclassic covert-channel problem.Covert channels involve two or more processes collaborating tocommunicate via a shared re-source that they can both aectand measure. Attackers can ex-ploit these channels to bypass op-erating system protections such asmandatory access control that areintended to keep the processesseparate. For example, one processcan allocate memory while theother measures the amount o reememory. Through repetition o this behavior, the rst process canslowly communicate inormationto the second. The channel’s sig-nal-to-noise (S/N) ratio measuresits quality. For example, memoryallocations by unrelated processesmight skew some measurements,so a particularly busy systemmight have a low S/N ratio. Error correction methods can assist withthis case.Whereas covert channels in-volve the problem o preventingcooperation, side channel attacksare a purely adversarial problem.Side channels emerge becausecomputation occurs on a non-ide-al system, composed o transistors,wires, power supplies, memory,and peripherals. Each componenthas characteristics that vary withthe instructions and data beingprocessed. When this variance ismeasurable by an attacker, a sidechannel is present.Intelligence agencies have o-ten relied on side channel attacksto monitor their oes. In one clev-er incident, the Soviet Union pro-vided a large wooden seal to theAmerican consulate in Moscow.The US ambassador proudly hungit in his ofce ater it had beenexamined or covert transmitters.It appeared to be clean. Unbe-knownst to the ambassador, theseal contained a careully designedcavity that vibrated in responseto sounds in the room. The spiestransmitted a radio beam at the
 W
hen it comes to cryptographic sotware,side channels are an oten-overlookedthreat. A side channel is any observableside eect o computation that an attack-er could measure and possibly inuence. Crypto is especially
N
ate
L
awsoN
Root Labs 
side Chnnel attck onCryptogrphic softwre
 
Crypto Corner 
www.cop.og/c
73
 
Timing attacks have continu-ally improved, even being per-ormed against an SSL (SecureSockets Layer) implementationover a network.
2
New ways to l-ter jitter have improved the distin-guishability to 200 ns over a LANand 30
m
s over the Internet.
3
At-tacks have also exploited new sidechannels. Power consumption, RFand electromagnetic emissions,sound, vibration, and even heatgive away inormation about secretcomputations. These attacks aren’tmerely the subject o research pa-pers. Smartcards used or payment,transit, and satellite TV have beencompromised by both active aultinduction attacks (“glitching”) andside channel attacks. Hackers useda timing attack against a secretkey stored in the Xbox360 CPUto orge an authenticator and loadtheir own code.
4
Embedded-systems designersare no longer the only ones whomust prevent side channel attacks.Previously, network-based timingattacks against SSL were the onlyside channel attack most sotwaredevelopers needed to consider.But today, virtualization and ap-plication-hosting services such asAmazon S3 have given attackersa more privileged vantage pointo running code on the same sys-tem (possibly even at the sameprivilege level) as the target’s code.Also, high-speed multicore CPUswith large caches and complicatedinstruction- and data-dependentbehavior provide more possibili-ties or side channels and greater precision or measurements.To illustrate side channel at-tacks against sotware cryptogra-phy, I analyze three recent attacks.Each is increasingly more pow-erul, to the point where the at-tacker can recover an entire RSAkey by measuring the behavior o a single decryption operation.
Keeping the Correct  Answer Secret 
The HMAC (Hash MessageAuthentication Code) hashconstruction is oten used to au-thenticate messages. To computea given message’s HMAC, thesender hashes the message anda secret key twice using a cryp-tographic hash algorithm (or example, SHA-256). The re-sult is attached to the message.The recipient then calculates themessage’s HMAC via the sameprocess and compares the resultto the value included with themessage. I they match, the mes-sage wasn’t tampered with ater the sender calculated the HMAC.One subtlety with this pro-cess is that the value the recipientcalculates must be kept secret.Consider what would happen i the result were revealed to thesender in the case o a mismatch,perhaps as part o an error mes-sage. An attacker could submit amessage with an invalid HMACeld, observe the error message,and then resend the same mes-sage with the correct value at-tached. The recipient wouldaccept this message as valid, eventhough the sender didn’t createthe authenticator. Although mostsystems probably don’t reveal thecorrect HMAC value directly,a side channel attack can otenproduce the same eect.I recently reviewed the open-source Google Keyczar cryp-tographic library or possibleaws.
5
This library provides use-ul high-level key managementeatures, with separate imple-mentations in Java, Python,and C++. Keyczar includes anHMAC implementation or au-thenticating messages.The Python code comparedthe received and calculated bytevalues as ollows:
return self.Sign(msg) ==sig_bytes
The Java code was equivalent.The underlying compari-son operator or both high-levellanguages perorms a byte-wisematch o the two arrays. I any el-ement didn’t match, the compari-son loop would terminate early.This would provide a timing sidechannel in which the attacker could iteratively ll in guesses or each byte o the HMAC eld, re-submitting the same message eachtime. When the guess was cor-rect, the comparison would take alittle longer. Eventually, when thewhole HMAC was correct, the re-cipient would accept the message.An implementation o this at-tack over a TCP connection tolocalhost took about a thousandqueries per byte o the secret key.This means that an attacker couldnd a 128-bit key in less than aew minutes. Because the arraycomparison operators in Java andPython aren’t implemented na-tively, the timing dierence or each loop iteration was relativelylarge. But even i there was morenetwork jitter or the comparisonloop was aster, the attacker couldsimply take more samples, applyan appropriate lter, and perorma statistical hypothesis test to de-termine which guess was correct.The solution to this problem isto implement a comparison unc-tion that doesn’t terminate early.Although this might sound easyat rst, eliminating all conditionalbranches rom a comparison loopis surprisingly difcult. Even witha correct algorithm, some un-derlying detail o the high-levellanguage implementation (suchas garbage collection) could still
Power consumption, RF and electromagnetic emissions,sound, vibration, and even heat give away informationabout secret computations.
 
Crypto Corner 
74
ieee seCurity & PriVaCy
leave a measurable timing dier-ence. The standard C
memcmp()
 unction is unsae as well becauseit also terminates early.
Footprints in the Cache 
Like the original RSA timing at-tack, the HMAC timing attackcombines many measurements o the entire operation to nd thetarget’s secret. However, morepowerul side channel attacks cangive insight into an algorithm’sintermediate working values, re-vealing the secret more quickly.Modern systems employ aCPU cache to keep requently ac-cessed memory close to where it’sneeded. When data or a given ad-dress is in the cache, it’s returnedimmediately. I not, it’s etchedrom memory into the cache,stalling the CPU or a ew morecycles. A cache is oten dividedinto blocks called
lines
.Because a cache is smaller thanthe memory it shadows, the CPUmust have a policy or lling andreusing its space. The most com-mon implementation is a set asso-ciative cache, which maps multipleaddresses to the same cache lineon the basis o some raction o the upper address bits. For exam-ple, the addresses 0x100, 0x200,and 0x800 would all use the samecache line i the cache had 256lines o one byte each. “Set” reersto the number o possible destina-tion cache lines per address (thatis,
-way). The CPU evicts older entries when data is loaded into analready-lled cache line.AES (Advanced EncryptionStandard) is a standard block cipher.It encrypts and decrypts data witha secret key, using a combinationo primitives such as
MixColumns
,
ShiftRows
, and
SubBytes
over many rounds (10 or a 128-bitkey). A common optimizationtechnique on 32-bit processors is toprecompute a series o tables on thebasis o the combination o theseprimitives. AES encryption thenbecomes a series o table lookupsand XOR operations.Because the index or theseAES tables is the XOR o a plain-text byte and a key byte, the in-dices themselves must remainsecret. However, a spy processrunning on the same system canobserve the variable timing o the AES encryption due to cachebehavior, narrowing down thepossible values or the key.
6
Eveni running a spy process isn’t pos-sible, a remote attacker can o-ten trigger changes in the systemcache state by interacting withother processes and timing thoseunrelated tasks’ behavior.Dag Arne Osvik and his col-leagues have described two useulways to induce variability and ob-serve cache behavior: Evict+Timeand Prime+Probe.
6
Evict+Time works as ollows:1. Trigger an encryption in thetarget process.2. Evict memory rom chosencache lines by accessing theappropriate addresses in theattacker’s process.3. Trigger and time another en-cryption o the same plaintext.The rst step ensures that all theAES lookup tables accessed bythe given plaintext and key arecached. The second step orcesthe CPU to evict part o one AEStable that the attacker is target-ing, on the basis o a guess o thekey byte. The nal step tests theattacker’s hypothesis. I a cachemiss occurs and the AES en-cryption takes longer than other cases, the guess or the XOR o the plaintext and key bytes wascorrect and caused the CPU toreload the table rom RAM ater it had been evicted. I not, theguess was incorrect. The attacker repeats this process to narrow thepossible key values.Prime+Probe (see Figure 1) ismore powerul. It’s analogous toplacing a lm negative behind anobject and measuring the outlinecast by the object’s shadow. Insteado timing the encryption process,which is subject to noise and jit-ter due to surrounding code inthe target, the attacker repeatedlytimes accesses to its own memorywhile the target encrypts. Eachtime an encryption occurs, theCPU evicts one or more lines o the attacker’s memory rom thecache, causing timing variation.Because the cache eviction is localto the attacker, countermeasuressuch as randomizing or normaliz-ing the total encryption time haveno eect.Such an attack isn’t merely atiming attack. Although time isthe method or probing cache be-havior, this attack could use other methods to determine the cachestate. For example, i an instruc-tion provided the number o validcache lines or the current task, itwould directly provide the sameinormation obtained rom thistiming side channel.Intel and AMD (and previ-ously, Via) introduced AES in-structions to address this problem
AES processCacheSpy process
Figure 1. In a Prime+Probe attack, a spy process probesthe cache by monitoring timing of accesses to itsown memory. As the target process encrypts, it evictsportions of the attacker’s memory from the cache,resulting in longer access times. The access times for the individual regions of the attacker’s memorycorrespond to which tables the encryption processaccessed, and thus the target’s key.
Search
Search History:
Searching...
Result 00 of 00
00 results for result for
  • p.