Déjà Vu: Side-Channel Analysis of Mozilla's NSS

Sohaib Ul Hassan, Iaroslav Gridin, Ignacio M. Delgado-Lozano, Cesar Pereida García, Jesús Javier Chi-Domínguez, Alejandro Cabrera Aldaya, Billy Bob Brumley

Research output: Chapter in Book/Report/Conference proceedingConference contributionScientificpeer-review

10 Citations (Scopus)
95 Downloads (Pure)

Abstract

Recent work on Side Channel Analysis (SCA) targets old, well-known vulnerabilities, even previously exploited, reported, and patched in high-profile cryptography libraries. Nevertheless, researchers continue to find and exploit the same vulnerabilities in old and new products, highlighting a big issue among vendors: effectively tracking and fixing security vulnerabilities when disclosure is not done directly to them. In this work, we present another instance of this issue by performing the first library-wide SCA security evaluation of Mozilla's NSS security library. We use a combination of two independently-developed SCA security frameworks to identify and test security vulnerabilities. Our evaluation uncovers several new vulnerabilities in NSS affecting DSA, ECDSA, and RSA cryptosystems. We exploit said vulnerabilities and implement key recovery attacks using signals - -extracted through different techniques such as timing, microarchitecture, and EM - -and improved lattice methods.

Original languageEnglish
Title of host publicationCCS 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security
PublisherACM
Pages1887-1902
Number of pages16
ISBN (Electronic)9781450370899
DOIs
Publication statusPublished - 30 Oct 2020
Publication typeA4 Article in conference proceedings
EventACM SIGSAC Conference on Computer and Communications Security -
Duration: 9 Nov 202013 Nov 2020

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)1543-7221

Conference

ConferenceACM SIGSAC Conference on Computer and Communications Security
Period9/11/2013/11/20

Keywords

  • applied cryptography
  • CVE-2020-12399
  • CVE-2020-12401
  • CVE-2020-12402
  • CVE-2020-6829
  • DSA
  • ECDSA
  • lattice-based cryptanalysis
  • NSS
  • public key cryptography
  • RSA
  • side-channel analysis
  • software security

Publication forum classification

  • Publication forum level 2

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'Déjà Vu: Side-Channel Analysis of Mozilla's NSS'. Together they form a unique fingerprint.

Cite this