Abstract
Recent work on Side Channel Analysis (SCA) targets old, well-known vulnerabilities, even previously exploited, reported, and patched in high-profile cryptography libraries. Nevertheless, researchers continue to find and exploit the same vulnerabilities in old and new products, highlighting a big issue among vendors: effectively tracking and fixing security vulnerabilities when disclosure is not done directly to them. In this work, we present another instance of this issue by performing the first library-wide SCA security evaluation of Mozilla's NSS security library. We use a combination of two independently-developed SCA security frameworks to identify and test security vulnerabilities. Our evaluation uncovers several new vulnerabilities in NSS affecting DSA, ECDSA, and RSA cryptosystems. We exploit said vulnerabilities and implement key recovery attacks using signals - -extracted through different techniques such as timing, microarchitecture, and EM - -and improved lattice methods.
Original language | English |
---|---|
Title of host publication | CCS 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security |
Publisher | ACM |
Pages | 1887-1902 |
Number of pages | 16 |
ISBN (Electronic) | 9781450370899 |
DOIs | |
Publication status | Published - 30 Oct 2020 |
Publication type | A4 Article in conference proceedings |
Event | ACM SIGSAC Conference on Computer and Communications Security - Duration: 9 Nov 2020 → 13 Nov 2020 |
Publication series
Name | Proceedings of the ACM Conference on Computer and Communications Security |
---|---|
ISSN (Print) | 1543-7221 |
Conference
Conference | ACM SIGSAC Conference on Computer and Communications Security |
---|---|
Period | 9/11/20 → 13/11/20 |
Keywords
- applied cryptography
- CVE-2020-12399
- CVE-2020-12401
- CVE-2020-12402
- CVE-2020-6829
- DSA
- ECDSA
- lattice-based cryptanalysis
- NSS
- public key cryptography
- RSA
- side-channel analysis
- software security
Publication forum classification
- Publication forum level 2
ASJC Scopus subject areas
- Software
- Computer Networks and Communications
Fingerprint
Dive into the research topics of 'Déjà Vu: Side-Channel Analysis of Mozilla's NSS'. Together they form a unique fingerprint.Datasets
-
CVE-2020-12399: research data and tooling
Sohaib ul Hassan, N. (Creator), Gridin, I. (Creator), Delgado Lozano, I. (Creator), Pereida Garcia, C. (Creator), Chi Dominguez, J. (Creator), Cabrera Aldaya, A. (Creator) & Brumley, B. (Creator), Zenodo, 13 Aug 2020
Dataset