"Make Sure DSA Signing Exponentiations Really are Constant-Time"

Cesar Pereida García, Billy Bob Brumley, Yuval Yarom

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Scientific › peer-review


    Abstract

    TLS and SSH are two of the most commonly used protocols for securing Internet traffic. Many of the implementations of these protocols rely on the cryptographic primitives provided in the OpenSSL library. In this work we disclose a vulnerability in OpenSSL, affecting all versions and forks (e.g. LibreSSL and BoringSSL) since roughly October 2005, which renders the implementation of the DSA signature scheme vulnerable to cache-based side-channel attacks. Exploiting the software defect, we demonstrate the first published cache-based key-recovery attack on these protocols: 260 SSH-2 handshakes to extract a 1024/160-bit DSA host key from an OpenSSH server, and 580 TLS 1.2 handshakes to extract a 2048/256-bit DSA key from an stunnel server.
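    The abstract's point is that a DSA signature is only as safe as the exponentiation it actually dispatches to: r = (g^k mod p) mod q is computed with the secret per-signature nonce k as the exponent, and if that exponentiation's sequence of operations depends on the bits of k, an attacker who can observe it (through the cache, in the paper) learns k, and from k and the signature recovers the private key. The Python below is an added illustration written for this page, not code from the paper or from OpenSSL. It models the leak at the level of the big-number operation sequence: a textbook square-and-multiply stands in for OpenSSL's variable-time sliding-window routine (simplified, so every nonce bit leaks and one signature suffices, whereas the real attack recovers partial nonce information and combines it across the hundreds of handshakes quoted in the abstract), and a fixed-window routine with a full-table arithmetic select stands in for the constant-time path. The DSA parameters (q = 1009), the message hash stand-in, and the S/M trace are all constructed for the demo; Python integers are not constant-time, so the fixed-window routine demonstrates the control-flow property only.

```python
import secrets


def modexp_leaky(base, exp, mod, trace):
    """Left-to-right square-and-multiply: a multiply follows a squaring only
    when the current exponent bit is 1, so the operation sequence (what a
    cache-timing observer sees) encodes the exponent.  Stand-in for the
    variable-time path."""
    r = 1
    for bit in bin(exp)[2:]:
        r = r * r % mod
        trace.append("S")
        if bit == "1":
            r = r * base % mod
            trace.append("M")
    return r


def modexp_fixed_window(base, exp, mod, trace, w=4, nbits=None):
    """Fixed-window exponentiation: each window costs exactly w squarings and
    one multiply, and the multiplier is chosen by scanning the whole table
    with an arithmetic select, so the trace depends only on the public
    exponent length.  Stand-in for the constant-time path."""
    nbits = mod.bit_length() if nbits is None else nbits
    nwin = (nbits + w - 1) // w
    assert exp.bit_length() <= nwin * w, "exponent longer than declared"
    table = [1]                                   # table[j] = base^j mod mod
    for _ in range((1 << w) - 1):
        table.append(table[-1] * base % mod)
    r = 1
    for i in range(nwin - 1, -1, -1):
        for _ in range(w):
            r = r * r % mod
            trace.append("S")
        digit = (exp >> (i * w)) & ((1 << w) - 1)
        m = 0
        for j, t in enumerate(table):             # touch every entry, keep one
            m |= t & -(j == digit)
        r = r * m % mod                           # multiplies by 1 when digit == 0
        trace.append("M")
    return r


def exponent_from_trace(trace):
    """Rebuild the exponent from a square-and-multiply trace: every 'S' opens
    a new bit, which is 1 exactly when an 'M' follows it."""
    bits = ["1" if trace[i + 1:i + 2] == ["M"] else "0"
            for i, op in enumerate(trace) if op == "S"]
    return int("".join(bits), 2) if bits else 0


def toy_dsa_params(q=1009):
    """Tiny, deliberately insecure DSA parameters: p prime, q | p-1, g of order q."""
    def is_prime(n):
        return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))
    assert is_prime(q)
    j, p = 2, 2 * q + 1
    while not is_prime(p):
        j, p = j + 2, (j + 2) * q + 1
    for h in range(2, p):
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g


def dsa_sign(params, x, h, modexp, trace):
    """DSA signing with a pluggable exponentiation; returns the nonce too so
    the demo can check what the trace leaked."""
    p, q, g = params
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = modexp(g, k, p, trace) % q
        s = pow(k, -1, q) * (h + x * r) % q if r else 0
        if r and s:
            return (r, s), k
        trace.clear()                             # standard DSA retry


def dsa_verify(params, y, h, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    return pow(g, h * w % q, p) * pow(y, r * w % q, p) % p % q == r


def private_key_from_nonce(params, h, sig, k):
    """s = k^-1 (h + x r) mod q  =>  x = (s k - h) r^-1 mod q."""
    _, q, _ = params
    r, s = sig
    return (s * k - h) * pow(r, -1, q) % q


def demo():
    params = toy_dsa_params()
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1              # private key
    y = pow(g, x, p)                              # public key
    h = 0x5A5A % q                                # constructed stand-in for a message hash
    # Leaky path: one signature's trace yields the nonce, the nonce yields x.
    trace = []
    sig, k = dsa_sign(params, x, h, modexp_leaky, trace)
    assert dsa_verify(params, y, h, sig)
    x_rec = private_key_from_nonce(params, h, sig, exponent_from_trace(trace))
    # Constant-time path: traces of many signatures are identical.
    ct = lambda b, e, m, t: modexp_fixed_window(b, e, m, t, nbits=q.bit_length())
    traces = set()
    for _ in range(16):
        t = []
        sig2, _ = dsa_sign(params, x, h, ct, t)
        assert dsa_verify(params, y, h, sig2)
        traces.add("".join(t))
    return {"leaky_key_recovered": x_rec == x, "ct_distinct_traces": len(traces)}
```

Running `demo()` returns `{'leaky_key_recovered': True, 'ct_distinct_traces': 1}`: the variable-time exponentiation hands over the nonce, and with it the key, from a single signature, while sixteen signatures through the fixed-window routine produce one and the same trace. The `modexp` argument of `dsa_sign` is the point of the exercise: the signing code looks identical in both cases, and only the routine it ends up calling decides whether the nonce leaks.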
    Original language: English
    Title of host publication: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24-28, 2016
    Editors: Edgar R. Weippl, Stefan Katzenbeisser, Christopher Kruegel, Andrew C. Myers, Shai Halevi
    Publisher: ACM
    Pages: 1639-1650
    Number of pages: 12
    ISBN (Print): 978-1-4503-4139-4
    DOIs
    Publication status: Published - 2016
    Publication type: A4 Article in conference proceedings
    Event: ACM Conference on Computer and Communications Security (CCS 2016), Vienna, Austria, 24-28 October 2016

    Publication forum classification: Publication forum level 2
