"Make Sure DSA Signing Exponentiations Really are Constant-Time"

Cesar Pereida García; Billy Bob Brumley; Yuval Yarom

doi:10.1145/2976749.2978420

"Make Sure DSA Signing Exponentiations Really are Constant-Time"

Cesar Pereida García, Billy Bob Brumley, Yuval Yarom

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Scientific › peer-review

37 Citations (Scopus)

98 Downloads (Pure)

Abstract

TLS and SSH are two of the most commonly used protocols for securing Internet traffic. Many of the implementations of these protocols rely on the cryptographic primitives provided in the OpenSSL library. In this work we disclose a vulnerability in OpenSSL, affecting all versions and forks (e.g. LibreSSL and BoringSSL) since roughly October 2005, which renders the implementation of the DSA signature scheme vulnerable to cache-based side-channel attacks. Exploiting the software defect, we demonstrate the first published cache-based key-recovery attack on these protocols: 260 SSH-2 handshakes to extract a 1024/160-bit DSA host key from an OpenSSH server, and 580 TLS 1.2 handshakes to extract a 2048/256-bit DSA key from an stunnel server.

Original language	English
Title of host publication	Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24-28, 2016
Editors	Edgar R. Weippl, Stefan Katzenbeisser, Christopher Kruegel, Andrew C. Myers, Shai Halevi
Publisher	ACM
Pages	1639-1650
Number of pages	12
ISBN (Print)	978-1-4503-4139-4
DOIs	https://doi.org/10.1145/2976749.2978420
Publication status	Published - 2016
Publication type	A4 Article in conference proceedings
Event	ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY - Duration: 1 Jan 1900 → …

Conference

Conference	ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY
Period	1/01/00 → …

Publication forum classification

Publication forum level 2

Access to Document

10.1145/2976749.2978420Licence: CC BY

p1639-pereida-garcia
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for proﬁt or commercial advantage and that copies bear this notice and the full citation on the ﬁrst page. Copyrights for third-party components of this work must be honored. CCS’16 October 24-28, 2016, Vienna, Austria c 2016 Copyright held by the owner/author(s).
Final published version, 600 KBLicence: CC BY-NC-SA

http://eprint.iacr.org/2016/594Licence: CC BY
http://urn.fi/URN:NBN:fi:tty-201612024843Licence: CC BY-NC-SA

Cite this

García, C. P., Brumley, B. B., & Yarom, Y. (2016). "Make Sure DSA Signing Exponentiations Really are Constant-Time". In E. R. Weippl, S. Katzenbeisser, C. Kruegel, A. C. Myers, & S. Halevi (Eds.), Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24-28, 2016 (pp. 1639-1650). ACM. https://doi.org/10.1145/2976749.2978420

García, Cesar Pereida ; Brumley, Billy Bob ; Yarom, Yuval. / "Make Sure DSA Signing Exponentiations Really are Constant-Time". Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24-28, 2016. editor / Edgar R. Weippl ; Stefan Katzenbeisser ; Christopher Kruegel ; Andrew C. Myers ; Shai Halevi. ACM, 2016. pp. 1639-1650

@inproceedings{42d7aeb387e64982a7377dda185e90b4,

title = "{"}Make Sure DSA Signing Exponentiations Really are Constant-Time{"}",

abstract = "TLS and SSH are two of the most commonly used protocols for securing Internet traffic. Many of the implementations of these protocols rely on the cryptographic primitives provided in the OpenSSL library. In this work we disclose a vulnerability in OpenSSL, affecting all versions and forks (e.g. LibreSSL and BoringSSL) since roughly October 2005, which renders the implementation of the DSA signature scheme vulnerable to cache-based side-channel attacks. Exploiting the software defect, we demonstrate the first published cache-based key-recovery attack on these protocols: 260 SSH-2 handshakes to extract a 1024/160-bit DSA host key from an OpenSSH server, and 580 TLS 1.2 handshakes to extract a 2048/256-bit DSA key from an stunnel server.",

author = "Garc{\'i}a, {Cesar Pereida} and Brumley, {Billy Bob} and Yuval Yarom",

year = "2016",

doi = "10.1145/2976749.2978420",

language = "English",

isbn = "978-1-4503-4139-4 ",

pages = "1639--1650",

editor = "Weippl, {Edgar R.} and Stefan Katzenbeisser and Christopher Kruegel and Myers, {Andrew C.} and Shai Halevi",

booktitle = "Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24-28, 2016",

publisher = "ACM",

note = "ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY ; Conference date: 01-01-1900",

}

García, CP, Brumley, BB & Yarom, Y 2016, "Make Sure DSA Signing Exponentiations Really are Constant-Time". in ER Weippl, S Katzenbeisser, C Kruegel, AC Myers & S Halevi (eds), Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24-28, 2016. ACM, pp. 1639-1650, ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY, 1/01/00. https://doi.org/10.1145/2976749.2978420

"Make Sure DSA Signing Exponentiations Really are Constant-Time". / García, Cesar Pereida; Brumley, Billy Bob; Yarom, Yuval.

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24-28, 2016. ed. / Edgar R. Weippl; Stefan Katzenbeisser; Christopher Kruegel; Andrew C. Myers; Shai Halevi. ACM, 2016. p. 1639-1650.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Scientific › peer-review

TY - GEN

T1 - "Make Sure DSA Signing Exponentiations Really are Constant-Time"

AU - García, Cesar Pereida

AU - Brumley, Billy Bob

AU - Yarom, Yuval

PY - 2016

Y1 - 2016

N2 - TLS and SSH are two of the most commonly used protocols for securing Internet traffic. Many of the implementations of these protocols rely on the cryptographic primitives provided in the OpenSSL library. In this work we disclose a vulnerability in OpenSSL, affecting all versions and forks (e.g. LibreSSL and BoringSSL) since roughly October 2005, which renders the implementation of the DSA signature scheme vulnerable to cache-based side-channel attacks. Exploiting the software defect, we demonstrate the first published cache-based key-recovery attack on these protocols: 260 SSH-2 handshakes to extract a 1024/160-bit DSA host key from an OpenSSH server, and 580 TLS 1.2 handshakes to extract a 2048/256-bit DSA key from an stunnel server.

AB - TLS and SSH are two of the most commonly used protocols for securing Internet traffic. Many of the implementations of these protocols rely on the cryptographic primitives provided in the OpenSSL library. In this work we disclose a vulnerability in OpenSSL, affecting all versions and forks (e.g. LibreSSL and BoringSSL) since roughly October 2005, which renders the implementation of the DSA signature scheme vulnerable to cache-based side-channel attacks. Exploiting the software defect, we demonstrate the first published cache-based key-recovery attack on these protocols: 260 SSH-2 handshakes to extract a 1024/160-bit DSA host key from an OpenSSH server, and 580 TLS 1.2 handshakes to extract a 2048/256-bit DSA key from an stunnel server.

U2 - 10.1145/2976749.2978420

DO - 10.1145/2976749.2978420

M3 - Conference contribution

SN - 978-1-4503-4139-4

SP - 1639

EP - 1650

BT - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24-28, 2016

A2 - Weippl, Edgar R.

A2 - Katzenbeisser, Stefan

A2 - Kruegel, Christopher

A2 - Myers, Andrew C.

A2 - Halevi, Shai

PB - ACM

T2 - ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY

Y2 - 1 January 1900

ER -

"Make Sure DSA Signing Exponentiations Really are Constant-Time"

Abstract

Conference

Publication forum classification

Access to Document

Fingerprint

Cite this