TY - GEN
T1 - Remote timing attacks are still practical
AU - Brumley, Billy
AU - Tuveri, Nicola
PY - 2011
Y1 - 2011
N2 - For over two decades, timing attacks have been an active area of research within applied cryptography. These attacks exploit cryptosystem or protocol implementations that do not run in constant time. When implementing an elliptic curve cryptosystem with a goal to provide side-channel resistance, the scalar multiplication routine is a critical component. In such instances, one attractive method often suggested in the literature is Montgomery's ladder that performs a fixed sequence of curve and field operations. This paper describes a timing attack vulnerability in OpenSSL's ladder implementation for curves over binary fields. We use this vulnerability to steal the private key of a TLS server where the server authenticates with ECDSA signatures. Using the timing of the exchanged messages, the messages themselves, and the signatures, we mount a lattice attack that recovers the private key. Finally, we describe and implement an effective countermeasure.
AB - For over two decades, timing attacks have been an active area of research within applied cryptography. These attacks exploit cryptosystem or protocol implementations that do not run in constant time. When implementing an elliptic curve cryptosystem with a goal to provide side-channel resistance, the scalar multiplication routine is a critical component. In such instances, one attractive method often suggested in the literature is Montgomery's ladder that performs a fixed sequence of curve and field operations. This paper describes a timing attack vulnerability in OpenSSL's ladder implementation for curves over binary fields. We use this vulnerability to steal the private key of a TLS server where the server authenticates with ECDSA signatures. Using the timing of the exchanged messages, the messages themselves, and the signatures, we mount a lattice attack that recovers the private key. Finally, we describe and implement an effective countermeasure.
KW - elliptic curve cryptography
KW - lattice attacks
KW - Side-channel attacks
KW - timing attacks
U2 - 10.1007/978-3-642-23822-2_20
DO - 10.1007/978-3-642-23822-2_20
M3 - Conference contribution
AN - SCOPUS:80052996390
SN - 9783642238215
VL - 6879 LNCS
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 355
EP - 371
BT - Computer Security, ESORICS 2011 - 16th European Symposium on Research in Computer Security, Proceedings
T2 - 16th European Symposium on Research in Computer Security, ESORICS 2011
Y2 - 12 September 2011 through 14 September 2011
ER -