Constant-Time Callees with Variable-Time Callers

Cesar Pereida Garcia, Billy Bob Brumley

    Tutkimustuotos: KonferenssiartikkeliScientificvertaisarvioitu

    23 Sitaatiot (Scopus)
    50 Lataukset (Pure)

    Abstrakti

    Side-channel attacks are a serious threat to security critical software. To mitigate remote timing and cache-timing attacks, many ubiquitous cryptography software libraries feature constant-time implementations of cryptographic primitives. In this work, we disclose a vulnerability in OpenSSL 1.0.1u that recovers ECDSA private keys for the standardized elliptic curve P-256 despite the library featuring both constant-time curve operations and
    modular inversion with microarchitecture attack mitigations. Exploiting this defect, we target the errant modular inversion code path with a cache-timing and improved performance degradation attack, recovering the inversion state sequence. We propose a new approach of extracting a variable number of nonce bits from these sequences, and improve upon the best theoretical result to recover private keys in a lattice attack with as few as 50 signatures and corresponding traces. As far as we are aware, this is the first timing attack against OpenSSL ECDSA that does not target scalar multiplication, the first
    side-channel attack on cryptosystems leveraging P-256 constant-time scalar multiplication and furthermore, we extend our attack to TLS and SSH protocols, both linked to OpenSSL for P-256 ECDSA signing.
    AlkuperäiskieliEnglanti
    Otsikko26th USENIX Security Symposium (USENIX Security 17)
    JulkaisupaikkaVancouver, BC
    KustantajaThe USENIX Association
    Sivut83-98
    Sivumäärä16
    ISBN (elektroninen)978-1-931971-40-9
    TilaJulkaistu - 2017
    OKM-julkaisutyyppiA4 Artikkeli konferenssijulkaisussa
    TapahtumaUSENIX SECURITY SYMPOSIUM -
    Kesto: 1 tammik. 1900 → …

    Conference

    ConferenceUSENIX SECURITY SYMPOSIUM
    Ajanjakso1/01/00 → …

    Julkaisufoorumi-taso

    • Jufo-taso 1

    Sormenjälki

    Sukella tutkimusaiheisiin 'Constant-Time Callees with Variable-Time Callers'. Ne muodostavat yhdessä ainutlaatuisen sormenjäljen.

    Siteeraa tätä