torturing openssl

15
Torturing OpenSSL Todd Austin University of Michigan with Andrea Pellegrini, William Arthur and Valeria Bertacco (Based on Valeria’s BlackHat 2012 Presentation)

Upload: nedra

Post on 23-Feb-2016

46 views

Category:

Documents


0 download

DESCRIPTION

Torturing OpenSSL. Todd Austin University of Michigan with Andrea Pellegrini , William Arthur and Valeria Bertacco (Based on Valeria’s BlackHat 2012 Presentation). Understanding Side Channel Attacks. Systems leak info about internal computation - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Torturing  OpenSSL

Torturing OpenSSL

Todd AustinUniversity of Michigan

with Andrea Pellegrini, William Arthur and Valeria Bertacco

(Based on Valeria’s BlackHat 2012 Presentation)

Page 2: Torturing  OpenSSL

2

Understanding Side Channel Attacks

· Systems leak info about internal computation• E.g., safes can be cracked by

carefully listening to the tumblers

· Clever attackers can utilize leaked info to grain secrets• Generally not directly• Use statistical methods over time

· Attacks implementation, rather than algorithm

Page 3: Torturing  OpenSSL

3

Fault-Based Attack of RSA

Correct behavior:•Server challenge:

s = md mod n•Client verifies:

m = se mod n

Faulty Server:ŝ != md mod n

Public Key(e,n)

Private Key(d,n)

m

s

Public Key(e,n)

Private Key(d,n)

m

ŝ

mTactical advantage: We have years

to implement this attack!

Page 4: Torturing  OpenSSL

4

Injecting Faults in RSA AuthenticationMaking hardware fail:Lower voltage causes signals to slow down, thus missing

the deadline imposed by the system clockHigh temperatures increase signal propagation delays· Over-clocking shortens the allowed time for traversing the

logic cloud· Charged particles cause internal signals to change value,

causing errors

Page 5: Torturing  OpenSSL

5

Wanted: Single-Bit Errors in Multiplication

A corrupted signature leaks data if only one multiplication is corrupted by a single bit flip

0

10

20

30

40

50

60

1.30 1.29 1.28 1.27 1.26 1.25 1.24 1.23

Voltage [V]

Sin

gle

bit f

aults

(%)

0

2.75

5.50

8.25

11.00

13.75

16.50

Faul

ty p

rodu

cts

(%)

Single bit faults

Faulty multiplications

Page 6: Torturing  OpenSSL

6

Implementing the Fault-Based Attack

Fault-Based Attack of RSA Attackers

1. Subject server to potential single-bit faults in multiplications2. Repeatedly authenticate to collect faulty RSA signatures3. Offline, analyze RSA signatures to extract private key bits4. Repeat steps 2 & 3 until entire RSA private key identified

Page 7: Torturing  OpenSSL

7

Extracting the Key with Offline Analysis· The attacker collects the faulty signatures

· The private key is recovered one window at the time

· The attacker checks its guess against the collected faulty signatures

Public Keyŝŝŝŝ

Private Keym

ŝŝ ŝ

ŝd= X X X Xd3d2d1d0

Page 8: Torturing  OpenSSL

8

Computing (s=md mod n) in OpenSSL

1101

s=1

for each window:

for each bit in window: //4times

s = (s * s) mod n

s = (s * mˆd[window]) mod n

return s

d=214= 0110

s=1

s=1

s= m1101

s= (∙∙∙(m1101) 2)2)2)2

s= (∙∙∙(m1101) 2)2)2)2)m0110

window 1 window 2

Page 9: Torturing  OpenSSL

9

Faulty Signature: ŝ!=md mod n

s=1

for each window:

for each bit in window: //4times

s = (s * s) mod n

s = (s * mˆd[window]) mod n

return s

s=1

s=1

s= m1101

ŝ = (∙∙∙(m1101) 2) 2) ±2f)2)2

ŝ = (∙∙∙(m1101) 2) 2) ±2f) 2)2)m0110

1101d=214= 0110window 1 window 2

Page 10: Torturing  OpenSSL

10

Reconstructing the SignatureThe private key is recovered one window at the time, guessing where and when the fault hits

ŝ = (∙∙∙(mdk)64)mdk-1)2) 2)2 ±2f)2) 2)2) mdk-2)64 …md0

Alreadyknown Value?

Which multiplication?

Which bit?

d= X X Xdk dk-1 …

For each window value to be guessed and signature we test:• 16 possible key values• 2 possible error values (0→1 or 1→0)• 4 squaring iterations

Page 11: Torturing  OpenSSL

11

Implementing Offline Analysis· In practice 40 bit positions typically affected by faults

→ the computation time is reduced to 2.5 seconds· Analyzing 8,800 corrupted signatures requires 1 CPU-

year – only ~1,000 are useful

· Signatures can be checked in parallel· Performed the analysis with 81 workstations

ŝŝŝŝŝŝ

Page 12: Torturing  OpenSSL

12

Fault-Based Attack of Leon3 SPARC

RSA 1024-bit private key

8,800 corrupted signatures collected in 10 hours

Distributed application with 81 machines for offline analysis

Private key recovered in 100 hours

Page 13: Torturing  OpenSSL

13

Exploring Temperature-Induced Faults

Page 14: Torturing  OpenSSL

14

Number of Key Bits Revealed (128-bit RSA)

20 30 40 50 60 70 80 90 1000

20

40

60

80

100

120

140

V=1.3 v

V=1.28 v

V=1.27 v

V=1.26 v

V=1.25 v

V=1.24 v

Temperature

Key

bits

reco

vere

d (o

ut o

f 128

)

Surprising insight: Attack is easier to implementwith more sophisticated cooling systems

Page 15: Torturing  OpenSSL

15

Conclusions

· Transient faults can leak vital private key data

· Fault-based attack devised for OpenSSL 0.9.8i ’s Fixed Window Exponentiation algorithm

· Attack demonstrated on a complete physical Leon3 SPARC system

· Software fix using “blind”ing available in OpenSSL to protect against timing attacks

· Published: “Fault-based Attack of RSA Authentication” - DATE 2010· Presented: BlackHat 2012