Abstract
During the last decade, constant-time cryptographic software has quickly transitioned from an academic construct to a concrete security requirement for real-world libraries. Most of OpenSSL’s constant-time code paths are driven by cryptosystem implementations enabling a dedicated flag at runtime. This process is perilous, with several examples emerging in the past few years of the flag either not being set or software defects directly mishandling the flag. In this work, we propose a methodology to analyze security-critical software for side-channel insecure code path traversal. Applying our methodology to OpenSSL, we identify three new code paths during RSA key generation that potentially leak critical algorithm state. Exploiting one of these leaks, we design, implement, and mount a single trace cache-timing attack on the GCD computation step. We overcome several hurdles in the process, including but not limited to: (1) granularity issues due to word-size operands to the GCD function; (2) bulk processing of desynchronized trace data; (3) non-trivial error rate during information extraction; and (4) limited high-confidence information on the modulus factors. Formulating lattice problem instances after obtaining and processing this limited information, our attack achieves roughly a 27% success rate for key recovery using the empirical data from 10K trials.
Highlights
Side-channel analysis (SCA) continues to be a serious threat against the security of systems and cryptography libraries
RSA key generation we identified the following subset of known side-channel vulnerable functions of interest: (1) The function BN_gcd contains highly input-dependent branches that can potentially be used as a side-channel attack vector
The roadmap for our end-to-end attack is as follows: (1) We capture cache-timing traces from BN_gcd executions during RSA key generation, —leveraging signal processing techniques—extract the portions corresponding to p−1 and q−1, apply digital filters and extract their corresponding LS-sequences (Section 3.4); (2) Building upon previous work, we design and implement an error correction algorithm for these sequences—leveraging number theoretic constraints imposed by RSA—to extract partial bits of one factor of N (Section 4); (3) Said algorithm yields an ordered list of candidates for partial factors; we derive lattice parameters for factoring with Coppersmith’s method, and create lattice instances with said candidates, iteratively executing them until the result yields complete factorization of N (Section 5)
Summary
Side-channel analysis (SCA) continues to be a serious threat against the security of systems and cryptography libraries. Our contributions in this work are the following: (1) We develop a methodology to identify insecure code paths through known side-channel vulnerable functions still in use by cryptography libraries, and use it to identify and exploit a flaw in OpenSSL that allows a practical single trace cache-timing attack against RSA key generation (Section 3.1); (2) We combine several techniques from cache-timing attacks and power analysis to capture traces during binary GCD execution and process them in order to obtain a sequence of shift and subtraction operations, i.e. algorithm state, related with prime values p and q (Section 3.4); (3) Building on existing RSA key recovery work, we propose a novel error correction algorithm for noisy RSA primes that allows us to recover roughly 50% of bits for each prime (Section 4); (4) We implement a lattice attack that factors RSA-2048 keys knowing 522 bits of one prime. We perform an end-to-end attack for 10K independent keys achieving roughly a 27% success rate, with room for improvement (Section 5)
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
