Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack
نویسندگان
چکیده
We illustrate a vulnerability introduced to elliptic curve cryptographic protocols when implemented using a function of the OpenSSL cryptographic library. For the given implementation using an elliptic curve E over a binary field with a point G ∈ E, our attack recovers the majority of the bits of a scalar k when kG is computed using the OpenSSL implementation of the Montgomery ladder. For the Elliptic Curve Digital Signature Algorithm (ECDSA) the scalar k is intended to remain secret. Our attack recovers the scalar k and thus the secret key of the signer and would therefore allow unlimited forgeries. This is possible from snooping on only one signing process and requires computation of less than one second on a quad core desktop when the scalar k (and secret key) is around 571 bits.
منابع مشابه
Enhanced Flush+Reload Attack on AES
In cloud computing, multiple users can share the same physical machine that can potentially leak secret information, in particular when the memory de-duplication is enabled. Flush+Reload attack is a cache-based attack that makes use of resource sharing. T-table implementation of AES is commonly used in the crypto libraries like OpenSSL. Several Flush+Reload attacks on T-table implementat...
متن کامل"Ooh Aah... Just a Little Bit" : A Small Amount of Side Channel Can Go a Long Way
We apply the FLUSH+RELOAD side-channel attack based on cache hits/misses to extract a small amount of data from OpenSSL ECDSA signature requests. We then apply a “standard” lattice technique to extract the private key, but unlike previous attacks we are able to make use of the side-channel information from almost all of the observed executions. This means we obtain private key recovery by obser...
متن کاملTemplate attacks exploiting static power and application to CMOS lightweight crypto-hardware
Side-channel attacks are a serious threat to security-critical software. OpenSSL is a prime security attack target due to the library’s ubiquitous real world applications, therefore, the history of cache-timing attacks against OpenSSL is varied and rich. The presentation includes a brief history of cache-timing attacks in OpenSSL. To mitigate remote timing and cache-timing attacks, many ubiquit...
متن کاملConstant-Time Callees with Variable-Time Callers
Side-channel attacks are a serious threat to securitycritical software. To mitigate remote timing and cachetiming attacks, many ubiquitous cryptography software libraries feature constant-time implementations of cryptographic primitives. In this work, we disclose a vulnerability in OpenSSL 1.0.1u that recovers ECDSA private keys for the standardized elliptic curve P-256 despite the library feat...
متن کاملFlush, Gauss, and Reload - A Cache Attack on the BLISS Lattice-Based Signature Scheme
We present the first side-channel attack on a lattice-based signature scheme, using the Flush+Reload cache-attack. The attack is targeted at the discrete Gaussian sampler, an important step in the Bimodal Lattice Signature Schemes (BLISS). After observing only 450 signatures with a perfect side-channel, an attacker is able to extract the secret BLISS-key in less than 2 minutes, with a success p...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2014 شماره
صفحات -
تاریخ انتشار 2014