1 / 23

Attacks on RSA

Attacks on RSA. By, Barath Thangaraj Anup Talwalkar. Proceedings. Overview RSA-CRT Bellcore Attack and countermeasures Fault based Attack on RSA FWM and key recovery Algorithms References. Overview. Public key cryptography

molly
Télécharger la présentation

Attacks on RSA

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Attacks on RSA By, Barath Thangaraj Anup Talwalkar

  2. Proceedings • Overview • RSA-CRT • Bellcore Attack and countermeasures • Fault based Attack on RSA • FWM and key recovery • Algorithms • References

  3. Overview • Public key cryptography • Secure / authenticate confidential data on public network • Sufficiently long keys makes it unbreakable • Advanced semiconductor technology and hardware design made it possible to execute on smaller machines • Possible for being used in secure services (online banking / shopping) • Vulnerability • If the hardware is compromised, Attack tamper-proof devices. Eg:SmartCard ICs • Fault attacks used to factorize RSA modulus. • Fault based attack? • Proximity to the hardware • Changing environment variables like voltage supply /temperature • In short, generating faults and extracting the key • A random fault occurs. Correct signature S, faulty signature S' are known.

  4. Fault based attack of RSA-CRT • Sung-Ming Yen, Sangjae Moon, and Jae-Cheol Ha, "Hardware Fault Attack on RSA with CRT Revisited" Springer-Verlag Berlin Heidelberg 2003. • C. Aumuller, P. Bier, W. Fischer, P. Hofreiter, and J.-P. SeifertFault, "Attacks on RSA with CRT: Concrete Results and Practical Countermeasures".

  5. RSA-CRT • N = p * q • Sp = md mod p, Sq = md mod q • Find S (sign m) using either Gauss's or Garner's algorithm. • Gauss: S = (Sp * q * (q-1 mod p) + Sq * p * (p-1 mod q)) mod N • Garner: S = Sq + ((Sp-Sq) * (q-1 mod p) mod p) * q

  6. Bellcore Attack • A random error occurs when computing Sp. This yields a faulty signature Sp'. • Sq is computed correctly. • Such that, S – S' <> 0 but S-S' = 0 mod q. • N can be factorized • gcd ((m – (S')e) mod N, N) = q (or) gcd(S' – S, N) = q

  7. Countermeasures • Perform calculation twice • This is very time-consuming and it cannot always provide a satisfactory result because in case of permanent error, computing twice may also be of no use • Verify correctness by comparing inverse result with the input m • If e is large, it becomes time-consuming. Also, this seems to be safe

  8. Countermeasures continued… Shamir's: • Using a random prime r • Sp' = Sq' (mod r) used for verifying the correctness of Sp' and Sq‘ Shamir's Limitation: • Fault when accessing p in p’ = p * r • This will not be detected by Sp’ = Sq’ (mod r)

  9. Countermeasures continued… Infineon’s Countermeasure: • Using a random prime r. dp = d mod (p-1) • dp’ = dp + random1 * (p-1) • Sp’ = mdp’ mod p’ and Sp = Sp’ mod p • Check p’ mod p = 0 and dp’ mod (p-1) = dp • Check whether S mod p = Sp and S mod q = Sq • Additional check: (Sp’ mod r)dq’ mod (r-1) = (Sq’ mod r) dp’ mod (r-1) (mod r) Attack: • Fault when performing the modular operation Sp = Sp’ mod p

  10. Countermeasures continued… Enhanced Version of Shamir’s Countermeasure: • Verify S = Sp’ (mod p) and S = Sq’ (mod q) • Formed from S= Sp (mod p) and Sp’ = Sp (mod p) • Also, verify Sp’ = Sq’ (mod r)

  11. Feasibility of fault Attack – Spike • Voltage fluctuations. • A typical smartcard has a tolerance level of few voltages until which no error happens. • Eg: A 5 V Card could have a range of 4.5 V to 5.5 V. • More than 10% tolerance could cause faulty results on the smartcard IC. Spike generator

  12. Fault based attack of RSA authentication • Andrea Pellegrini, Valeria Bertacco and Todd Austin, University of Michigan "Fault Based Attack of RSA Authentication“, 2010

  13. Public key authentication and fault based attack • A client sends a unique message m to a server • Server signs it with its private key d • Client receives the digital signature s • the client can authenticate the identity of the server • Verify using the public key (n, e) that s will produce the original message m. • Fault based attack • produce intermittent computational errors during the authentication of a message.

  14. Public key authentication and fault based attack

  15. Hardware fault model • Vulnerability in the hardware • Most of the computation goes through multiplier circuit • Often critical path of microprocessor system goes through multiplier circuit • Multiplier circuit is one of the first unit to fail in changing conditions • Possibility that signal through critical path not reaching corresponding register • Assumptions • Attacker can inject faults that affecting the result of multiplication • The system is subjected to a battery of infrequent short duration transient faults • Hardware faults producing multiplication result differ only in one bit position

  16. Fixed window modular exponentiation (FWM) • Modular exponentiation - md mod n • Similar to square and multiply if window size is 1 • Defines a window of w bits (fixed length) • Accumulates partial results FWE(m, d, n, win size) num win = #bits(d) / win size acc = 1 for(win idx in [num win-1..0] ) for(sqr iter in [0..win size-1] ) acc = (acc * acc) mod n d[win idx] = bits(d, win idx*win size,win size) acc = (acc * mˆd[win idx]) mod n return acc

  17. Theorem • < n, d, e > where n and e are known and d is not known, • the signature with the private key d of length N is computed using the fixed-window exponentiation (FWE) algorithm with a window size w, • k = N/w. • ˆs - a corrupted signature of the message m computed with the private key d. • Assume that a single-bit binary value change has occurred at the output of any of the squaring operations in FWE during the computation of ˆs. • An attacker that can collect at least S = k ·ln(2k) different pairs <m,ˆs> has a probability pr = 1/2 to recover the private key d of N bits in polynomial time - O(2wN3S).

  18. Fault model • FWE in presence of transient faults • fth bit is flipped – can be found out by modifying the signature +- 2f • Error amount is added or subtracted: 0 to 1 – error subtracted, 1 to 0 – error added • S: number of pairs <m, ˆs> (corrupted message signature pair) • Pair for which fault has been injected in a bit position revealing key bits • Ignore if error bits = 0 or more than 1 • <di, f, p> • di -window of the decryption key • f - position of bit flipped in the partial result • p – pth squaring operation in computation for the ith window of d • Soon the signature is found that provides a unique solution to <di, f, p> di can be determined

  19. Key recovery • d is the key to be recovered • Key size 16 bits - window size 4 bits • Recovery from msb – window d3 to d0 • Determine d3 • Search for appropriate d2, f, p that satisfies the equation by varying the values of d, f and p within the range • d:[0,15], p[0,3] and f[0,15]

  20. Algorithms • Private Key window search window search (m, s, e, win size, win idx) found = 0; for(d[win idx] in [0..2ˆwin size-1]; sqr iter in [0..win_size-1]; fault in [0..#bits(d)-1] ) found += test_equation 10( m, s, e, win idx, d[win idx], sqr iter, fault loc) if (found == 1) return d[win idx] else return -1 • Private key recovery algorithm private key recovery ( array<m,s>, e, win size) num win = #bits(d) / win size for(win idx in [num win-1..0] ) for (<m,s> in array<m,s>) d[win idx] = window_search(m,s,e, win size, win idx) if (d[win idx] >= 0) break if (d[win idx] < 0) double win size

  21. Experimental results and conclusion • FPGA (field programmable gate array) device • 1024 bit FWE multiplications • voltage 1.25V • 8800 of 10000 incorrect signatures recovered and analyzed • Key recovered in 104 hours • Potential danger of fault based attack on OpenSSL libraries

  22. rEferenceS • Andrea Pellegrini, Valeria Bertacco and Todd Austin, University of Michigan "Fault Based Attack of RSA Authentication“, 2010 • Sung-Ming Yen, Sangjae Moon, and Jae-Cheol Ha, "Hardware Fault Attack on RSA with CRT Revisited" Springer-Verlag Berlin Heidelberg 2003 • C. Aumuller, P. Bier, W. Fischer, P. Hofreiter, and J.-P. SeifertFault, "Attacks on RSA with CRT: Concrete Results and Practical Countermeasures“ 2002

More Related