Journal ArticleDOI

Analysis on the parameter selection method for FLUSH+RELOAD based cache timing attack on RSA

Ping Zhou, Tao Wang, Guang Li, Fan Zhang1, Xinjie Zhao 
15 Jun 2015-China Communications (IEEE)-Vol. 12, Iss: 6, pp 33-45
TL;DR: The complete rules for choosing the monitored instructions based on a necessary and sufficient condition are proposed, and how to select the optimal threshold based on the Bayesian binary signal detection principle is also proposed.
Abstract: FLUSH+RELOAD attack is recently proposed as a new type of Cache timing attacks. There are three essential factors in this attack, which are monitored instructions, threshold and waiting interval. However, existing literature seldom exploit how and why they could affect the system. This paper aims to study the impacts of these three parameters, and the method of how to choose optimal values. The complete rules for choosing the monitored instructions based on necessary and sufficient condition are proposed. How to select the optimal threshold based on Bayesian binary signal detection principle is also proposed. Meanwhile, the time sequence model of monitoring is constructed and the calculation of the optimal waiting interval is specified. Extensive experiments are conducted on RSA implemented with binary square-and-multiply algorithm. The results show that the average success rate of full RSA key recovery is 89.67%.
Citations
Proceedings ArticleDOI
11 Jul 2016
TL;DR: This work presents for the first time the execution of a DTA and a secure enhanced NoC architecture able to avoid the timing attacks and results show that the NoC proposal can avoid the DTA with an increase in area and power.
Abstract: The wide use of Multi-processing systems-on-chip (MPSoCs) in embedded systems and the trend to increase the integration between devices have turned these systems vulnerable to attacks. Malicious software executed on compromised IP may become a serious security problem. By snooping the traffic exchanged through the Network-on-chip (NoC), it is possible to infer sensitive information such as secrets keys. NoCs are vulnerable to side channel attacks that exploit traffic interference as timing channels. When multiple IP cores are infected, they can work coordinately to implement a distributed timing attack (DTA). In this work we present for the first time the execution of a DTA and a secure enhanced NoC architecture able to avoid the timing attacks. Results show that our NoC proposal can avoid the DTA with an increase of only 1% in area and 0.8% in power regarding the whole chip design.

47 citations

Journal ArticleDOI
TL;DR: Based on the quantum inverse Fourier transform and phase estimation, this paper presents a new polynomial-time quantum algorithm for breaking RSA, without explicitly factoring the modulus n, and a ciphertext-only attack attacking RSA is proposed.
Abstract: Security analysis of public-key cryptosystems is of fundamental significance for both theoretical research and applications in cryptography. In particular, the security of widely used public-key cryptosystems merits deep research to protect against new types of attacks. It is therefore highly meaningful to research cryptanalysis in the quantum computing environment. Shor proposed a well-known factoring algorithm by finding the prime factors of a number n = pq, which is exponentially faster than the best known classical algorithm. The idea behind Shor's quantum factoring algorithm is a straightforward programming consequence of the following proposition: to factor n, it suffices to find the order r; once such an r is found, one can compute gcd(a^(r/2) ± 1, n) = p or q. For odd values of r it is assumed that the factors of n cannot be found (since a^(r/2) is not generally an integer). That is, the order r must be even. This restriction can be removed, however, by working from another angle. Based on the quantum inverse Fourier transform and phase estimation, this paper presents a new polynomial-time quantum algorithm for breaking RSA, without explicitly factoring the modulus n. The probability of success of the new algorithm is greater than 4φ(r)/(π²r), exceeding that of the existing quantum algorithm for attacking RSA based on factorization. In contrast to the existing quantum algorithm for attacking RSA, the order r of the fixed point C for RSA does not need to be even. It changes the usual practice in which cryptanalysts try to recover the private key: starting directly from recovering the plaintext M, a ciphertext-only attack on RSA is proposed.

17 citations


Cites methods from "Analysis on the parameter selection..."

  • "There are many methods for attacking RSA, such as the integer factorization attacks, the discrete logarithm attacks, the public exponent attacks, the private exponent attacks and side channel attacks [4][5]."

Proceedings ArticleDOI
22 Mar 2016
TL;DR: A Strong, efficient and reliable personal messaging peer to peer architecture based on Hybrid RSA for an active networked environment is proposed.
Abstract: Rivest-Shamir-Adleman (RSA) algorithm is the widespread encryption scheme that promises confidentiality and authenticity over an insecure communication channel. The RSA has drawbacks of various attacks like Brute force key search, Mathematical attacks, Timing attacks and Chosen Ciphertext attacks etc. So here a Strong, efficient and reliable personal messaging peer to peer architecture based on Hybrid RSA for an active networked environment is proposed. The main peer to peer personal messaging architecture will be strong, efficient and reliable, and the communication protocol will allow only one authenticated person to converse with the person who is at the server end; multiple chat clients can be connected to the server but have to wait for an authenticated connection with the secure server one by one. Also multiple servers with multiple clients can run for distributed strong, efficient and reliable messaging. As at the key exchange level the Miller-Rabin test is done with pseudo random numbers generated and the keys are changed synchronously with predefined time frames, these mechanisms make the keys absolutely strong, and main RSA integration with shared RSA gives more statistical complexity here. In the decryption process, the Chinese Remainder Theorem (CRT) is used with shadows along with the strong prime of RSA criterion extended into the domain of Gaussian Integers for very high efficiency. The Shared RSA adds more complexity in decryption. Public Key Cryptography Standards (PKCS) version 5 is used to tackle the Chosen cipher text attack when messaging is going on. The Efficient RSA with Rabin-Miller strong Primality test integration and pohligHellmanEncipher with salt and padding integration makes it strong and reliable.

10 citations

Journal ArticleDOI
01 Aug 2021
TL;DR: A comprehensive survey on cryptanalysis-based strategies, employed by SCA and HT techniques, to successfully attack VLSI crypto-devices is presented in this article, where the employed attack-specific countermeasure techniques are also examined.
Abstract: Serious threats to the VLSI crypto devices are posed by the Side Channel Attack (SCA) that utilizes the devices' SCI (Side Channel Information) to break the entire cryptographic algorithm. The motive in this severe breach of the security fence is to decipher the secret key for retrieval of confidential data. Recently, Hardware Trojan (HT) insertions that maliciously modify the circuitry of the crypto integrated chips have been reported. Circuit behavioral alterations caused by the inserted Trojan result in dysfunction/SCI leak of the device. The major focus of this paper is to report a comprehensive survey on cryptanalysis-based strategies, employed by SCA and HT techniques, to successfully attack the VLSI crypto-devices. Cryptanalyst security breach schemes on specific VLSI devices are also reviewed. The employed attack-specific countermeasure techniques are also examined. Further, the limitations in implementation of these countermeasures in the system level design for ASIC, FPGA and SoC VLSI devices are provided. The weakness of each countermeasure for a specific application has also been analyzed.

5 citations

Proceedings ArticleDOI
01 Oct 2018
TL;DR: This paper proposes a test framework to verify and assess whether and how much SGX is influenced by timing side channel attacks, validating OpenSSL timing channel security and assessing secure cryptography implementation with timing channel mitigation measures in SGX.
Abstract: With the advent of the Intel SGX processor, Intel is trying to prove that SGX can completely eliminate the security problems in the cloud environment with assisted hardware. However, many studies have demonstrated that SGX cannot prevent some side channel attacks such as the Spectre and Meltdown attacks. Intel has focused on this issue and tried to solve it, but so far it has not yet released a powerful version. In this paper, we investigate in depth related security works with SGX involving cache timing channels and speculative execution. Based on the SGX platform, we take OpenSSL as a case study to validate SGX timing channel security. Besides, we propose a test framework to verify and assess whether and how much SGX is influenced by timing side channels. Consisting of validating OpenSSL timing channel security and assessing secure cryptography implementation with timing channel mitigation measures in SGX, the framework will also motivate us to evaluate cache protection measures and perform a trade-off between timing channel security and performance when using SGX.

4 citations


Additional excerpts

  • "Typically, the spy process can be used to set the cache to a known state and monitor state changes to collect information about the cache access of the victim process [11]."

References
Journal ArticleDOI
TL;DR: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key.
Abstract: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: (1) Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intended recipient. Only he can decipher the message, since only he knows the corresponding decryption key. (2) A message can be "signed" using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in "electronic mail" and "electronic funds transfer" systems. A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n, of two large secret prime numbers p and q. Decryption is similar; only a different, secret, power d is used, where e * d ≡ 1 (mod (p - 1) * (q - 1)). The security of the system rests in part on the difficulty of factoring the published divisor, n.

14,659 citations

Book ChapterDOI
15 Aug 1999
TL;DR: In this paper, the authors examine specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. And they also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information.
Abstract: Cryptosystem designers frequently assume that secrets will be manipulated in closed, reliable computing environments. Unfortunately, actual computers and microchips leak information about the operations they process. This paper examines specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. We also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information.

6,757 citations

Book ChapterDOI
18 Aug 1996
TL;DR: By carefully measuring the amount of time required to perform private key operations, attackers may be able to find fixed Diffie-Hellman exponents, factor RSA keys, and break other cryptosystems.
Abstract: By carefully measuring the amount of time required to perform private key operations, attackers may be able to find fixed Diffie-Hellman exponents, factor RSA keys, and break other cryptosystems. Against a vulnerable system, the attack is computationally inexpensive and often requires only known ciphertext. Actual systems are potentially at risk, including cryptographic tokens, network-based cryptosystems, and other applications where attackers can make reasonably accurate timing measurements. Techniques for preventing the attack for RSA and Diffie-Hellman are presented. Some cryptosystems will need to be revised to protect against the attack, and new protocols and algorithms may need to incorporate measures to prevent timing attacks.

3,989 citations

Proceedings Article
01 Jan 1996

3,526 citations

Proceedings Article
20 Aug 2014
TL;DR: This paper presents FLUSH+RELOAD, a cache side-channel attack technique that exploits a weakness in the Intel X86 processors to monitor access to memory lines in shared pages and recovers 96.7% of the bits of the secret key by observing a single signature or decryption round.
Abstract: Sharing memory pages between non-trusting processes is a common method of reducing the memory footprint of multi-tenanted systems. In this paper we demonstrate that, due to a weakness in the Intel X86 processors, page sharing exposes processes to information leaks. We present FLUSH+RELOAD, a cache side-channel attack technique that exploits this weakness to monitor access to memory lines in shared pages. Unlike previous cache side-channel attacks, FLUSH+RELOAD targets the Last-Level Cache (i.e., L3 on processors with three cache levels). Consequently, the attack program and the victim do not need to share the execution core. We demonstrate the efficacy of the FLUSH+RELOAD attack by using it to extract the private encryption keys from a victim program running GnuPG 1.4.13. We tested the attack both between two unrelated processes in a single operating system and between processes running in separate virtual machines. On average, the attack is able to recover 96.7% of the bits of the secret key by observing a single signature or decryption round.

1,001 citations