Showing papers on "Timing attack" published in 2005


Journal ArticleDOI
TL;DR: In this paper, the authors present a timing attack against OpenSSL and demonstrate that timing attacks against network servers are practical and therefore security systems should defend against them, and they show that timing attack applies to general software systems.

850 citations


Book ChapterDOI
01 Dec 2005
TL;DR: A generic source-to-source transformation that produces programs provably secure against control-flow side channel attacks and a static checker that conservatively checks x86 assembly for violations of program counter security is proposed.
Abstract: We introduce new methods for detecting control-flow side channel attacks, transforming C source code to eliminate such attacks, and checking that the transformed code is free of control-flow side channels. We model control-flow side channels with a program counter transcript, in which the value of the program counter at each step is leaked to an adversary. The program counter transcript model captures a class of side channel attacks that includes timing attacks and error disclosure attacks. Further, we propose a generic source-to-source transformation that produces programs provably secure against control-flow side channel attacks. We implemented this transform for C together with a static checker that conservatively checks x86 assembly for violations of program counter security; our checker allows us to compile with optimizations while retaining assurance the resulting code is secure. We then measured our technique's effect on the performance of binary modular exponentiation and real-world implementations in C of RC5 and IDEA: we found it has a performance overhead of at most 5× and a stack space overhead of at most 2×. Our approach to side channel security is practical, generally applicable, and provably secure against an interesting class of side channel attacks.

188 citations


Proceedings ArticleDOI
05 Dec 2005
TL;DR: This paper provides a novel alternative approach to network vulnerability analysis by utilizing a penetration tester's perspective of maximal level of penetration possible on a host, and argues that suboptimal solutions are an unavoidable cost of scalability, and hence practical utility.
Abstract: The typical means by which an attacker breaks into a network is through a chain of exploits, where each exploit in the chain lays the groundwork for subsequent exploits. Such a chain is called an attack path, and the set of all possible attack paths form an attack graph. Researchers have proposed a variety of methods to generate attack graphs. In this paper, we provide a novel alternative approach to network vulnerability analysis by utilizing a penetration tester's perspective of maximal level of penetration possible on a host. Our approach has the following benefits: it provides a more intuitive model in which an analyst can work, and its algorithmic complexity is polynomial in the size of the network, and so has the potential of scaling well to practical networks. The drawback is that we track only "good" attack paths, as opposed to all possible attack paths. Hence, an analyst may make suboptimal choices when repairing the network. Since attack graphs grow exponentially with the size of the network, we argue that suboptimal solutions are an unavoidable cost of scalability, and hence practical utility. A working prototype tool has been implemented to demonstrate the practicality of our approach.

102 citations


Proceedings ArticleDOI
07 Nov 2005
TL;DR: This paper exploits the timing behavior of Montgomery multiplications in the table initialization phase, which allows them to increase the number of multiplications that provide useful information to reveal one of the prime factors of RSA moduli.
Abstract: Since the remarkable work of Kocher [7], several papers considering different types of timing attacks have been published. In 2003, Brumley and Boneh presented a timing attack on unprotected OpenSSL implementations [2]. In this paper, we improve the efficiency of their attack by a factor of more than 10. We exploit the timing behavior of Montgomery multiplications in the table initialization phase, which allows us to increase the number of multiplications that provide useful information to reveal one of the prime factors of RSA moduli. We also present other improvements, which can be applied to the attack in [2].

87 citations


Journal Article
TL;DR: In this article, the authors propose a method for engineering security protocols that are aware of timing aspects and present some new challenges and threats that arise when considering time in the analysis, by providing a novel protocol that uses time challenges and exposing a timing attack over an implementation of an existing security protocol.
Abstract: We propose a method for engineering security protocols that are aware of timing aspects. We study a simplified version of the well-known Needham Schroeder protocol and the complete Yahalom protocol, where timing information allows the study of different attack scenarios. We model check the protocols using UPPAAL. Further, a taxonomy is obtained by studying and categorising protocols from the well known Clark Jacob library and the Security Protocol Open Repository (SPORE) library. Finally, we present some new challenges and threats that arise when considering time in the analysis, by providing a novel protocol that uses time challenges and exposing a timing attack over an implementation of an existing security protocol.

32 citations


Proceedings ArticleDOI
31 Oct 2005
TL;DR: An extension to AD is proposed called parallel attack diagnosis (PAD), a novel attack mitigation scheme that combines the concepts of Pushback and packet marking that is capable of throttling traffic coming from a large number of attack sources simultaneously.
Abstract: Attack mitigation schemes actively throttle attack traffic generated in distributed denial-of-service (DDoS) attacks. This paper presents attack diagnosis (AD), a novel attack mitigation scheme that combines the concepts of Pushback and packet marking. AD's architecture is in line with the ideal DDoS attack countermeasure paradigm, in which attack detection is performed near the victim host and attack mitigation is executed close to the attack sources. AD is a reactive defense that is activated by a victim host after an attack has been detected. A victim activates AD by sending AD-related commands to its upstream routers. On receipt of such commands, the AD-enabled upstream routers deterministically mark each packet destined for the victim with the information of the input interface that processed that packet. By collecting the router interface information recorded in the packet markings, the victim can trace back the attack traffic to the attack sources. Once the traceback is complete, the victim issues messages that command AD-enabled routers to filter attack packets close to the source. The AD commands can be authenticated by the TTL field of the IP header without relying on any global key distribution infrastructure in the Internet. Although AD can effectively filter traffic generated by a moderate number of attack sources, it is not effective against large-scale attacks. To address this problem, we propose an extension to AD called parallel attack diagnosis (PAD) that is capable of throttling traffic coming from a large number of attack sources simultaneously. AD and PAD are analyzed and evaluated using a realistic network topology based on the Skitter Internet map. Both schemes are shown to be robust against IP spoofing and incur low false positive ratios.

29 citations


Journal ArticleDOI
TL;DR: A federated analysis of communication protocols which considers both security properties and timing, based on expressing the protocol as a high-level model and deriving from this process calculus models analysable by the Imperial PEPA Compiler and the LySatool.

28 citations


Proceedings ArticleDOI
07 Nov 2005
TL;DR: The experiment validates the prototype of the network attack graph generating tools, and contrasts the method with the others used.
Abstract: With the traditional method, the result of vulnerability scanning can't directly reflect the complex attack routes existing in a network, so the attack graph is presented. After analyzing host computers, device link relations and the characteristics of attacks, the model of network security status was built. A forward-search, breadth-first and depth-limited (attack steps limited) algorithm is used to produce attack routes, and the tools to generate the attack graph are implemented. The experiment validates the prototype of the network attack graph generating tools, and contrasts our method with the others used.

20 citations


Journal ArticleDOI
TL;DR: This presentation explains how attackers may be able to exploit the system in an unexpected manner by surreptitiously invading it rather than by directly attempting to break the cryptography.
Abstract: Do you think your computer system is secure because you use strong cryptography? Do you think your system is impenetrable because you use a long secret value in the cryptographic computation that attackers cannot guess by brute force? If so, you should know that attackers may be able to exploit your system in an unexpected manner by surreptitiously invading it rather than by directly attempting to break the cryptography.

14 citations


Book ChapterDOI
21 Sep 2005
TL;DR: A countermeasure based on the idea of fault diffusion is developed to protect the implementation against the powerful CRT-based fault attacks.
Abstract: This paper considers a secure and practical CRT-based RSA signature implementation against both side channel attacks (including power analysis attack, timing attack, and most specially the recent MRED attack) as well as the various CRT-based fault attacks. Moreover, the proposed countermeasure can resist C safe-error attack which can be mounted in many existing good countermeasures. To resist side-channel attack, a special design of random message blinding is employed. On the other hand, a countermeasure based on the idea of fault diffusion is developed to protect the implementation against the powerful CRT-based fault attacks.

9 citations


Journal ArticleDOI
TL;DR: This work shows that timing attacks apply to general software systems and devise a timing attack against O, which is used to attack weak computing devices such as smartcards.

Journal Article
TL;DR: It is proved that the encryption algorithm proposed in "An image cryptosystem based on general cat map" is insecure in the image-known attack.
Abstract: We proved that the encryption algorithm proposed in "An image cryptosystem based on general cat map" is insecure in the image-known attack. The equivalent key of this encryption algorithm can be found by an attack algorithm based on the affine property of the functions used by the algorithm. The complexity of the attack is O(N^2).

Journal ArticleDOI
TL;DR: This paper shows the immunity of XTR-SE against the simple power analysis if the order of the computation of XTR-SE is carefully considered, and thinks XTR is as suitable to smart cards as ECC.
Abstract: The XTR public key cryptosystem was introduced in 2000. XTR is suitable for a variety of environments including low-end smart cards, and is regarded as an excellent alternative to RSA and ECC. Moreover, it is remarked that XTR single exponentiation (XTR-SE) is less susceptible than usual exponentiation routines to environmental attacks such as the timing attack and the differential power analysis (DPA). This paper investigates the security of side channel attack (SCA) on XTR. In this paper, we show the immunity of XTR-SE against the simple power analysis if the order of the computation of XTR-SE is carefully considered. In addition, we show that XTR-SE is vulnerable to the data-bit DPA, the address-bit DPA, the doubling attack, the modified refined power analysis, and the modified zero-value attack. Moreover, we propose some countermeasures against these attacks. We also show experimental results of the efficiency of the countermeasures. From our implementation results, if we compare XTR with ECC with countermeasures against "SCAs," we think XTR is as suitable to smart cards as ECC.

Book
01 Jan 2005
TL;DR: Compact and Efficient Encryption/Decryption Module for FPGA Implementation of AES; PAX: A Datapath-Scalable Minimalist Cryptographic Processor For Mobile Devices.
Abstract (table of contents): Compact and Efficient Encryption/Decryption Module for FPGA Implementation of AES; PAX: A Datapath-Scalable Minimalist Cryptographic Processor For Mobile Devices; Architectural Design Features of a Programmable High Throughput AES Coprocessor; Power-Analysis Attack on an ASIC AES Implementation; On the Importance of Protecting c in SFLASH against Side Channel Attacks; Resistance Against Power and Timing Attacks: An Evaluation of Two Clock-less Implementations of the AES; Modular Multiplication: Methods and Hardware; A Design of Basis-Independent Bit-Parallel Multipliers; Reducing the Complexity of Modular Multiplication by Modification of One Operand; Special Hyperelliptic Curve Cryptosystems of Genus Two: Efficient Arithmetic and Fast Implementation; A Generic Coprocessor For Elliptic Curve Scalar Multiplication on Hardware; Hyperelliptic Curve Cryptosystem: What is the Best Parallel Hardware Architecture?; Permutation Operations in Block Ciphers; Streaming Encryption for a Secure Wavelength and Time Domain Hopped Optical Network; Bibliography; Index.

ReportDOI
01 Dec 2005
TL;DR: Using this attack, the cyber assessment team has been able to demonstrate complete manipulation of devices in control systems while simultaneously modifying the data flowing back to the operator's console to give false information of the state of the system (known as ''spoofing'').
Abstract: The Control Systems Security Program and other programs within the Idaho National Laboratory have discovered a vulnerability common to control systems in all sectors that allows an attacker to penetrate most control systems, spoof the operator, and gain full control of targeted system elements. This vulnerability has been identified on several systems that have been evaluated at INL, and in each case a 100% success rate of completing the attack paths that lead to full system compromise was observed. Since these systems are employed in multiple critical infrastructure sectors, this vulnerability is deemed common to control systems in all sectors. Modern control systems architectures can be considered analogous to today's information networks, and as such are usually approached by attackers using a common attack methodology to penetrate deeper and deeper into the network. This approach often is composed of several phases, including gaining access to the control network, reconnaissance, profiling of vulnerabilities, launching attacks, escalating privilege, maintaining access, and obscuring or removing information that indicates that an intruder was on the system. With irrefutable proof that an external attack can lead to a compromise of a computing resource on the organization's business local area network (LAN), access to the control network is usually considered the first phase in the attack plan. Once the attacker gains access to the control network through direct connections and/or the business LAN, the second phase of reconnaissance begins with traffic analysis within the control domain. Thus, the communications between the workstations and the field device controllers can be monitored and evaluated, allowing an attacker to capture, analyze, and evaluate the commands sent among the control equipment. Through manipulation of the communication protocols of control systems (a process generally referred to as ''reverse engineering''), an attacker can then map out the control system processes and functions. With the detailed knowledge of how the control data functions, as well as what computers and devices communicate using this data, the attacker can use a well known Man-in-the-Middle attack to perform malicious operations virtually undetected. The control systems assessment teams have used this method to gather enough information about the system to craft an attack that intercepts and changes the information flow between the end devices (controllers) and the human machine interface (HMI and/or workstation). Using this attack, the cyber assessment team has been able to demonstrate complete manipulation of devices in control systems while simultaneously modifying the data flowing back to the operator's console to give false information of the state of the system (known as ''spoofing''). This is a very effective technique for a control system attack because it allows the attacker to manipulate the system and the operator's situational awareness of the perceived system status. The three main elements of this attack technique are: (1) network reconnaissance and data gathering, (2) reverse engineering, and (3) the Man-in-the-Middle attack. The details of this attack technique and the mitigation techniques are discussed.

Proceedings ArticleDOI
25 Mar 2005
TL;DR: The proposed method provides a modular exponentiation algorithm without any redundant computation that does not have a store operation with non-certain destination so that it can protect the secret key from many known attacks.
Abstract: This paper proposes a method for protecting public key schemes from timing and fault attacks. In general, this is accomplished by implementing critical operations using "branch-less" path routines. More particularly, the proposed method provides a modular exponentiation algorithm without any redundant computation that does not have a store operation with a non-certain destination, so that it can protect the secret key from many known attacks.

Journal ArticleDOI
TL;DR: Another approach for deriving the secret prime factor by focusing on the conditional branch Schindler used in his attack is introduced, which can still factorize the RSA-modulus if input data are blinded with a fixed value or short-period random numbers.
Abstract: At CHES 2000, Schindler introduced a timing attack that enables the factorization of an RSA-modulus if RSA implementations use the Chinese Remainder Theorem and Montgomery multiplication. In this paper we introduce another approach for deriving the secret prime factor by focusing on the conditional branch Schindler used in his attack. One of the countermeasures against Schindler's attack is the blinding method. If input data are blinded with a fixed value or short-period random numbers, Schindler's attack does not work but our method can still factorize the RSA-modulus.

Posted Content
TL;DR: A method for engineering security protocols that are aware of timing aspects is proposed, and a taxonomy is obtained by studying and categorising protocols from the well known Clark Jacob library and the Security Protocol Open Repository (SPORE) library.
Abstract: We propose a method for engineering security protocols that are aware of timing aspects. We study a simplified version of the well-known Needham Schroeder protocol and the complete Yahalom protocol, where timing information allows the study of different attack scenarios. We model check the protocols using UPPAAL. Further, a taxonomy is obtained by studying and categorising protocols from the well known Clark Jacob library and the Security Protocol Open Repository (SPORE) library. Finally, we present some new challenges and threats that arise when considering time in the analysis, by providing a novel protocol that uses time challenges and exposing a timing attack over an implementation of an existing security protocol.

Proceedings ArticleDOI
01 May 2005
TL;DR: This paper examines the application of a timing attack to the CIKS-1 symmetric block cipher and the derivation of the Hamming weight of the key using a known plaintext attack based on timing information.
Abstract: The use of data-dependent transformations has been an area of increasing interest for the designers of ciphers. In particular, data-dependent permutations (DDPs) provide a fast and simple cryptologic primitive when implemented in hardware. However, when a DDP block is naively implemented in software, it can reveal information about the Hamming weight of the control vector applied to it. Specifically, when a subkey is used as a control vector then information about the Hamming weight of the subkey can be directly obtained from timing information. This potentially leaves ciphers heavily dependent on DDPs vulnerable to timing attacks. In this paper, we examine the application of a timing attack to the CIKS-1 symmetric block cipher. The analysis is motivated by the possibility that a naive implementation of the DDPs used in CIKS-1 would result in encryption taking a time that is a function of data. Such implementations are possible in software environments, typically in embedded systems such as smart cards. The methodology of deriving the Hamming weight of the key using a known plaintext attack based on timing information is outlined and is followed by a discussion of the results. Further, a simple means of thwarting the timing attack in a software implementation is presented.

Proceedings ArticleDOI
17 Apr 2005
TL;DR: An efficient immunity method is proposed for two-prime RSA cryptosystem against hardware fault attack that is 15% faster than the previous design while requiring only 70% of the hardware resource.
Abstract: In this paper, an efficient immunity method is proposed for two-prime RSA cryptosystem against hardware fault attack. The proposed system has more immunity than the previous system and is targeted for FPGA implementation. For the 32-bit signing case, the proposed method is 15% faster than the previous design while requiring only 70% of the hardware resource.

Book ChapterDOI
01 Jan 2005
TL;DR: This chapter describes an overview of efficient algorithms applied to RSA cryptosystem and EC cryptosystem, and explains several attacks related to efficient implementation, and presents countermeasures against them.
Abstract: Nowadays, RSA cryptosystem is used for practical security applications, e.g., SSL, IPSEC, PKI, etc. Elliptic curve cryptosystem has focused on the implementation on memory constraint environments due to its small key size. In this chapter we describe an overview of efficient algorithms applied to RSA cryptosystem and EC cryptosystem. On the other hand, novel attacks on the efficient implementation have been proposed, namely timing attack, side channel attacks, fault attack, etc. These attacks can break the secret key of the underlying cryptosystem, if the implementation method is not carefully considered. We also explain several attacks related to efficient implementation, and present countermeasures against them.

Posted Content
TL;DR: In this paper, the authors introduce new methods for detecting control-flow side channel attacks, transforming C source code to eliminate such attacks, and checking that the transformed code is free of control-flow side channels.
Abstract: We introduce new methods for detecting control-flow side channel attacks, transforming C source code to eliminate such attacks, and checking that the transformed code is free of control-flow side channels. We model control-flow side channels with a program counter transcript, in which the value of the program counter at each step is leaked to an adversary. The program counter transcript model captures a class of side channel attacks that includes timing attacks and error disclosure attacks. We further show that the model formalizes previous ad hoc approaches to preventing side channel attacks. We then give a dynamic testing procedure for finding code fragments that may reveal sensitive information by key-dependent behavior, and we show our method finds side channel vulnerabilities in real implementations of IDEA and RC5, in binary modular exponentiation, and in the lsh implementation of the ssh protocol. Further, we propose a generic source-to-source transformation that produces programs provably secure against control-flow side channel attacks. We implemented this transform for C together with a static checker that conservatively checks x86 assembly for violations of program counter security; our checker allows us to compile with optimizations while retaining assurance the resulting code is secure. We then measured our technique’s effect on the performance of binary modular exponentiation and real-world implementations in C of RC5 and IDEA: we found it has a performance overhead of at most 5× and a stack space overhead of at most 2×. Our approach to side channel security is practical, generally applicable, and provably secure against an interesting class of side channel attacks.