
Showing papers on "Timing attack" published in 2012


Proceedings ArticleDOI
16 Oct 2012
TL;DR: This paper details the construction of an access-driven side-channel attack by which a malicious virtual machine (VM) extracts fine-grained information from a victim VM running on the same physical computer, and demonstrates the attack in a lab setting by extracting an ElGamal decryption key from a victim using the most recent version of the libgcrypt cryptographic library.
Abstract: This paper details the construction of an access-driven side-channel attack by which a malicious virtual machine (VM) extracts fine-grained information from a victim VM running on the same physical computer. This attack is the first such attack demonstrated on a symmetric multiprocessing system virtualized using a modern VMM (Xen). Such systems are very common today, ranging from desktops that use virtualization to sandbox application or OS compromises, to clouds that co-locate the workloads of mutually distrustful customers. Constructing such a side-channel requires overcoming challenges including core migration, numerous sources of channel noise, and the difficulty of preempting the victim with sufficient frequency to extract fine-grained information from it. This paper addresses these challenges and demonstrates the attack in a lab setting by extracting an ElGamal decryption key from a victim using the most recent version of the libgcrypt cryptographic library.

839 citations


Journal ArticleDOI
TL;DR: Analyzing the security of a recently proposed asymmetric cryptosystem that is based on phase-truncated Fourier transforms (PTFTs) implies that appropriate measures should be taken to enhance the resistance of the PTFT-based cryptosystem against the specific attack when it is used as a public-key cryptosystem.

217 citations


Book ChapterDOI
27 Feb 2012
TL;DR: It is shown in this paper that the isolation characteristic of system virtualization can be bypassed by the use of a cache timing attack, and that cache timing attacks are highly relevant in virtualization-based security architectures, such as trusted execution environments.
Abstract: We show in this paper that the isolation characteristic of system virtualization can be bypassed by the use of a cache timing attack. Using Bernstein’s correlation in this attack, an adversary is able to extract sensitive keying material from an isolated trusted execution domain. We demonstrate this cache timing attack on an embedded ARM-based platform running an L4 microkernel as virtualization layer. An attacker who gained access to the untrusted domain can extract the key of an AES-based authentication protocol used for a financial transaction. We provide measurements for different public domain AES implementations. Our results indicate that cache timing attacks are highly relevant in virtualization-based security architectures, such as trusted execution environments.

124 citations


Book ChapterDOI
03 May 2012
TL;DR: The experiments indicate that, due to the generalization of SVM, the SVM attack is able to recover the key using a smaller profiling base than the template attack, which counters the main drawback of the template attack, i.e. a huge profiling base.
Abstract: In this contribution we propose the so-called SVM attack, a profiling based side channel attack, which uses the machine learning algorithm support vector machines (SVM) in order to recover a cryptographic secret. We compare the SVM attack to the template attack by evaluating the number of required traces in the attack phase to achieve a fixed guessing entropy. In order to highlight the benefits of the SVM attack, we perform the comparison for power traces with a varying noise level and vary the size of the profiling base. Our experiments indicate that due to the generalization of SVM the SVM attack is able to recover the key using a smaller profiling base than the template attack. Thus, the SVM attack counters the main drawback of the template attack, i.e. a huge profiling base.

121 citations


Book ChapterDOI
27 Feb 2012
TL;DR: In this paper, the authors present a bug attack against OpenSSL version 0.9.8g that can recover the entire (static) private key from an associated SSL server via 633 adaptive queries when the NIST curve P-256 is used.
Abstract: We analyse and exploit implementation features in OpenSSL version 0.9.8g which permit an attack against ECDH-based functionality. The attack, although more general, can recover the entire (static) private key from an associated SSL server via 633 adaptive queries when the NIST curve P-256 is used. One can view it as a software-oriented analogue of the bug attack concept due to Biham et al. and, consequently, as the first bug attack to be successfully applied against a real-world system. In addition to the attack and a posteriori countermeasures, we show that formal verification, while rarely used at present, is a viable means of detecting the features which the attack hinges on. Based on the security implications of the attack and the extra justification posed by the possibility of intentionally incorrect implementations in collaborative software development, we conclude that applying and extending the coverage of formal verification to augment existing test strategies for OpenSSL-like software should be deemed a worthwhile, long-term challenge.

99 citations


Journal ArticleDOI
TL;DR: An approach based on Planner, a special-purpose search algorithm from the artificial intelligence domain, is proposed for time-efficient, scalable representation of attack graphs, and the analysis shows that generation of the attack graph using the customized algorithms can be done in polynomial time.
Abstract: In the present scenario, even well-administered networks are susceptible to sophisticated cyber attacks. Such attacks combine vulnerabilities existing on different systems/services and are potentially more harmful than single-point attacks. One of the methods for analyzing such security vulnerabilities in an enterprise network is the use of an attack graph. It is a complete graph which gives a succinct representation of different attack scenarios, depicted by attack paths. An attack path is a logical succession of exploits, where each exploit in the series satisfies the preconditions for subsequent exploits and makes a causal relationship among them. Thus analysis of the attack graph may help in assessing network security from the hacker's perspective. One of the intrinsic problems with the generation and analysis of such a complete attack graph is its scalability. In this work, an approach based on Planner, a special-purpose search algorithm from the artificial intelligence domain, has been proposed for time-efficient, scalable representation of attack graphs. Further, customized algorithms have been developed for automatic generation of attack paths (using Planner as a low-level module). The analysis shows that generation of the attack graph using the customized algorithms can be done in polynomial time. A case study has also been presented to demonstrate the efficacy of the proposed methodology.

47 citations


Proceedings ArticleDOI
14 Dec 2012
TL;DR: The factors that impact the effectiveness of each of these attacks are studied, and the efficiency of the countermeasures is evaluated through extensive experiments on traces produced by GTMobiSim at different scales of geographic maps.
Abstract: Mix-zones are recognized as an alternative and complementary approach to spatial-cloaking-based approaches to location privacy protection. Mix-zones break the continuity of location exposure by ensuring that users' movements cannot be traced while they reside in a mix-zone. In this paper we provide an overview of various known attacks that make mix-zones on road networks vulnerable and illustrate a set of countermeasures to make road network mix-zones attack resilient. Concretely, we categorize the vulnerabilities of road network mix-zones into two classes: one due to the road network characteristics and user mobility, and the other due to the temporal, spatial and semantic correlations of location queries. For instance, the timing information of users' entry into and exit from a mix-zone provides information to launch a timing attack. The non-uniformity in the transitions taken at a road intersection may lead to a transition attack. An example of a query correlation attack is the basic continual query (CQ) attack, which attempts to break the anonymity of road-network-aware mix-zones by performing query-correlation-based inference. The CQ-timing attacks carry out inference attacks based on both query correlation and timing correlation, and the CQ-transition attacks execute inference attacks based on both query correlation and transition correlation. We study the factors that impact the effectiveness of each of these attacks and evaluate the efficiency of the countermeasures, such as non-rectangle mix-zones and delay-tolerant mix-zones, through extensive experiments on traces produced by GTMobiSim at different scales of geographic maps.

23 citations


Journal ArticleDOI
TL;DR: This paper develops a methodology by which an adversary capable of a limited number of side-channel measurements can choose the best strategy prior to the actual attack, and shows that the best attack strategy can be estimated closely without requiring an exhaustive search.
Abstract: The vulnerability of cryptographic devices to side-channel attacks is of interest in the domain of information security. The success of a side-channel attack depends on the crypto-algorithm implementation, the platform being attacked, and the attack strategy. While the former two parameters are generally beyond the adversary's control, the choice of the attack strategy is solely with the adversary. However, there is no unique "best attack strategy." The attack strategy that works best for one platform may not be the best for another. Further, there is no systematic way to choose the best attack strategy from the available pool. In this paper, we analyze a category of side-channel attacks known as profiled cache-timing attacks and develop a methodology by which an adversary capable of a limited number of side-channel measurements can choose the best strategy prior to the actual attack. The methodology is tested on several platforms and cipher implementations and shows that the best attack strategy can be estimated closely, without the requirement of an exhaustive search.

17 citations


Proceedings ArticleDOI
01 Sep 2012
TL;DR: In this paper, the authors propose a software-based countermeasure against cache timing attacks, called constant time encryption, which they believe is secure against statistical analysis, and show experimentally that their countermeasure resists Bernstein's cache timing attack.
Abstract: Rijndael was standardized in 2001 by the National Institute of Standards and Technology as the Advanced Encryption Standard (AES). AES is still being used to encrypt financial, military and even government confidential data. In 2005, Bernstein illustrated a remote cache timing attack on AES using the client-server architecture and therefore proved a side channel in its software implementation. Over the years, a number of countermeasures have been proposed against cache timing attacks, both using hardware and software. Although the software-based countermeasures are flexible and easy to deploy, most of such countermeasures are vulnerable to statistical analysis. In this paper, we propose a novel software-based countermeasure against cache timing attacks, known as constant time encryption, which we believe is secure against statistical analysis. The countermeasure we propose performs rescheduling of instructions such that the encryption rounds will consume constant time independent of the cache hits and misses. Through experiments, we prove that our countermeasure is secure against Bernstein's cache timing attack.

8 citations


Book ChapterDOI
12 Dec 2012
TL;DR: In this paper, the authors analyze five previously published or trivial approaches and two new hybrid variants for finding the roots of the error locator polynomial during the decryption operation of code-based encryption schemes, compare the performance of these algorithms, and show that optimizations concerning finite field element representations play a key role for the speed of software implementations.
Abstract: In this work we analyze five previously published or trivial approaches and two new hybrid variants for the task of finding the roots of the error locator polynomial during the decryption operation of code-based encryption schemes. We compare the performance of these algorithms and show that optimizations concerning finite field element representations play a key role for the speed of software implementations. Furthermore, we point out a number of timing attack vulnerabilities that can arise in root-finding algorithms, some aimed at recovering the message, others at the secret support. We give experimental results of software implementations showing that manifestations of these vulnerabilities are present in straightforward implementations of most of the root-finding variants presented in this work. As a result, we find that one of the variants provides security with respect to all vulnerabilities as well as competitive computation time for code parameters that minimize the public key size.

7 citations


Proceedings ArticleDOI
05 Sep 2012
TL;DR: A hardware architecture is proposed based on a Fault Attack and Simple Power Attack resistant algorithm for Chinese Remainder Theorem (CRT) RSA that, through the principles of parallelism and component reusability, can guarantee hardware efficiency.
Abstract: The RSA cryptographic algorithm has long achieved cryptographic and market maturity. However, RSA implementations, after the discovery of Side Channel Attacks (SCA), are susceptible to a variety of different attacks that target the hardware structure rather than the algorithm itself. There is a wide range of countermeasures that can be applied on the RSA structure in order to protect the algorithm from SCAs; however, few of them are efficient in hardware since they add extensive performance cost to an SCA-resistant RSA implementation. In this paper, a hardware architecture is proposed based on a Fault Attack (FA) and Simple Power Attack (SPA) resistant algorithm for Chinese Remainder Theorem (CRT) RSA that, through the principles of parallelism and component reusability, can guarantee hardware efficiency. We describe an implementation approach based on Montgomery modular multiplication and also propose a testing hardware architecture to simulate the security chip environment into which our FA-SPA resistant CRT RSA can be integrated. The designed architecture is implemented in FPGA technology and results on its time and space complexity are extracted and evaluated.

Book ChapterDOI
01 Jan 2012
TL;DR: This work pairs the Baptista design with a concept taken from Iterated Function Systems (IFS) and discusses the quantitative cryptographic properties of the design, namely the Maximum Deviation Factor (MDF), Correlation Coefficient Factor (CCF) and the Strict Avalanche Criterion (SAC).
Abstract: Ever since Baptista in 1998 introduced his cryptographic scheme utilizing the ergodic property of chaotic maps, which is able to produce different cipher values for the same plaintext within the same message, intense scrutiny has been given to the design. The capability to produce the above-mentioned output is akin to the Vigenere cipher and thus has the capacity to present an attacker with infinitely many choices (theoretically speaking), or in cryptographic terms would leave an attacker with a set of possible ciphertexts that could all be mapped to a unique plaintext. This makes it computationally infeasible for the attacker to reconstruct the correct plaintext. The Baptista design has been attacked and repaired many times. Alvarez noticed the characteristic of the cryptosystem that generates a sequence which can be exploited by an attacker. The attack, which is dubbed the one-time pad attack, is akin to an attack upon a One-Time-Pad (OTP) cryptosystem that reuses its key. Since then, attempts were made to redefine the cryptosystem such that it would be resistant to the attack. Most of the attempts failed because either the repaired cryptosystem still generates an exploitable sequence or it is not invertible. In this work we pair the Baptista design with a concept taken from Iterated Function Systems (IFS). Although we did not encompass the whole concept of iterating the IFS, it could be seen that this could be easily done with the same desirable results. Four main outcomes are discussed. Beginning with the discussion on the infeasibility of Alvarez's one-time pad attack on the design, we then discuss the quantitative properties of the design in terms of its cryptographic properties, namely the Maximum Deviation Factor (MDF), Correlation Coefficient Factor (CCF) and the Strict Avalanche Criterion (SAC). Each experiment shows promising results for this new design.

Proceedings ArticleDOI
20 Jun 2012
TL;DR: A novel scheme is proposed which removes random bytes from a random TCP segment to verify the authenticity of optimistic acknowledgements, in order to mitigate the low-rate TCP-targeted denial of service attack.
Abstract: The low-rate TCP-targeted denial of service attack is a cleverly crafted attack in which an attacker exploits the congestion avoidance algorithm and the uniformity of min RTO in the Transmission Control Protocol (TCP). The attacker congests the network for a brief period of time, then keeps quiet for some time. This phenomenon is repeated after the min RTO time. This attack causes degradation of service and denial of service to those TCP flows which satisfy certain conditions. The attacker launches this attack by exploiting the technique of optimistic acknowledgement, which is used for sending an acknowledgement before data has been received. By this technique the attacker induces the server to perform the attack. Ever since the discovery of this attack, a lot of solutions and detection schemes have been proposed, each having their own merits and demerits. Mostly these schemes are complex and not scalable. In this paper a novel scheme is proposed which removes random bytes from a random TCP segment to verify the authenticity of optimistic acknowledgements. As the attacker does not know the segment size, whenever he sends an optimistic acknowledgement it is dropped. Thus the attack can be mitigated using this technique.

Book ChapterDOI
09 Sep 2012
TL;DR: It is shown how to break RSA, when implemented with the standard version of Reduce-by-Feedback or Montgomery multiplication, by Differential Power Analysis, and that both the original and the modified Reduce-by-Feedback algorithm resist timing attacks.
Abstract: We (re-)introduce the Reduce-by-Feedback scheme given by Vielhaber (1987), Benaloh and Dai (1995), and Jeong and Burleson (1997). We show how to break RSA, when implemented with the standard version of Reduce-by-Feedback or Montgomery multiplication, by Differential Power Analysis. We then modify Reduce-by-Feedback to avoid this attack. The modification is not possible for Montgomery multiplication. We show that both the original and the modified Reduce-by-Feedback algorithm resist timing attacks. Furthermore, some VLSI-specific implementation details (delayed carry adder, re-use of MUX tree and logic) are provided.

Proceedings ArticleDOI
14 Dec 2012
TL;DR: This work proposes a modular testing environment for use in verifying the implementation attack resistance of secure systems and uses the proposed test environment to demonstrate a successful side-channel attack on AES, which illustrates the practical usefulness of the design for analyzing implementation attack security.
Abstract: Implementation attacks, including side-channel, fault, and probing attacks, have received significant attention in both research and commercial communities. Successful attacks have been demonstrated against standard cryptographic algorithms implemented on a wide variety of common platforms. In order to protect against these attacks, designers must incorporate complex countermeasures into the implementation of sensitive operations. Validating the effectiveness of implementation attack countermeasures requires specialized expertise and techniques not commonly used in other types of security and functional testing. We propose a modular testing environment for use in verifying the implementation attack resistance of secure systems. The proposed environment is an open-source solution that allows implementation attack testing to be independent of the system platform, implementation details, and type of attack under evaluation. These key features make the environment suitable for use with an implementation attack security standard in which standard test procedures are published openly and used to evaluate cryptographic systems. We use the proposed test environment to demonstrate a successful side-channel attack on AES, which illustrates the practical usefulness of our design for analyzing implementation attack security. Our open-source design is available at http://rijndael.ece.vt.edu/iameter.

Book ChapterDOI
09 Apr 2012
TL;DR: This paper proposes a feasible method to filter the inherently enlarging candidate key space with template attack, which is easy to implement and requires encryptions of just a few input data to screen out the correct key.
Abstract: Due to the low Signal to Noise Ratio (SNR) in general experimental environments, previous attack methods such as correlation power analysis (CPA) do not always screen out the correct key value. Sometimes the success rate of the attack is so slight that we have to find other ways to make certain of the prosperity. In this paper, rather than adopting the traditional means of singling out a single key value, we suggest a way of setting up a threshold for the attack. Accordingly, we propose a feasible method to filter the inherently enlarging candidate key space, which is called the correlation-template-induction attack. The method contains three steps: First, we apply a variation of CPA and get a set of candidate key values. Then, we filter the candidate key space with a template attack, which is easy to implement and requires encryptions of just a few input data to screen out the correct key. Next, to optimize our attack, we mix the concept of induction together with our attack. The experimental results given in this article on an AES smart card implementation guarantee the effectiveness of our method.

Posted Content
TL;DR: A direct attack against Hwang et al.'s cryptosystem based on lattice basis reduction algorithms is introduced, and it is shown that, unlike Aboud's cryptanalysis, this cryptanalysis is more efficient and practicable.
Abstract: We propose a new attack against Hwang et al.'s cryptosystem. This cryptosystem uses a super-increasing sequence as the private key, and the authors investigate a new algorithm called the permutation combination algorithm to enhance the density of the knapsack to avoid the low-density attack. Sattar J. Aboud [S. J. Aboud, "An improved knapsack public key cryptography system", International Journal of Internet Technology and Secured Transactions, Vol. 3(3), pp. 310-319, 2011] used Shamir's attack on the basic Merkle-Hellman cryptosystem to break this cryptosystem. In this paper, we introduce a direct attack against Hwang et al.'s cryptosystem based on lattice basis reduction algorithms. By computing the complexity of the proposed attack, we show that, unlike Aboud's cryptanalysis, our cryptanalysis is more efficient and practicable.

Proceedings ArticleDOI
25 Oct 2012
TL;DR: This paper demonstrates the introduction of a unique diffusion and confusion scheme in Rijndael by incorporating ASCII code manipulations using Playfair ciphering into the algorithm; the scheme is not dependent on the key or the input, thereby making it a constant-time module in the AES algorithm.
Abstract: The Advanced Encryption Standard has been playing a prominent role in embedded systems security for a decade after being announced by the National Institute of Standards and Technology (NIST). However, vulnerabilities have emerged, especially timing attacks, that challenge its security. This paper demonstrates the introduction of a unique diffusion and confusion scheme in Rijndael by incorporating ASCII code manipulations using Playfair ciphering into the algorithm; it is not dependent on the key or the input, thereby making it a constant-time module in the AES algorithm. The concept counters possible leakages from the S-box lookups; the intermediary operations (SubstituteByte, ShiftRows, MixColumns, AddRoundKey) of the AES are still applicable, but it becomes impossible for cryptanalysis to discover the enciphering method and ciphertext bits. Success of cracking efforts will be beyond human patience as it avoids statistical precision, thereby curbing timing attacks.

Book ChapterDOI
Zhenqi Li, Yao Lu, Wenhao Wang, Bin Zhang, Dongdai Lin
29 Oct 2012
TL;DR: Both theoretical analysis and experimental results show that the new design can save about 53.7% cryptanalysis time compared to TY attack and can reduce about 35.2% storage requirement compared to the original rainbow attack.
Abstract: In this paper, we present a rigorous evaluation of Thing and Ying's attack (TY attack) [11] along with practical implementations. We find that the cryptanalysis time of their attack is too high to be practical. We also propose a more general time memory trade-off by combining the distinguished points strategy with TY attack. Both theoretical analysis and experimental results show that our new design can save about 53.7% cryptanalysis time compared to TY attack and can reduce about 35.2% storage requirement compared to the original rainbow attack.

Book ChapterDOI
01 Jan 2012
TL;DR: A static threshold using a statistical and observation technique is introduced for detecting fast attack intrusions that occur within a one-second time interval.
Abstract: An Intrusion Detection System (IDS) is an important component in a network security infrastructure. An IDS needs to be accurate and reliable in order to detect the intrusive behaviour of a packet travelling through the network. With the current technological advancement, attacks on network infrastructure have evolved to a new level, and to make an IDS sensitive enough to detect new attacks, the detection framework needs to be frequently updated. Both the fast attack and the slow attack mechanism have become subsets of the phases inside the anatomy of an attack. Each attack mechanism has its own criteria, and the fast attack is an important type of attack that needs to be considered, as any late detection of a fast attack can cause a major negative impact on the organization. Therefore, there is a need to identify a suitable technique to detect fast attacks, and based on this, this paper introduces a static threshold using a statistical and observation technique for detecting fast attack intrusions that occur within a one-second time interval. The threshold selected was based on a real network traffic dataset and verified using a classification table on real network traffic.

Proceedings ArticleDOI
07 May 2012
TL;DR: The method allows us to accurately estimate the feasibility of an attack strategy and compare the efficiency of different attacks, and demonstrates that a second-round-only attack on AES is feasible when the first and the last rounds are already protected.
Abstract: In this paper, we present a formal analysis method for cache-based side-channel attacks by utilizing information and complexity theory. Although the AES algorithm is chosen as the subject algorithm in the case study, the method is generic in the sense that it can be applied to many other algorithms that are subject to side-channel attacks. The adopted approach bases its analysis method on intermediate values used during the cryptographic computation observed via side channels and explores the extent to which the observations can be exploited in a successful attack. The method allows us to accurately estimate the feasibility of an attack strategy and compare the efficiency of different attacks. The ultimate goal is to explore every attack possibility and estimate its corresponding feasibility to determine the optimal level of appropriate countermeasures. Using the method, we analyze four different cache-based attacks on AES and determine the complexity, feasibility, and strength of each attack. Our analysis demonstrates that a second-round-only attack on AES is feasible when the first and the last rounds are already protected.

Posted Content
TL;DR: Wang et al. propose two mutual RFID authentication protocols that aim to improve YA-TRAP* by providing reader authentication; a tag is allowed to refresh its pre-stored threshold value in their protocols, so that it does not become inoperative after exceeding the threshold.
Abstract: Security in passive resource-constrained Radio Frequency Identification (RFID) tags is of much interest nowadays. Resistance against illegal tracking, cloning, timing, and replay attacks is necessary for a secure RFID authentication scheme. Reader authentication is also necessary to thwart any illegal attempt to read the tags. With the objective of designing a secure and low-cost RFID authentication protocol, Gene Tsudik proposed a timestamp-based protocol using symmetric keys, named YA-TRAP*. Although YA-TRAP* achieves its target security properties, it is susceptible to timing attacks, where the timestamp to be sent by the reader to the tag can be freely selected by an adversary. Moreover, in YA-TRAP*, reader authentication is not provided, and a tag can become inoperative after exceeding its pre-stored threshold timestamp value. In this paper, we propose two mutual RFID authentication protocols that aim to improve YA-TRAP* by preventing timing attacks and by providing reader authentication. Also, a tag is allowed to refresh its pre-stored threshold value in our protocols, so that it does not become inoperative after exceeding the threshold. Our protocols also achieve other security properties like forward security and resistance against cloning, replay, and tracking attacks. Moreover, the computation and communication costs are kept as low as possible for the tags. It is important to keep the communication cost as low as possible when many tags are authenticated in batch mode. By introducing an aggregate function for the reader-to-server communication, the communication cost is reduced. We also discuss different possible applications of our protocols. Our protocols thus capture more security properties and more efficiency than YA-TRAP*. Finally, we show that our protocols can be implemented using the current standard low-cost RFID infrastructures.

Journal ArticleDOI
TL;DR: Practical differential power analysis attacks are described, using the AES cryptographic algorithm in ECB mode with a 128-bit key length; two implementations of this algorithm were used, in the C programming language and in assembler.
Abstract: This paper describes practical differential power analysis attacks. Successful and unsuccessful attack attempts are presented with a description of the attack methodology. It provides relevant information about oscilloscope settings, optimization possibilities and fundamental attack principles, which are important when realizing this type of attack. The attack was conducted on the PIC18F2420 microcontroller, using the AES cryptographic algorithm in ECB mode with a 128-bit key length. We used two implementations of this algorithm: in the C programming language and in assembler.

Journal ArticleDOI
TL;DR: This paper investigates a computationally efficient and effective method to avoid the N-1 attack, which uses chosen input messages to obtain relevant information from the attacked cryptosystem.
Abstract: Simple Power Analysis (SPA) attacks are widely used against several cryptosystems, principally against cryptosystems based on modular exponentiation. Many types of SPA have been reported in the literature. Yen et al. introduced the N-1 attack, which uses chosen input messages to obtain relevant information from the attacked cryptosystem. Their attack was implemented on the square-and-multiply-always and on the BRIP algorithm, both algorithms in left-to-right form. There are possible countermeasures against this attack, but all of them are costly and time consuming. In this paper, a computationally efficient and effective method to avoid the N-1 attack is investigated.

Proceedings ArticleDOI
03 Nov 2012
TL;DR: Brier et al.'s attack is applied to the MIST algorithm, and a corresponding countermeasure to protect RSA public elements is proposed.
Abstract: Fault attacks are a very effective way to attack the RSA cryptosystem, especially when it is implemented on embedded devices. Moreover, fault attack methods have become more and more advanced, and there have been some fault attacks on RSA public elements in recent years. Among published attacks, Brier et al.'s attack has made people think that it is necessary to protect RSA public elements. In this paper, we apply Brier et al.'s attack to the MIST algorithm and propose a corresponding countermeasure.

01 Jan 2012
TL;DR: It is shown that random delays between packet transmissions in SSH destroy the timing statistics of keystrokes and hinder timing attacks; the standard deviation of inter-keystroke time increases by about 14% when random delay is added to SSH.
Abstract: The SSH protocol is used for secure remote access to a remote server. However, the protocol as widely deployed is vulnerable to a timing attack, where an adversary gets information from inter-keystroke time. This danger particularly threatens a user who executes the su command in an SSH session. By analyzing the packets transmitted, an eavesdropper can get some information about the password typed by the user. We show that random delays between packet transmissions in SSH destroy the timing statistics of keystrokes and cause difficulties for the timing attack. The result shows that the standard deviation of inter-keystroke time increases by about 14% when random delay is added to SSH.

Posted Content
TL;DR: This paper first shows timing attacks on ZUC that can recover, with about 71.43% success rate, one bit of the secret key immediately and information involving 6 other key bits, and suggests countermeasures.
Abstract: The core of the 3rd Generation Partnership Project (3GPP) encryption standard 128-EEA3 is a stream cipher called ZUC. It was designed by the Chinese Academy of Sciences and proposed for inclusion in the cellular wireless standards called "Long Term Evolution" or "4G". The LFSR-based cipher uses a 128-bit key. In this paper, we first show timing attacks on ZUC that can recover, with about 71.43% success rate, (i) one bit of the secret key immediately, and (ii) information involving 6 other key bits. The time, memory and data requirements of the attacks are negligible. While we see potential improvements to the attacks, we also suggest countermeasures.

Proceedings ArticleDOI
Zhiyuan Li1
21 Apr 2012
TL;DR: The attack algorithm requires that the attacker can get the smartcard to exponentiate using exponents of his own choosing; experiments show that the attack is successful.
Abstract: A Multiple-Exponent Single-Data attack against a circuit implementation of the RSA modular exponentiation algorithm is described. The attack algorithm requires that the attacker can get the smartcard to exponentiate using exponents of his own choosing. Experiments show that the attack algorithm is successful.

Journal Article
TL;DR: The Chinese Remainder Theorem (CRT)-based RSA algorithm is very suitable for smartcards and cryptosystems; however, its security has attracted people's interest and is yet to be determined.
Abstract: The Chinese Remainder Theorem (CRT)-based RSA algorithm is very suitable for smartcards and cryptosystems; however, its security has attracted people's interest. This paper shows a method to perform optical injection on a cryptographic device. The attack used laser irradiation of the depackaged device to disturb the cryptographic computation process and obtain secret information from inside the chip. This paper shows that the implementation of the CRT-RSA algorithm in the cryptographic device has a security issue.

Proceedings ArticleDOI
06 Apr 2012
TL;DR: Three methods of differential power analysis attacks against the RSA algorithm are described and implemented, and the practicality of the three attack algorithms was confirmed by testing on a transistor-level netlist simulation.
Abstract: Power analysis attacks can recover the secret keys stored in cryptographic hardware devices by analyzing the input and output data combined with the cross-correlation between the operation instructions and the power consumption during the cipher processing. Three methods of differential power analysis attacks against the RSA algorithm are described and implemented. The first attack assumes that the smart card is willing to exponentiate an arbitrary number of random values with two exponents: the secret exponent and a public exponent. The assumption for the second attack is that the smart card will exponentiate a constant value using exponents chosen by the attacker. The last attack needs the internal hardware's uniform exponent of the algorithm and the modulus information. The practicality of the three attack algorithms was confirmed by testing on a transistor-level netlist simulation.