Torturing OpenSSL

Todd AustinUniversity of Michigan

with Andrea Pellegrini, William Arthur and Valeria Bertacco

(Based on Valeria’s BlackHat 2012 Presentation)

2

Understanding Side Channel Attacks

· Systems leak info about internal computation• E.g., safes can be cracked by

carefully listening to the tumblers

· Clever attackers can utilize leaked info to grain secrets• Generally not directly• Use statistical methods over time

· Attacks implementation, rather than algorithm

3

Fault-Based Attack of RSA

Correct behavior:•Server challenge:

s = md mod n•Client verifies:

m = se mod n

Faulty Server:ŝ != md mod n

Public Key(e,n)

Private Key(d,n)

m

s

Public Key(e,n)

Private Key(d,n)

m

ŝ

mTactical advantage: We have years

to implement this attack!

4

Injecting Faults in RSA AuthenticationMaking hardware fail:Lower voltage causes signals to slow down, thus missing

the deadline imposed by the system clockHigh temperatures increase signal propagation delays· Over-clocking shortens the allowed time for traversing the

logic cloud· Charged particles cause internal signals to change value,

causing errors

5

Wanted: Single-Bit Errors in Multiplication

A corrupted signature leaks data if only one multiplication is corrupted by a single bit flip

0

10

20

30

40

50

60

1.30 1.29 1.28 1.27 1.26 1.25 1.24 1.23

Voltage [V]

Sin

gle

bit f

aults

(%)

0

2.75

5.50

8.25

11.00

13.75

16.50

Faul

ty p

rodu

cts

(%)

Single bit faults

Faulty multiplications

6

Implementing the Fault-Based Attack

Fault-Based Attack of RSA Attackers

1. Subject server to potential single-bit faults in multiplications2. Repeatedly authenticate to collect faulty RSA signatures3. Offline, analyze RSA signatures to extract private key bits4. Repeat steps 2 & 3 until entire RSA private key identified

7

Extracting the Key with Offline Analysis· The attacker collects the faulty signatures

· The private key is recovered one window at the time

· The attacker checks its guess against the collected faulty signatures

Public Keyŝŝŝŝ

Private Keym

ŝŝ ŝ

ŝd= X X X Xd3d2d1d0

8

Computing (s=md mod n) in OpenSSL

1101

s=1

for each window:

for each bit in window: //4times

s = (s * s) mod n

s = (s * mˆd[window]) mod n

return s

d=214= 0110

s=1

s=1

s= m1101

s= (∙∙∙(m1101) 2)2)2)2

s= (∙∙∙(m1101) 2)2)2)2)m0110

window 1 window 2

9

Faulty Signature: ŝ!=md mod n

s=1

for each window:

for each bit in window: //4times

s = (s * s) mod n

s = (s * mˆd[window]) mod n

return s

s=1

s=1

s= m1101

ŝ = (∙∙∙(m1101) 2) 2) ±2f)2)2

ŝ = (∙∙∙(m1101) 2) 2) ±2f) 2)2)m0110

1101d=214= 0110window 1 window 2

10

Reconstructing the SignatureThe private key is recovered one window at the time, guessing where and when the fault hits

ŝ = (∙∙∙(mdk)64)mdk-1)2) 2)2 ±2f)2) 2)2) mdk-2)64 …md0

Alreadyknown Value?

Which multiplication?

Which bit?

d= X X Xdk dk-1 …

For each window value to be guessed and signature we test:• 16 possible key values• 2 possible error values (0→1 or 1→0)• 4 squaring iterations

11

Implementing Offline Analysis· In practice 40 bit positions typically affected by faults

→ the computation time is reduced to 2.5 seconds· Analyzing 8,800 corrupted signatures requires 1 CPU-

year – only ~1,000 are useful

· Signatures can be checked in parallel· Performed the analysis with 81 workstations

ŝŝŝŝŝŝ

12

Fault-Based Attack of Leon3 SPARC

RSA 1024-bit private key

8,800 corrupted signatures collected in 10 hours

Distributed application with 81 machines for offline analysis

Private key recovered in 100 hours

13

Exploring Temperature-Induced Faults

14

Number of Key Bits Revealed (128-bit RSA)

20 30 40 50 60 70 80 90 1000

20

40

60

80

100

120

140

V=1.3 v

V=1.28 v

V=1.27 v

V=1.26 v

V=1.25 v

V=1.24 v

Temperature

Key

bits

reco

vere

d (o

ut o

f 128

)

Surprising insight: Attack is easier to implementwith more sophisticated cooling systems

15

Conclusions

· Transient faults can leak vital private key data

· Fault-based attack devised for OpenSSL 0.9.8i ’s Fixed Window Exponentiation algorithm

· Attack demonstrated on a complete physical Leon3 SPARC system

· Software fix using “blind”ing available in OpenSSL to protect against timing attacks

· Published: “Fault-based Attack of RSA Authentication” - DATE 2010· Presented: BlackHat 2012