Constant-Time Callees with Variable-Time Callers

Side-channel attacks are a serious threat to securitycritical software. To mitigate remote timing and cachetiming attacks, many ubiquitous cryptography software libraries feature constant-time implementations of cryptographic primitives. In this work, we disclose a vulnerability in OpenSSL 1.0.1u that recovers ECDSA private keys for the standardized elliptic curve P-256 despite the library featuring both constant-time curve operations and modular inversion with microarchitecture attack mitigations. Exploiting this defect, we target the errant modular inversion code path with a cache-timing and improved performance degradation attack, recovering the inversion state sequence. We propose a new approach of extracting a variable number of nonce bits from these sequences, and improve upon the best theoretical result to recover private keys in a lattice attack with as few as 50 signatures and corresponding traces. As far as we are aware, this is the first timing attack against OpenSSL ECDSA that does not target scalar multiplication, the first side-channel attack on cryptosystems leveraging P-256 constant-time scalar multiplication and furthermore, we extend our attack to TLS and SSH protocols, both linked to OpenSSL for P-256 ECDSA signing.

[1]  Nigel P. Smart,et al.  Lattice Attacks on Digital Signature Schemes , 2001, Des. Codes Cryptogr..

[2]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[3]  Igor E. Shparlinski,et al.  The Insecurity of the Digital Signature Algorithm with Partially Known Nonces , 2002, Journal of Cryptology.

[4]  Nicolas Gama,et al.  Lattice Enumeration Using Extreme Pruning , 2010, EUROCRYPT.

[5]  Victor S. Miller,et al.  Use of Elliptic Curves in Cryptography , 1985, CRYPTO.

[6]  Wenbo Wang,et al.  Attacking OpenSSL Implementation of ECDSA with a Few Signatures , 2016, CCS.

[7]  Mark Stamp,et al.  Software Reverse Engineering , 2010, Handbook of Information and Communication Security.

[8]  Yuval Yarom,et al.  FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack , 2014, USENIX Security Symposium.

[9]  Yuval Yarom,et al.  Just a Little Bit More , 2015, CT-RSA.

[10]  Dan Boneh,et al.  Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes , 1996, CRYPTO.

[11]  Yuval Yarom,et al.  CacheBleed: a timing attack on OpenSSL constant-time RSA , 2016, Journal of Cryptographic Engineering.

[12]  Shay Gueron,et al.  Fast prime field elliptic-curve cryptography with 256-bit primes , 2014, Journal of Cryptographic Engineering.

[13]  Naomi Benger,et al.  "Ooh Aah... Just a Little Bit" : A Small Amount of Side Channel Can Go a Long Way , 2014, CHES.

[14]  Jean-Pierre Seifert,et al.  New Branch Prediction Vulnerabilities in OpenSSL and Necessary Software Countermeasures , 2007, IMACC.

[15]  Sarang Aravamuthan,et al.  A Parallelization of ECDSA Resistant to Simple Power Analysis Attacks , 2007, 2007 2nd International Conference on Communication Systems Software and Middleware.

[16]  Scott A. Vanstone,et al.  Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms , 2001, CRYPTO.

[17]  David R. Karger,et al.  Relo: Helping Users Manage Context during Interactive Exploratory Visualization of Large Codebases , 2006, VL/HCC.

[18]  Colin Percival CACHE MISSING FOR FUN AND PROFIT , 2005 .

[19]  Cesar Pereida García,et al.  "Make Sure DSA Signing Exponentiations Really are Constant-Time" , 2016, CCS.

[20]  Igor E. Shparlinski,et al.  The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces , 2003, Des. Codes Cryptogr..

[21]  N. Koblitz Elliptic curve cryptosystems , 1987 .

[22]  Emilia Käsper Fast Elliptic Curve Cryptography in OpenSSL , 2011, Financial Cryptography Workshops.

[23]  Oded Goldreich,et al.  Public-Key Cryptosystems from Lattice Reduction Problems , 1996, CRYPTO.

[24]  Billy Bob Brumley,et al.  Remote Timing Attacks Are Still Practical , 2011, ESORICS.

[25]  Santiago Sánchez-Solano,et al.  SPA vulnerabilities of the binary extended Euclidean algorithm , 2017, Journal of Cryptographic Engineering.

[26]  Jörg Schwenk,et al.  SoK: Lessons Learned from SSL/TLS Attacks , 2013, WISA.

[27]  Claus-Peter Schnorr,et al.  Lattice Basis Reduction: Improved Practical Algorithms and Solving Subset Sum Problems , 1991, FCT.

[28]  Billy Bob Brumley,et al.  Amplifying side channels through performance degradation , 2016, ACSAC.

[29]  Risto M. Hakala,et al.  Cache-Timing Template Attacks , 2009, ASIACRYPT.