Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Timing Attack paper--pres--v.01
1. Timing Attacks
• Prepared By :
*Anas Za’za’
• Dr. Adwan Yasin.
• COMPUTER SECURITY.
2. Timing Attacks : side-channel attack based on
measuring the length of time it takes to digitally
sign a message(respond it)
3. Network Timing Attack
Regular Client
Server [Web,SSL]
1. ClientHello
2. ServerHello
(send public key)
3. ClientKeyExchange
4. Attack
Attack Client
Server
1. ClientHello
2. ServerHello
(send public key)
3. Record time t1
Send guess g or ghi
4. Alert
5. Record time t2
Compute t2 –t1
5. a = "ABCD"
b = "ABBA"
for (i = 0; i < a.length; i++)
{
if (a[i] != b[i])
return false;
}
return true;
7. a = "ABCD"
b = "ABBA"
for (i = 0; i < a.length; i++)
{
if (a[i] != b[i])
return false;
}
return true;
8. Reform The Code
match = true;
for (i = 0; i < a.length; i++)
{
if (a[i] != b[i])
match := false;
}
return match;
9. Reform The Code 2
match = 0;
for (i = 0; i < a.length; i++)
{
match = match or (a[i] xor b[i]);
}
return match == 0;
A B
OUTPUT
A XOR B
0 0 0
0 1 1
1 0 1
1 1 0
10. Attack on OpenSSL
OpenSSL: an open source cryptographic
library used in web servers and other SSL
applications.
11. RSA
Key generation:
• Generate large primes p, q
• Compute n=pq and (n)=(p-1)(q-1)
• Choose small e, relatively prime to (n)
• Compute unique d such that ed = 1 mod (n)
Public key = (e,n); private key = d
Security relies on the assumption that it is difficult to compute roots
modulo n without knowing p and q
Encryption of p (simplified!): c = pe mod n
Decryption of c: cd mod n = (pe)d mod n = m
12. Timing Attack on RSA
• Initial guess g for q
• Try all possible guesses for the top few bits
• Suppose we know i-1 top bits of q. Goal: ith bit.
• Set g =<known i-1 bits of q>000000
• Set ghi=<known i-1 bits of q>100000 - note: g<ghi
• If g<q<ghi then the ith bit of q is 0
• If g<ghi<q then the ith bit of q is 1
• Goal: decide whether g<q<ghi or g<ghi<q
Let ‘g’ be a guess as to the value of q
Let ghi be the same value as g, with the i'th bit
13. slide 13
Two Possibilities for ghi
Decryption time #Reductions
Mult routine
ghi Difference in decryption times ?
between g and ghi will be small
q
g ghi?
Value of ciphertext
Difference in decryption times
between g and ghi will be large
D=|t1-t2|.
If D is large then g<q<ghi and i’th bit of q is 0,
otherwise the bit is 1.
14. RSA Blinding
• Decrypt random number related to c:
1. Before decryption compute x’ = c*re mod N, r is random
2. p’ = Decrypt x’
3. Calculate p = p’/r mod N
• Since r is random, the decryption time should be random
• 2-10% performance penalty