1. Cache Attacks on Secret Key Cryptosystems
Rajesh Ravi, Lawrence Awuah

2. Agenda
- Introduction
- Background
- Investigation
- Results
- Mitigation
- Future Work
- Conclusion
3. Introduction: Side Channel Cryptanalysis
Definition: any attack on a cryptosystem that uses information leaked as a byproduct of the physical implementation of the cryptosystem, rather than a theoretical weakness.
Exploitable side channels:
- Power usage
- Cache accesses
- Noise
- Heat
- Time
4. Background: AES Overview
- Based on finite mathematics
- Widely analyzed and considered secure
- Used for US Government Top Secret data
- Supports 128, 196, and 256 bit keys
- Expected to be the standard for 20+ years
5. AES
AES encrypts a 16-byte block n using a 16-byte key k and the S-box tables S and S', each of 256 bytes. These tables are expanded into four tables, each of 1024 bytes.
6. AES
AES works with two 16-byte auxiliary arrays, x and y. The first array is initialized to k, the second to n xor k. AES then modifies x: let x be the four byte arrays x1, x2, x3, x4, and compute the four-byte array (expression on the slide not reproduced here).

7. AES
Replace x0, x1, x2, x3 with y0, y1, y2, y3, which are given by (expression on the slide not reproduced here).

8. AES
AES then modifies x again, modulo 2, y again, and then x again modulo 4, and so on, for ten rounds. Finally y = AES_k(n).
9. Cache
- A special type of computer memory operating at high speed
- Stores frequently accessed data
- Cache miss: the requested data is not found in the cache
10. Bernstein's Attack
Conducted in 4 phases:
- Profiling: known key at the server; send plaintext and record timing information using different packet sizes of 400, 600 and 800 bytes
- Attacking: unknown key at the server; repeat the same
- Correlation: correlate the timing information
- Brute force search: find all possible keys from the correlations
11. Sample correlations
Each row: number of candidates, key byte index, candidate values in hex (rows with more than 16 candidates are truncated on the slide).
  16  0  d9 db d8 d0 d4 d1 df d3 de d5 d2 da d7 dc d6 dd
  70  1  86 8d 85 82 81 8b 8e 88 89 8f 8a 87 83 8c 84 80
  32  2  5f 5b 55 50 51 54 5e 57 5a 59 53 5d 5c 58 56 52 63..
 240  3  87 86 8b 89 84 85 81 8a 80 83 8f 82 8e 8d 88 8c....
 134  4  86 81 8b 8d 87 82 89 8c 83 85 8a 8f 88 80 8e 84...
  32  5  88 8b 86 82 8c 81 8e 80 83 8a 8f 85 8d 87 89 84 f1..
  16  6  37 3b 33 32 31 34 3e 38 30 36 3c 3f 3d 3a 39 35
  16  7  b1 bd b2 b4 b3 b5 bc bf b7 b8 be ba b9 bb b0 b6
  16  8  23 2d 2b 28 25 27 24 2c 20 26 2e 2f 22 2a 29 21
  48  9  bd bf b5 bc b6 b0 b8 b1 ba be bb b7 b4 b2 b3 b9 ...
  16 10  96 91 9f 90 92 93 97 9d 9b 98 9e 9a 9c 94 99 95
  16 11  f1 f0 f3 fd fe f8 f2 fa f7 f4 ff fc f9 fb f6 f5
  16 12  72 79 70 7a 7f 75 7d 77 73 7c 78 7b 7e 76 71 74
  16 13  fc f0 ff f7 fe f9 f4 f2 fa f8 fd f3 f1 fb f6 f5
  16 14  0a 0f 05 04 09 01 02 07 06 03 0b 0d 00 0c 0e 08
  16 15  82 85 89 8a 87 8e 88 8b 83 84 80 86 8d 8c 81 8f
12. Bernstein's Attack
The input to the AES encryption phase is either p_j ⊕ k_j or p'_j ⊕ k'_j. Bernstein's technique computes two matrices of the form (expression on the slide not reproduced here).

13. Bernstein's Attack
Individual time profiles are recorded for every byte of the key. Applying the heuristic, pairs that satisfy this equality will have a matching time profile.

14. Bernstein's Attack
This leads to a correlation between the two matrices computed. The secret key can be derived by (expression on the slide not reproduced here).
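The correlation step on slides 12 to 14, carried through on synthetic data as an added example (not code from the slides or from Bernstein's tools): a constructed timing model in which the lookup cost depends only on which 64-byte cache line of a 1024-byte table the index p ⊕ k falls into, plus reproducible pseudo-random noise. Profiles taken under a known key k and an unknown key k' line up at the shift d = k ⊕ k', and because only the cache line leaks, the top 16 candidates all share the high nibble of k', which is the shape of the 16-entry rows on the sample correlations slide.

```c
/* Added example, not code from the slides: Bernstein's correlation
 * heuristic run on synthetic (constructed) timing profiles for one key
 * byte.  Toy timing model: the lookup cost depends only on which 64-byte
 * cache line of a 1024-byte table the index p XOR k falls into, plus
 * pseudo-random noise.  Real network measurements are far noisier. */
#include <stdint.h>
#include <stdio.h>

#define NBYTES 256
#define LINES  16   /* 1024-byte table / 64-byte line; 16 4-byte entries per line */

/* Constructed per-line delays in cycles; not measured on any machine. */
static const double line_delay[LINES] =
    {0, 3, 1, 7, 2, 9, 4, 1, 6, 0, 8, 2, 5, 3, 7, 4};

/* One key byte's time profile: t[p] = time observed when the plaintext byte
 * is p and the key byte is k, so the table index is p XOR k.  A fixed LCG
 * seed gives reproducible noise. */
static void profile(uint8_t k, uint32_t seed, double t[NBYTES]) {
    for (int p = 0; p < NBYTES; p++) {
        seed = seed * 1103515245u + 12345u;
        double noise = (double)((seed >> 16) & 0xff) / 64.0;   /* 0..4 cycles */
        t[p] = 100.0 + line_delay[(p ^ k) / LINES] + noise;
    }
}

/* Heuristic from the slides: t'[p] ~ t[p XOR d] with d = k XOR k', so the
 * zero-mean profiles correlate best at the true shift.  Fills out[] with
 * the 256 candidate key bytes k XOR d, highest correlation first. */
void rank_key_candidates(uint8_t k_known, uint8_t k_unknown, uint8_t out[NBYTES]) {
    double t[NBYTES], tp[NBYTES], corr[NBYTES];
    profile(k_known, 1u, t);       /* profiling phase, key known */
    profile(k_unknown, 77u, tp);   /* attack phase, key unknown */
    double mt = 0, mtp = 0;
    for (int p = 0; p < NBYTES; p++) { mt += t[p]; mtp += tp[p]; }
    mt /= NBYTES; mtp /= NBYTES;
    for (int d = 0; d < NBYTES; d++) {
        corr[d] = 0;
        for (int p = 0; p < NBYTES; p++)
            corr[d] += (t[p ^ d] - mt) * (tp[p] - mtp);
    }
    /* Selection sort of the 256 shifts by descending correlation. */
    int order[NBYTES];
    for (int i = 0; i < NBYTES; i++) order[i] = i;
    for (int i = 0; i < NBYTES; i++) {
        int best = i;
        for (int j = i + 1; j < NBYTES; j++)
            if (corr[order[j]] > corr[order[best]]) best = j;
        int tmp = order[i]; order[i] = order[best]; order[best] = tmp;
        out[i] = (uint8_t)(k_known ^ order[i]);
    }
}

/* In this model only the cache line (high nibble) of the index leaks, so
 * the top 16 candidates all share the unknown byte's high nibble, like the
 * 16-entry rows on the "Sample correlations" slide.  Returns 1 if the first
 * n ranked candidates all match the high nibble of expected. */
int top_share_high_nibble(const uint8_t *ranked, int n, uint8_t expected) {
    for (int i = 0; i < n; i++)
        if ((ranked[i] >> 4) != (expected >> 4)) return 0;
    return 1;
}

int main(void) {
    uint8_t ranked[NBYTES];
    rank_key_candidates(0xa5, 0x3c, ranked);   /* non-zero profiling key */
    printf("16 candidates for key byte 0x3c:");
    for (int i = 0; i < 16; i++) printf(" %02x", ranked[i]);
    printf("\n");
    return 0;
}
```

The profiling key is passed explicitly, so the same code covers the non-zero-key profiling described later on the slides (the candidate is k_known ⊕ d rather than d alone).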
15. Investigation of the attack
4 attacks conducted:
- First, we needed to familiarize ourselves with the code and programs
- Second, the need to verify the attack using three computers in parallel
- Third, we verified the attack on the Pentium M architecture
- The fourth attack was to do the profiling phase using a known non-zero key
16. Test Environment: Tests 1, 2 and 4
Server:
- CentOS 4.4, x86_64 edition
- AMD Athlon 3200+ Venice core, 2.0 GHz, 2 GB RAM
- L1 cache: 128 KB
- L2 cache: 512 KB
- OpenSSL 0.9.8b

17. Test Environment: Attacker 1
- Fedora Core 5, 32 bit
- Pentium 4 mobile 3.06 GHz, 512 MB RAM
- L1 cache: 8 KB data cache
- L2 cache: 512 KB
- GCC version: 4.1
- OpenSSL version: 0.9.8b

18. Test Environment: Attacker 2
- Fedora Core 5, 32 bit
- Pentium M mobile 1.8 GHz, 512 MB RAM
- L1 cache: 64 KB
- L2 cache: 2 MB
- GCC version: 4.1.1
- OpenSSL version: 0.9.8b
Attacker 3 has a similar configuration.

19. Test Environment: Test 3
Server:
- Fedora Core 6, 32 bit
- Pentium M mobile 1.8 GHz, 512 MB RAM
- L1 cache: 64 KB
- L2 cache: 2 MB
- GCC version: 4.1
- OpenSSL version: 0.9.7a

20. Test Environment: Attackers 1, 2 & 3
- Fedora Core 6, 32 bit
- Intel Xeon processor, 512 MB RAM
- L1 cache: 64 KB
- L2 cache: 512 KB
- GCC version: 4.1
- OpenSSL version: 0.9.8b
21. Investigation: Tests 2 & 3
- The profiling phase took a total of 4.8 days
- The attacking phase took a total of 10 days
- The attack was sped up by approximately 7 days
22. Results: Test 2
- The correlations were very small; a brute force search would not make any sense.
- Possible reasons investigated:
  - OpenSSL mitigated the attack to a certain extent by compressing the S-boxes to smaller sizes, approx. 2.5 KB
  - The S-boxes reside in the L2 cache, which is bigger

23. Results: Test 3
- Same version of OpenSSL as used by Bernstein
- Huge improvement in correlations, but still not good enough: a brute force search would take a lot of time.
- Possible reasons investigated:
  - Cache sizes are much bigger than in Bernstein's original attack
  - Highly dependent on the architecture and software
  - Similar results were obtained by a lot of other researchers

24. Results: Profiling using a non-zero key
- A known key is set up at the server
- The study program sends different packet sizes and gets timing information
- This required knowing how Bernstein's code implements the heuristic explained before, cycling through the code and making the necessary changes in the arguments
25. Mitigations
- Alternative lookup tables (already implemented in newer OpenSSL versions)
- Storing the S-boxes in registers
- Adding noise (not perfect)
- Operating system support
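The "alternative lookup tables" idea as an added example (not code from the slides and not OpenSSL's own compressed tables): a plain S-box lookup beside a variant that reads every entry and keeps the wanted one with a branch-free mask, so the set of cache lines touched no longer depends on the secret index. The 64-byte line size, the constructed 256-byte permutation standing in for the S-box, and the footprint recorder are all assumptions of this example.

```c
/* Added example, not code from the slides or from OpenSSL: a plain S-box
 * lookup beside a constant-footprint one, with a small model of which
 * 64-byte cache lines each variant touches.  The table is a constructed
 * 256-byte permutation standing in for the AES S-box. */
#include <stdint.h>

#define TABLE 256
#define LINE  64            /* assumed cache line size, in bytes */

static uint8_t sbox[TABLE];

/* Constructed permutation of 0..255 (167 is odd, so i*167+13 mod 256 is a bijection). */
void init_sbox(void) {
    for (unsigned i = 0; i < TABLE; i++)
        sbox[i] = (uint8_t)((i * 167u + 13u) & 0xffu);
}

/* Every table read goes through here so the caller can record the footprint:
 * bit n of *lines is set when line n of the table was touched. */
static uint8_t read_entry(unsigned i, uint32_t *lines) {
    *lines |= 1u << (i / LINE);
    return sbox[i];
}

/* Leaky form: one load whose cache line depends on the secret index, which
 * is exactly what the timing profiles in the attack pick up. */
uint8_t sbox_lookup_leaky(uint8_t idx, uint32_t *lines) {
    return read_entry(idx, lines);
}

/* Mitigated form: read all 256 entries and keep the wanted one with a
 * branch-free mask, so the set of lines touched is the same for every idx. */
uint8_t sbox_lookup_ct(uint8_t idx, uint32_t *lines) {
    uint8_t result = 0;
    for (unsigned i = 0; i < TABLE; i++) {
        /* eq = 1 iff i == idx: (i ^ idx) - 1 wraps around only when i ^ idx == 0 */
        uint8_t eq = (uint8_t)((((i ^ idx) - 1u) >> 8) & 1u);
        uint8_t mask = (uint8_t)(0u - eq);          /* 0xff or 0x00 */
        result |= (uint8_t)(read_entry(i, lines) & mask);
    }
    return result;
}

/* Footprint helpers: the line bitmask left behind by one lookup of idx. */
uint32_t footprint_leaky(uint8_t idx) { uint32_t l = 0; sbox_lookup_leaky(idx, &l); return l; }
uint32_t footprint_ct(uint8_t idx)    { uint32_t l = 0; sbox_lookup_ct(idx, &l);    return l; }

/* Both variants must return the same byte for every index. */
int lookups_agree(void) {
    for (unsigned i = 0; i < TABLE; i++) {
        uint32_t a = 0, b = 0;
        if (sbox_lookup_leaky((uint8_t)i, &a) != sbox_lookup_ct((uint8_t)i, &b)) return 0;
    }
    return 1;
}
```

A compiler is free to turn the masked loop back into a data-dependent access, so a mitigation of this kind has to be checked on the generated code, not only at the source level.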
26. Relevance of the attack in the real world
- Too much time and too many packets are required for the attack to succeed
- In a similar paper, researchers found a difference of two orders of magnitude between network delays and encryption times
- They concluded that the variance of the network signal is very high compared to the target signal, so a very high number of readings is needed to average out the noise

27. Conclusion
- Bernstein's cache attack in its original form requires many modifications to work on modern architectures and networks
- Profiling can be done successfully with a non-zero key

28. Future Work
- Extracting a larger key
- Replicating the improved version of Bernstein's original attack
- Verification of mitigation techniques

29. Questions?