Return of the Hidden Number Problem.

IACR Transactions on Cryptographic Hardware and Embedded Systems Pub Date : 2018-11-09 DOI:10.46586/tches.v2019.i1.146-168

Keegan Ryan

{"title":"Return of the Hidden Number Problem.","authors":"Keegan Ryan","doi":"10.46586/tches.v2019.i1.146-168","DOIUrl":null,"url":null,"abstract":"Side channels have long been recognized as a threat to the security of cryptographic applications. Implementations can unintentionally leak secret information through many channels, such as microarchitectural state changes in processors, changes in power consumption, or electromagnetic radiation. As a result of these threats, many implementations have been hardened to defend against these attacks. Despite these mitigations, this work presents a novel side-channel attack against ECDSA and DSA. The attack targets a common implementation pattern that is found in many cryptographic libraries. In fact, about half of the libraries that were tested exhibited the vulnerable pattern. This pattern is exploited in a full proof of concept attack against OpenSSL, demonstrating that it is possible to extract a 256-bit ECDSA private key using a simple cache attack after observing only a few thousand signatures. The target of this attack is a previously unexplored part of (EC)DSA signature generation, which explains why mitigations are lacking and the issue is so widespread. Finally, estimates are provided for the minimum number of signatures needed to perform the attack, and countermeasures are suggested to protect against this attack.","PeriodicalId":321490,"journal":{"name":"IACR Transactions on Cryptographic Hardware and Embedded Systems","volume":"25 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-11-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IACR Transactions on Cryptographic Hardware and Embedded Systems","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.46586/tches.v2019.i1.146-168","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 12

Abstract

Side channels have long been recognized as a threat to the security of cryptographic applications. Implementations can unintentionally leak secret information through many channels, such as microarchitectural state changes in processors, changes in power consumption, or electromagnetic radiation. As a result of these threats, many implementations have been hardened to defend against these attacks. Despite these mitigations, this work presents a novel side-channel attack against ECDSA and DSA. The attack targets a common implementation pattern that is found in many cryptographic libraries. In fact, about half of the libraries that were tested exhibited the vulnerable pattern. This pattern is exploited in a full proof of concept attack against OpenSSL, demonstrating that it is possible to extract a 256-bit ECDSA private key using a simple cache attack after observing only a few thousand signatures. The target of this attack is a previously unexplored part of (EC)DSA signature generation, which explains why mitigations are lacking and the issue is so widespread. Finally, estimates are provided for the minimum number of signatures needed to perform the attack, and countermeasures are suggested to protect against this attack.

查看原文本刊更多论文

隐数问题的返回。

侧信道长期以来一直被认为是对加密应用安全的威胁。实现可能无意中通过许多渠道泄露机密信息，例如处理器中的微体系结构状态更改、功耗更改或电磁辐射。由于这些威胁，许多实现已经加强以防御这些攻击。尽管有这些缓解措施，这项工作提出了一种针对ECDSA和DSA的新型侧信道攻击。这种攻击的目标是在许多加密库中发现的通用实现模式。事实上，测试的库中大约有一半显示出易受攻击的模式。这种模式在针对OpenSSL的完整概念验证攻击中被利用，证明在观察到几千个签名后，可以使用简单的缓存攻击提取256位ECDSA私钥。此攻击的目标是(EC)DSA签名生成中以前未开发的部分，这解释了为什么缺乏缓解措施而问题如此普遍。最后，给出了执行攻击所需的最小签名数的估计，并提出了防止这种攻击的对策建议。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IACR Transactions on Cryptographic Hardware and Embedded Systems

自引率

0.00%

发文量