Predicting Secret Keys Via Branch Prediction

Acıiçmez, Onur; Koç, Çetin Kaya; Seifert, Jean-Pierre

doi:10.1007/11967668_15

Cited by 201 publications

(200 citation statements)

References 14 publications

Supporting

Mentioning

194

Contrasting

Unclassified

Order By: Relevance

“…Another method exploits timing dependencies between the branch prediction capability common to all high performance micros and bits of the secret key [33], [34]. Compromise of the RSA algorithm was successfully demonstrated using this attack and generalization to symmetric ciphers is recommended for future work in [35]. These attacks are also applicable to hardware implementations that utilize these same processing elements.…”

Section: 41mentioning

confidence: 99%

An overview of cryptanalysis research for the advanced encryption standard

Kaminsky

Kurdziel²,

Radziszowski

2010

2010 - Milcom 2010 Military Communications Conference

View full text Add to dashboard Cite

-Since its release in November 2001, the Advanced Encryption Standard (NIST FIPS-197) has been the subject of extensive cryptanalysis research. The importance of this research has intensified since AES was named, in 2003, by NSA as a Type-1 Suite B Encryption Algorithm (CNSSP-15). As such, AES is now authorized to protect classified and unclassified national security systems and information. This paper provides an overview of current cryptanalysis research on the AES cryptographic algorithm. Discussion is provided on the impact by each technique to the strength of the algorithm in national security applications. The paper is concluded with an attempt at a forecast of the usable life of AES in these applications. Keywords-Advanced Encryption Standard; AES; Cryptanalysis; Side Channel Attacks INTRODUCTIONIn 2003, the National Security Agency took the unprecedented step of approving a public-domain encryption algorithm, AES, for classified information processing. Prior to this milestone, all encryption algorithms approved by the NSA for classified processing were, themselves, classified. The strength of any good encryption algorithm is not enhanced by holding the design as secret. In fact, a public domain encryption standard is subject to continuous, vigilant, expert cryptanalysis. Any breakthroughs will very likely be available to users as well as their adversaries at the same time.In consumer applications, this isn't as much of a problem, but in military communication applications it can be disastrous. Here, the adversary can have national intelligence agency level resources and can exploit vulnerabilities as soon as they are identified. If practical vulnerabilities are found, there will be a period of reduced confidence until a new algorithm can be installed.It is prudent for users and providers of military communications equipment to stay abreast of the progress and trends on cryptanalysis of AES. Facilitating this process is the objective of this paper.Section 2 presents a summary of the past and current areas of research on cryptanalysis of the AES. This section is divided into 5 subsections. The first discusses attacks that pre-existed AES and were addressed as part of its design. The second discusses progress in the new area of algebraic attacks. The third discusses progress on SAT solver and hybrid attacks. Subsection 4 discusses the progress made in side-channel cryptanalysis. Subsection 5 presents a summary of related-key vulnerabilities and distinguishing attacks on AES. These are particularly relevant when AES is used in applications other than traffic encryption (such as hash functions). Section 3 provides discussion of the current strength of AES in national security applications. A forecast of the usable life of AES in these applications is attempted. The paper is concluded in Section 4. CURRENT AREAS OF RESEARCH 2.1Pre-Existing Attacks 2.1.1 Linear Cryptanalysis Linear cryptanalysis exploits approximate linear relationships that exist between inputs and outputs of a function block [1]. In ...

show abstract

Section: 41mentioning

confidence: 99%

An overview of cryptanalysis research for the advanced encryption standard

Kaminsky

Kurdziel²,

Radziszowski

2010

2010 - Milcom 2010 Military Communications Conference

View full text Add to dashboard Cite

show abstract

“…As a consequence, it cannot be excluded that the conditional branching can be detected through the timing in certain scenarios. Furthermore, based on the conditional branching, the attack can in principle be mounted as a branch prediction attack [7]. Basically, it is easily possible to remove this vulnerability by using branch free code employing the techniques shown in [8,9].…”

Section: The Rsa-oaep Decoding Operation In Opensslmentioning

confidence: 99%

Manger’s Attack Revisited

Strenzke

2010

Information and Communications Security

View full text Add to dashboard Cite

Abstract. In this work we examine a number of different open source implementations of the RSA Optimal Asymmetric Encryption Padding (OAEP) and generally RSA with respect to the message-aimed timing attack introduced by James Manger in CRYPTO 2001. We show the shortcomings concerning the countermeasures in two libraries for personal computers, and address potential flaws in previously proposed countermeasures. Furthermore, we point out a new source of timing differences that has not been addressed previously. We also investigate a new class of related problems in the multi-precision integer arithmetic that in principle allows a variant of Manger's attack to be launched against RSA implementations on 8-bit and possibly 16-bit platforms.

show abstract

“…More sophisticated attacks are presented in (Acıiçmez et al, 2007b;Acıiçmez et al, 2007c) that modify the BTB to produce effects that can leak information more efficiently than observing the time taken to compute an algorithm. Indeed, the most efficient attack described involves closely observing the BP during the computation of an RSA signature by using a spy process that modifies the BTB and observes the subsequent behaviour.…”

Section: Branch Prediction Analysismentioning

confidence: 99%

“…This could allow an attacker to derive the private key from one signature generation. An implementation of this type of attack on a modified version of the function used in OpenSSL to generate RSA signatures is described in (Acıiçmez et al, 2007b).…”

Section: Branch Prediction Analysismentioning

confidence: 99%

Securing Openssl Against Micro-Architectural Attacks

Joye¹,

Tunstall

2007

Proceedings of the Second International Conference on Security and Cryptography

View full text Add to dashboard Cite

Abstract:This paper presents a version of the 2 k -ary modular exponentiation algorithm that is secure against current methods of side-channel analysis that can be applied to PCs (the so-called micro-architectural attacks). Some optimisations to the basic algorithm are also proposed to improve the efficiency of an implementation. The proposed algorithm is compared to the current implementation of OpenSSL, and it is shown that the proposed algorithm is more robust than the current implementation.

show abstract

Predicting Secret Keys Via Branch Prediction

Cited by 201 publications

References 14 publications

An overview of cryptanalysis research for the advanced encryption standard

An overview of cryptanalysis research for the advanced encryption standard

Manger’s Attack Revisited

Securing Openssl Against Micro-Architectural Attacks

Contact Info

Product

Resources

About