Side-Channel Attack against RSA Key Generation Algorithms

Bauer, Aurélie; Jaulmes, Éliane; Lomné, Victor; Prouff, Emmanuel; Roche, Thomas

doi:10.1007/978-3-662-44709-3_13

Cited by 10 publications

(12 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, Vuillaume et al consider the Fermat test [34,Algorithm 4.9], which is rarely used in practice due to false positives (Carmichael numbers). Bauer et al [7] also attacked the prime sieve procedure during the prime number generation. All these side-channel attacks either target the primality test or the prime generation itself and cannot be executed by only running software on the targeted machine.…”

Section: Microarchitectural Attacks On Rsamentioning

confidence: 99%

“…Although cryptographic implementations (e.g., in OpenSSL [20]) are often hardened against side-channel attacks on secret key operations such as decryption and signature generation of digital signature schemes, the process of key generation has been mostly neglected in these analyses. While power analysis attacks targeting the prime factor generation during RSA key generation have been investigated [7,19,48], software-based side-channel attacks have been considered out of scope for various side-channel attack scenarios. On the one hand, key generation is usually a one-time operation, limiting possible attack observations to a minimum.…”

mentioning

confidence: 99%

See 1 more Smart Citation

Single Trace Attack Against RSA Key Generation in Intel SGX SSL

Weiser

Spreitzer

Bodner

2018

Proceedings of the 2018 on Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

Microarchitectural side-channel attacks have received significant attention recently. However, while side-channel analyses on secret key operations such as decryption and signature generation are well established, the process of key generation did not receive particular attention so far. Especially due to the fact that microarchitectural attacks usually require multiple observations (more than one measurement trace) to break an implementation, one-time operations such as key generation routines are often considered as uncritical and out of scope. However, this assumption is no longer valid for shielded execution architectures, where sensitive code is executedin the realm of a potential attacker-inside hardware enclaves. In such a setting, an untrusted operating system can conduct noiseless controlled-channel attacks by exploiting page access patterns.In this work, we identify a critical vulnerability in the RSA key generation procedure of Intel SGX SSL (and the underlying OpenSSL library) that allows to recover secret keys from observations of a single execution. In particular, we mount a controlled-channel attack on the binary Euclidean algorithm (BEA), which is used for checking the validity of the RSA key parameters generated within an SGX enclave. Thereby, we recover all but 16 bits of one of the two prime factors of the public modulus. For an 8 192-bit RSA modulus, we recover the remaining 16 bits and thus the full key in less than 12 seconds on a commodity PC. In light of these results, we urge for careful re-evaluation of cryptographic libraries with respect to single trace attacks, especially if they are intended for shielded execution environments such as Intel SGX.

show abstract

Section: Microarchitectural Attacks On Rsamentioning

confidence: 99%

mentioning

confidence: 99%

Single Trace Attack Against RSA Key Generation in Intel SGX SSL

Weiser

Spreitzer

Bodner

2018

Proceedings of the 2018 on Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…In [3], the Joye and Pallier method proposed in [4] was analyzed to recover some bits of the secret primes, and the Coppersmith method was used to calculate the remaining ones, with an overall success rate of 0.1% [5]. In [6] and [7], the authors analyzed the leakages that could exist in different methods for checking the divisibility of a prime candidate by a prime sieve. Independent of the specific random prime number generation algorithms analyzed in these works and their intrinsic implementation details, the best success rate achieved was 25% [7].…”

Section: Introductionmentioning

confidence: 99%

“…In [6] and [7], the authors analyzed the leakages that could exist in different methods for checking the divisibility of a prime candidate by a prime sieve. Independent of the specific random prime number generation algorithms analyzed in these works and their intrinsic implementation details, the best success rate achieved was 25% [7].…”

Section: Introductionmentioning

confidence: 99%

“…

…”

mentioning

confidence: 99%

See 1 more Smart Citation

Side‐channel analysis of the modular inversion step in the RSA key generation algorithm

Aldaya

Márquez

Sarmiento

et al. 2016

Circuit Theory & Apps

View full text Add to dashboard Cite

This paper studies the security of the RSA key generation algorithm with regard to side-channel analysis and presents a novel approach that targets the simple power analysis (SPA) vulnerabilities that may exist in an implementation of the binary extended Euclidean algorithm (BEEA). The SPA vulnerabilities described, together with the properties of the values processed by the BEEA in the context of RSA key generation, represent a serious threat for an implementation of this algorithm. It is shown that an adversary can disclose the private key employing only one power trace with a success rate of 100 %an improvement on the 25% success rate achieved by the best side-channel analysis carried out on this algorithm. Two very different BEEA implementations are analyzed, showing how the algorithm's SPA leakages could be exploited. Also, two countermeasures are discussed that could be used to reduce those SPA leakages and prevent the recovery of the RSA private key.One of the algorithms that have been targeted using this kind of side-channel analysis is the RSA key generation procedure, an algorithm commonly used in electronic devices (i.e., hardware security modules) [2] dedicated to the generation and storage of cryptographic keys.Side-channel leakages that may exist during the RSA key generation procedure have been analyzed in several published works, most of which have focused their attention on the algorithms employed to generate the secret prime numbers needed to construct an RSA key. In [3], the Joye and Pallier method proposed in [4] was analyzed to recover some bits of the secret primes, and the Coppersmith method was used to calculate the remaining ones, with an overall success rate of 0.1% [5]. In [6] and [7], the authors analyzed the leakages that could exist in different methods for checking the divisibility of a prime candidate by a prime sieve. Independent of the specific random prime number generation algorithms analyzed in these works and their intrinsic implementation details, the best success rate achieved was 25% [7].This work presents a new side-channel analysis of the RSA key generation procedure. Instead of targeting a prime generation algorithm as in previous works, the proposed side-channel analysis, based on SPA leakages, focuses on the modular inversion operation required to generate an RSA private key. In this context, the RSA key generation procedure imposes the requirement that only one power consumption trace can be used to extract the private key.There are different approaches for computing modular inverses. Among the most popular methods are those based on the extended Euclidean algorithm [8]. In order to avoid the divisions involved in this algorithm, a binary variant of it, called binary extended Euclidean algorithm (BEEA), is often preferred because it replaces multi-precision divisions with right shift operations [9]. This change results in software implementations with very good performance [10], and it is also very suitable for hardware realizations, as the required shift operations ...

show abstract

Cache-Timing Attacks Still Threaten IoT Devices

Takarabt

Schaub

Facon

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Deployed widely and embedding sensitive data, IoT devices depend on the reliability of cryptographic libraries to protect user information. However when implemented on real systems, cryptographic algorithms are vulnerable to side channel attacks based on their execution behavior, which can be revealed by measurements of physical quantities such as timing or power consumption. Some countermeasures can be implemented in order to prevent those attacks. However those countermeasures are generally designed at high level description, and when implemented, some residual leakage may persist. In this article we propose a methodology to assess the robustness of the MbedTLS library against timing and cache-timing attacks. This comprehensive study of side-channel security allows us to identify the most frequent weaknesses in software cryptographic code and how those might be fixed. This methodology checks the whole source code, from the top level routines to low level primitives, that are used for the final application. We recover hundreds of lines of code that leak sensitive information.

show abstract

Side-Channel Attack against RSA Key Generation Algorithms

Cited by 10 publications

References 24 publications

Single Trace Attack Against RSA Key Generation in Intel SGX SSL

Single Trace Attack Against RSA Key Generation in Intel SGX SSL

Side‐channel analysis of the modular inversion step in the RSA key generation algorithm

Cache-Timing Attacks Still Threaten IoT Devices

Contact Info

Product

Resources

About