Cache-Timing Techniques: Exploiting the DSA Algorithm
Name
Cesar Pereida Garcia
Abstract
Side-channel information is any type of information leaked through unexpected
channels due to physical features of a system dealing with data.
The memory cache can be used as a side-channel: leakage and exploitation of
side-channel information from the executing processes is possible, leading to the recovery of secret information.
Cache-based side-channel attacks represent a serious threat to implementations
of several cryptographic primitives, especially in shared libraries.
This work explains some of the cache-timing techniques commonly used
to exploit vulnerable software. Using a particular combination of techniques and exploiting a vulnerability found in the implementation of the DSA signature scheme in the OpenSSL shared library, a cache-timing attack is performed against the DSA's sliding window exponentiation algorithm.
Moreover, the attack is expanded to show that it is possible to perform cache-timing attacks against protocols relying on the DSA signature scheme. SSH and TLS are attacked, leading to a key-recovery attack:
260 SSH-2 handshakes to extract a 1024/160-bit DSA hostkey from an OpenSSH server, and 580 TLS 1.2 handshakes to extract a 2048/256-bit DSA key from an stunnel server.
Graduation Thesis language
English
Graduation Thesis type
Master - Computer Science
Supervisor(s)
Dr. Billy Bob Brumley, Dr. Dominique Unruh, Dr. N. Asokan
Defence year
2016