CacheBleed: A timing attack on OpenSSL constant time RSA
Authors
University of Adelaide
Data61
CSIRO
Technion — Israel Institute of Technology
Tel-Aviv University
University of Pennsylvania
Abstract
The scatter-gather technique is a commonly-implemented approach to prevent cache-based timing attacks. In this paper we show that scatter-gather is not constant-time. We implement a cache timing attack against the scatter-gather implementation used in the modular exponentiation routine in OpenSSL version 1.0.2f. Our attack exploits cache-bank conflicts on the Sandy-Bridge microarchitecture. We have tested the attack on an Intel Xeon E5-2430 processor. For 4,096 bit RSA our attack can fully recover the private key after observing 16,000 decryptions.
BibTeX Entry
@inproceedings{Yarom_GH_16,
month = aug,
keywords = {side-channel attacks, cache attacks, cryptographic implementations, constant-time, rsa},
publisher = {Springer},
paperurl = {https://ts.data61.csiro.au/publications/nicta_full_text/9254.pdf},
booktitle = {Workshop on Cryptographic Hardware and Embedded Systems},
author = {Yarom, Yuval and Genkin, Daniel and Heninger, Nadia},
year = {2016},
pages = {346--367},
address = {Santa Barbara, CA, US},
title = {{CacheBleed}: A Timing Attack on {OpenSSL} Constant Time {RSA}}
}
Full text
BibTeX