CacheBleed: A timing attack on OpenSSL constant time RSA
Authors
Yuval Yarom, Daniel Genkin, Nadia Heninger
Affiliations
University of Adelaide
Data61, CSIRO
Technion — Israel Institute of Technology
Tel-Aviv University
University of Pennsylvania
Abstract
The scatter-gather technique is a commonly implemented approach to prevent cache-based timing attacks. In this paper we show that scatter-gather is not constant-time. We implement a cache timing attack against the scatter-gather implementation used in the modular exponentiation routine in OpenSSL version 1.0.2f. Our attack exploits cache-bank conflicts on the Sandy Bridge microarchitecture. We have tested the attack on an Intel Xeon E5-2430 processor. For 4,096-bit RSA our attack can fully recover the private key after observing 16,000 decryptions.
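The point of the abstract is that an access pattern can be identical at cache-line granularity and still differ at cache-bank granularity. The model below is an added illustration, not code from the paper and not OpenSSL's layout: it scatters a small table of multipliers limb-by-limb so that every gather touches the same set of cache lines whatever the secret window index is, then checks the same gathers at bank granularity. Line size, limb size, the 4-byte bank width and the 8-entry table are model parameters chosen for clarity, not Sandy Bridge's exact geometry, and the multiplier values are constructed.

```python
# Toy scatter-gather model (added example; not OpenSSL code, not the paper's
# exact layout).  Shows that a gather whose cache-LINE pattern is independent
# of the index can still have a cache-BANK pattern that reveals the index.

LINE_BYTES = 64                    # bytes per cache line
BANK_BYTES = 4                     # assumed bank width for this model only
LIMB_BYTES = 8                     # one 64-bit limb
ENTRIES_PER_LINE = LINE_BYTES // LIMB_BYTES   # 8 limbs (8 multipliers) per line


def scatter(multipliers):
    """Interleave the multipliers limb-by-limb.

    Limb i of multiplier j is stored at byte offset (i*n + j) * LIMB_BYTES,
    so one line holds limb i of ENTRIES_PER_LINE consecutive multipliers.
    With n == ENTRIES_PER_LINE each limb row is exactly one cache line.
    Returns (buffer, n, limbs).
    """
    n = len(multipliers)
    limbs = len(multipliers[0])
    if any(len(m) != limbs for m in multipliers):
        raise ValueError("all multipliers must have the same limb count")
    buf = bytearray(n * limbs * LIMB_BYTES)
    for j, m in enumerate(multipliers):
        for i, limb in enumerate(m):
            off = (i * n + j) * LIMB_BYTES
            buf[off:off + LIMB_BYTES] = limb.to_bytes(LIMB_BYTES, "little")
    return buf, n, limbs


def gather_addresses(n, limbs, idx):
    """Byte offsets a gather of multiplier idx reads from the scattered table."""
    return [(i * n + idx) * LIMB_BYTES for i in range(limbs)]


def gather(buf, n, limbs, idx):
    """Reassemble multiplier idx from the scattered buffer."""
    return [int.from_bytes(buf[a:a + LIMB_BYTES], "little")
            for a in gather_addresses(n, limbs, idx)]


def lines_touched(n, limbs, idx):
    """Cache lines a gather of idx touches (what a line-granularity attacker sees)."""
    return sorted({a // LINE_BYTES for a in gather_addresses(n, limbs, idx)})


def banks_touched(n, limbs, idx):
    """Banks within the line a gather of idx touches (what a bank-conflict attacker sees)."""
    return sorted({(a % LINE_BYTES) // BANK_BYTES
                   for a in gather_addresses(n, limbs, idx)})


def distinct_patterns(observe, n, limbs):
    """Number of distinct access patterns over all indices at one granularity.

    1 means the pattern is independent of the secret index; n means every
    index is distinguishable.
    """
    return len({tuple(observe(n, limbs, idx)) for idx in range(n)})


def recover_index(n, limbs, observed_banks):
    """Attacker side of the model: indices consistent with an observed bank pattern."""
    return [idx for idx in range(n) if banks_touched(n, limbs, idx) == observed_banks]


if __name__ == "__main__":
    # Constructed sample: 8 multipliers of 4 limbs each (a 3-bit window table).
    table = [[j * 0x1111 + i for i in range(4)] for j in range(8)]
    buf, n, limbs = scatter(table)
    assert gather(buf, n, limbs, 5) == table[5]
    print("distinct line patterns:", distinct_patterns(lines_touched, n, limbs))
    print("distinct bank patterns:", distinct_patterns(banks_touched, n, limbs))
    print("index recovered from banks:", recover_index(n, limbs, banks_touched(n, limbs, 5)))
```

The check a reviewer of a "constant-time" table lookup wants is `distinct_patterns` at every granularity the hardware exposes, not only at line granularity: in this model it reports one line pattern but eight bank patterns, which is exactly the gap the paper exploits.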
BibTeX Entry
@inproceedings{Yarom_GH_16,
  title     = {{CacheBleed}: A Timing Attack on {OpenSSL} Constant Time {RSA}},
  author    = {Yarom, Yuval and Genkin, Daniel and Heninger, Nadia},
  booktitle = {Workshop on Cryptographic Hardware and Embedded Systems},
  publisher = {Springer},
  address   = {Santa Barbara, CA, US},
  month     = aug,
  year      = {2016},
  pages     = {346--367},
  keywords  = {side-channel attacks, cache attacks, cryptographic implementations, constant-time, rsa},
  paperurl  = {https://ts.data61.csiro.au/publications/nicta_full_text/9254.pdf}
}