CacheBleed: A timing attack on OpenSSL constant time RSA

Authors

Yuval Yarom, Daniel Genkin and Nadia Heninger

University of Adelaide

Data61
CSIRO

University of Pennsylvania

University of Maryland

Abstract

The scatter-gather technique is a commonly implemented approach to prevent cache-based timing attacks. In this paper we show that scatter-gather is not constant time. We implement a cache timing attack against the scatter-gather implementation used in the modular exponentiation routine in OpenSSL version 1.0.2f. Our attack exploits cache-bank conflicts on the Sandy Bridge microarchitecture. We have tested the attack on an Intel Xeon E5-2430 processor. For 4096-bit RSA our attack can fully recover the private key after observing 16,000 decryptions.

BibTeX Entry

  @article{Yarom_GH_17,
    doi              = {10.1007/s13389-017-0152-y},
    month            = may,
    journal          = {Journal of Cryptographic Engineering},
    paperurl         = {https://ts.data61.csiro.au/publications/nicta_full_text/9535.pdf},
    year             = {2017},
    slides           = {http://ts.data61.csiro.au/publications/nicta_slides/9535.pdf},
    volume           = {7},
    title            = {{CacheBleed}: A Timing Attack on {OpenSSL} Constant Time {RSA}},
    number           = {2},
    author           = {Yarom, Yuval and Genkin, Daniel and Heninger, Nadia},
    pages            = {99--112}
  }

Download

• Full text
• BibTeX