CacheBleed: A timing attack on OpenSSL constant time RSA
Authors
Yuval Yarom, Daniel Genkin, Nadia Heninger
University of Adelaide
Data61, CSIRO
University of Pennsylvania
University of Maryland
Abstract
The scatter-gather technique is a commonly implemented approach to prevent cache-based timing attacks. In this paper we show that scatter-gather is not constant time. We implement a cache timing attack against the scatter-gather implementation used in the modular exponentiation routine in OpenSSL version 1.0.2f. Our attack exploits cache-bank conflicts on the Sandy Bridge microarchitecture. We have tested the attack on an Intel Xeon E5-2430 processor. For 4096-bit RSA our attack can fully recover the private key after observing 16,000 decryptions.
BibTeX Entry
@article{Yarom_GH_17,
  author   = {Yarom, Yuval and Genkin, Daniel and Heninger, Nadia},
  title    = {{CacheBleed}: A Timing Attack on {OpenSSL} Constant Time {RSA}},
  journal  = {Journal of Cryptographic Engineering},
  volume   = {7},
  number   = {2},
  pages    = {99--112},
  month    = may,
  year     = {2017},
  doi      = {10.1007/s13389-017-0152-y},
  paperurl = {https://ts.data61.csiro.au/publications/nicta_full_text/9535.pdf},
  slides   = {http://ts.data61.csiro.au/publications/nicta_slides/9535.pdf}
}