david wong

Hey! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group . This is my blog about cryptography and security and other related topics that I find interesting.

Timing and Lattice Attacks on a Remote ECDSA OpenSSL Server: How Practical Are They Really?

posted August 2015

Alright! My master thesis is done. Here's a download link

It's a timing attack on an vulnerable version of OpenSSL. In particular its ECDSA signature with binary curves.

There was an optimization right before the constant-time scalar multiplication of the nonce with the public point. That leads to a timing attack that leaks the length of the ephemeral keys of an Openssl server's signatures.

In this paper I explain how to setup such an attack, how to use lattices to recover the private key out of just knowing the lengths of the nonces of a bunch of signatures taken during an ephemeral handshake.

If this doesn't make sense to you just read the paper :D

Also everything is on this github repo. You can reproduce my setup for a vulnerable server and an attacker. Patch and tools are there. If you end up getting better results than the ones in the paper, well tell me!

Also here's a demo:

EDIT: it's on the ePrint archive as well now.

Well done! You've reached the end of my post. Now you can leave me a comment :)

cq

how about the latest openssl.

david

it is patched! Look at my paper :P

cq

thanks.how about the get_small_nonces_data.py,may be missed. :)

cq

btw,which paper,u mention in LLL video about tsinghua university,can u give a link~thanks

david

I just added it in `tools/`!

I have a bunch of other tools and readmes on how to make the plots, maybe I should upload that.

as for the tsinghua paper, check my paper here: https://github.com/mimoo/RSA-and-LLL-attacks/blob/master/survey_final.pdf

But I might not talk about it there, if not I don't know where you can find that other than looking in the eprint of IACR for boneh and durfee

david

found it: Remarks on the bounds for cryptanalysis of low private key RSA (2008)

cq

yeap.
how about LLL compare to other method or algorithm. for example target rsa-150.
time cost,bla bla....

david

why would someone test rsa-150? (You mean rsa with modulus of 150bits?)

I don't really understand your question, there are some numbers in my paper. It would be interesting to see if BKZ has better results (although when I was testing it seemed to have the same results for the RSA attack)

cq

i mean https://en.wikipedia.org/wiki/RSA_numbers

david

I don't think LLL and BKZ are very relevant to factorization contests

the attack applies if the private key is small

cq

On my ubuntu local,it always run with result -trick(1000 | 10000 | 100000). i guess it's not that practical.
Also only solved when length=157.And when trick should be 6,when 7.
i guess may be i should try older version.like 0.9.8.