Timing and Lattice Attacks on a Remote ECDSA OpenSSL Server: How Practical Are They Really?
posted August 2015
Alright! My master thesis is done. Here's a download link
It's a timing attack on an vulnerable version of OpenSSL. In particular its ECDSA signature with binary curves.
There was an optimization right before the constant-time scalar multiplication of the nonce with the public point. That leads to a timing attack that leaks the length of the ephemeral keys of an Openssl server's signatures.
In this paper I explain how to setup such an attack, how to use lattices to recover the private key out of just knowing the lengths of the nonces of a bunch of signatures taken during an ephemeral handshake.
If this doesn't make sense to you just read the paper :D
Also everything is on this github repo. You can reproduce my setup for a vulnerable server and an attacker. Patch and tools are there. If you end up getting better results than the ones in the paper, well tell me!
Also here's a demo:
EDIT: it's on the ePrint archive as well now.