Vulnerability Note VU#997481

Cryptographic libraries and applications do not adequately defend against timing attacks

Overview

Cryptographic libraries and applications do not provide adequate defense against a side-channel timing attack against RSA private keys. Such an attack has been shown to be practical using currently available hardware on systems and networks with sufficiently low variance in latency.

I. Description

David Brumley and Dan Boneh, researchers at Stanford University, have written a paper that demonstrates a practical attack that can be used to extract private keys from vulnerable RSA applications. Using statistical techniques and carefully measuring the amount of time required to complete an RSA operation, an attacker can recover one of the factors (q) of the RSA key. The timing differences examined in the paper are based on whether an extra Mongtomery reduction is performed (section 2.3) and whether Karatsuba (recursive) or "normal" multiplication is used (section 2.4). With the public key and the factor q, the attacker can compute the private key. As noted in the VMM/attestation example in section 4 of the paper, applications that perform RSA encryption (signing) operations may also be vulnerable if the attacker can control the data to be signed.

Similar types of timing attacks are discussed in CERT Advisory CA-1998-07, a paper by Daniel Bleichenbacher et al., and a paper by Paul Kocher.

The Brumley and Boneh paper documents a set of experiments using currently available hardware to attack three different OpenSSL-based RSA decryption applications: a simple RSA decryption oracle, Apache/mod_ssl, and Stunnel. Under optimal conditions, a 1024-bit RSA private key was extracted in approximately two hours using ~350,000 guesses. In the context of an SSL/TLS handshake, the guesses take the form of the premaster secret (client key exchange message), and the guesses may appear to a web server as completed TCP connections and failed attempts to set up SSL/TLS sessions. The experiments were conducted both interprocess on a single machine and on a high-speed, closed network that does not accurately reflect the network conditions found on the Internet. The attack could, however, be feasible on a network with a low variance in latency such as a LAN, corporate/campus network, or Internet2/Abilene. The attack could also work against an SSL/TLS enabled web server to which the attacker has local access, such as a shared server in a co-location facility. The paper also notes that interprocess attacks against Virtual Machines (VM) running on the same physical computer could yield RSA secrets held by a trusted VM, such as a TCPA/Palladium system.

The experiments focus on RSA software implementations, OpenSSL in particular. The paper states that "most crypto acceleration cards also implement defenses against the timing attack. Consequently, network servers using these accelerator cards are not vulnerable." Any applications that perform RSA private key operations may be vulnerable: SSL/TLS-enabled network services, IPsec, Secure Shell (SSH1, ssh-agent), TCPA/Palladium, and smart cards are some examples of such applications. For specific vendor information, see the Systems Affected section below.

The paper recommends a defense called "RSA blinding" that introduces an additional random component to the RSA calculation and makes timing information unusable to attackers. It appears that many cryptographic libraries and applications either do not implement RSA blinding or do not make use of it when it is available. RSA blinding does incur a slight performance penalty. Although the OpenSSL library used in the experiments does implement RSA blinding, it is not enabled by default. Many applications that use OpenSSL, including Apache mod_ssl, do not use RSA blinding, and are therefore vulnerable to this attack.

II. Impact

A remote attacker could derive private RSA keys. It is important to note that the attacks described in this paper appear to be practical under certain conditions. In the case of remote attacks against SSL/TLS-enabled web servers, variance in network latency must be sufficiently low (less than 1ms), and the attacker must account for other variables such as the load on the server. A server may be more vulnerable during a period of low activity. In the case of local interprocess attacks against a web server or a VM, all the necessary conditions exist.

III. Solution

Upgrade or Patch

quantizing

Monitor RSA applications

Monitor RSA applications for signs of attack. In the case of an attack against SSL/TLS web servers, logs may show a relatively high number of network connections and failed attempts to establish SSL/TLS sessions.

Systems Affected

Vendor	Status	Date Notified
3Com	Unknown	17-Mar-2003
Alcatel	Unknown	19-Mar-2003
Apache	Unknown	4-Apr-2003
Apache-SSL	Unknown	17-Mar-2003
Apple Computer Inc.	Vulnerable	25-Mar-2003
AT&T	Unknown	19-Mar-2003
Avaya	Unknown	25-Mar-2003
Bitvise	Not Vulnerable	17-Mar-2003
BlueCat Networks	Unknown	17-Mar-2003
BorderWare	Unknown	19-Mar-2003
Check Point	Unknown	17-Mar-2003
Cisco Systems Inc.	Unknown	17-Mar-2003
Clavister	Not Vulnerable	4-Apr-2003
Computer Associates	Not Vulnerable	7-Apr-2003
Conectiva	Vulnerable	14-Apr-2003
Covalent	Vulnerable	4-Apr-2003
Cray Inc.	Unknown	19-Mar-2003
cryptlib	Vulnerable	4-Apr-2003
Crypto++	Vulnerable	25-Mar-2003
D-Link Systems	Unknown	19-Mar-2003
Data General	Unknown	17-Mar-2003
Debian	Vulnerable	23-Apr-2003
djbdns	Unknown	17-Mar-2003
Entrust	Not Vulnerable	19-Mar-2003
eSoft	Vulnerable	23-Apr-2003
F-Secure	Not Vulnerable	25-Mar-2003
F5 Networks	Vulnerable	25-Mar-2003
Foundry Networks Inc.	Vulnerable	22-Apr-2003
FreeBSD	Vulnerable	25-Mar-2003
FreeS/WAN	Unknown	19-Mar-2003
FreSSH	Vulnerable	25-Mar-2003
Fujitsu	Not Vulnerable	5-Apr-2003
Gentoo Linux	Vulnerable	5-Apr-2003
Global Technology Associates	Not Vulnerable	19-Mar-2003
GNU adns	Not Vulnerable	4-Apr-2003
GNU glibc	Not Vulnerable	25-Mar-2003
GNU Libgcrypt	Vulnerable	24-Mar-2003
GNU TLS	Vulnerable	23-Apr-2003
Guardian Digital Inc.	Vulnerable	5-Apr-2003
Hewlett-Packard Company	Vulnerable	29-Apr-2003
Hitachi	Vulnerable	13-Jun-2003
IBM	Vulnerable	21-Mar-2003
Ingrian Networks	Not Vulnerable	19-Mar-2003
Intel	Unknown	17-Mar-2003
Internet Initiative Japan (IIJ)	Not Vulnerable	5-Apr-2003
Internet Software Consortium	Unknown	25-Mar-2003
Intersoft International Inc.	Unknown	19-Mar-2003
Intoto	Vulnerable	25-Mar-2003
IP Filter	Not Vulnerable	25-Mar-2003
iPlanet	Not Vulnerable	21-Mar-2003
Juniper Networks	Unknown	17-Mar-2003
KAME Project	Unknown	17-Mar-2003
Lotus Software	Unknown	17-Mar-2003
lsh	Not Vulnerable	5-Apr-2003
Lucent Technologies	Unknown	17-Mar-2003
MacSSH	Not Vulnerable	14-Apr-2003
MandrakeSoft	Vulnerable	4-Apr-2003
Massachusetts Institute of Technology (MIT)	Unknown	19-Mar-2003
Men&Mice	Unknown	19-Mar-2003
MetaSolv Software Inc.	Unknown	17-Mar-2003
Microsoft Corporation	Not Vulnerable	19-Mar-2003
mod_ssl	Vulnerable	19-Mar-2003
MontaVista Software	Unknown	19-Mar-2003
Mozilla	Not Vulnerable	18-Mar-2003
Multi-Tech Systems Inc.	Unknown	19-Mar-2003
National Center for Supercomputing Applications (NCSA)	Unknown	19-Mar-2003
National Institute of Standards and Technology (NIST)	Unknown	19-Mar-2003
NEC Corporation	Unknown	19-Mar-2003
NetBSD	Vulnerable	23-Apr-2003
Netcomposite	Unknown	17-Mar-2003
Netfilter	Not Vulnerable	14-Apr-2003
Netscape Communications Corporation	Not Vulnerable	11-Apr-2003
NetScreen	Unknown	19-Mar-2003
Nettle	Unknown	17-Mar-2003
Network Appliance	Unknown	19-Mar-2003
Network Associates	Unknown	19-Mar-2003
Nixu	Unknown	19-Mar-2003
Nokia	Unknown	19-Mar-2003
Nominum	Unknown	19-Mar-2003
Nortel Networks	Unknown	12-Mar-2003
Novell	Unknown	19-Mar-2003
OpenBSD	Vulnerable	5-Apr-2003
OpenPKG	Vulnerable	24-Jun-2004
OpenSSH	Vulnerable	15-Apr-2003
OpenSSL	Vulnerable	15-Apr-2003
Openwall GNU/*/Linux	Unknown	17-Mar-2003
Pragma Systems	Unknown	19-Mar-2003
PuTTY	Unknown	4-Apr-2003
Red Hat Inc.	Vulnerable	1-Apr-2003
Redback Networks Inc.	Unknown	19-Mar-2003
Riverstone Networks	Unknown	17-Mar-2003
RSA Security	Not Vulnerable	25-Mar-2003
SafeNet	Unknown	17-Mar-2003
Secure Computing Corporation	Unknown	17-Mar-2003
SecureWorx	Unknown	17-Mar-2003
Sequent	Unknown	19-Mar-2003
SGI	Vulnerable	15-May-2003
Slackware	Vulnerable	23-May-2003
Sony Corporation	Unknown	17-Mar-2003
Sorceror Linux	Vulnerable	4-Apr-2003
SSH Communications Security	Vulnerable	14-Apr-2003
SSLeay	Unknown	17-Mar-2003
Stonesoft	Vulnerable	2-Jun-2003
Stunnel	Vulnerable	25-Mar-2003
Sun Microsystems Inc.	Unknown	3-Mar-2003
SuSE Inc.	Unknown	17-Mar-2003
Symantec Corporation	Not Vulnerable	14-Apr-2003
The SCO Group	Vulnerable	25-Mar-2003
Trustix Secure Linux	Vulnerable	20-Mar-2003
TTSSH/TeraTerm	Not Vulnerable	25-Mar-2003
Unisys	Unknown	19-Mar-2003
VanDyke Software Inc.	Vulnerable	4-Apr-2003
WatchGuard	Unknown	17-Mar-2003
Wind River Systems Inc.	Unknown	17-Mar-2003
Wirex	Vulnerable	8-Apr-2003
ZyXEL	Not Vulnerable	4-Apr-2003

References

CA-1998-07
http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html
http://ietf.org/rfc/rfc2246.txt
http://wp.netscape.com/eng/ssl3/draft302.txt
http://www.cryptography.com/resources/whitepapers/TimingAttacks.pdf
http://www.bell-labs.com/user/bleichen/papers/chosen.ps
ftp://ftp.rsasecurity.com/pub/pdfs/bull-2.pdf
ftp://ftp.rsasecurity.com/pub/pdfs/bulletn5.pdf
http://link.springer.de/link/service/series/0558/papers/1070/10700001.pdf
http://www.openssl.org/news/secadv_20030317.txt
http://islab.oregonstate.edu/documents/People/blaze/quantize.shar

Credit

This vulnerability is documented in a research paper written by David Brumley and Dan Boneh of Stanford University.

This document was written by Art Manion.

Other Information

Date Public:	2003-03-14
Date First Published:	2003-03-25
Date Last Updated:	2004-08-25
CERT Advisory:
CVE-ID(s):	CAN-2003-0147
NVD-ID(s):	CAN-2003-0147
US-CERT Technical Alerts:
Metric:	9.42
Document Revision:	66

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader