Big Numbers – Big Troubles: Systematically Analyzing Nonce Leakage in (EC)DSA Implementations

Samuel Weiser, David Schrammel, Lukas Bodner, Raphael Spreitzer

Publikation: Beitrag in Buch/Bericht/KonferenzbandBeitrag in einem KonferenzbandBegutachtung

Abstract

Side-channel attacks exploiting (EC)DSA nonce leakage easily lead to full key recovery. Although (EC)DSA implementations have already been hardened against side-channel leakage using the constant-time paradigm, the long-standing cat-and-mouse-game of attacks and patches continues. In particular, current code review is prone to miss less obvious side channels hidden deeply in the call stack. To solve this problem, a systematic study of nonce leakage is necessary. We present a systematic analysis of nonce leakage in cryptographic implementations. In particular, we expand DATA, an open-source side-channel analysis framework, to detect nonce leakage. Our analysis identified multiple unknown nonce leakage vulnerabilities across all essential computation steps involving nonces. Among others, we uncover inherent problems in Bignumber implementations that break claimed constant-time guarantees of (EC)DSA implementations if secrets are close to a word boundary. We found that lazy resizing of Bignumbers in OpenSSL and LibreSSL yields a highly accurate and easily exploitable side channel, which has been acknowledged with two CVEs. Surprisingly, we also found a tiny but expressive leakage in the constant-time scalar multiplication of OpenSSL and BoringSSL. Moreover, in the process of reporting and patching, we identified newly introduced leakage with the support of our tool, thus preventing another attack-patch cycle. We open-source our tool, together with an intuitive graphical user interface we developed.
Originalspracheenglisch
TitelProceedings of the 29th USENIX Security Symposium
Herausgeber (Verlag)USENIX Association
Seiten1767-1784
Seitenumfang18
ISBN (elektronisch)9781939133175
PublikationsstatusVeröffentlicht - 1 Jan 2020
Veranstaltung29th USENIX Security Symposium - Virtuell, USA / Vereinigte Staaten
Dauer: 12 Aug 202014 Aug 2020
https://www.usenix.org/conference/usenixsecurity20/

Publikationsreihe

NameProceedings of the 29th USENIX Security Symposium

Konferenz

Konferenz29th USENIX Security Symposium
LandUSA / Vereinigte Staaten
OrtVirtuell
Zeitraum12/08/2014/08/20
Internetadresse

ASJC Scopus subject areas

  • Information systems
  • Sicherheit, Risiko, Zuverlässigkeit und Qualität
  • Computernetzwerke und -kommunikation

Fingerprint

Untersuchen Sie die Forschungsthemen von „Big Numbers – Big Troubles: Systematically Analyzing Nonce Leakage in (EC)DSA Implementations“. Zusammen bilden sie einen einzigartigen Fingerprint.

Dieses zitieren