Single Trace Attack Against RSA Key Generation in Intel SGX SSL

Samuel Weiser, Raphael Spreitzer, Lukas Bodner

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Research › peer-review

Abstract

Microarchitectural side-channel attacks have received significant attention recently. However, while side-channel analyses of secret key operations such as decryption and signature generation are well established, the process of key generation has not received particular attention so far. Especially because microarchitectural attacks usually require multiple observations (more than one measurement trace) to break an implementation, one-time operations such as key generation routines are often considered uncritical and out of scope. However, this assumption is no longer valid for shielded execution architectures, where sensitive code is executed---in the realm of a potential attacker---inside hardware enclaves. In such a setting, an untrusted operating system can conduct noiseless controlled-channel attacks by exploiting page access patterns.

In this work, we identify a critical vulnerability in the RSA key generation procedure of Intel SGX SSL (and the underlying OpenSSL library) that allows secret keys to be recovered from observation of a single execution. In particular, we mount a controlled-channel attack on the binary Euclidean algorithm (BEA), which is used for checking the validity of the RSA key parameters generated within an SGX enclave. Thereby, we recover all but 16 bits of one of the two prime factors of the public modulus. For an 8192-bit RSA modulus, we recover the remaining 16 bits and thus the full key in less than 12 seconds on a commodity PC. In light of these results, we urge a careful re-evaluation of cryptographic libraries with respect to single trace attacks, especially if they are intended for shielded execution environments such as Intel SGX.
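The abstract's central point, that the BEA takes a different path through its code for every operand and that a page-level observer of an enclave can see that path, can be made concrete. The Python below is an added illustration and is not code from the paper, from Intel SGX SSL or from OpenSSL. It instruments a textbook binary GCD so that every branch decision is recorded (the trace stands in for what a controlled-channel observer learns), contrasts it with a branch-free variant that runs a fixed number of rounds and records the same trace for every input, and wraps both in a small leakage check of the kind a library maintainer can run in CI. The operand values, the helper names, the public size bound NBITS and the use of gcd(e, p - 1) as the key-parameter check are assumptions made for this example.

```python
"""Added illustration (not the paper's code, nor Intel SGX SSL's or OpenSSL's):
the textbook binary Euclidean algorithm (BEA) takes a different sequence of
branches for every operand, while a branch-free variant does not."""
from functools import partial


def bea_textbook(u, v, trace):
    """Stein's binary GCD as usually written. Every loop condition and the
    swap depend on operand bits; `trace` records which branch was taken,
    standing in for what an observer of the enclave's page accesses sees."""
    if u == 0:
        return v
    if v == 0:
        return u
    shift = 0
    while (u | v) & 1 == 0:          # strip common factors of two
        u >>= 1
        v >>= 1
        shift += 1
        trace.append("both>>1")
    while u & 1 == 0:                # make u odd
        u >>= 1
        trace.append("u>>1")
    while v != 0:
        while v & 1 == 0:
            v >>= 1
            trace.append("v>>1")
        if u > v:
            u, v = v, u
            trace.append("swap")
        v -= u
        trace.append("sub")
    return u << shift


def ct_gt(a, b, nbits):
    """1 if a > b else 0, for 0 <= a, b < 2**nbits, computed arithmetically
    rather than with a branch. (Python ints are arbitrary precision; a C
    implementation would do the same on fixed-width limbs.)"""
    return ((b - a) >> nbits) & 1


def ct_select(flag, a, b):
    """Return a when flag == 1 and b when flag == 0, via masking."""
    return b ^ ((a ^ b) & -flag)


def bea_branchless(u, v, trace, nbits):
    """Binary GCD with a fixed round count and no data-dependent control flow.
    Precondition: u is odd and 0 <= u, v < 2**nbits (nbits is public, e.g.
    the key size). Invariant: u stays odd; when v is odd, the difference of
    the two odd values is even, so halving v once per round always applies.
    While v > 0 each round lowers bitlen(u) + bitlen(v) by at least one, so
    2*nbits rounds suffice for v to reach zero, leaving u = gcd."""
    for _ in range(2 * nbits):
        v_odd = v & 1
        do_swap = v_odd & ct_gt(u, v, nbits)          # ensure v >= u when both odd
        u, v = ct_select(do_swap, v, u), ct_select(do_swap, u, v)
        v = v - (u & -v_odd)                          # subtract u only if v is odd
        v >>= 1                                       # v is even (or zero) here
        trace.append("round")                         # same entry every round
    return u


def trace_depends_on_input(gcd_fn, operand_pairs):
    """Crude leakage check: run gcd_fn on several operand pairs and report
    whether the recorded control-flow trace differs between them."""
    traces = set()
    for u, v in operand_pairs:
        trace = []
        gcd_fn(u, v, trace)
        traces.add(tuple(trace))
    return len(traces) > 1


# Constructed values for the demonstration: a public exponent and two even
# "p - 1"-style candidates, as would be checked with gcd(e, p - 1) (assumed).
E = 65537
CANDIDATES = [1234566, 7654320]
NBITS = 24                      # assumed public bound on operand size

if __name__ == "__main__":
    pairs = [(E, c) for c in CANDIDATES]
    print("textbook BEA trace differs per secret:",
          trace_depends_on_input(bea_textbook, pairs))                          # True
    print("branchless BEA trace differs per secret:",
          trace_depends_on_input(partial(bea_branchless, nbits=NBITS), pairs))  # False
```

The branch-free variant shows the mitigation direction rather than a drop-in replacement: a real library must also make the underlying big-number arithmetic constant-time, and the public round bound must come from the key size, not from the secret's actual length. The leakage check is deliberately coarse; it flags any input-dependent control flow, which is the property a controlled-channel adversary exploits.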
Original language: English
Title of host publication: ASIACCS '18 - Proceedings of the 2018 on Asia Conference on Computer and Communications Security
Publisher: Association of Computing Machinery
Pages: 575-586
ISBN (Electronic): 978-1-4503-5576-6
DOIs: https://doi.org/10.1145/3196494.3196524
Publication status: Published - 2018
Event: 13th ACM ASIA Conference on Information, Computer and Communications Security - Incheon, Korea, Republic of
Duration: 4 Jun 2018 to 8 Jun 2018
Event website: http://asiaccs2018.org/

Conference

Conference: 13th ACM ASIA Conference on Information, Computer and Communications Security
Abbreviated title: ASIACCS 2018
Country: Korea, Republic of
City: Incheon
Period: 4/06/18 to 8/06/18
Internet address: http://asiaccs2018.org/

Fingerprint: Hardware; Side channel attack

Cite this

Weiser, S., Spreitzer, R., & Bodner, L. (2018). Single Trace Attack Against RSA Key Generation in Intel SGX SSL. In ASIACCS '18 - Proceedings of the 2018 on Asia Conference on Computer and Communications Security (pp. 575-586). Association of Computing Machinery. https://doi.org/10.1145/3196494.3196524

@inproceedings{e05e95a4111840669cf179eeca7e00b3,
title = "Single Trace Attack Against RSA Key Generation in Intel SGX SSL",
abstract = "Microarchitectural side-channel attacks have received significant attention recently. However, while side-channel analyses on secret key operations such as decryption and signature generation are well established, the process of key generation did not receive particular attention so far. Especially due to the fact that microarchitectural attacks usually require multiple observations (more than one measurement trace) to break an implementation, one-time operations such as key generation routines are often considered as uncritical and out of scope. However, this assumption is no longer valid for shielded execution architectures, where sensitive code is executed---in the realm of a potential attacker---inside hardware enclaves. In such a setting, an untrusted operating system can conduct noiseless controlled-channel attacks by exploiting page access patterns. In this work, we identify a critical vulnerability in the RSA key generation procedure of Intel SGX SSL (and the underlying OpenSSL library) that allows to recover secret keys from observations of a single execution. In particular, we mount a controlled-channel attack on the binary Euclidean algorithm (BEA), which is used for checking the validity of the RSA key parameters generated within an SGX enclave. Thereby, we recover all but 16 bits of one of the two prime factors of the public modulus. For an 8192-bit RSA modulus, we recover the remaining 16 bits and thus the full key in less than 12 seconds on a commodity PC. In light of these results, we urge for careful re-evaluation of cryptographic libraries with respect to single trace attacks, especially if they are intended for shielded execution environments such as Intel SGX.",
author = "Samuel Weiser and Raphael Spreitzer and Lukas Bodner",
year = "2018",
doi = "10.1145/3196494.3196524",
language = "English",
pages = "575--586",
booktitle = "ASIACCS '18 - Proceedings of the 2018 on Asia Conference on Computer and Communications Security",
publisher = "Association of Computing Machinery",
address = "United States",

}
