Cryptology ePrint Archive: Report 2016/594
"Make Sure DSA Signing Exponentiations Really are Constant-Time"
Cesar Pereida García and Billy Bob Brumley and Yuval Yarom
Abstract: TLS and SSH are two of the most commonly used protocols for securing Internet traffic. Many of the implementations of these protocols rely on the cryptographic primitives provided in the OpenSSL library. In this work we disclose a vulnerability in OpenSSL, affecting all versions and forks (e.g. LibreSSL and BoringSSL) since roughly October 2005, which renders the implementation of the DSA signature scheme vulnerable to cache-based side-channel attacks. Exploiting the software defect, we demonstrate the first published cache-based key-recovery attack on these protocols: 260 SSH-2 handshakes to extract a 1024/160-bit DSA host key from an OpenSSH server, and 580 TLS 1.2 handshakes to extract a 2048/256-bit DSA key from an stunnel server.
Category / Keywords: applied cryptography; digital signatures; side-channel analysis; timing attacks; cache-timing attacks; DSA; OpenSSL; CVE-2016-2178
Original Publication (with minor differences): Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
Date: received 6 Jun 2016, last revised 10 Nov 2016
Contact author: cesar pereidagarcia at tut fi
Note: Footnote information about patches updated.
Version: 20161110:090554
Short URL: ia.cr/2016/594