Attacking OpenSSL using Side-channel Attacks: The RSA case study

By Praveen Vadnala, Lukasz Chmielewski on 04 Aug 2017 @ Sha
📄 Whitepaper 📹 Video 🔗 Link
#reverse-engineering #architecture #embedded-security
Focus Areas: 🔧 Hardware Security, 📑 IoT Security, 🦠 Malware Analysis, 🏗️ Security Architecture

Presentation Material

Abstract

Side channel attacks (SCA) have gained attention in the past years. New low cost tools like Chip-Whisperer proved that these attacks are no longer a theoretical, academic risk but a real threat to the security of embedded systems. Many cryptographic products are now being developed with these attacks in mind, and countermeasures are being implemented. This is the case of the omnipresent OpenSSL, which implements protections against side channel attacks to prevent the extraction of the secret key. In our presentation, we will briefly introduce SCA to the audience and then discuss the countermeasures implemented in the OpenSSL RSA and our attack that allows us to bypass them.

AI Generated Summary

The talk details a practical power analysis attack targeting the RSA implementation in OpenSSL, focusing on its Chinese Remainder Theorem (CRT) variant. The research demonstrates that even software countermeasures designed to mitigate simple power analysis, such as the “multiply always” technique, remain vulnerable to more advanced cross-correlation attacks.

The core technique involves measuring the device’s power consumption during RSA operations and analyzing the traces to detect when the same intermediate value is reused across different modular multiplications. This reuse, inherent to the square-and-multiply exponentiation algorithm, creates a detectable correlation in the power signal, revealing the corresponding exponent bit. The attack was performed on a 32-bit microcontroller running OpenSSL, using a current probe and oscilloscope to capture traces. Extensive preprocessing was required, including precise trace alignment to compensate for timing jitter and slow temperature-induced signal drift, and data reduction via windowing to manage the large volume of samples (approximately 80 million per exponentiation).

The attack successfully extracted the secret exponent by processing around 10,000 power traces. A key finding is that the cross-correlation leakage persists even when the implementation executes a uniform sequence of operations (multiplication followed by conditional result selection), because the operand values themselves depend on previous secret-dependent results. The researchers also identified anomalous behavior for operations involving multiplication by 1 or 0, which produced distinct correlation patterns but were still recognizable.
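Why a uniform operation sequence does not remove the operand-reuse leak, shown as an added simulation that is not code from the talk or from OpenSSL. It assumes a noisy Hamming-weight leakage model, a constructed 64-bit modulus and a constructed 32-bit exponent; `simulate`, `recover_bits` and `demo` are hypothetical names.

```python
import math
import random

N = (1 << 64) - 59  # constructed toy modulus (assumption); real RSA-CRT primes are far larger

def hw(x):
    return bin(x).count("1")

def simulate(base, bits, rng, noise):
    """One multiply-always exponentiation; returns noisy Hamming-weight samples.

    mul_out[i]: leakage of the multiplication result in iteration i
    sq_in[i]:   leakage of the operand loaded by the squaring in iteration i
    """
    r, mul_out, sq_in = 1, [], []
    for b in bits:
        sq_in.append(hw(r) + rng.gauss(0, noise))
        r = r * r % N
        t = r * base % N          # always executed, so the operation sequence is uniform
        mul_out.append(hw(t) + rng.gauss(0, noise))
        if b:                     # conditional result selection
            r = t
    return mul_out, sq_in

def pearson(xs, ys):
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)

def recover_bits(traces, threshold=0.3):
    """Bit i is 1 when the product of iteration i is the operand squared in i+1."""
    k = len(traces[0][0])
    bits = []
    for i in range(k - 1):        # the last bit has no following squaring to compare with
        m = [t[0][i] for t in traces]
        s = [t[1][i + 1] for t in traces]
        bits.append(1 if pearson(m, s) > threshold else 0)
    return bits

def demo(seed=1, n_traces=500, noise=3.0):
    rng = random.Random(seed)
    secret = [1] + [rng.getrandbits(1) for _ in range(31)]   # constructed 32-bit exponent
    traces = [simulate(rng.randrange(2, N), secret, rng, noise) for _ in range(n_traces)]
    return secret, recover_bits(traces)

if __name__ == "__main__":
    secret, guess = demo()
    print("recovered", sum(a == b for a, b in zip(secret, guess)), "of", len(guess), "bits")
```

Because the correlation is computed across many executions with different bases, the same check can be run against an implementation's own traces to see whether a countermeasure actually breaks the link between one operation's result and the next operation's operand.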

The practical implication is that

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.