Practical timing and SEMA on embedded OpenSSL’s ECDSA — Adrian Thillard, Franck Rondepierre, Guenael Renault, Julien Eynard
Date: 02 June 2022 at 09:15 — 15 min.
Timing attacks are a class of side-channel attacks that allow an adversary to recover sensitive data by observing the execution time of an underlying algorithm. Several cryptographic libraries have been shown to be vulnerable to these attacks, often allowing practical key recovery. While recent papers showed that these threats are well known to developers, the libraries are often left unpatched because of the perceived burden of implementing efficient countermeasures. Instead, many libraries chose to modify their threat model and no longer consider attacks where the adversary has local access to the target. In this paper, we show how to implement, on a real-world device, a recent timing attack described by Weiser et al. at USENIX Security 2020, targeting OpenSSL's ECDSA. We expand on their discovery and demonstrate that this attack applies to a larger set of curves than claimed in the original paper. After characterising the weakness against timing, we show that the perceived safety provided by practical resistance against timing attacks can easily be shattered using slightly costlier attacks such as Simple Electro-Magnetic Analysis (SEMA). Our work hence highlights that secure embedded deployments require a very careful choice of side-channel-resistant library.
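To make the leak class concrete, the following Python block is an added illustration (not code from the paper, its notebook, or OpenSSL) of why a scalar multiplication that starts at the nonce's top set bit leaks the nonce's bit length through its running time, and of the fixed-length-scalar padding that removes that dependence. It uses secp256k1 constants only to get a realistic 256-bit group; the curves actually studied in the paper and the exact OpenSSL code paths involved are not reproduced here. Loop-iteration counts stand in for wall-clock time, and the names `leaky_mul`, `padded_mul`, `sign`, `verify` and `leaked_bit_lengths` are chosen for this example.

```python
"""Toy model of a nonce-length timing leak in ECDSA scalar multiplication,
beside the fixed-length-scalar countermeasure.  Added illustration, not the
paper's or OpenSSL's code.  Curve constants are secp256k1 (assumption: chosen
only as a realistic 256-bit group; the leak mechanism is curve-independent)."""
import secrets

# secp256k1 domain parameters (public constants).
P = 2**256 - 2**32 - 977
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None  # point at infinity


def ec_add(p1, p2):
    """Affine point addition; also handles doubling and the identity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def leaky_mul(k, point):
    """MSB-first double-and-add that starts at the scalar's top set bit.
    Returns (k*point, loop_iterations).  The iteration count, and hence the
    running time, equals k.bit_length(), so an observer learns how many
    leading zero bits the secret scalar has."""
    acc = INF
    iterations = 0
    for i in range(k.bit_length() - 1, -1, -1):
        acc = ec_add(acc, acc)
        if (k >> i) & 1:
            acc = ec_add(acc, point)
        iterations += 1
    return acc, iterations


def padded_mul(k, point):
    """Same ladder on k' = k + N or k + 2N, chosen so that k' always has
    N.bit_length() + 1 bits.  Because N*point is the identity, k'*point equals
    k*point, but the iteration count no longer depends on k."""
    k_pad = k + N
    if k_pad.bit_length() == N.bit_length():
        k_pad += N
    return leaky_mul(k_pad, point)


def sign(d, h, k, mul=leaky_mul):
    """Textbook ECDSA with an explicit nonce k; returns (r, s, timing)."""
    r_point, timing = mul(k, G)
    r = r_point[0] % N
    s = pow(k, -1, N) * (h + r * d) % N
    return r, s, timing


def verify(q, h, r, s):
    """Textbook ECDSA verification against public key q = d*G."""
    w = pow(s, -1, N)
    p1, _ = leaky_mul(h * w % N, G)
    p2, _ = leaky_mul(r * w % N, q)
    x, _ = ec_add(p1, p2)
    return x % N == r


def leaked_bit_lengths(d, h, num_sigs=64, mul=leaky_mul):
    """Attacker's view: request num_sigs signatures with random nonces and
    record the observed 'timing' of each.  Returns (timing, true bit length)
    pairs so the two can be compared."""
    out = []
    for _ in range(num_sigs):
        k = secrets.randbelow(N - 1) + 1  # constructed random nonce
        _, _, timing = sign(d, h, k, mul)
        out.append((timing, k.bit_length()))
    return out
```

With `leaky_mul`, every signature whose ladder ran fewer than 256 iterations hands the attacker the number of leading zero bits of that nonce; collecting enough such partial-nonce signatures is what turns a timing leak into a key recovery. With `padded_mul` the ladder always runs 257 iterations, at the cost of one extra doubling per operation. Note that fixing the iteration count does not by itself hide, on an EM trace, which iterations perform the conditional addition, which is the gap between timing resistance and resistance to a trace-based attack such as SEMA.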
Author's comment
A complementary notebook introducing some of the mathematical subtleties is available at https://github.com/Ledger-Donjon/practical_attacks_on_openssl_ecdsa.