Publication


Featured research published by Jean-Pierre Seifert.


The Cryptographers' Track at the RSA Conference | 2007

Predicting secret keys via branch prediction

Onur Aciicmez; Çetin Kaya Koç; Jean-Pierre Seifert

This paper announces a new software side-channel attack — enabled by the branch prediction capability common to all modern high-performance CPUs. The penalty paid (extra clock cycles) for a mispredicted branch can be used for cryptanalysis of cryptographic primitives that employ a data-dependent program flow. Analogous to the recently described cache-based side-channel attacks our attacks also allow an unprivileged process to attack other processes running in parallel on the same processor, despite sophisticated partitioning methods such as memory protection, sandboxing or even virtualization. In this paper, we will discuss several such attacks for the example of RSA, and experimentally show their applicability to real systems, such as OpenSSL and Linux. Moreover, we will also demonstrate the strength of the branch prediction side-channel attack by rendering the obvious countermeasure in this context (Montgomery Multiplication with dummy-reduction) as useless. Although the deeper consequences of the latter result make the task of writing an efficient and secure modular exponentiation (or scalar multiplication on an elliptic curve) a challenging task, we will eventually suggest some countermeasures to mitigate branch prediction side-channel attacks.


International Conference on Selected Areas in Cryptography | 2006

Advances on access-driven cache attacks on AES

Michael Neve; Jean-Pierre Seifert

An access-driven attack is a class of cache-based side channel analysis. Like the time-driven attack, the cache timings are under inspection as a source of information leakage. Access-driven attacks scrutinize the cache behavior with a finer granularity, rather than evaluating the overall execution time. Access-driven attacks leverage the ability to detect whether a cache line has been evicted, or not, as the primary mechanism for mounting an attack. In this paper we focus on the case of AES and we show that the vast majority of processors suffer from this cache-based vulnerability. Our best results are indeed performed on a processor without the multi-threading capabilities -- in contrast to previous works in this area that had suggested that multi-threading actually improved, or even made possible, this class of attack. Despite some technical difficulties required to mount such attacks, our work shows that access-driven cache-based attacks are becoming easier to understand and analyze. Also, when such attacks are mounted against systems performing AES, only a very limited number of encryptions are required to recover the whole key with a high probability of success, due to our last round analysis from the ciphertext.


Archive | 2006

Fault Diagnosis and Tolerance in Cryptography

Luca Breveglieri; Israel Koren; David Naccache; Jean-Pierre Seifert

Attacks on Public Key Systems
- Is It Wise to Publish Your Public RSA Keys?
- Wagner's Attack on a Secure CRT-RSA Algorithm Reconsidered
- Attacking Right-to-Left Modular Exponentiation with Timely Random Faults
- Sign Change Fault Attacks on Elliptic Curve Cryptosystems
- Cryptanalysis of Two Protocols for RSA with CRT Based on Fault Infection

Protection of Public Key Systems
- Blinded Fault Resistant Exponentiation
- Incorporating Error Detection in an RSA Architecture
- Data and Computational Fault Detection Mechanism for Devices That Perform Modular Exponentiation

Attacks on and Protection of Symmetric Key Systems
- Case Study of a Fault Attack on Asynchronous DES Crypto-Processors
- A Fault Attack Against the FOX Cipher Family
- Fault Based Collision Attacks on AES
- An Easily Testable and Reconfigurable Pipeline for Symmetric Block Ciphers

Models for Fault Attacks on Cryptographic Devices
- An Adversarial Model for Fault Analysis Against Low-Cost Cryptographic Devices
- Cryptographic Key Reliable Lifetimes: Bounding the Risk of Key Exposure in the Presence of Faults
- A Comparative Cost/Security Analysis of Fault Attack Countermeasures

Fault-Resistant Arithmetic for Cryptography
- Non-linear Residue Codes for Robust Public-Key Arithmetic
- Fault Attack Resistant Cryptographic Hardware with Uniform Error Detection
- Robust Finite Field Arithmetic for Fault-Tolerant Public-Key Cryptography

Fault Attacks and Other Security Threats
- DPA on Faulty Cryptographic Hardware and Countermeasures
- Fault Analysis of DPA-Resistant Algorithms
- Java Type Confusion and Fault Attacks


ASIAN'06: Proceedings of the 11th Asian Computing Science Conference on Advances in Computer Science: Secure Software and Related Issues | 2006

Secrecy analysis in protocol composition logic

Arnab Roy; Anupam Datta; Ante Derek; John C. Mitchell; Jean-Pierre Seifert

Extending a compositional protocol logic with an induction rule for secrecy, we prove soundness for a conventional symbolic protocol execution model, adapt and extend previous composition theorems, and illustrate the logic by proving properties of two key agreement protocols. The first example is a variant of the Needham-Schroeder protocol that illustrates the ability to reason about temporary secrets. The second example is Kerberos V5. The modular nature of the secrecy and authentication proofs for Kerberos makes it possible to reuse proofs about the basic version of the protocol for the PKINIT version that uses public-key infrastructure instead of shared secret keys in the initial steps.


Secure Web Services | 2007

A technical architecture for enforcing usage control requirements in service-oriented architectures

Agreiter Berthold; M. A. Alam; Ruth Breu; Michael Hafner; Alexander Pretschner; Jean-Pierre Seifert; Xinwen Zhang

We present an approach to modeling and enforcing usage control requirements on remote clients in service-oriented architectures. Technically, this is done by leveraging a trusted software stack relying on a hardware-based root of trust and a trusted Java virtual machine to create a measurable and hence trustworthy client-side application environment. We define a model-driven approach to specifying remote policies that makes the technical intricacies of the target platform transparent to the policy modeler.


Workshop on Fault Diagnosis and Tolerance in Cryptography | 2006

Is it wise to publish your public RSA keys?

Shay Gueron; Jean-Pierre Seifert

Only very recently, the study of introducing faults into the public-key elements of the RSA signature scheme was initiated. Following the seminal work of Seifert on fault inductions during the RSA signature verification, Brier, Chevallier-Mames, Ciet, and Clavier considered in a recent paper the signature counterpart and showed how to recover the private exponent — even with absolutely no knowledge of the fault’s behavior. Consequently, this paper reconsiders the RSA signature verification and proposes two embarrassingly simple new fault attacks against the RSA verification process. Despite their trivial nature, both of our methods bear heavy practical consequences. While the first new attack of our methods simply eliminates the “somehow cumbersome” and subtle mathematical two-phase attack analysis of Seifert’s attack, the second methodology removes the so-called “one-shot success” of Seifert’s attack and paves the way for a permanent and universal “mass-market” RSA signature forgery. Motivated by the obvious security threats through tampering attacks during the RSA verification process we will also consider some heuristic but practical countermeasures.


Computer and Communications Security | 2007

On the power of simple branch prediction analysis

Onur Aciicmez; Çetin Kaya Koç; Jean-Pierre Seifert


Cryptography and Coding'07: Proceedings of the 11th IMA International Conference on Cryptography and Coding | 2007

New branch prediction vulnerabilities in OpenSSL and necessary software countermeasures

Onur Aciicmez; Shay Gueron; Jean-Pierre Seifert


Archive | 2006

Countermeasure against fault-based attack on RSA signature verification

Shay Gueron; Jean-Pierre Seifert


FDTC | 2006

Fault Diagnosis and Tolerance in Cryptography: Third International Workshop, FDTC 2006, Yokohama, Japan, October 10, 2006: proceedings

Luca Breveglieri; Israel Koren; David Naccache; Jean-Pierre Seifert

Collaboration


Jean-Pierre Seifert's collaborators.

Top Co-Authors

Israel Koren, University of Massachusetts Amherst
David Naccache, École Normale Supérieure
Anupam Datta, Carnegie Mellon University