Paper 2016/224

CacheBleed: A Timing Attack on OpenSSL Constant Time RSA

Yuval Yarom, Daniel Genkin, and Nadia Heninger

Abstract

The scatter-gather technique is a commonly-implemented approach to prevent cache-based timing attacks. In this paper we show that scatter-gather is not constant-time. We implement a cache timing attack against the scatter-gather implementation used in the modular exponentiation routine in OpenSSL version 1.0.2f. Our attack exploits cache-bank conflicts on the Sandy Bridge microarchitecture. We have tested the attack on an Intel Xeon E5-2430 processor. For 4096-bit RSA our attack can fully recover the private key after observing 16,000 decryptions.

Metadata

Available format(s): PDF
Category: Implementation
Publication info: Preprint. MINOR revision.
Keywords: side-channel attacks, cache attacks, cryptographic implementations, constant-time, RSA
Contact author(s): yval @ cs adelaide edu au
History: 2016-03-01: received
Short URL: https://ia.cr/2016/224
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2016/224,
      author = {Yuval Yarom and Daniel Genkin and Nadia Heninger},
      title = {CacheBleed: A Timing Attack on OpenSSL Constant Time RSA},
      howpublished = {Cryptology ePrint Archive, Paper 2016/224},
      year = {2016},
      note = {\url{https://eprint.iacr.org/2016/224}},
      url = {https://eprint.iacr.org/2016/224}
}