Author(s):	Valeria Bertacco
Location	Caro
Date	jan Thu 19	Days Raw Files
Start	10:30	First Raw Start	error-in-template
Duration	0:50:00	Offset	None
End	11:20	Last Raw End
Chapters
Total cuts_time	None min.

http://lca2012.linux.org.au/schedule/169/view_talk
raw-playlist raw-mp4-playlist encoded-files-playlist mp4 svg png

assets release.pdf Torturing_OpenSSL.json
logs
Admin: episode episode list cut list raw files day marks day marks day image_files

State:	--------- borked edit encode push to queue post richard review 1 email review 2 make public tweet to-miror conf done
Locked:	clear this to unlock
Locked by:	user/process that locked.
Start:	initially scheduled time from master, adjusted to match reality
Duration:	length in hh:mm:ss
Name:	Video Title (shows in video search results)
Emails:	email(s) of the presenter(s)
Released:	Unknown Yes No has someone authorised pubication
Normalise:
Channelcopy:	m=mono, 01=copy left to right, 10=right to left, 00=ignore.
Thumbnail:	filename.png
Description:	For any computing system to be secure, both hardware and software have to be trusted. If the hardware layer in a secure system is compromised, not only it is possible to extract secret information about the software, but it is also extremely difficult for the software to detect that an attack is underway. This talk will detail a complete end-to-end security attack to on a microprocessor system and will demonstrate how hardware vulnerabilities can be exploited to target systems that are software-secure. Specifically, we present a side-channel attack to the RSA signature algorithm by leveraging transient hardware faults at the server. Faults may be induced via voltage-supply variation, temperature variation, injection of single-event faults, etc. When affected by faults, the server produces erroneous RSA signatures, which it returns to the client. Once a sufficient number of erroneously signed messages is collected at the client end, we filter those that can leak private key information and we use them to extract the private key. We developed an algorithm to extract the private RSA key from messages affected by single-bit faults in the multiplication during Fixed Window Exponentiation (FWE), that is, the standard exponentiation algorithm used in OpenSSL during RSA signing. Our algorithm was inspired by a similar solution developed by Boneh, et al. for the Chinese Remainder Theorem (CRT) [D. Boneh, R. DeMillo, and R. Lipton. On the importance of eliminating errors in cryptographic computations. Journal of Cryptology, Dec 2001], an algorithm particularly prone to attacks. Depending of the window size used in the encryption algorithm, it is possible to extract 4-6 bits of the private key from an erroneously signed message. Our attack is perpetrated using a FPGA platform implementing a SPARC-based microprocessor running unmodified Linux and the OpenSSL authentication library. The server provides 1024-bits RSA authentication to a client we control via Ethernet connection. Faults are injected by inducing variations in the supply voltage on the FPGA platform or by subjecting the server to high temperatures. Our client collects a few thousands signed messages, which we transfer to an 80-machines computing pool to compute the private RSA key in less than 100 hours. Note that our attack does not require access to the victim system’s internal components, but simply proximity to it. Moreover, it is conceivable that an attack leveraging solely high temperatures can be carried out on machines in a remote poorly-conditioned server room. Finally, the attack does not leave any trail of the attack in the victim machine, and thus it cannot be detected. markdown
Comment:	production notes