The remote timing attack against OpenSSL’s ECDSA

I've been asked lots of questions about recent research that shows that it's possible to do a remote timing attack against a particular version of ECDSA that OpenSSL uses. Here's my take on this.

Here's the abstract of the paper that describes this attack:

For over two decades, timing attacks have been an active area of research within applied cryptography. These attacks exploit cryptosystem or protocol implementations that do not run in constant time. When implementing an elliptic curve cryptosystem that provides side-channel resistance, the scalar multiplication routine is a critical component. In such instances, one attractive method often suggested in the literature is Montgomery's ladder that performs a fixed sequence of curve and field operations. This paper describes a timing attack vulnerability in OpenSSL's ladder implementation for curves over binary fields. We use this vulnerability to steal the private key of a TLS server where the server authenticates with ECDSA signatures. Using the timing of the exchanged messages, the messages themselves, and the signatures, we mount a lattice attack that recovers the private key. Finally, we describe and implement an effective countermeasure.

If we look more closely at the paper, here's what we find:

  • This IS very clever work. It's stuff that I wish that I could have thought of first.
  • This IS an attack against a particular implementation of ECDSA.
  • This is NOT an attack against all implementations of TLS.
  • This is NOT an attack against all implementations of ECC.
  • This is NOT an attack against all implementations of ECDSA.

So does it make sense to panic and ban all uses of TLS/ECDSA/ECC?

Absolutely not.

There might not even be anyone who this attack actually affects. For this to affect you, you need to be using ECDSA in OpenSSL's TLS, and you need to be using it over a binary field. That's probably fairly rare. The version of ECDSA that's specified in the NSA's Suite B cryptography only uses prime fields (curves P-256 and P-384), for example. But if it applies to you, you might want to switch to a different signing algorithm before you're exploited.  

Leave a Reply

Your email address will not be published. Required fields are marked *