Manger’s Attack Revisited Falko Strenzke1,2 1 FlexSecure GmbH, Germany [email protected] 2 Cryptography and Computeralgebra, Department of Computer Science, Technische Universit¨at Darmstadt, Germany Abstract. In this work we examine a number of different open source implementations of the RSA Optimal Asymmetric Encryption Padding (OAEP) and generally RSA with respect to the message-aimed timing at- tack introduced by James Manger in CRYPTO 2001. We show the short- comings concerning the countermeasures in two libraries for personal computers, and address potential flaws in previously proposed counter- measures. Furthermore, we point out a new source of timing differences that has not been addressed previously. We also investigate a new class of related problems in the multi-precision integer arithmetic that in prin- ciple allows a variant of Manger’s attack to be launched against RSA implementations on 8-bit and possibly 16-bit platforms. Keywords: public key encryption scheme, RSA, RSA-OAEP, timing attack, side channel attack. 1 Introduction The widely used RSA public key encryption scheme was found to be insecure [1] when used with PKCS#1 v1.5 encoding [2]. The OAEP encoding [3] was introduced to overcome these security problems. While being formally secure, a straightforward implementation of the RSA-OAEP decoding was found to be vulnerable with respect to timing or fault attacks by James Manger [4]. The current RSA-OAEP specification [3] accounts for these vulnerabilities, and proposes countermeasures. In this work, we examine two prominent open source cryptographic libraries with respect to the realization of appropriate timing attack countermeasures against Manger’s attack. Specifically, these are the Botan [5] and OpenSSL [6] li- braries. We find shortcomings in both implementations concerning the realization of the countermeasures within the RSA-OAEP decoding routine. Furthermore, we show that both libraries also feature another source of timing differences that in principle allows Manger’s attack even when the RSA-OAEP decoding routine is perfectly secured, also enabling attacks against RSA independently of the en- coding method. We outline a countermeasure against this new vulnerability. The vulnerability discovered in the OAEP decoding routine of the Botan library was A part of the work of F. Strenzke was done at2. M. Soriano, S. Qing, and J. L´opez (Eds.): ICICS 2010, LNCS 6476, pp. 31–45, 2010. c Springer-Verlag Berlin Heidelberg 2010 32 F. Strenzke fixed in the 1.9.8 and 1.8.9 versions by the library maintainer Jack Lloyd after being informed by us. Furthermore, we show that an even deeper source of timing differences in the multi-precision integer arithmetic can in principle be used by an attacker to mount Manger’s attack especially on 8-bit architectures. Again, this vulnerability is independent of the OAEP decoding method. 2 Preliminaries: RSA-OAEP In the following, we will very briefly recapitulate the well known RSA public key encryption scheme and then explain the OAEP encoding. The RSA private key consists of the private exponent d, the public key is given by the modulus n and the public exponent e. RSA encryption is performed by computing the ciphertext c = me mod n, which is decrypted as m = cd mod n. The knowledge of the prime factors p, q with pq = n is the what enables the holder of the secret key to determine the correct private exponent d. In [1] it is shown that RSA used with the PKCS#1 v1.5 encoding [2] is vulnerable to certain reaction attacks where the attacker manipulates a target ciphertext he wishes to decrypt, and having access to a decryption oracle is able to observe whether this manipulated ciphertext can be decrypted correctly. To thwart these attacks, RSA-OAEP [3] was introduced. The aim of this so called conversion is to detect any manipulation of the ciphertext during the decryption phase and to refuse to output the decryption result. Fig. 1. The RSA-OAEP decoding procedure. Here, denotes XOR. Manger’s Attack Revisited 33 The RSA-OAEP decryption, depicted in Fig. 1, starts with the RSA decryp- tion. The resulting integer is encoded as an octet string, which is divided into two parts: starting at the most significant octet of the integer, we find a value used for later unmasking of a seed. The RSA-OAEP specification [3] demands that the leading octet of this octet string, denoted by “xx” in the figure, has value zero. This requirement guarantees that the integer representing the message is smaller than the RSA modulus when performing RSA-OAEP encryption. This relation in turn is a requirement of the RSA encryption algorithm. The RSA- OAEP specification [3] demands that after the RSA decryption it is verified that this condition is met and that an error is output in case of a violation. In the remainder of the paper, we will refer to this condition as the first error condition of the OAEP decoding, and will speak of a supernumerary octet in case this error condition is met. Fig. 1 also shows the further processing of the RSA-OAEP decryption opera- tion. It involves a mask generation function (MGF), specified in [3], which takes a variable length octet string as input and outputs an octet string of fixed length. After the final XOR operation, an octet string consisting of three elements is recovered (the uppermost rectangular box in the figure). The first element, H (called “pHash” in [3]) is the hash value of an octet string, referred to as the parameters, which must be available to both the encrypting and the decrypting party involved. The padding part is of variable length and has to meet certain requirements for a regular ciphertext, which are of no interest for our analysis. What is important for our analysis, is that a manipulated ciphertext will always cause at least the comparison H = H to fail, which we will refer to in the following as the second error condition. The first error condition, i.e. the check whether the highest octet of the RSA plaintext equals 00, will not be triggered in all cases. This is simply due to the fact that the probability for the highest octet being 00 is at least 1/256 when decrypting random RSA ciphertexts. The third check concerning the form of the padding, is of no importance for the vulnerabilities discussed in this work. Even if this check was executed before the check H = H, there is no known attack based on this error condition. 3 The Known Attacks against RSA-OAEP In [4], it is shown how fault and timing attacks may be possible, if the im- plementation of the scheme does not include appropriate countermeasures. The attack exploits the fact that in the RSA-OAEP decryption, errors can occur at two different points in the algorithm, as explained in the preceding section. If an attacker can distinguish between these error conditions, he can conduct an adaptively chosen ciphertext attack with the aim of recovering the message corresponding to a certain ciphertext. This is explained in detail in [4]. In the following we only give a brief outline of the principle of this attack, focusing on the underlying information leak. The attacker performs the attack by creating manipulated versions of the ciphertext he wishes to decrypt. Specifically, given the ciphertext c0,hechooses 34 F. Strenzke f c f ec n e n an integer and computes 0 = 0 mod where and are the public exponent and modulus of the key that was used to encrypt c0. The attack builds on the ability of the attacker to let the decryption device decrypt the manipulated c m fm cd cipher text 0 and learn whether 0 = 0 = 0 has a supernumerary octet in the sense described above. Let B be the smallest value of a message m which features a supernumerary octet, then the information learned by the attacker is whether fm0 mod n ≥ B is true or false. Repeating this with f chosen based on previous outcomes, he can by and by narrow down the number of possible values of m0. This is done with a specific strategy described in [4]. The details of this attack are not necessary to understand the remainder of the paper, the only important thing is the source of the information gain. The way in which an attacker can learn whether the decryption of a certain ciphertext c0 caused the supernumerary octet is described as twofold in [4]. First, if the error message in this case is different from the error message that occurs when checking whether H = H, and the attacker has access to these error messages, the attack can be mounted as a fault attack. But even if the error messages are indistinguishable, there is still a chance for the attacker to distinguish at which stage in the algorithm the error was caused based on the running time [4]. The attack becomes especially dangerous if the computation of the parameter hash value is performed after the check of the first error condition and the attacker is able to provide parameters of arbitrary length1. Then the timing differences based on the first error condition can become enormous. 4 Analysis of Two Open Source RSA-OAEP Implementations In this section, we analyze the implementation of the RSA-OAEP decoding in the open source cryptographic libraries Botan [5] and OpenSSL [6] concerning their defense against Manger’s attack [4]. In advance, we wish to point out that the most dangerous timing attacks, where the attacker is able to control the size of the parameters to be hashed, are not possible for RSA-OAEP as it is implemented in Botan and OpenSSL.