Please use this identifier to cite or link to this item: http://hdl.handle.net/1946/29661
Side-channel attacks such as timing attacks are a severe threat to cyber security. Although this type of attack has been known for more than 10 years, exploits based on timing attacks are still being published. The aim of this work is to find a simple testing method for crypto libraries that reveals potential vulnerabilities. A precise measurement method is therefore crucial.
First, experiments with Python benchmarking tools were performed using a constant-time AES implementation. The measurement was then repeated using the method proposed by Intel, which recommends the programming language C, specific instructions and kernel mode. This measurement method performed better than the one in Python. Furthermore, the autocorrelation method and the Ljung-Box test were applied to the measurement results of the tests performed in C, but no large autocorrelations that would indicate a timing leak were found.
The measurement method was then applied to OpenSSL's RSA decryption function, which leaks exploitable timing variances if blinding is disabled. Although higher autocorrelations were found in this experiment, the results were so heavily affected by noise that it was difficult to determine whether they came from the timing leak or from system noise. Therefore, the goal of developing a simple testing method has not been reached.
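The autocorrelation and Ljung-Box analysis mentioned in the abstract can be illustrated with the following added example, which is not code from the thesis. It computes the sample autocorrelation and the Ljung-Box Q statistic for two constructed series of cycle counts. Assumptions made here: the noise model, the choice of 10 lags with the 5% critical value, and the leak model, in which inputs repeat in a fixed order so that every fourth measurement takes 20 cycles longer.

```python
import random

# 0.95 quantile of the chi-square distribution with 10 degrees of freedom.
CHI2_95_DF10 = 18.307


def autocorrelations(series, max_lag):
    """Sample autocorrelation r_k for lags k = 1..max_lag."""
    n = len(series)
    mean = sum(series) / n
    dev = [x - mean for x in series]
    c0 = sum(d * d for d in dev)
    if c0 == 0:
        raise ValueError("constant series: autocorrelation is undefined")
    return [sum(dev[t] * dev[t + k] for t in range(n - k)) / c0
            for k in range(1, max_lag + 1)]


def ljung_box_q(series, max_lag):
    """Ljung-Box statistic Q = n(n+2) * sum_{k=1..h} r_k^2 / (n-k)."""
    n = len(series)
    r = autocorrelations(series, max_lag)
    return n * (n + 2) * sum(rk * rk / (n - k)
                             for k, rk in enumerate(r, start=1))


def is_serially_correlated(series, max_lag=10, critical=CHI2_95_DF10):
    """Reject 'no autocorrelation up to max_lag' at the 5% level.
    The default critical value is only valid for max_lag=10."""
    return ljung_box_q(series, max_lag) > critical


def constructed_series(leak_cycles, n=2000, seed=1):
    """Constructed cycle counts: 1000 + Gaussian noise (sd 5); every fourth
    measurement takes leak_cycles longer (assumed repeating input order)."""
    rng = random.Random(seed)
    return [1000 + rng.gauss(0, 5) + (leak_cycles if i % 4 == 0 else 0)
            for i in range(n)]


if __name__ == "__main__":
    for label, leak in (("noise only", 0), ("input-dependent", 20)):
        s = constructed_series(leak)
        r = autocorrelations(s, 10)
        print(f"{label}: Q={ljung_box_q(s, 10):.1f} "
              f"r4={r[3]:.2f} flagged={is_serially_correlated(s)}")
```

In the constructed leaky series the input-dependent delay shows up as a strong positive autocorrelation at lag 4. On real measurements, system noise can itself be serially correlated, which is the ambiguity the abstract reports for the OpenSSL experiment.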
|MSC-BUTSCHEK-2018.pdf||5.85 MB||Open||Complete Text||View/Open|