Attacking OpenSSL using Side-channel Attacks: the RSA case study

We show that RSA implementation present in OpenSSL can be successfully attacked using sidechannels. In OpenSSL, the modular exponentiation is implemented using m-ary method, where a table of size 2m entries is precomputed. The exponent is divided into words of m-bits each and the algorithm proceeds one word at a time using the precomputed table. Furthermore, to protect against side-channel attacks, it implements message blinding countermeasure. However, this implementation has the following vulnerability: if two operations share the same secret key bit, the correlation between these samples will be higher compared to independent bits. This fact can be used to differentiate the secret key bit from 0 and 1 and can be exploited to reveal the secret key in a so called crosscorrelation attack. The cross-correlation attack works even in the case of message blinding because it does not depend on the absolute values of the operands. In the case of OpenSSL implementation, we cross-correlate the precomputations with the operands used in m-ary exponentiation to recover the full secret key. Furthermore, we explore other, more advanced ways to attack OpenSSL RSA, so called single traces attacks: template and horizontal attacks in particular.