时间攻击TLS的ECDSA签名
This is a work trying to reproduce and improve on Billy Bob Brumley and Nicola Tuveri - Remote Timing Attacks are Still Practical.
You can reproduce my setup with what you find here. The lattice attack works. The remote timing is not precise enough to make the attack work (we need a huge amount of samples to make the attack work). If you can get the same setup and better timing that what I get below then you should contact me :)
It works on an unpatched version of OpenSSL, but theorically it should work on any TLS framework that has such a timing attack (and not only on binary curves).
But first, if you want to know more about this research check the latest draft of the whitepaper, and here are also direct links to the Timing Attack and the Lattice Attack. And also a demo of the attack.
If you know more about how to collect extremely accurate timing samples on a remote target I might need you. From a small sample of signatures I get mediocre results, the more signatures I get, the better results I get:
these are the results I get from a million signatures:
And from 10 million signatures I get better results. But this takes ~19 hours and still has too many false positives.
in setup/
you can find how to setup the server and the client to reproduce the attack (and how to modify the server’s openSSL to remove the fix)
in datasets/
you have data I got from my own experiments. You can play with that if you don’t want to setup a client/server. Note that my measurements from the client sucks
in tools/
you have tools to play with the data in datasets/
. Read the README there for more info.
PoC/
is an old proof of concept, it can run and find a key. It’s not very pretty though
SO_TIMESTAMPING
on raw sockets. Use a NIC that allows for hardware TCP timestamping. Also try to get nanoseconds results. See timestamping.copenssl s_client -connect website:443 -cipher 'ECDHE-ECDSA'
with -msg
, -debug
or tcpdump the traffic to get the packet.