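Abstract
As a mainstream public-key encryption and signature algorithm, RSA has its security closely watched by both industry and academia. The security of RSA rests on two things: the difficulty of breaking the algorithm itself and the security of the key. Attacking the key through power and timing side channels is often more effective than breaking the RSA algorithm. Most existing research concentrates on the security of software implementations of RSA and does not examine in depth how timing channels in hardware IP (Intellectual Property) cores affect security. There are methods based on formal verification that detect and isolate timing channels, and methods based on type systems that eliminate timing channels at the hardware design language level, but these hardware methods provide only qualitative analysis of timing channels and lack an effective model for quantitative analysis. This paper studies these two basic issues (hardware IP cores and timing channels). It first introduces the research background of RSA timing channels and the threat model for hardware implementations. It then introduces an information-entropy-based approach and builds an entropy-based timing channel attack model and an entropy-based timing channel quantitative analysis model. In the experiments, an RSA cipher core is attacked with an entropy-based attack and a variance-based attack to evaluate the effect of the entropy attack. In addition, information leakage is quantified for different keys on the same cipher core; the effect of modular exponentiation optimization algorithms on timing channel leakage is quantified across several different RSA hardware architectures; timing channel countermeasures are evaluated for how much they reduce timing channel leakage; and the keys of the corresponding RSA cores are attacked to validate the entropy-based quantitative analysis. Finally, the experiments evaluate the overall effect of different RSA architectures on design complexity. The results show that the entropy-based attack outperforms the variance-based attack in terms of the confidence of guess correctness, and that the entropy-based quantitative analysis method can effectively evaluate timing channel information leakage from RSA cipher cores, providing a theoretical basis and test method for quantitative analysis in research on RSA cipher core timing channels. The results also show that the entropy metric can help designers weigh timing channel security against performance and resource overhead, providing a potential timing channel hardware security metric for hardware design automation and enabling a finer and more complete description of hardware design characteristics.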
The RSA algorithm is a widely deployed public-key cipher for data encryption and digital signatures, and its security has drawn attention from both academia and industry. Its security relies on both the computational complexity of breaking the algorithm itself and the security of the encryption key. Generally, it is much easier to recover the encryption key through power and timing side channel analysis than to break the RSA algorithm. Previous work primarily focuses on timing side channels in software RSA implementations, without studying in depth the effect of hardware architecture on timing channel security. Although there is work on detecting and isolating timing channels based on formal verification of timing information flow, or on building timing-channel-free hardware designs by incorporating a new type system into the hardware design language, these approaches can only provide qualitative analysis of timing channels and lack an effective model for quantitative analysis of hardware timing channel security. In this work, we concentrate on hardware RSA cores and provide a quantitative analysis model to evaluate such timing channel leakage. Firstly, we introduce the hardware RSA timing channel and its threat model. We then employ entropy theory to set up a timing attack model and a quantitative analysis model for the RSA architecture timing channel. In addition, we attack an RSA implementation based on entropy analysis and on variance analysis, respectively. In order to demonstrate the effectiveness of entropy in quantifying hardware RSA implementation leakage, we perform quantitative analysis of the information leakage of different key pairs within the same RSA architecture, quantify information leakage for different RSA architecture implementations with timing channel algorithm optimization techniques, evaluate the effect of timing channel countermeasures on reducing information leakage, and also attack each RSA implementation to validate the effectiveness of our quantitative analysis model. Finally, we evaluate the effect of different algorithm optimizations, timing channel mitigation techniques and countermeasures on design complexity in terms of timing channel, performance and resource utilization. Experimental results show that the entropy metric can be used to attack the RSA timing channel and that combining variance analysis with entropy analysis can increase the success rate. The entropy metric can be used to quantitatively analyze information leakage from timing channels in RSA hardware architectures effectively and efficiently, which provides an effective theoretical basis and test methodology for assessing the severity of timing channel information leakage. In addition, the entropy metric can help designers trade off security requirements against design overheads such as performance and resource utilization, which provides a potential security metric for integrating timing channel security with traditional design metrics (e.g. area and performance) to characterize the hardware in more detail.
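Source
Chinese Journal of Computers (《计算机学报》)
EI
CSCD
Peking University Core Journals
2018, Issue 2, pp. 426-438 (13 pages)
Funding
National Natural Science Foundation of China (61672433)
Shenzhen Science and Technology Innovation Commission Basic Research Fund (201703063000517)
National Cryptography Development Fund (MMJJ20170210)
Fundamental Research Funds for the Central Universities (3102017OQD094)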
Keywords
hardware security
side channel analysis
timing channel
information leakage
RSA algorithm
entropy
quantitative analysis