Persistent Fault-based Collision Attack on Block Cipher Mode
Abstract: Persistent fault-based collision attacks can effectively recover the key used in an AES encryption/decryption module based on an S-box implementation. In practice, however, processing long messages requires invoking a mode of operation, which does not satisfy the assumptions of the persistent fault-based collision attack. In addition, the AES module in OpenSSL, a widely used open-source cryptographic library, is implemented with multiple T-boxes rather than S-boxes, which makes the existing persistent fault injection patterns ineffective. This paper studies the different modes of operation in OpenSSL separately. For ECB mode, the encryption and decryption implementations are attacked by injecting a stuck-at-0 fault or a random fault into the T-box, respectively. For CBC mode, the decryption implementation is attacked by challenging ciphertexts, which avoids the interference of the random initialization vector supplied during encryption with the intermediate values. For OFB and CFB, modes that do not operate on the message directly, the attack still succeeds by challenging ciphertexts. The paper also shows that obtaining the direct output of the encryption (or decryption) module is not a necessary condition for a persistent fault collision attack, and verifies through an analysis of CMAC that the key can be recovered as long as collision information about the intermediate state can be observed. Key recovery experiments on the above modes, with faults injected in simulation on a PC, show that the attack success rate is 100% for both single-byte and multi-byte faults.

Authors: ZANG Shou-Jin (臧首金); ZHENG Shi-Hui (郑世慧) (School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China)

Source: Journal of Cryptologic Research (《密码学报》), CSCD, 2023, No. 1, pp. 118-130 (13 pages)

Funding: National Natural Science Foundation of China (61502048).

Keywords: OpenSSL; AES; block cipher mode; persistent fault analysis; fault analysis; collision analysis