ATHENA: Authenticated Encryption Analysis

As opposed to a traditional block cipher that only provides confidentiality, Authenticated Encryption (AE) is a cryptographic primitive achieving confidentiality, integrity, and authenticity in a single function. AE is a fundamental concept in e.g. TLS, with several cipher suites utilizing AES Galois Counter Mode (GCM). Briefly, a TLS Cipher Suite is a combination of cryptographic algorithms to achieve a number of high level security goals.

ATHENA is a two year Academy of Finland project (grant 303814, PI Assistant Professor Billy Bob Brumley) that scrutinizes one of those goals in particular: authentication. Furthermore, in the context of real-world systems and protocols, TLS being the focus and OpenSSL the most popular open source implementation. ATHENA is coming to an end this year, so in this blog post we highlight three research results from this successful NISEC project.


(Text: Nicola Tuveri)

libsuola is a project aiming at developing an OpenSSL engine, rigging cryptosystem implementations derived from NaCl into OpenSSL.

From a research perspective, the project is meant to demonstrate how the OpenSSL ENGINE API is

  • an ideal architecture to address wide-ranging security concerns;
  • a valuable tool for future research, easing testing and facilitating dissemination of novel results in real-world systems;
  • a means to bridge the gaps between research results and currently deployed systems.

For developers, users and distribution maintainers, it allows seamless integration of emerging cryptographic standards in existing versions of OpenSSL, without a need to recompile applications depending on the OpenSSL library.

Distributions and OpenSSL support lifetimes

libsuola also showcases a way to inject alternative implementations, at runtime, for existing cryptosystems, completely transparently to existing applications: e.g., it is possible to use the engine to replace X25519 and Ed25519 using a formally verified implementation from the HACL* project.

For researchers, libsuola demonstrates a methodology to overcome some factors that hinder them from achieving timely and widespread dissemination of their scientific results in real-world applications, as detailed in the associated manuscript.

Finally, it lays the groundwork for future applied research: for example, by automating the process of generating the OpenSSL ENGINE, we plan to apply the same methodology to the currently ongoing NIST post-quantum cryptosystem standardization competition, comparing candidates w.r.t. real-world performance in TLS cipher suites.

Cache-timing attack against OpenSSL

(Text: Cesar Pereida García)

As part of the ongoing process to strength security-critical software libraries providing confidentiality, encryption and authentication, such as OpenSSL; we performed cache-based side-channel analysis (SCA) on one of the most ubiquitous algorithms used for authentication, namely P-256 ECDSA. This cryptosystem is widely used on the Internet to provide authenticity and we disclosed and fixed a software flaw affecting this algorithm that allows to retrieve private keys. OpenSSL implementation of P-256 ECDSA was believed to be constant time, but we found it was vulnerable to a new cache-timing attack.

ECDSA illustrated

In our research we combine several cache attack techniques leading to better information leakage. Then we proposed a new approach to recover a variable amount of bits from the leaked algorithm state that ultimately allows full private key recovery. Moreover, we successfully retrieved private keys on and end-to-end scenario where TLS and SSH protocols utilize the OpenSSL library as the underline cryptography library.

The research resulted in CVE-2016-7056 and a conference publication presented in 2017 at the 26th USENIX Security Symposium in Vancouver, Canada. Watch the presentation!

Side-Channel Analysis of SM2

(Text: Sohaib ul Hassan)

This research focused on identifying and rectifying the security gaps in new cryptographic implementations by performing regression testing through side-channels. In particular, we evaluated SM2, which is a Chinese public key cryptography standard recently adopted by OpenSSL. The results highlighted various security vulnerabilities in the OpenSSL implementation.

For performing the analysis on the SM2 public key encryption, we applied a statistical testing methodology, Test Vector Leakage Assessment (TVLA) on EM side-channels. TVLA is a well-known technique to perform black-box testing of cryptographic implementations and can be adopted across a broad range of cryptosystems such as authenticated encryption. The resulting TVLA values above a carefully chosen threshold implies that there is a side-channel leak, which can be exploited to break the cryptographic implementations.

To mitigate the side-channel leak on SM2 encryption, we submitted several security patches to OpenSSL: 6009, 6066, 6501, and 6521. The TVLA results showed significant improvement after they were merged.

Failed TVLA test (top) vs passed TVLA test (bottom)

The manuscript has been accepted in the 34th Annual Computer Security Applications Conference, USA.

This entry was posted in Projects, Uncategorized and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *