Dataset Open Access

CVE-2019-1547: research data and tooling

Pereida García, Cesar; ul Hassan, Sohaib; Tuveri, Nicola; Gridin, Iaroslav; Aldaya, Alejandro Cabrera; Brumley, Billy Bob


DataCite XML Export

<?xml version='1.0' encoding='utf-8'?>
<resource xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://datacite.org/schema/kernel-4" xsi:schemaLocation="http://datacite.org/schema/kernel-4 http://schema.datacite.org/meta/kernel-4.1/metadata.xsd">
  <identifier identifierType="DOI">10.5281/zenodo.3878833</identifier>
  <creators>
    <creator>
      <creatorName>Pereida García, Cesar</creatorName>
      <givenName>Cesar</givenName>
      <familyName>Pereida García</familyName>
      <nameIdentifier nameIdentifierScheme="ORCID" schemeURI="http://orcid.org/">0000-0001-6812-8498</nameIdentifier>
      <affiliation>Tampere University</affiliation>
    </creator>
    <creator>
      <creatorName>ul Hassan, Sohaib</creatorName>
      <givenName>Sohaib</givenName>
      <familyName>ul Hassan</familyName>
      <affiliation>Tampere University</affiliation>
    </creator>
    <creator>
      <creatorName>Tuveri, Nicola</creatorName>
      <givenName>Nicola</givenName>
      <familyName>Tuveri</familyName>
      <nameIdentifier nameIdentifierScheme="ORCID" schemeURI="http://orcid.org/">0000-0001-5172-4568</nameIdentifier>
      <affiliation>Tampere University</affiliation>
    </creator>
    <creator>
      <creatorName>Gridin, Iaroslav</creatorName>
      <givenName>Iaroslav</givenName>
      <familyName>Gridin</familyName>
      <affiliation>Tampere University</affiliation>
    </creator>
    <creator>
      <creatorName>Aldaya, Alejandro Cabrera</creatorName>
      <givenName>Alejandro Cabrera</givenName>
      <familyName>Aldaya</familyName>
      <nameIdentifier nameIdentifierScheme="ORCID" schemeURI="http://orcid.org/">0000-0002-1544-6772</nameIdentifier>
      <affiliation>Tampere University</affiliation>
    </creator>
    <creator>
      <creatorName>Brumley, Billy Bob</creatorName>
      <givenName>Billy Bob</givenName>
      <familyName>Brumley</familyName>
      <nameIdentifier nameIdentifierScheme="ORCID" schemeURI="http://orcid.org/">0000-0001-9160-0463</nameIdentifier>
      <affiliation>Tampere University</affiliation>
    </creator>
  </creators>
  <titles>
    <title>CVE-2019-1547: research data and tooling</title>
  </titles>
  <publisher>Zenodo</publisher>
  <publicationYear>2020</publicationYear>
  <subjects>
    <subject>side-channel analysis</subject>
    <subject>ECDSA</subject>
    <subject>OpenSSL</subject>
    <subject>applied cryptography</subject>
    <subject>CVE-2019-1547</subject>
    <subject>timing attacks</subject>
  </subjects>
  <dates>
    <date dateType="Issued">2020-04-01</date>
  </dates>
  <language>en</language>
  <resourceType resourceTypeGeneral="Dataset"/>
  <alternateIdentifiers>
    <alternateIdentifier alternateIdentifierType="url">https://zenodo.org/record/3878833</alternateIdentifier>
  </alternateIdentifiers>
  <relatedIdentifiers>
    <relatedIdentifier relatedIdentifierType="arXiv" relationType="IsCitedBy" resourceTypeGeneral="ConferencePaper">arXiv:1909.01785</relatedIdentifier>
    <relatedIdentifier relatedIdentifierType="DOI" relationType="IsVersionOf">10.5281/zenodo.3736311</relatedIdentifier>
  </relatedIdentifiers>
  <rightsList>
    <rights rightsURI="https://opensource.org/licenses/MIT">MIT License</rights>
    <rights rightsURI="info:eu-repo/semantics/openAccess">Open Access</rights>
  </rightsList>
  <descriptions>
    <description descriptionType="Abstract">&lt;p&gt;This dataset and software tool are for reproducing the research results related to &lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2019-1547"&gt;CVE-2019-1547&lt;/a&gt;, resulting from the manuscript &lt;a href="https://arxiv.org/abs/1909.01785"&gt;&amp;quot;Certified Side Channels&amp;quot;&lt;/a&gt;. The data was used to produce Figure 4 &lt;a href="https://arxiv.org/abs/1909.01785"&gt;in the paper&lt;/a&gt; and is part of the remote timing attack data in Section 4.1.&lt;/p&gt;

&lt;p&gt;Data description&lt;/p&gt;

&lt;p&gt;The file &lt;code&gt;timings.json&lt;/code&gt; contains a single JSON array. Each entry is a dictionary representation of one digital signature. A description of the dictionary fields follows.&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;code&gt;hash_function&lt;/code&gt;: string denoting the hash function for the digital signature.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;hash&lt;/code&gt;: the output of said hash function, i.e. hash of the message digitally signed.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;order&lt;/code&gt;: the order of the generator.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;private_key&lt;/code&gt;: the ECDSA private key.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;public_key&lt;/code&gt;: the corresponding public key.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;sig_r&lt;/code&gt;: the &lt;code&gt;r&lt;/code&gt; component of the ECDSA signature.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;sig_s&lt;/code&gt;: the &lt;code&gt;s&lt;/code&gt; component of the ECDSA signature.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;sig_nonce&lt;/code&gt;: the ground truth nonce generated during ECDSA signing.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;nonce_bits&lt;/code&gt;: the ground truth number of bits in said nonce.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;latency&lt;/code&gt;: the measured wall-clock latency of producing the digital signature, expressed in CPU clock cycles. This is the side-channel observable that the analysis correlates with &lt;code&gt;nonce_bits&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;
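&lt;p&gt;Added example (Python 3; not part of the dataset's tooling or of OpenSSL): a checker that reads one entry in the format above and tests whether its fields are mutually consistent, i.e. that &lt;code&gt;public_key&lt;/code&gt; equals &lt;code&gt;private_key&lt;/code&gt; times the generator, that &lt;code&gt;nonce_bits&lt;/code&gt; is the bit length of &lt;code&gt;sig_nonce&lt;/code&gt;, that &lt;code&gt;sig_r&lt;/code&gt; is the x-coordinate of &lt;code&gt;sig_nonce&lt;/code&gt; times the generator reduced modulo &lt;code&gt;order&lt;/code&gt;, and that &lt;code&gt;sig_s&lt;/code&gt; satisfies s = k^-1 (e + r d) mod n. The P-256 constants are the explicit parameters that &lt;code&gt;openssl pkey -text&lt;/code&gt; prints further down the page, the embedded entry is the page's &lt;code&gt;2.json&lt;/code&gt;, and the curve arithmetic is a plain affine double-and-add written for this example.&lt;/p&gt;

```python
# Added example (not part of the dataset's tooling): check that one
# timings.json entry is internally consistent, using a plain-Python P-256
# implementation. The curve constants are the explicit parameters shown by
# `openssl pkey -text` on this page; SAMPLE is the page's 2.json entry.
import json

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def inv(x, m):
    # Fermat inverse; m is prime for both the field (P) and the group order (N)
    return pow(x % m, m - 2, m)


def ec_add(p1, p2):
    # Affine point addition on y^2 = x^3 + A*x + B over F_P; None is infinity
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, point):
    # Left-to-right double-and-add. Deliberately NOT constant time: its work
    # grows with the bit length of k, the same dependence that the latency
    # field records for the vulnerable OpenSSL wNAF path.
    acc = None
    for bit in bin(k)[2:]:
        acc = ec_add(acc, acc)
        if bit == "1":
            acc = ec_add(acc, point)
    return acc


def check_entry(entry):
    """Return a dict of named consistency checks for one signature entry."""
    d = int(entry["private_key"], 16)
    k = int(entry["sig_nonce"], 16)
    r = int(entry["sig_r"], 16)
    s = int(entry["sig_s"], 16)
    e = int(entry["hash"], 16)           # SHA-256 output, no truncation on P-256
    n = int(entry["order"], 16)
    pub = entry["public_key"][2:]        # strip the 0x prefix
    q = (int(pub[2:66], 16), int(pub[66:130], 16))   # uncompressed: 04 || X || Y
    kg = ec_mul(k, G)
    return {
        "order_is_p256": n == N,
        "pubkey_uncompressed": pub[:2] == "04" and len(pub) == 130,
        "pubkey_matches_priv": ec_mul(d, G) == q,
        "nonce_bits": entry["nonce_bits"] == k.bit_length(),
        "r_from_nonce": kg is not None and kg[0] % n == r,
        "s_equation": s == inv(k, n) * (e + r * d) % n,
    }


# Entry 2 from the page (the 2.json shown further down), embedded so this runs offline
SAMPLE = json.loads("""{
  "public_key": "0x04396d7ae480016df31f84f80439e320b0638e024014a5d8e14923eea76948afb25a321ccadabd8a4295a1e8823879b9b65369bd49d337086850b3c799c7352828",
  "private_key": "0x6b76cc816dce9a8ebc6ff190bcf0555310d1fb0824047f703f627f338bcf5435",
  "hash": "0xf36d0481e14869fc558b39ae4c747bc6c089a0271b23cfd92bc0b8aa7ed2c3aa",
  "latency": 21565213,
  "nonce_bits": 253,
  "sig_nonce": "0x1b88c7802ea000ccb21116575c38004579b55f1f9c4f81ed321896b1e1034237",
  "hash_function": "sha256",
  "sig_s": "0x8c83417891547224006723169de9745a81fa8de7176428e1cd8e6110408f45da",
  "sig_r": "0xf922d9ba4f65d207300cc7eaaa15564e60a2b1f208d1389057ff1a1ec52dc653",
  "order": "0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551"
}""")

if __name__ == "__main__":
    for name, ok in check_entry(SAMPLE).items():
        print(name, "ok" if ok else "FAIL")
```

&lt;p&gt;To sweep the whole dataset, iterate the JSON array and call &lt;code&gt;check_entry&lt;/code&gt; on each element. The double-and-add here is itself variable-time, which is harmless for offline verification but is exactly the property that the &lt;code&gt;latency&lt;/code&gt; column exposes in the signing code.&lt;/p&gt;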

&lt;p&gt;Prerequisites&lt;/p&gt;

&lt;p&gt;OpenSSL 1.1.1a, 1.1.1b, or 1.1.1c, i.e. a release still affected by CVE-2019-1547 (the fix shipped in OpenSSL 1.1.1d). The helper scripts target Python 2.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;sudo apt install python-ijson jq&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Data setup&lt;/p&gt;

&lt;p&gt;Extract the JSON:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;tar xf timings.tar.xz&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Key setup&lt;/p&gt;

&lt;p&gt;Generate the public key (&lt;code&gt;public.pem&lt;/code&gt; here) from the provided private key (&lt;code&gt;private.pem&lt;/code&gt; here):&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ openssl pkey -in private.pem -pubout -out public.pem&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Examine the keys if you want.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ openssl pkey -in private.pem -text -noout
$ openssl pkey -in public.pem -text -noout -pubin&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Example: Verify key material&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ grep --max-count=1 'private_key' timings.json
  "private_key":"0x6b76cc816dce9a8ebc6ff190bcf0555310d1fb0824047f703f627f338bcf5435",
$ grep --max-count=1 'public_key' timings.json
  "public_key":"0x04396d7ae480016df31f84f80439e320b0638e024014a5d8e14923eea76948afb25a321ccadabd8a4295a1e8823879b9b65369bd49d337086850b3c799c7352828",
$ openssl pkey -in private.pem -text -noout
Private-Key: (256 bit)
priv:
    6b:76:cc:81:6d:ce:9a:8e:bc:6f:f1:90:bc:f0:55:
    53:10:d1:fb:08:24:04:7f:70:3f:62:7f:33:8b:cf:
    54:35
pub:
    04:39:6d:7a:e4:80:01:6d:f3:1f:84:f8:04:39:e3:
    20:b0:63:8e:02:40:14:a5:d8:e1:49:23:ee:a7:69:
    48:af:b2:5a:32:1c:ca:da:bd:8a:42:95:a1:e8:82:
    38:79:b9:b6:53:69:bd:49:d3:37:08:68:50:b3:c7:
    99:c7:35:28:28
Field Type: prime-field
Prime:
    00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
    00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff
A:   
    00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
    00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:fc
B:   
    5a:c6:35:d8:aa:3a:93:e7:b3:eb:bd:55:76:98:86:
    bc:65:1d:06:b0:cc:53:b0:f6:3b:ce:3c:3e:27:d2:
    60:4b
Generator (uncompressed):
    04:6b:17:d1:f2:e1:2c:42:47:f8:bc:e6:e5:63:a4:
    40:f2:77:03:7d:81:2d:eb:33:a0:f4:a1:39:45:d8:
    98:c2:96:4f:e3:42:e2:fe:1a:7f:9b:8e:e7:eb:4a:
    7c:0f:9e:16:2b:ce:33:57:6b:31:5e:ce:cb:b6:40:
    68:37:bf:51:f5
Order: 
    00:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:ff:
    ff:ff:bc:e6:fa:ad:a7:17:9e:84:f3:b9:ca:c2:fc:
    63:25:51
Cofactor:  0
Seed:
    c4:9d:36:08:86:e7:04:93:6a:66:78:e1:13:9d:26:
    b7:81:9f:7e:90&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Three things to note in the output:&lt;/p&gt;

&lt;ol&gt;
	&lt;li&gt;The private key bytes match (&lt;code&gt;private_key&lt;/code&gt; and &lt;code&gt;priv&lt;/code&gt; byte strings are equal)&lt;/li&gt;
	&lt;li&gt;The public key bytes match (&lt;code&gt;public_key&lt;/code&gt; and &lt;code&gt;pub&lt;/code&gt; byte strings are equal)&lt;/li&gt;
	&lt;li&gt;This is an explicit-parameters key whose &lt;code&gt;Cofactor&lt;/code&gt; is absent from the encoded parameters, so OpenSSL reads it as zero (printed as &lt;code&gt;0&lt;/code&gt; above), as described in the manuscript. This is the CVE-2019-1547 condition: OpenSSL 1.1.1 only enters its constant-time Montgomery ladder in &lt;code&gt;ec_wNAF_mul&lt;/code&gt; when both the order and the cofactor are nonzero, so a zero cofactor sends the secret scalar multiplication in ECDSA signing down the variable-time wNAF path, whose running time depends on the bit length of the nonce. OpenSSL 1.1.1d fixes this by computing the cofactor when it is missing.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Example: Extract a single entry&lt;/p&gt;

&lt;p&gt;Here we use the Python script &lt;code&gt;pickone.py&lt;/code&gt; to extract the entry at index 2 (counting from 0).&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ python2 pickone.py timings.json 2 | jq . &amp;gt; 2.json
$ cat 2.json 
{
  "public_key": "0x04396d7ae480016df31f84f80439e320b0638e024014a5d8e14923eea76948afb25a321ccadabd8a4295a1e8823879b9b65369bd49d337086850b3c799c7352828",
  "private_key": "0x6b76cc816dce9a8ebc6ff190bcf0555310d1fb0824047f703f627f338bcf5435",
  "hash": "0xf36d0481e14869fc558b39ae4c747bc6c089a0271b23cfd92bc0b8aa7ed2c3aa",
  "latency": 21565213,
  "nonce_bits": 253,
  "sig_nonce": "0x1b88c7802ea000ccb21116575c38004579b55f1f9c4f81ed321896b1e1034237",
  "hash_function": "sha256",
  "sig_s": "0x8c83417891547224006723169de9745a81fa8de7176428e1cd8e6110408f45da",
  "sig_r": "0xf922d9ba4f65d207300cc7eaaa15564e60a2b1f208d1389057ff1a1ec52dc653",
  "order": "0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551"
}&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Example: Dump hash to binary file&lt;/p&gt;

&lt;p&gt;Extract the &lt;code&gt;hash&lt;/code&gt; field from the target JSON and dump it as binary.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ sed -n 's/^  "hash": "0x\(.*\)",$/\1/p' 2.json | xxd -r -p &amp;gt; 2.hash
$ xxd -g1 2.hash
00000000: f3 6d 04 81 e1 48 69 fc 55 8b 39 ae 4c 74 7b c6  .m...Hi.U.9.Lt{.
00000010: c0 89 a0 27 1b 23 cf d9 2b c0 b8 aa 7e d2 c3 aa  ...'.#..+...~...&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Note the &lt;code&gt;xxd&lt;/code&gt; output matches the &lt;code&gt;hash&lt;/code&gt; byte string from the target JSON.&lt;/p&gt;

&lt;p&gt;Example: Dump signature to DER&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;hex2der.sh&lt;/code&gt; script takes as an argument the target JSON filename, and outputs the DER-encoded ECDSA signature to stdout by extracting the &lt;code&gt;sig_r&lt;/code&gt; and &lt;code&gt;sig_s&lt;/code&gt; fields from the target JSON.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ ./hex2der.sh 2.json &amp;gt; 2.der
$ openssl asn1parse -in 2.der -inform DER
    0:d=0  hl=2 l=  70 cons: SEQUENCE          
    2:d=1  hl=2 l=  33 prim: INTEGER           :F922D9BA4F65D207300CC7EAAA15564E60A2B1F208D1389057FF1A1EC52DC653
   37:d=1  hl=2 l=  33 prim: INTEGER           :8C83417891547224006723169DE9745A81FA8DE7176428E1CD8E6110408F45DA&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Note the &lt;code&gt;asn1parse&lt;/code&gt; output contains a sequence with two integers, matching the &lt;code&gt;sig_r&lt;/code&gt; and &lt;code&gt;sig_s&lt;/code&gt; fields from the target JSON.&lt;/p&gt;
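&lt;p&gt;Added example (Python 3; not the &lt;code&gt;hex2der.sh&lt;/code&gt; script): a DER encoder and strict parser for the ECDSA signature structure SEQUENCE { INTEGER r, INTEGER s }. It reproduces the layout &lt;code&gt;asn1parse&lt;/code&gt; shows above, in particular why both 32-byte values become 33-byte INTEGERs (their top bit is set, so a 0x00 byte is prepended to keep the two's-complement value positive), and it rejects the negative and non-minimal encodings that a lenient parser would accept. The &lt;code&gt;R&lt;/code&gt; and &lt;code&gt;S&lt;/code&gt; constants are the page's &lt;code&gt;sig_r&lt;/code&gt; and &lt;code&gt;sig_s&lt;/code&gt;.&lt;/p&gt;

```python
# Added example (not part of hex2der.sh): DER-encode an ECDSA (r, s) pair as
# SEQUENCE { INTEGER r, INTEGER s } and parse it back strictly.


def der_length(n):
    # Short-form length only (under 128 bytes), which covers any ECDSA signature
    if n // 128 != 0:
        raise ValueError("long-form lengths not needed here")
    return bytes([n])


def der_integer(value):
    # Minimal big-endian encoding of a non-negative INTEGER
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] // 0x80 == 1:
        body = b"\x00" + body            # top bit set: prefix 0x00 to keep it positive
    return b"\x02" + der_length(len(body)) + body


def encode_ecdsa_sig(r, s):
    body = der_integer(r) + der_integer(s)
    return b"\x30" + der_length(len(body)) + body


def decode_ecdsa_sig(der):
    """Strict parser: returns (r, s) or raises ValueError on malformed input."""
    if len(der[:2]) != 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form SEQUENCE covering the whole input")
    pos, ints = 2, []
    while pos != len(der):
        if len(der[pos:pos + 2]) != 2 or der[pos] != 0x02:
            raise ValueError("expected an INTEGER header")
        length = der[pos + 1]
        body = der[pos + 2:pos + 2 + length]
        if len(body) != length or length == 0:
            raise ValueError("truncated INTEGER")
        if body[0] // 0x80 == 1:
            raise ValueError("negative INTEGER")
        if length != 1 and body[0] == 0 and body[1] // 0x80 == 0:
            raise ValueError("non-minimal INTEGER (redundant leading zero)")
        ints.append(int.from_bytes(body, "big"))
        pos = pos + 2 + length
    if len(ints) != 2:
        raise ValueError("expected exactly two INTEGERs")
    return ints[0], ints[1]


def is_valid_ecdsa_der(der):
    """True if decode_ecdsa_sig accepts the bytes, False otherwise."""
    try:
        decode_ecdsa_sig(der)
        return True
    except ValueError:
        return False


# sig_r / sig_s from the page's 2.json
R = 0xf922d9ba4f65d207300cc7eaaa15564e60a2b1f208d1389057ff1a1ec52dc653
S = 0x8c83417891547224006723169de9745a81fa8de7176428e1cd8e6110408f45da

if __name__ == "__main__":
    der = encode_ecdsa_sig(R, S)
    print(len(der), "bytes:", der.hex())
    print(decode_ecdsa_sig(der) == (R, S))
```

&lt;p&gt;The encoder's output for the page's values is 72 bytes: a 2-byte SEQUENCE header, then two INTEGERs of 2 + 33 bytes each, which is the &lt;code&gt;hl=2 l=70&lt;/code&gt; and &lt;code&gt;l=33&lt;/code&gt; layout in the &lt;code&gt;asn1parse&lt;/code&gt; output above.&lt;/p&gt;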

&lt;p&gt;Example: Verify the signature&lt;/p&gt;

&lt;p&gt;We use &lt;code&gt;pkeyutl&lt;/code&gt; here to verify the raw hash directly, in contrast to &lt;code&gt;dgst&lt;/code&gt;, which only verifies by recomputing the hash from the message itself.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ openssl pkeyutl -in 2.hash -inkey public.pem -pubin -verify -sigfile 2.der
Signature Verified Successfully&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Note it fails for other hashes (messages), a fundamental security property for digital signatures:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ dd if=/dev/urandom of=bad.hash bs=1 count=32
32+0 records in
32+0 records out
32 bytes copied, 0.00129336 s, 24.7 kB/s
$ openssl pkeyutl -in bad.hash -inkey public.pem -pubin -verify -sigfile 2.der
Signature Verification Failure&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Example: Statistics&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;stats.py&lt;/code&gt; script shows how to extract the desired fields from the JSON. It computes the median latency for each nonce bit length.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ python2 stats.py timings.json
Len Median
238 20592060
239 20251286
240 20706144
241 20658896
242 20820100
243 20762304
244 20907332
245 20973536
246 20972244
247 21057788
248 21115419
249 21157888
250 21210560
251 21266378
252 21322146
253 21370608
254 21425454
255 21479105
256 21532532&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;You can verify these medians are consistent with Figure 4 in the paper.&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;stats.py&lt;/code&gt; script can be easily modified for more advanced analysis.&lt;/p&gt;
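&lt;p&gt;Added example (Python 3; not &lt;code&gt;stats.py&lt;/code&gt; itself): the same per-length median, plus the selection step a timing attacker performs on data like this, keeping only the fastest fraction of signatures and tallying which nonce lengths survive. The entries are constructed and idealised (far less spread than the real &lt;code&gt;timings.json&lt;/code&gt;); the field names are those of the dataset.&lt;/p&gt;

```python
# Added example (not stats.py): per-nonce-length median latency, and the
# attacker's selection step of keeping the fastest signatures.
import json
from collections import Counter
from statistics import median


def load_entries(path):
    """Load the dataset's JSON array; for the full file, python-ijson streams it instead."""
    with open(path) as f:
        return json.load(f)


def median_by_len(entries):
    """Map nonce_bits to the median latency of the entries with that length."""
    by_len = {}
    for e in entries:
        by_len.setdefault(e["nonce_bits"], []).append(e["latency"])
    return {bits: median(lat) for bits, lat in sorted(by_len.items())}


def fastest(entries, fraction):
    """The lowest-latency entries: an attacker's candidates for short nonces."""
    keep = max(1, round(len(entries) * fraction))
    return sorted(entries, key=lambda e: e["latency"])[:keep]


def nonce_length_histogram(entries):
    """How many entries have each nonce bit length."""
    return Counter(e["nonce_bits"] for e in entries)


# Constructed, idealised sample with only the two fields the analysis needs
SAMPLE = [
    {"nonce_bits": 256, "latency": 21530000},
    {"nonce_bits": 256, "latency": 21540000},
    {"nonce_bits": 256, "latency": 21520000},
    {"nonce_bits": 255, "latency": 21480000},
    {"nonce_bits": 255, "latency": 21470000},
    {"nonce_bits": 255, "latency": 21490000},
    {"nonce_bits": 253, "latency": 21370000},
    {"nonce_bits": 253, "latency": 21360000},
    {"nonce_bits": 253, "latency": 21380000},
    {"nonce_bits": 250, "latency": 21210000},
    {"nonce_bits": 250, "latency": 21200000},
    {"nonce_bits": 250, "latency": 21220000},
]

if __name__ == "__main__":
    print("Len Median")
    for bits, med in median_by_len(SAMPLE).items():
        print(bits, int(med))
    print("nonce lengths among the fastest quarter:",
          dict(nonce_length_histogram(fastest(SAMPLE, 0.25))))
```

&lt;p&gt;On the real data, replace &lt;code&gt;SAMPLE&lt;/code&gt; with &lt;code&gt;load_entries("timings.json")&lt;/code&gt; and lower &lt;code&gt;fraction&lt;/code&gt; until the histogram of the surviving entries is dominated by short nonces; the medians in the table above show why the fastest signatures are enriched for them.&lt;/p&gt;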

&lt;p&gt;Credits&lt;/p&gt;

&lt;p&gt;Authors&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Cesar Pereida Garc&amp;iacute;a (Tampere University, Tampere, Finland)&lt;/li&gt;
	&lt;li&gt;Sohaib ul Hassan (Tampere University, Tampere, Finland)&lt;/li&gt;
	&lt;li&gt;Iaroslav Gridin (Tampere University, Tampere, Finland)&lt;/li&gt;
	&lt;li&gt;Nicola Tuveri (Tampere University, Tampere, Finland)&lt;/li&gt;
	&lt;li&gt;Alejandro Cabrera Aldaya (Tampere University, Tampere, Finland)&lt;/li&gt;
	&lt;li&gt;Billy Bob Brumley (Tampere University, Tampere, Finland)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Funding&lt;/p&gt;

&lt;p&gt;This project has received funding from the European Research Council (ERC) under the European Union&amp;rsquo;s Horizon 2020 research and innovation programme (grant agreement No 804476).&lt;/p&gt;

&lt;p&gt;License&lt;/p&gt;

&lt;p&gt;This project is distributed under MIT license.&lt;/p&gt;</description>
  </descriptions>
  <fundingReferences>
    <fundingReference>
      <funderName>European Commission</funderName>
      <funderIdentifier funderIdentifierType="Crossref Funder ID">10.13039/501100000780</funderIdentifier>
      <awardNumber awardURI="info:eu-repo/grantAgreement/EC/H2020/804476/">804476</awardNumber>
      <awardTitle>Side-Channel Aware Engineering</awardTitle>
    </fundingReference>
  </fundingReferences>
</resource>