Dataset Open Access

CVE-2019-1547: research data and tooling

Pereida García, Cesar; ul Hassan, Sohaib; Tuveri, Nicola; Gridin, Iaroslav; Aldaya, Alejandro Cabrera; Brumley, Billy Bob


JSON-LD (schema.org) Export

{
  "inLanguage": {
    "alternateName": "eng", 
    "@type": "Language", 
    "name": "English"
  }, 
  "description": "<p>This dataset and software tool are for reproducing the research results related to <a href=\"https://nvd.nist.gov/vuln/detail/CVE-2019-1547\">CVE-2019-1547</a>, resulting from the manuscript <a href=\"https://arxiv.org/abs/1909.01785\">&quot;Certified Side Channels&quot;</a>. The data was used to produce Figure 4 <a href=\"https://arxiv.org/abs/1909.01785\">in the paper</a> and is part of the remote timing attack data in Section 4.1.</p>\n\n<p>Data description</p>\n\n<p>The file <code>timings.json</code> contains a single JSON array. Each entry is a dictionary representation of one digital signature. A description of the dictionary fields follows.</p>\n\n<ul>\n\t<li><code>hash_function</code>: string denoting the hash function for the digital signature.</li>\n\t<li><code>hash</code>: the output of said hash function, i.e. hash of the message digitally signed.</li>\n\t<li><code>order</code>: the order of the generator.</li>\n\t<li><code>private_key</code>: the ECDSA private key.</li>\n\t<li><code>public_key</code>: the corresponding public key.</li>\n\t<li><code>sig_r</code>: the <code>r</code> component of the ECDSA signature.</li>\n\t<li><code>sig_s</code>: the <code>s</code> component of the ECDSA signature.</li>\n\t<li><code>sig_nonce</code>: the ground truth nonce generated during ECDSA signing.</li>\n\t<li><code>nonce_bits</code>: the ground truth number of bits in said nonce.</li>\n\t<li><code>latency</code>: the measured wall clock time (CPU clock cycles) to produce the digital signature.</li>\n</ul>\n\n<p>Prerequisites</p>\n\n<p>OpenSSL 1.1.1a, 1.1.1b, or 1.1.1.c.</p>\n\n<pre><code>sudo apt install python-ijson jq</code></pre>\n\n<p>Data setup</p>\n\n<p>Extract the JSON:</p>\n\n<pre><code>tar xf timings.tar.xz</code></pre>\n\n<p>Key setup</p>\n\n<p>Generate the public key (<code>public.pem</code> here) from the provided private key (<code>private.pem</code> here):</p>\n\n<pre><code>$ openssl pkey -in private.pem -pubout -out 
public.pem</code></pre>\n\n<p>Examine the keys if you want.</p>\n\n<pre><code>$ openssl pkey -in private.pem -text -noout\n$ openssl pkey -in public.pem -text -noout -pubin</code></pre>\n\n<p>Example: Verify key material</p>\n\n<pre><code>$ grep --max-count=1 'private_key' timings.json\n  \"private_key\":\"0x6b76cc816dce9a8ebc6ff190bcf0555310d1fb0824047f703f627f338bcf5435\",\n$ grep --max-count=1 'public_key' timings.json\n  \"public_key\":\"0x04396d7ae480016df31f84f80439e320b0638e024014a5d8e14923eea76948afb25a321ccadabd8a4295a1e8823879b9b65369bd49d337086850b3c799c7352828\",\n$ openssl pkey -in private.pem -text -noout\nPrivate-Key: (256 bit)\npriv:\n    6b:76:cc:81:6d:ce:9a:8e:bc:6f:f1:90:bc:f0:55:\n    53:10:d1:fb:08:24:04:7f:70:3f:62:7f:33:8b:cf:\n    54:35\npub:\n    04:39:6d:7a:e4:80:01:6d:f3:1f:84:f8:04:39:e3:\n    20:b0:63:8e:02:40:14:a5:d8:e1:49:23:ee:a7:69:\n    48:af:b2:5a:32:1c:ca:da:bd:8a:42:95:a1:e8:82:\n    38:79:b9:b6:53:69:bd:49:d3:37:08:68:50:b3:c7:\n    99:c7:35:28:28\nField Type: prime-field\nPrime:\n    00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:\n    00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:\n    ff:ff:ff\nA:   \n    00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:\n    00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:\n    ff:ff:fc\nB:   \n    5a:c6:35:d8:aa:3a:93:e7:b3:eb:bd:55:76:98:86:\n    bc:65:1d:06:b0:cc:53:b0:f6:3b:ce:3c:3e:27:d2:\n    60:4b\nGenerator (uncompressed):\n    04:6b:17:d1:f2:e1:2c:42:47:f8:bc:e6:e5:63:a4:\n    40:f2:77:03:7d:81:2d:eb:33:a0:f4:a1:39:45:d8:\n    98:c2:96:4f:e3:42:e2:fe:1a:7f:9b:8e:e7:eb:4a:\n    7c:0f:9e:16:2b:ce:33:57:6b:31:5e:ce:cb:b6:40:\n    68:37:bf:51:f5\nOrder: \n    00:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:ff:\n    ff:ff:bc:e6:fa:ad:a7:17:9e:84:f3:b9:ca:c2:fc:\n    63:25:51\nCofactor:  0\nSeed:\n    c4:9d:36:08:86:e7:04:93:6a:66:78:e1:13:9d:26:\n    b7:81:9f:7e:90</code></pre>\n\n<p>Three things to note in the output:</p>\n\n<ol>\n\t<li>The private key bytes match (<code>private_key</code> and 
<code>priv</code> byte strings are equal)</li>\n\t<li>The public key bytes match (<code>public_key</code> and <code>pub</code> byte strings are equal)</li>\n\t<li>This is an explicit parameters key, with the <code>Cofactor</code> parameter missing or zero, as described in the manuscript.</li>\n</ol>\n\n<p>Example: Extract a single entry</p>\n\n<p>Here we use the python script <code>pickone.py</code> to extract the entry at index 2 (starting from 0).</p>\n\n<pre><code>$ python2 pickone.py timings.json 2 | jq . &gt; 2.json\n$ cat 2.json \n{\n  \"public_key\": \"0x04396d7ae480016df31f84f80439e320b0638e024014a5d8e14923eea76948afb25a321ccadabd8a4295a1e8823879b9b65369bd49d337086850b3c799c7352828\",\n  \"private_key\": \"0x6b76cc816dce9a8ebc6ff190bcf0555310d1fb0824047f703f627f338bcf5435\",\n  \"hash\": \"0xf36d0481e14869fc558b39ae4c747bc6c089a0271b23cfd92bc0b8aa7ed2c3aa\",\n  \"latency\": 21565213,\n  \"nonce_bits\": 253,\n  \"sig_nonce\": \"0x1b88c7802ea000ccb21116575c38004579b55f1f9c4f81ed321896b1e1034237\",\n  \"hash_function\": \"sha256\",\n  \"sig_s\": \"0x8c83417891547224006723169de9745a81fa8de7176428e1cd8e6110408f45da\",\n  \"sig_r\": \"0xf922d9ba4f65d207300cc7eaaa15564e60a2b1f208d1389057ff1a1ec52dc653\",\n  \"order\": \"0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551\"\n}</code></pre>\n\n<p>Example: Dump hash to binary file</p>\n\n<p>Extract the <code>hash</code> field from the target JSON and dump it as binary.</p>\n\n<pre><code>$ sed -n 's/^  \"hash\": \"0x\\(.*\\)\",$/\\1/p' 2.json | xxd -r -p &gt; 2.hash\n$ xxd -g1 2.hash\n00000000: f3 6d 04 81 e1 48 69 fc 55 8b 39 ae 4c 74 7b c6  .m...Hi.U.9.Lt{.\n00000010: c0 89 a0 27 1b 23 cf d9 2b c0 b8 aa 7e d2 c3 aa  ...'.#..+...~...</code></pre>\n\n<p>Note the <code>xxd</code> output matches the <code>hash</code> byte string from the target JSON.</p>\n\n<p>Example: Dump signature to DER</p>\n\n<p>The <code>hex2der.sh</code> script takes as an argument the target JSON filename, and outputs the 
DER-encoded ECDSA signature to stdout by extracting the <code>sig_r</code> and <code>sig_s</code> fields from the target JSON.</p>\n\n<pre><code>$ ./hex2der.sh 2.json &gt; 2.der\n$ openssl asn1parse -in 2.der -inform DER\n    0:d=0  hl=2 l=  70 cons: SEQUENCE          \n    2:d=1  hl=2 l=  33 prim: INTEGER           :F922D9BA4F65D207300CC7EAAA15564E60A2B1F208D1389057FF1A1EC52DC653\n   37:d=1  hl=2 l=  33 prim: INTEGER           :8C83417891547224006723169DE9745A81FA8DE7176428E1CD8E6110408F45DA</code></pre>\n\n<p>Note the <code>asn1parse</code> output contains a sequence with two integers, matching the <code>sig_r</code> and <code>sig_s</code> fields from the target JSON.</p>\n\n<p>Example: Verify the signature</p>\n\n<p>We use <code>pkeyutl</code> here to verify the raw hash directly, in contrast to <code>dgst</code> that will only verify by recomputing the hash itself.</p>\n\n<pre><code>$ openssl pkeyutl -in 2.hash -inkey public.pem -pubin -verify -sigfile 2.der\nSignature Verified Successfully</code></pre>\n\n<p>Note it fails for other hashes (messages), a fundamental security property for digital signatures:</p>\n\n<pre><code>$ dd if=/dev/urandom of=bad.hash bs=1 count=32\n32+0 records in\n32+0 records out\n32 bytes copied, 0.00129336 s, 24.7 kB/s\n$ openssl pkeyutl -in bad.hash -inkey public.pem -pubin -verify -sigfile 2.der\nSignature Verification Failure</code></pre>\n\n<p>Example: Statistics</p>\n\n<p>The <code>stats.py</code> script shows how to extract the desired fields from the JSON. 
It computes the median latency over each nonce bit length.</p>\n\n<pre><code>$ python2 stats.py timings.json\nLen Median\n238 20592060\n239 20251286\n240 20706144\n241 20658896\n242 20820100\n243 20762304\n244 20907332\n245 20973536\n246 20972244\n247 21057788\n248 21115419\n249 21157888\n250 21210560\n251 21266378\n252 21322146\n253 21370608\n254 21425454\n255 21479105\n256 21532532</code></pre>\n\n<p>You can verify these medians are consistent with Figure 4 in the paper.</p>\n\n<p>The <code>stats.py</code> script can be easily modified for more advanced analysis.</p>\n\n<p>Credits</p>\n\n<p>Authors</p>\n\n<ul>\n\t<li>Cesar Pereida Garc&iacute;a (Tampere University, Tampere, Finland)</li>\n\t<li>Sohaib ul Hassan (Tampere University, Tampere, Finland)</li>\n\t<li>Iaroslav Gridin (Tampere University, Tampere, Finland)</li>\n\t<li>Nicola Tuveri (Tampere University, Tampere, Finland)</li>\n\t<li>Alejandro Cabrera Aldaya (Tampere University, Tampere, Finland)</li>\n\t<li>Billy Bob Brumley (Tampere University, Tampere, Finland)</li>\n</ul>\n\n<p>Funding</p>\n\n<p>This project has received funding from the European Research Council (ERC) under the European Union&rsquo;s Horizon 2020 research and innovation programme (grant agreement No 804476).</p>\n\n<p>License</p>\n\n<p>This project is distributed under MIT license.</p>", 
  "license": "https://opensource.org/licenses/MIT", 
  "creator": [
    {
      "affiliation": "Tampere University", 
      "@id": "https://orcid.org/0000-0001-6812-8498", 
      "@type": "Person", 
      "name": "Pereida Garc\u00eda, Cesar"
    }, 
    {
      "affiliation": "Tampere University", 
      "@type": "Person", 
      "name": "ul Hassan, Sohaib"
    }, 
    {
      "affiliation": "Tampere University", 
      "@id": "https://orcid.org/0000-0001-5172-4568", 
      "@type": "Person", 
      "name": "Tuveri, Nicola"
    }, 
    {
      "affiliation": "Tampere University", 
      "@type": "Person", 
      "name": "Gridin, Iaroslav"
    }, 
    {
      "affiliation": "Tampere University", 
      "@id": "https://orcid.org/0000-0002-1544-6772", 
      "@type": "Person", 
      "name": "Aldaya, Alejandro Cabrera"
    }, 
    {
      "affiliation": "Tampere University", 
      "@id": "https://orcid.org/0000-0001-9160-0463", 
      "@type": "Person", 
      "name": "Brumley, Billy Bob"
    }
  ], 
  "url": "https://zenodo.org/record/3878833", 
  "datePublished": "2020-04-01", 
  "@type": "Dataset", 
  "keywords": [
    "side-channel analysis", 
    "ECDSA", 
    "OpenSSL", 
    "applied cryptography", 
    "CVE-2019-1547", 
    "timing attacks"
  ], 
  "@context": "https://schema.org/", 
  "distribution": [
    {
      "contentUrl": "https://zenodo.org/api/files/b11b72f2-2c33-491f-92d4-93c4987bf404/hex2der.sh", 
      "encodingFormat": "sh", 
      "@type": "DataDownload"
    }, 
    {
      "contentUrl": "https://zenodo.org/api/files/b11b72f2-2c33-491f-92d4-93c4987bf404/LICENSE", 
      "encodingFormat": "", 
      "@type": "DataDownload"
    }, 
    {
      "contentUrl": "https://zenodo.org/api/files/b11b72f2-2c33-491f-92d4-93c4987bf404/pickone.py", 
      "encodingFormat": "py", 
      "@type": "DataDownload"
    }, 
    {
      "contentUrl": "https://zenodo.org/api/files/b11b72f2-2c33-491f-92d4-93c4987bf404/private.pem", 
      "encodingFormat": "pem", 
      "@type": "DataDownload"
    }, 
    {
      "contentUrl": "https://zenodo.org/api/files/b11b72f2-2c33-491f-92d4-93c4987bf404/README.md", 
      "encodingFormat": "md", 
      "@type": "DataDownload"
    }, 
    {
      "contentUrl": "https://zenodo.org/api/files/b11b72f2-2c33-491f-92d4-93c4987bf404/stats.py", 
      "encodingFormat": "py", 
      "@type": "DataDownload"
    }, 
    {
      "contentUrl": "https://zenodo.org/api/files/b11b72f2-2c33-491f-92d4-93c4987bf404/timings.tar.xz", 
      "encodingFormat": "xz", 
      "@type": "DataDownload"
    }
  ], 
  "identifier": "https://doi.org/10.5281/zenodo.3878833", 
  "@id": "https://doi.org/10.5281/zenodo.3878833", 
  "workFeatured": {
    "url": "https://www.usenix.org/conference/usenixsecurity20", 
    "location": "Boston, MA, USA", 
    "@type": "Event", 
    "name": "USENIX Security Symposium"
  }, 
  "name": "CVE-2019-1547: research data and tooling"
}