This dataset and software tools are for reproducing the research results related to CVE-2020-12399, resulting from the manuscript "Déjà vu: Side-channel analysis of Mozilla's NSS", to appear at ACM CCS 2020.
\n\nData description
\n\nThe file remote_timings.json contains a single JSON array. Each entry is a dictionary representation of one digital signature. A description of the dictionary fields follows.
p: prime (DSA parameter).q: generator order (DSA parameter).g: generator (DSA parameter).x: the DSA private key.y: the corresponding public key.r: first component of the DSA signature.s: second component of the DSA signature.k: the ground truth nonce generated during DSA signing.k_len: the ground truth number of bits in said nonce.msg: message digitally signed.h: SHA-256 hash of said message. (Truncated to the same bitlen as q.)id: ignored.latency: the measured wall clock time (CPU clock cycles) to produce the digital signature.Prerequisites
\n\nsudo apt install openssl python3-ijson xxd jqData setup
\n\nExtract the JSON:
\n\ntar xf remote_timings_rpi.tar.gzKey setup
\n\nGenerate the public key (public.pem here) from the provided private key (private.pem here):
$ openssl pkey -in private.pem -pubout -out public.pemExamine the keys if you want.
\n\n$ openssl pkey -in private.pem -text -noout\n$ openssl pkey -in public.pem -text -noout -pubinExample: Verify key material
\n\n$ openssl pkey -in private.pem -text -noout\nPrivate-Key: (2048 bit)\npriv:\n 1f:87:68:eb:57:e1:f4:f1:29:a6:c8:ca:03:c8:db:\n 49:1d:8e:2b:81:bd:72:92:64:0c:1c:d6:6d\npub: \n 00:9d:fa:bc:47:00:cb:11:fa:51:45:c1:bd:b1:88:\n 2d:dd:a2:79:5b:c3:43:0a:af:bb:83:e2:d5:84:d1:\n 07:01:ab:f9:ae:76:2d:dd:f2:a5:75:f5:3e:94:4d:\n 3b:c6:f6:ce:17:c6:60:09:5b:49:3d:cb:a0:db:ec:\n 29:91:85:8b:c3:f5:6c:6a:3c:01:87:12:85:ae:fc:\n 9e:bf:67:81:1b:1d:b1:9d:12:bd:79:8c:54:08:48:\n 11:13:6d:ab:b0:16:ef:11:4a:27:a7:0a:80:b3:db:\n 72:c1:cc:1e:e8:4a:39:b7:00:ca:97:b7:3a:6e:e9:\n 25:22:2e:5c:57:ee:62:be:23:d0:5e:53:a3:9f:05:\n d4:7d:7f:b5:b6:cb:4b:27:90:14:79:72:a5:43:97:\n c6:6a:7d:f7:32:b3:67:58:90:fc:c3:65:34:57:89:\n 1b:43:28:68:43:24:12:5e:f1:43:76:3c:e9:bc:9c:\n 5d:7d:ae:d6:3a:31:32:ca:df:a4:07:88:a2:55:6e:\n a4:8c:da:13:c8:30:b7:2a:1c:23:0f:32:da:9e:7f:\n e1:f7:3d:2d:1c:58:f5:1d:f2:7d:fb:67:45:8d:dd:\n 84:eb:83:c4:b0:00:a6:c2:09:b0:48:48:f9:4e:a8:\n d7:ab:e1:c6:e8:bf:5c:fa:e3:f2:cd:c6:f1:e7:f2:\n 2c:90\nP:\n 00:e5:4e:f4:32:f8:4a:ec:28:3c:dd:32:a8:05:e3:\n 5a:fa:a5:81:47:98:d9:a7:94:ba:34:b0:f9:7b:20:\n c5:fb:52:12:3e:82:d7:6e:6f:f5:50:be:5e:9f:df:\n 82:9b:4e:0c:9d:a2:9f:3f:0a:f3:72:c2:55:7c:46:\n 6e:fe:48:00:88:b6:4e:4f:9b:19:8c:98:3b:71:42:\n 56:d2:b4:1c:47:69:6e:fc:f0:e6:26:04:0e:e2:63:\n ed:06:0f:fb:a8:a9:94:73:e1:41:e0:6b:5a:b4:d9:\n 86:cd:7b:46:d3:39:ba:18:13:da:f2:3a:7b:dc:41:\n 21:83:e8:0d:25:13:31:90:5d:bd:82:41:9b:ea:6b:\n 8a:ba:8a:48:b1:1d:d2:3d:5e:c4:1b:29:5e:7f:b6:\n 56:1b:e6:91:65:ec:84:82:c2:f6:a1:b0:14:1b:0b:\n 08:d8:2b:2a:06:17:d7:2a:9b:c3:aa:fb:28:26:14:\n 3f:5d:0a:48:1a:48:45:c0:fd:ea:ec:90:6c:ec:93:\n c8:af:a3:31:4b:3a:d8:cd:20:ae:8f:14:58:26:49:\n 18:1f:7a:99:c9:da:c3:f0:76:b8:52:8d:eb:b2:e2:\n 98:6b:a5:47:15:c3:ff:c8:e7:6c:d3:db:c7:fb:4c:\n 36:3e:15:eb:45:e1:4a:5d:01:ed:3b:87:f7:69:c1:\n 31:59\nQ:\n 00:ca:6d:df:fc:7b:96:2e:35:30:27:4f:1f:cf:57:\n 2f:e9:4c:40:97:53:a1:fa:d0:89:56:8d:2c:25\nG:\n 43:26:04:66:b3:80:c3:3f:8d:f5:5a:29:79:58:7a:\n 0b:8c:72:b9:cb:23:61:5d:c1:45:c5:38:7f:33:4e:\n 93:63:75:8a:b0:44:61:8f:59:df:fd:2f:3f:1f:22:\n 73:66:ba:53:65:53:2a:57:5b:d9:40:34:be:4c:78:\n 22:4a:bf:94:5d:23:15:65:66:e1:1f:6b:93:12:00:\n f0:ac:f5:64:0d:6d:6c:a3:eb:26:83:6d:68:95:e0:\n 2c:bf:75:62:fa:5f:95:0f:b0:40:68:ce:66:3b:58:\n ed:c1:63:e3:d8:35:5c:cc:db:b8:12:e6:62:e4:63:\n b6:29:e0:86:75:79:bc:95:27:74:d1:fd:94:b9:7f:\n 6e:57:b4:e5:39:a2:15:41:94:3f:47:90:43:a5:da:\n dd:08:a4:92:c5:bf:ef:34:4e:2e:7e:82:5c:07:0e:\n dc:5d:6b:79:10:04:53:cc:b2:8e:bd:65:61:80:49:\n ad:c7:dd:5f:5a:9b:74:ae:bc:e0:49:f1:ad:4c:1e:\n 8f:4e:9d:39:e9:fe:57:4d:39:b7:ba:69:03:e3:7e:\n 4d:0d:9b:65:c3:55:77:ff:2c:86:27:21:c7:3e:60:\n a3:23:a5:e8:7e:0d:29:15:1c:5e:04:91:91:25:03:\n f3:97:77:6c:11:24:34:58:c9:ec:b7:ca:ce:74:cd:\n a7This shows the keys indeed match (JSON x,y, above priv,pub):
$ grep --max-count=1 '\"x\"' remote_timings.json\n\"x\": \"0x1F8768EB57E1F4F129A6C8CA03C8DB491D8E2B81BD7292640C1CD66D\",\n$ grep --max-count=1 '\"y\"' remote_timings.json\n\"y\": \"0x9DFABC4700CB11FA5145C1BDB1882DDDA2795BC3430AAFBB83E2D584D10701ABF9AE762DDDF2A575F53E944D3BC6F6CE17C660095B493DCBA0DBEC2991858BC3F56C6A3C01871285AEFC9EBF67811B1DB19D12BD798C54084811136DABB016EF114A27A70A80B3DB72C1CC1EE84A39B700CA97B73A6EE925222E5C57EE62BE23D05E53A39F05D47D7FB5B6CB4B2790147972A54397C66A7DF732B3675890FCC3653457891B4328684324125EF143763CE9BC9C5D7DAED63A3132CADFA40788A2556EA48CDA13C830B72A1C230F32DA9E7FE1F73D2D1C58F51DF27DFB67458DDD84EB83C4B000A6C209B04848F94EA8D7ABE1C6E8BF5CFAE3F2CDC6F1E7F22C90\",This shows the DSA parameters match (JSON p,q,g, above P,Q,G):
$ grep --max-count=1 '\"p\"' remote_timings.json\n\"p\": \"0xE54EF432F84AEC283CDD32A805E35AFAA5814798D9A794BA34B0F97B20C5FB52123E82D76E6FF550BE5E9FDF829B4E0C9DA29F3F0AF372C2557C466EFE480088B64E4F9B198C983B714256D2B41C47696EFCF0E626040EE263ED060FFBA8A99473E141E06B5AB4D986CD7B46D339BA1813DAF23A7BDC412183E80D251331905DBD82419BEA6B8ABA8A48B11DD23D5EC41B295E7FB6561BE69165EC8482C2F6A1B0141B0B08D82B2A0617D72A9BC3AAFB2826143F5D0A481A4845C0FDEAEC906CEC93C8AFA3314B3AD8CD20AE8F14582649181F7A99C9DAC3F076B8528DEBB2E2986BA54715C3FFC8E76CD3DBC7FB4C363E15EB45E14A5D01ED3B87F769C13159\",\n$ grep --max-count=1 '\"q\"' remote_timings.json\n\"q\": \"0xCA6DDFFC7B962E3530274F1FCF572FE94C409753A1FAD089568D2C25\",\n$ grep --max-count=1 '\"g\"' remote_timings.json\n\"g\": \"0x43260466B380C33F8DF55A2979587A0B8C72B9CB23615DC145C5387F334E9363758AB044618F59DFFD2F3F1F227366BA5365532A575BD94034BE4C78224ABF945D23156566E11F6B931200F0ACF5640D6D6CA3EB26836D6895E02CBF7562FA5F950FB04068CE663B58EDC163E3D8355CCCDBB812E662E463B629E0867579BC952774D1FD94B97F6E57B4E539A21541943F479043A5DADD08A492C5BFEF344E2E7E825C070EDC5D6B79100453CCB28EBD65618049ADC7DD5F5A9B74AEBCE049F1AD4C1E8F4E9D39E9FE574D39B7BA6903E37E4D0D9B65C35577FF2C862721C73E60A323A5E87E0D29151C5E0491912503F397776C11243458C9ECB7CACE74CDA7\",Example: Extract a single entry
\n\nHere we use the python script pickone.py to extract the entry at index 2 (starting from 0).
$ python3 pickone.py remote_timings.json 2 | jq . > 2.json\n$ cat 2.json \n{\n \"latency\": \"399901598\",\n \"y\": \"0x9DFABC4700CB11FA5145C1BDB1882DDDA2795BC3430AAFBB83E2D584D10701ABF9AE762DDDF2A575F53E944D3BC6F6CE17C660095B493DCBA0DBEC2991858BC3F56C6A3C01871285AEFC9EBF67811B1DB19D12BD798C54084811136DABB016EF114A27A70A80B3DB72C1CC1EE84A39B700CA97B73A6EE925222E5C57EE62BE23D05E53A39F05D47D7FB5B6CB4B2790147972A54397C66A7DF732B3675890FCC3653457891B4328684324125EF143763CE9BC9C5D7DAED63A3132CADFA40788A2556EA48CDA13C830B72A1C230F32DA9E7FE1F73D2D1C58F51DF27DFB67458DDD84EB83C4B000A6C209B04848F94EA8D7ABE1C6E8BF5CFAE3F2CDC6F1E7F22C90\",\n \"g\": \"0x43260466B380C33F8DF55A2979587A0B8C72B9CB23615DC145C5387F334E9363758AB044618F59DFFD2F3F1F227366BA5365532A575BD94034BE4C78224ABF945D23156566E11F6B931200F0ACF5640D6D6CA3EB26836D6895E02CBF7562FA5F950FB04068CE663B58EDC163E3D8355CCCDBB812E662E463B629E0867579BC952774D1FD94B97F6E57B4E539A21541943F479043A5DADD08A492C5BFEF344E2E7E825C070EDC5D6B79100453CCB28EBD65618049ADC7DD5F5A9B74AEBCE049F1AD4C1E8F4E9D39E9FE574D39B7BA6903E37E4D0D9B65C35577FF2C862721C73E60A323A5E87E0D29151C5E0491912503F397776C11243458C9ECB7CACE74CDA7\",\n \"h\": \"0xC7DEAC64C95157992CB0D77CF944CB107C756F3E30D1C49C0C48A6EA\",\n \"k\": \"0x742A7562E2A192996440AE2A4FDF5D37E1A532E1E6A50BCA3964BBDA\",\n \"q\": \"0xCA6DDFFC7B962E3530274F1FCF572FE94C409753A1FAD089568D2C25\",\n \"p\": \"0xE54EF432F84AEC283CDD32A805E35AFAA5814798D9A794BA34B0F97B20C5FB52123E82D76E6FF550BE5E9FDF829B4E0C9DA29F3F0AF372C2557C466EFE480088B64E4F9B198C983B714256D2B41C47696EFCF0E626040EE263ED060FFBA8A99473E141E06B5AB4D986CD7B46D339BA1813DAF23A7BDC412183E80D251331905DBD82419BEA6B8ABA8A48B11DD23D5EC41B295E7FB6561BE69165EC8482C2F6A1B0141B0B08D82B2A0617D72A9BC3AAFB2826143F5D0A481A4845C0FDEAEC906CEC93C8AFA3314B3AD8CD20AE8F14582649181F7A99C9DAC3F076B8528DEBB2E2986BA54715C3FFC8E76CD3DBC7FB4C363E15EB45E14A5D01ED3B87F769C13159\",\n \"s\": \"0x79FD73D901BB077D14334D8CC714804577515A1E0ADC9F995BB7534C\",\n \"r\": \"0x61F949D772E22EA9EFBB36442BC229767B28BE2A8061FA7339AFDDC8\",\n \"msg\": \"0x318198301A06092A864886F70D010903310D060B2A864886F70D0109100104301C06092A864886F70D010905310F170D3230303432343131333135375A302B060B2A864886F70D010910020C311C301A30183016041470AD64D33E65A855E6C332AA52736F71D58E7527302F06092A864886F70D0109043122042090C90BFC7A8C459EDB5AF58A8878EE826B6FD02A20E2BAAF2C73984FA380FDD2\",\n \"x\": \"0x1F8768EB57E1F4F129A6C8CA03C8DB491D8E2B81BD7292640C1CD66D\",\n \"id\": \"335451053151725\",\n \"k_len\": \"223\"\n}Example: Dump message to binary file
\n\nExtract the msg field from the target JSON and dump it as binary.
$ sed -n 's/^ \"msg\": \"0x\\(.*\\)\",$/\\1/p' 2.json | xxd -r -p > 2.msg\n$ xxd -g1 2.msg\n00000000: 31 81 98 30 1a 06 09 2a 86 48 86 f7 0d 01 09 03 1..0...*.H......\n00000010: 31 0d 06 0b 2a 86 48 86 f7 0d 01 09 10 01 04 30 1...*.H........0\n00000020: 1c 06 09 2a 86 48 86 f7 0d 01 09 05 31 0f 17 0d ...*.H......1...\n00000030: 32 30 30 34 32 34 31 31 33 31 35 37 5a 30 2b 06 200424113157Z0+.\n00000040: 0b 2a 86 48 86 f7 0d 01 09 10 02 0c 31 1c 30 1a .*.H........1.0.\n00000050: 30 18 30 16 04 14 70 ad 64 d3 3e 65 a8 55 e6 c3 0.0...p.d.>e.U..\n00000060: 32 aa 52 73 6f 71 d5 8e 75 27 30 2f 06 09 2a 86 2.Rsoq..u'0/..*.\n00000070: 48 86 f7 0d 01 09 04 31 22 04 20 90 c9 0b fc 7a H......1\". ....z\n00000080: 8c 45 9e db 5a f5 8a 88 78 ee 82 6b 6f d0 2a 20 .E..Z...x..ko.* \n00000090: e2 ba af 2c 73 98 4f a3 80 fd d2 ...,s.O....Note the xxd output matches the msg byte string from the target JSON.
Example: Dump hash to binary file
\n\nExtract the h field from the target JSON and dump it as binary.
$ sed -n 's/^ \"h\": \"0x\\(.*\\)\",$/\\1/p' 2.json | xxd -r -p > 2.hash\n$ xxd -g1 2.hash\n00000000: c7 de ac 64 c9 51 57 99 2c b0 d7 7c f9 44 cb 10 ...d.QW.,..|.D..\n00000010: 7c 75 6f 3e 30 d1 c4 9c 0c 48 a6 ea |uo>0....H..Note the xxd output matches the h byte string from the target JSON.
Example: Hash is consistent
\n\n$ sha256sum 2.msg\nc7deac64c95157992cb0d77cf944cb107c756f3e30d1c49c0c48a6ea809e6d58 2.msgNote the first 28 bytes of sha256sum output match the h byte string from the target JSON. (DSA maps to GF(q) with truncation.)
Example: Dump signature to DER
\n\nThe hex2der.sh script takes as an argument the target JSON filename, and outputs the DER-encoded DSA signature to stdout by extracting the r and s fields from the target JSON.
$ ./hex2der.sh 2.json > 2.der\n$ openssl asn1parse -in 2.der -inform DER\n 0:d=0 hl=2 l= 60 cons: SEQUENCE\n 2:d=1 hl=2 l= 28 prim: INTEGER :61F949D772E22EA9EFBB36442BC229767B28BE2A8061FA7339AFDDC8\n 32:d=1 hl=2 l= 28 prim: INTEGER :79FD73D901BB077D14334D8CC714804577515A1E0ADC9F995BB7534CNote the asn1parse output contains a sequence with two integers, matching the r and s fields from the target JSON.
Example: Verify the signature (post-hash)
\n\nWe use pkeyutl here to verify the raw hash directly.
$ openssl pkeyutl -in 2.hash -inkey public.pem -pubin -verify -sigfile 2.der\nSignature Verified SuccessfullyNote it fails for other hashes (messages), a fundamental security property for digital signatures:
\n\n$ dd if=/dev/urandom of=bad.hash bs=1 count=28\n28+0 records in\n28+0 records out\n28 bytes copied, 0.000647097 s, 43.3 kB/s\n$ openssl pkeyutl -in bad.hash -inkey public.pem -pubin -verify -sigfile 2.der\nSignature Verification FailureExample: Verify the signature (pre-hash)
\n\nWe use dgst here to verify by recomputing the hash.
$ openssl dgst -sha256 -verify public.pem -signature 2.der 2.msg\nVerified OKExample: Message analysis
\n\nThe msg JSON field is an RFC 3161 Time Stamp Request. You can examine it:
$ openssl asn1parse -in 2.msg -inform DER\n 0:d=0 hl=3 l= 152 cons: SET \n 3:d=1 hl=2 l= 26 cons: SEQUENCE \n 5:d=2 hl=2 l= 9 prim: OBJECT :contentType\n 16:d=2 hl=2 l= 13 cons: SET \n 18:d=3 hl=2 l= 11 prim: OBJECT :id-smime-ct-TSTInfo\n 31:d=1 hl=2 l= 28 cons: SEQUENCE \n 33:d=2 hl=2 l= 9 prim: OBJECT :signingTime\n 44:d=2 hl=2 l= 15 cons: SET \n 46:d=3 hl=2 l= 13 prim: UTCTIME :200424113157Z\n 61:d=1 hl=2 l= 43 cons: SEQUENCE \n 63:d=2 hl=2 l= 11 prim: OBJECT :id-smime-aa-signingCertificate\n 76:d=2 hl=2 l= 28 cons: SET \n 78:d=3 hl=2 l= 26 cons: SEQUENCE \n 80:d=4 hl=2 l= 24 cons: SEQUENCE \n 82:d=5 hl=2 l= 22 cons: SEQUENCE \n 84:d=6 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:70AD64D33E65A855E6C332AA52736F71D58E7527\n 106:d=1 hl=2 l= 47 cons: SEQUENCE \n 108:d=2 hl=2 l= 9 prim: OBJECT :messageDigest\n 119:d=2 hl=2 l= 34 cons: SET \n 121:d=3 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:90C90BFC7A8C459EDB5AF58A8878EE826B6FD02A20E2BAAF2C73984FA380FDD2Example: Statistics
\n\nThe stats.py script shows how to extract the desired fields from the JSON. It computes the median latency over each nonce bit length.
$ python3 stats.py remote_timings.json \nLen Median\n205 121.2\n206 121.2\n207 120.6\n208 138.3\n209 122.9\n210 123.0\n211 123.0\n212 123.0\n213 125.0\n214 125.0\n215 125.0\n216 125.0\n217 127.1\n218 127.1\n219 127.1\n220 127.1\n221 129.1\n222 129.1\n223 129.1\n224 129.1You can verify these medians are consistent with Figure 1 in the paper.
\n\nThe stats.py script can be easily modified for more advanced analysis.
Credits
\n\nSome parts borrowed from this artifact.
\n\nAuthors
\n\nFunding
\n\nThis project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 804476).
\n\nLicense
\n\nThis project is distributed under MIT license.
", "funding": [ { "award": { "acronym": "SCARE", "id": "00k4n6c32::804476", "identifiers": [ { "identifier": "https://cordis.europa.eu/projects/804476", "scheme": "url" } ], "number": "804476", "program": "H2020-EU.1.1.", "title": { "en": "Side-Channel Aware Engineering" } }, "funder": { "id": "00k4n6c32", "name": "European Commission" } } ], "languages": [ { "id": "eng", "title": { "en": "English" } } ], "publication_date": "2020-08-13", "publisher": "Zenodo", "resource_type": { "id": "dataset", "title": { "de": "Datensatz", "en": "Dataset" } }, "rights": [ { "description": { "en": "A short and simple permissive license with conditions only requiring preservation of copyright and license notices. Licensed works, modifications, and larger works may be distributed under different terms and without source code." }, "id": "mit", "props": { "scheme": "spdx", "url": "https://opensource.org/licenses/MIT" }, "title": { "en": "MIT License" } } ], "subjects": [ { "subject": "side-channel analysis" }, { "subject": "applied cryptography" }, { "subject": "Digital Signature Algorithm (DSA)" }, { "subject": "Network Security Services (NSS)" }, { "subject": "timing attacks" }, { "subject": "Mozilla" }, { "subject": "Firefox" }, { "subject": "CVE-2020-12399" } ], "title": "CVE-2020-12399: research data and tooling" }, "parent": { "access": { "owned_by": { "user": "87802" } }, "communities": {}, "id": "3982270", "pids": { "doi": { "client": "datacite", "identifier": "10.5281/zenodo.3982270", "provider": "datacite" } } }, "pids": { "doi": { "client": "datacite", "identifier": "10.5281/zenodo.3982271", "provider": "datacite" }, "oai": { "identifier": "oai:zenodo.org:3982271", "provider": "oai" } }, "revision_id": 2, "stats": { "all_versions": { "data_volume": 3617500458.0, "downloads": 646, "unique_downloads": 562, "unique_views": 600, "views": 618 }, "this_version": { "data_volume": 3617500458.0, "downloads": 646, "unique_downloads": 562, "unique_views": 600, "views": 618 } }, "status": "published", "swh": {}, "updated": "2020-08-13T12:59:23.736226+00:00", "versions": { "index": 1, "is_latest": true } }