Research on Access Driven Cache Timing Attacks Against Camellia

Cited by: 13

Authors: Zhao Xinjie (赵新杰)[1], Wang Tao (王韬)[1], Zheng Yuanyuan (郑媛媛)[1]

Affiliation: [1] Department of Computer Engineering, Ordnance Engineering College, Shijiazhuang 050003

Source: Chinese Journal of Computers (《计算机学报》), 2010, No. 7, pp. 1153-1164 (12 pages)

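Funding: Supported by the National Natural Science Foundation of China (60772082) and the Natural Science Foundation of Hebei Province, Special Project for Mathematics Research (08M010)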

Abstract: Camellia is the final winner among the 128-bit block ciphers in the NESSIE project. Most existing Cache timing attacks on Camellia are based on the timing-driven model and need millions of samples and tens of minutes to complete. Our research shows that, due to its frequent S-box lookup operations, Camellia is also vulnerable to access-driven Cache timing attacks, and that these attacks need fewer samples than timing-driven ones. First, based on the access-driven model, this paper gives a general analysis model for the S-boxes of symmetric ciphers, points out that the round function (F function) in Camellia encryption readily leaks the XOR of the initial key and the round key, and shows that the left circular rotation in the key schedule greatly reduces the security of Camellia. Next, it presents several access-driven Cache timing attacks on Camellia-128/192/256. Experimental results demonstrate that 500 random plaintexts are enough to recover the Camellia-128 key and 900 random plaintexts are enough to recover the Camellia-192/256 key. The attacks can be extended to the decryption procedure under known-ciphertext conditions and to remote environments: 3000 random plaintexts are enough to recover the Camellia-128/192/256 key in both local-area and campus networks. Finally, the paper analyzes why Camellia is vulnerable to Cache timing attacks and proposes some effective countermeasures for cipher designers.

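Keywords: Camellia-128/192/256; block cipher; access driven; Cache timing attack; side-channel attack; remote attack; F function; S-box lookup; left rotation function; key schedule; known ciphertext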

Classification No.: TP393 [Automation and Computer Technology: Computer Application Technology]

 
