Implementation Guidance for the PKCS #1 RSA Cryptography Specification

7.1. General recommendations

It's especially important to make sure that all values that are secret to the attacker are stored in memory buffers that have sizes determined by the public modulus.¶

For example, the private exponents should be stored in memory buffers that have sizes determined by the public modulus value, not the numerical values of the exponents themselves.¶

Similarly, the size of the output buffer for multiplication should always be equal to the sum of buffer sizes of multiplicands. The output size of the modular reduction operation should similarly be equal to the size of the modulus and not depend on bit size of the output.¶

7.2. Montgomery ladder

For the modular exponentiation algorithm to be side-channel free every step of the calculation MUST NOT depend on the bits of the exponent. In particular, use of simple square and multiply algorithm will leak information about bits of the exponent through lack of multiplication operation in individual exponentiation steps.¶

The recommended workaround against it, is the use of the Montgomery ladder construction.¶

While that approach ensures that both the square and multiply operations are performed, the fact that the results of them are placed in different memory locations based on bits of the secret exponent will provide enough information for an attacker to recover the bits of the exponent. To counteract it, the implementation should ensure that both memory locations are accessed and updated on every step.¶

7.3. Montgomery reduction in multiplication

As multiplication operations quickly make the intermediate values in modular exponentiation large, performing a modular reduction after every multiplication or squaring operation is a common optimisation.¶

To further optimise the modular reduction, the Montgomery modular multiplication is used for performing the combined multiply-and-reduce operation. The last step of that operation is conditional on the value of the output. A side-channel free implementation should perfom the subtraction in all cases and then copy the result or the first operand of the subtraction based on sign of the result of the subtraction in side-channel free manner.¶

11.1. IRPRF

For the calculation of the random message for implicit rejection we define a Pseudo-Random Function (PRF) as follows:¶

IRPRF( KDK, label, length )¶

Input:¶

KDK the key derivation key¶

label a label making the output unique for a given KDK¶

length requested length of output in octets¶

Output: derived key, an octet string¶

Steps:¶

1. If KDK is not 32 octets long, or if length is larger than 8192 return error and stop.¶

2. The returned value is created by concatenation of subsequent calls to a SHA-256 HMAC function with the KDK as the HMAC key and following octet string as the message:¶

     P_i = I || label || bitLength
   

   ¶

3. Where the I is an iterator value encoded as two octet long big endian integer, label is the passed in label, and bitLength is the length times 8 (to represent number of bits of output) encoded as two octet big endian integer. The iterator is initialised to 0 on first call, and then incremented by 1 for every subsequent HMAC call.¶

4. The HMAC is iterated until the concatenated output is shorter than length¶

5. The output is the length left-most octets of the concatenated HMAC output¶

11.2. Implicit rejection

For implementations that cannot remove support for the RSAES-PKCS-v1_5 encryption scheme nor provide a usage-specific API, it's possible to implement an implicit rejection algorithm as a protection measure. It should be noted that implementing it correctly is hard, thus it's RECOMMENDED instead to disable support for RSAES-PKCS-v1_5 padding instead.¶

To implement implicit rejection, the RSAES-PKCS1-V1_5-DECRYPT from section 7.2.2 of RFC 8017 needs to be implemented as follows:¶

1. Length checking: If the length of the ciphertext C is not k octets (or if k < 11), output "decryption error" and stop.¶

2. RSA decryption:¶

   1. Convert the ciphertext C to an integer ciphertext representative c:¶

        c = OS2IP (C).
      

      ¶

   2. Apply the RSADP decryption primitive to the RSA private key (n, d) and the ciphertext representative c to produce an integer message representative m:¶

        m = RSADP ((n, d), c).
      

      ¶

      Note: the RSADP MUST be constant-time with respect of message m.¶

      If RSADP outputs "ciphertext representative out of range" (meaning that c >= n), output "decryption error" and stop.¶

   3. Convert the message representative m to an encoded message EM of length k octets:¶

        EM = I2OSP (m, k).
      

      ¶

      Note: I2OSP MUST be constant-time with respect of m.¶

3. Derivation of alternative message¶

   1. Derive the Key Derivation Key (KDK)¶

      1. Convert the private exponent d to a string of length k octets:¶

           D = I2OSP (d, k).
         

         ¶

      2. Hash the private exponent using the SHA-256 algorithm:¶

           DH = SHA256 (D).
         

         ¶

         Note: This value MAY be cached between the decryption operations, but MUST be considered private-key equivalent.¶

      3. Use the DH as the SHA-256 HMAC key and the provided ciphertext C as the message. If the ciphertext C is not k octets long, it MUST be left padded with octets of value zero.¶

           KDK = HMAC (DH, C, SHA256).
         

         ¶

   2. Create the candidate lengths and the random message¶

      1. Use the IRPRF with key KDK, "length" as six octet label encoded with UTF-8, to generate 256 octet output. Interpret this output as 128 two octet long big-endian numbers.¶

           CL = IRPRF (KDK, "length", 256).
         

         ¶

      2. Use the IRPRF with key KDK, "message" as a seven octet label encoded with UTF-8 to generate k octet long output to be used as the alternative message:¶

           AM = IRPRF (KDK, "message", k).
         

         ¶

   3. Select the alternative length for the alternative message.¶

      Note: this must be performed in side-channel free way.¶

      1. Iterate over the 128 candidate CL lengths. For each zero out high order bits so that they have the same bit length as the maximum valid message size (k - 11).¶

      2. Select the last length that's not larger than k - 11, use 0 if none are. Save it as AL.¶

4. EME-PKCS1-v1_5 decoding: Separate the encoded message EM into an octet string PS consisting of nonzero octets and a message M as¶

     EM = 0x00 || 0x02 || PS || 0x00 || M.
   

   ¶

   If the first octet of EM does not have hexadecimal value 0x00, if the second octet of EM does not have hexadecimal value 0x02, if there is no octet with hexadecimal value 0x00 to separate PS from M, or if the length of PS is less than 8 octets, the check variable must remember if any of those checks failed. Irrespective of the check variable value, the code should also return length of message M: L. If there is no octet with hexadecimal value 0x00 to separate PS from M, then L should equal 0.¶

   Note: All those checks MUST be performed irrespective if previous checks failed or not. A common technique for that is to have a check variable that is OR-ed with the results of subsequent checks.¶

5. Decision which message to return: in case the check variable is set, the code should return the last AL octets of AM, in case the check variable is unset the code should return the last L octets of EM.¶

   Note: The decision which length to use MUST be performed in side-channel free manner. While the length of the returned message is not considered sensitive, the read memory location is. As such, when returning message M both EM and AM memory locations MUST be read.¶

13.1. Random delays

Commonly proposed workaround for timing attacks is to add a random delay to procesing of encrypted data. For such mitigation to be effective in practice (raise attacker's work factor to gain meaningful safety margin) it would need to be in the order of at least few seconds if not tens of seconds. Effective sizes and distributions of delays have not been subject of extensive study.¶

It should also be noted that such a delay would need to be applied in addition to the regular mitigation (generate random key, use it in case RSAES-PKCS-v1_5 padding checks). That is, it needs to be implemented in the calling code, not in the depadding code.¶

At the same time, performing a simple wait masks only the timing side channel. It doesn't mitigate other side-channels, like ones that depend on power usage or memory access pattern.¶

13.2. Returing random value from API

A simpler variant of the proposed implicit rejection algorithm, where the decryption API returns a random message in case the padding check fails or the decrypted message has unexpected length, as described in [RFC5246], isn't a universal mitigation.¶

In case of a Bleichenbacher like attack, the attacker is trying to differentiate two classes of ciphertexts: ones that decrypt to message of specific size and ones that have invalid padding or decrypt to a message of unexpected size. That translates to two kind of values being returned to calling code: either the same message always for every decryption, or a different message for every decryption.¶

If that message is later used in any operation that is not side-channel free (key derivation, symmetric padding removal, message parsing), then the attacker will be able to observe two kinds of behaviour: consistent one for static messages and erratic one for randomly generated messages.¶

Use of such a message as a key with block cipher modes that require padding, like AES-CBC with PKCS #7 padding, is particularly leaky as it has about 1 in 256 chance of successful decryption with random key.¶

The simple implicit rejection with random message may be implemented safely in TLS 1.2 because both static messages and randomly generated messages are mixed together with the random nonce generated by the server, thus the attacker is unable to differentiate if the randomness originates in the nonce or in the randomisation of the message.¶

17.1. Normative References

[RFC8017]

Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, "PKCS #1: RSA Cryptography Specifications Version 2.2", RFC 8017, DOI 10.17487/RFC8017, November 2016, <https://www.rfc-editor.org/info/rfc8017>.

17.2. Informative References

[Aciicmez05]

Acıiçmez, O., Schindler, W., and Ç. K. Koç, "Improving Brumley and Boneh timing attack on unprotected SSL implementations", Proceedings of the 12th ACM conference on Computer and communications security CCS '05, 2005, <https://doi.org/10.1145/1102120.1102140>.

[Aciicmez07]

Acıiçmez, O. and W. Schindler, "A Major Vulnerability in RSA Implementations due to MicroArchitectural Analysis Threat", Cryptology ePrint Archive Paper 2007/336, 2007, <https://eprint.iacr.org/2007/336>.

[Aciicmez08]

Acıiçmez, O. and W. Schindler, "A Vulnerability in RSA Implementations Due to Instruction Cache Analysis and Its Demonstration on OpenSSL", Lecture Notes in Computer Science vol 4964, 2007, <https://doi.org/10.1007/978-3-540-79263-5_16>.

[Bauer12]

Bauer, S., "Attacking Exponent Blinding in RSA without CRT", Lecture Notes in Computer Science vol 7275, 2012, <https://doi.org/10.1007/978-3-642-29912-4_7>.

[Bleichenbacher98]

Bleichenbacher, D., "Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS#1", Lecture Notes in Computer Science vol 1462, <https://doi.org/10.1007/BFb0055716>.

[Bock18]

Böck, H., Somorovsky, J., and C. Young, "Return Of Bleichenbacher's Oracle Threat (ROBOT)", 27th USENIX Security Symposium USENIX Security 18, 2018, <https://www.usenix.org/conference/usenixsecurity18/presentation/bock>.

[Brumley03]

Brumley, D. and D. Boneh, "Remote timing attacks are practical", Computer Networks Volume 48, Issue 5, 2003, <https://doi.org/10.1016/j.comnet.2005.01.010>.

[Dhem98]

Dhem, J., Koeune, F., Leroux, P., Mestré, P., Quisquater, J., and J. Willems, "A Practical Implementation of the Timing Attack", Lecture Notes in Computer Science vol 1820, 1998, <https://doi.org/10.1007/10721064_15>.

[Kario23]

Kario, H., "Everlasting ROBOT: the Marvin Attack", 28th European Symposium on Research in Computer Security , 2023, <https://eprint.iacr.org/2023/1442>.

[Kocher96]

Kocher, P. C., "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems.", Lecture Notes in Computer Science vol 1109, 1996, <https://doi.org/10.1007/3-540-68697-5_9>.

[RFC2119]

Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.

[RFC5246]

Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008, <https://www.rfc-editor.org/info/rfc5246>.

[RFC6979]

Pornin, T., "Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August 2013, <https://www.rfc-editor.org/info/rfc6979>.

[Schindler00]

Schindler, W., "A Timing Attack against RSA with the Chinese Remainder Theorem", Lecture Notes in Computer Science vol 1965, 2000, <https://doi.org/10.1007/3-540-44499-8_8>.

[Schindler01]

Schindler, W., Koeune, F., and J. Quisquater, "Improving Divide and Conquer Attacks against Cryptosystems by Better Error Detection / Correction Strategies.", Lecture Notes in Computer Science vol 2260, 2001, <https://doi.org/10.1007/3-540-45325-3_22>.

[Schindler11]

Schindler, W. and K. Itoh, "Exponent Blinding Does Not Always Lift (Partial) Spa Resistance to Higher-Level Security", Lecture Notes in Computer Science vol 6715, 2011, <https://doi.org/10.1007/978-3-642-21554-4_5>.

[Schindler14]

Schindler, W. and A. Wiemers, "Power attacks in the presence of exponent blinding.", Journal of Cryptographic Engineering 4, 2014, <https://doi.org/10.1007/s13389-014-0081-y>.