1. Technical Field
The present invention relates to a system and method to provide CPU smoothing of cryptographic function timings.
More particularly, the present invention relates to a system and method to smooth a cryptographic function's “timing footprint” by injecting instructions and/or adjusting clock speed in order to prevent malicious attacks.
2. Description of the Related Art
Computer users have used techniques for protecting computer data from malicious attackers for many years. Before the Internet, a user was most concerned with a malicious attacker obtaining computer data by locating an unattended computer, and using the computer's keyboard or pointing device to retrieve data from its hard drive. In order to combat this threat, login password protection mechanisms were installed that required a user to enter a password in order to gain access to the computer. This approach prevented a malicious attacker from simply entering an area and retrieving data from the unattended computer.
The Internet has changed the entire data security landscape because a malicious attacker no longer needs to be present at the same location as the targeted computer. Rather, the malicious attacker may be in a different country than the target computer and extract the data through an Internet connection. Especially with the onset of e-commerce, a malicious attacker has much to gain by breaking into a user's computer. In turn, data protection mechanisms were put in place to prevent such attacks. However, malicious attack technology has become more sophisticated. Although high-speed Internet connections are a benefit to a user, the high-speed Internet connections also provide a mechanism for a malicious attacker to quickly break into a user's computer.
Therefore, as malicious attack technology becomes more sophisticated, attack prevention technology becomes more sophisticated. The Advanced Encryption Standard (AES) is the next-generation standard for private-key cryptography. AES scrambles a 16-byte input “n” using a 16-byte key “k” and two constant 256-byte tables. AES inserts n, k, and the 256-byte tables in various forms into arrays with array indexes in order to perform the encryption. A challenge found, however, is that it is extremely difficult to write constant-time high-speed AES software for use with a general-purpose processor. In particular, the underlying challenge is that it is extremely difficult to load an array entry in an amount of time that does not depend on the array entry's index.
It has been shown that the amount of time that an AES variable-index array lookup consumes, which is performed at the beginning of the AES computation, is dependent upon the array index. Furthermore, the amount of time that is consumed for the entire AES computation is well correlated with the time for this array lookup. Consequently, these AES timing values “leak” information about the input “n” and the key “k.” Therefore, a malicious attacker is able to deduce a key from the distribution of AES timings as a function of n. In short, a malicious attacker may monitor the amount of time that a processor requires to perform a cryptographic function, and deduce an encryption key and the data from the timing footprint.
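The following C program is an added illustration and is not part of the present disclosure. It contrasts the variable-index table load described above (a single data-dependent load whose latency varies with the index) with two defensive alternatives: a constant-time lookup that reads every entry of the table in the same order and selects the wanted entry with a mask, and a simplified instruction-injection wrapper in the spirit of the smoothing approach named in the Technical Field, which spins on filler work until a fixed time floor has elapsed. The 256-entry table, the function names, and the 200 microsecond floor are constructed assumptions for the example; the table is a placeholder, not an AES S-box.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Constructed sample table: 256 bytes standing in for a cryptographic lookup table. */
static uint8_t sample_table[256];

static void init_sample_table(void) {
    for (int i = 0; i < 256; i++)
        sample_table[i] = (uint8_t)((i * 73 + 41) & 0xFF);
}

/* Naive lookup: one data-dependent load. Its latency (cache hit or miss) depends
   on idx, which is the leak the text describes. */
uint8_t naive_lookup(const uint8_t *table, uint8_t idx) {
    return table[idx];
}

/* Branch-free comparison: returns 0xFF when a == b, 0x00 otherwise. */
static uint8_t ct_eq_mask(uint8_t a, uint8_t b) {
    uint32_t x = (uint32_t)(a ^ b);   /* zero iff a == b */
    x = (x - 1) >> 31;                /* 1 iff x was zero */
    return (uint8_t)(0 - x);          /* 1 -> 0xFF, 0 -> 0x00 */
}

/* Constant-time lookup (assumes n <= 256): reads all n entries in fixed order and
   ORs in only the masked entry, so neither the instruction count nor the memory
   access pattern depends on idx. accesses, if non-NULL, receives the number of
   table reads performed (always n). */
uint8_t ct_lookup(const uint8_t *table, size_t n, uint8_t idx, size_t *accesses) {
    uint8_t out = 0;
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t m = ct_eq_mask((uint8_t)i, idx);
        out |= (uint8_t)(table[i] & m);
        count++;
    }
    if (accesses) *accesses = count;
    return out;
}

static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/* Simplified instruction-injection smoothing (an illustration, not the patented
   mechanism): run op, then execute filler work until floor_ns has elapsed, so the
   externally observable duration is never shorter than the floor. floor_ns must
   exceed the worst-case runtime of op for the smoothing to hide the variance.
   Returns the measured elapsed time in nanoseconds. */
uint64_t padded_call(uint8_t (*op)(const uint8_t *, uint8_t), const uint8_t *table,
                     uint8_t idx, uint64_t floor_ns, uint8_t *result) {
    uint64_t start = now_ns();
    *result = op(table, idx);
    volatile uint32_t filler = 0;       /* volatile keeps the spin from being optimized away */
    while (now_ns() - start < floor_ns)
        filler++;
    return now_ns() - start;
}

int main(void) {
    init_sample_table();
    size_t reads = 0;
    uint8_t r = 0;
    printf("naive[0x2A]   = 0x%02X\n", naive_lookup(sample_table, 0x2A));
    printf("ct[0x2A]      = 0x%02X (%zu table reads)\n",
           ct_lookup(sample_table, 256, 0x2A, &reads), reads);
    uint64_t el = padded_call(naive_lookup, sample_table, 0x2A, 200000, &r);
    printf("padded naive  = 0x%02X, elapsed %llu ns (floor 200000)\n",
           r, (unsigned long long)el);
    return 0;
}
```

The full-scan lookup trades throughput for a fixed access pattern, which is why the text calls constant-time high-speed AES difficult on a general-purpose processor. The padding wrapper only masks variance below the floor: any operation that overruns the floor still exposes its timing, so the floor has to be chosen from the worst case, and the spin loop itself should not branch on secret data.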
What is needed, therefore, is a system and method to mask the amount of time that a processor requires to perform a cryptographic function in order to prevent malicious attacks.