Introduction to Software Countermeasures For Embedded Cryptography. David Vigilant, UMPC Master, 30th November, 2018.

Page 1 (source: …heydeman/SCA2019/Cours6_DVigilant.pdf)

Introduction to Software Countermeasures For Embedded Cryptography

David Vigilant

UMPC Master, 30th November, 2018

Page 2

Outline

1 Context and Motivations
2 Basic Rules and Countermeasures Examples
    Regarding Timing Attacks
    Regarding SPA-SEMA
    Regarding Statistical Side-Channel Attacks
    Regarding Fault Attacks
3 Application Examples for some Cryptographic Algorithms
    Application examples for RSA-CRT
    Application examples for AES-128
4 Conclusion

30th November, 2018 Introduction to Software Countermeasures For Embedded Cryptography 2 / 89


Page 4

Resistance of Embedded Implementations

Given a key size, the cryptographic algorithm has an inherent theoretical resistance to cryptanalysis

But

One implementation on one machine has its own resistance regarding implementation attacks

Page 5

Attacks on Embedded Implementations

Different techniques may be used to infer sensitive data of a cryptographic implementation:

Timing Attacks (TA)
Simple Side-Channel Attacks (SSCA)
Statistical Side-Channel Attacks (DSCA)
Fault Attacks (FA)

⇒ Attack set up may be easier to put in place on an embedded implementation, since the attacker has the device in hand

Page 6

Attacks on Embedded Implementations

Timing Attacks (TA):

Measure the crypto process timing for several input values

⇒ From timing exploitation, sensitive data may be inferred

Page 7

Attacks on Embedded Implementations

Simple Side-Channel Attacks (SSCA):

Simple Power Analysis (SPA): Measure power consumption of devices
Simple ElectroMagnetic Analysis (SEMA): Measure the electromagnetic field emanated from devices

⇒ From the exploitation of a trace of one execution, sensitive data may be inferred

Page 8

Attacks on Embedded Implementations

Statistical Side-Channel Attacks (DSCA):

Differential Power Analysis (DPA/DEMA)
Correlation Power Analysis (CPA/CEMA)
Linear Regression Analysis (LRA)
Template Analysis (TPA) / Deep Learning Attacks (DLA)

⇒ From traces of several executions, statistics may be exploited to deduce information about sensitive data

Page 9

Attacks on Embedded Implementations

Fault Attacks (FA): Disturb the computation (program flow or data) by different ways

Temperature
Voltage/Clock Glitch
EM injection
Laser
. . .

⇒ From the exploitation of faulty (and correct) results or behaviors, sensitive data may be inferred

Page 10

Hardware Limitations

It seems difficult to implement protections all in hardware (HW):

Surface limitation:
⇒ Implementing insecure crypto algorithms all in HW can even be too costly

HW imperfection (increased under extreme conditions):
⇒ The combination of HW and software (SW) countermeasures (CMs) may give more confidence

Remark: A lot of very efficient HW countermeasures exist; they are not discussed here

Page 11

Embedded Crypto - Hardware Architecture

Example of architecture in embedded devices:

⇒ Coprocessor may implement arithmetic operations (e.g. modular multiplication)
⇒ Coprocessor may implement block ciphers with some CMs

Page 12

Embedded Crypto - Hardware Architecture

Embedded devices have typically limited resources:

CPU: 8, 16, or 32 bits instructions
Frequency: several dozens of Megahertz
RAM: 1 or 2 Kbytes at most for crypto implementation
NVM reserved for constants and program: several dozens of Kbytes

⇒ The overhead added by the countermeasure must be monitored carefully

Page 13

Certification and Resistance Assessment

In the context of the certification (Common Criteria, EMVCo, ...) of a product:

Source code may be audited to detect weaknesses
Implementation attacks may be tested in practice by mandated labs
Vulnerabilities may lead to the failure of certification

Page 14

Countermeasures and Intellectual Property

Innovative countermeasures may be patented:

It may protect from counterfeit
Its usage may be licensed

Page 15

Out of scope

Definition: White Box Crypto (WBC) is the name for embedded crypto running in an environment totally manageable by the attacker. In particular, the attacker has access to and has control of:

Every processor register (including Program Counter)
Every memory cell
Code execution (i.e. complete debugging capability)

⇒ WBC implementations need dedicated countermeasures

⇒ WBC countermeasures are out of the scope of this presentation


Page 17

Avoid Vulnerabilities regarding TA

Rule: Avoid any timing difference linked to input data and/or internal sensitive data that could lead to the secret recovery

Countermeasure, Balanced Branches: Balance sensitive "if . . . then . . ." branches by injecting events

Countermeasure, No Branch: Eliminate branches and design programs with constant timing

Page 18

Avoid Vulnerabilities regarding TA

Example:

A user must be authenticated by entering an 8-byte key
The program grants access to the user only if the key value is the expected one
The program runs on an 8-bit CPU

Remark: The expected security strength is 2^64

Page 19

Avoid Vulnerabilities regarding TA

Example (continued):

Entered Key  : x0 x1 x2 x3 x4 x5 x6 x7
Expected Key : k0 k1 k2 k3 k4 k5 k6 k7

Naive program:
    if x0 = k0 then
     if x1 = k1 then
      if x2 = k2 then
       if x3 = k3 then
        if x4 = k4 then
         if x5 = k5 then
          if x6 = k6 then
           if x7 = k7 then
            "user granted"
    else "failure"

Each byte is compared one by one by the program


Page 21

Avoid Vulnerabilities regarding TA

Example (continued):

Entered Key  : x0 x1 x2 x3 x4 x5 x6 x7
Expected Key : k0 k1 k2 k3 k4 k5 k6 k7

Naive program:
    if x0 = k0 then
     if x1 = k1 then
      if x2 = k2 then
       if x3 = k3 then
        if x4 = k4 then
         if x5 = k5 then
          if x6 = k6 then
           if x7 = k7 then
            "user granted"
    else "failure"

The attacker tries the 2^8 possible values for the ith byte, i starting from 0
The attacker measures the process timing


Pages 23-25

Avoid Vulnerabilities regarding TA

Example (continued):

Entered Key  : x0 x1 x2 x3 x4 x5 x6 x7
Expected Key : k0 k1 k2 k3 k4 k5 k6 k7

Naive program:
    if x0 = k0 then
     if x1 = k1 then
      if x2 = k2 then
       if x3 = k3 then
        if x4 = k4 then
         if x5 = k5 then
          if x6 = k6 then
           if x7 = k7 then
            "user granted"
    else "failure"

The attacker tries the 2^8 possible values for the ith byte, i starting from 0
The attacker measures the process timing

If the guess is incorrect, the program ends after the comparison ⇒ Shorter timing

If the guess is correct, the program executes the next comparison ⇒ Longer timing

⇒ The security strength can be decreased to 8 × 2^8 = 2^11 !!

Page 26

Avoid Vulnerabilities regarding TA

Countermeasure, Balanced Branches: Balance sensitive "if . . . then . . ." branches by injecting events

    Equal = 0, Difference = 1, Status = 0
    for (i from 0 to 7) do {
        if xi = ki then
            Status |= Equal
        else
            Status |= Difference
    }
    if Status = Equal then
        "user granted"
    else
        "failure"

(Timing balance to be verified practically)

Page 27

Avoid Vulnerabilities regarding TA

Countermeasure, No Branch: Eliminate branches and design programs with constant timing

    Status = 0
    for (i from 0 to 7) do
        Status = Status | (xi ⊕ ki)
    if Status = 0 then
        "user granted"
    else
        "failure"
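The three key-verification programs of the preceding slides, written out in C as an added example (this code is not from the slides; the key and the guesses are constructed demo values). Each routine returns both the verdict and the number of byte comparisons it executed, which is the quantity that shows up as timing: the naive version stops at the first wrong byte, the two countermeasures always visit all 8 bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define KEY_LEN 8

/* Outcome of one verification: whether access is granted and how many
 * byte comparisons were executed (the quantity a timing attacker observes). */
typedef struct { int granted; int steps; } cmp_result;

/* Constructed demo values; a real device would hold the key in NVM. */
static const uint8_t DEMO_KEY[KEY_LEN]         = {0x3A, 0x7F, 0x11, 0xC0, 0x55, 0x9E, 0x02, 0xD4};
static const uint8_t GUESS_CORRECT[KEY_LEN]    = {0x3A, 0x7F, 0x11, 0xC0, 0x55, 0x9E, 0x02, 0xD4};
static const uint8_t GUESS_WRONG_AT_0[KEY_LEN] = {0x00, 0x7F, 0x11, 0xC0, 0x55, 0x9E, 0x02, 0xD4};
static const uint8_t GUESS_WRONG_AT_5[KEY_LEN] = {0x3A, 0x7F, 0x11, 0xC0, 0x55, 0x00, 0x02, 0xD4};

/* Naive program of the slides: returns at the first mismatch, so the number
 * of comparisons (and therefore the timing) reveals how many leading bytes
 * of the guess were right. Kept only as the "before". */
cmp_result naive_compare(const uint8_t x[KEY_LEN], const uint8_t k[KEY_LEN])
{
    cmp_result r = {0, 0};
    for (size_t i = 0; i < KEY_LEN; i++) {
        r.steps++;
        if (x[i] != k[i])
            return r;                 /* early exit: shorter timing */
    }
    r.granted = 1;
    return r;
}

/* Balanced Branches: the loop always visits all 8 bytes and both branches
 * perform the same kind of operation (an OR into Status). */
cmp_result balanced_compare(const uint8_t x[KEY_LEN], const uint8_t k[KEY_LEN])
{
    const uint8_t Equal = 0, Difference = 1;
    uint8_t status = 0;
    cmp_result r = {0, 0};
    for (size_t i = 0; i < KEY_LEN; i++) {
        r.steps++;
        if (x[i] == k[i])
            status |= Equal;
        else
            status |= Difference;
    }
    r.granted = (status == Equal);
    return r;
}

/* No Branch: OR-accumulate the XOR of each byte pair; the loop body has no
 * data-dependent branch and the single final test depends only on the
 * aggregate outcome, not on which byte differed. */
cmp_result nobranch_compare(const uint8_t x[KEY_LEN], const uint8_t k[KEY_LEN])
{
    uint8_t status = 0;
    cmp_result r = {0, 0};
    for (size_t i = 0; i < KEY_LEN; i++) {
        r.steps++;
        status |= (uint8_t)(x[i] ^ k[i]);
    }
    r.granted = (status == 0);
    return r;
}

int main(void)
{
    const uint8_t *guesses[] = {GUESS_WRONG_AT_0, GUESS_WRONG_AT_5, GUESS_CORRECT};
    const char *names[] = {"wrong at byte 0", "wrong at byte 5", "correct"};
    for (int g = 0; g < 3; g++) {
        printf("%-16s naive=%d steps  balanced=%d steps  nobranch=%d steps\n",
               names[g],
               naive_compare(guesses[g], DEMO_KEY).steps,
               balanced_compare(guesses[g], DEMO_KEY).steps,
               nobranch_compare(guesses[g], DEMO_KEY).steps);
    }
    return 0;
}
```

The slide's remark "timing balance to be verified practically" applies to the C source as well: an optimising compiler may turn the balanced version back into an early-exit loop, so the generated assembly (and a measurement on the target) must be checked, not just the source.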

Page 28

Avoid Vulnerabilities regarding SPA-SEMA

Rule: Avoid any flow difference (leading to a difference in the trace) linked to input data and/or internal sensitive data that could lead to the secret recovery

Countermeasure, Balanced Branches: Introduce or modify events to remove differences in the flow

Countermeasure, No Branch: Eliminate branches and design programs with constant flow

Page 29

Avoid Vulnerabilities regarding SPA-SEMA

Example: Implementation of a binary exponentiation algorithm
Compute S = m^d mod N, d = (d0, d1, . . . , d_{L-1})_2

Naive Binary Algorithm:
    A = 1
    for (i from 0 to L-1) do {
        A = A × A mod N
        if di = 1 then
            A = A × m mod N
    }
    return(A)

Page 30

Avoid Vulnerabilities regarding SPA-SEMA

Example: Implementation of a binary exponentiation algorithm
Compute S = m^d mod N, d = (d0, d1, . . . , d_{L-1})_2

Naive Binary Algorithm Trace:


Page 32

Avoid Vulnerabilities regarding SPA-SEMA

Example (Continued):

Countermeasure, Balanced Branches: Introduce events to remove differences in the flow

Square and Multiply Always Algorithm:
    A = 1
    for (i from 0 to L-1) do {
        A = A × A mod N
        if di = 1 then
            A = A × m mod N
        else
            B = A × m mod N    (Dummy Multiplication)
    }
    return(A)

≈ +33% process timing compared to naive method
(Flow balance to be verified practically)

Page 33

Avoid Vulnerabilities regarding SPA-SEMA

Example (Continued):

Countermeasure, No Branch: Design programs with constant flow

Montgomery Ladder Algorithm:
    A0 = 1, A1 = m
    for (i from 0 to L-1) do {
        A_{d̄i} = A_{d̄i} × A_{di} mod N
        A_{di} = A_{di}^2 mod N
    }
    return(A0)

≈ +33% process timing compared to naive method
(Flow balance to be verified practically)
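The three exponentiation algorithms of the last slides, side by side in C as an added example (not code from the slides; the toy parameters m = 4, d = 13, N = 497 are constructed, and the integers are kept below 32 bits so that products fit in 64 bits). Each routine also counts the modular multiplications it performs: with the naive algorithm the count equals L plus the Hamming weight of d, so the multiplication pattern in a single trace spells out the exponent, whereas square-and-multiply-always and the Montgomery ladder always execute exactly 2L of them.

```c
#include <stdint.h>
#include <stdio.h>

/* Result value plus the number of modular multiplications executed: the
 * multiplication pattern is what an SPA/SEMA trace of one execution shows. */
typedef struct { uint32_t value; unsigned mults; } exp_result;

static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t n)
{
    return (uint32_t)(((uint64_t)a * b) % n);  /* 32x32-bit product fits in 64 bits */
}

/* Bit length L of d; d is scanned as (d0 ... d_{L-1})_2 with d0 the MSB. */
static unsigned bitlen(uint32_t d)
{
    unsigned l = 0;
    while (d) { l++; d >>= 1; }
    return l;
}

static unsigned bit(uint32_t d, unsigned L, unsigned i)
{
    return (d >> (L - 1 - i)) & 1u;
}

/* Naive binary algorithm: a multiplication happens only when di = 1, so the
 * square/multiply pattern of one execution reveals every bit of d. */
exp_result naive_binary(uint32_t m, uint32_t d, uint32_t n)
{
    exp_result r = {1 % n, 0};
    unsigned L = bitlen(d);
    for (unsigned i = 0; i < L; i++) {
        r.value = mulmod(r.value, r.value, n); r.mults++;
        if (bit(d, L, i)) { r.value = mulmod(r.value, m, n); r.mults++; }
    }
    return r;
}

/* Square and Multiply Always: the else branch performs a dummy multiplication
 * into B, so every iteration costs one squaring plus one multiplication. */
exp_result square_multiply_always(uint32_t m, uint32_t d, uint32_t n)
{
    exp_result r = {1 % n, 0};
    uint32_t B;
    unsigned L = bitlen(d);
    for (unsigned i = 0; i < L; i++) {
        r.value = mulmod(r.value, r.value, n); r.mults++;
        if (bit(d, L, i)) { r.value = mulmod(r.value, m, n); }
        else              { B = mulmod(r.value, m, n); (void)B; }  /* dummy */
        r.mults++;
    }
    return r;
}

/* Montgomery ladder: no branch at all; di only selects which register is
 * squared and which one receives the product. Both are updated each round.
 * (On a CPU with a data cache, indexing A[] by the secret bit would itself
 * need attention; on the small MCUs of slide 12 there is no cache.) */
exp_result montgomery_ladder(uint32_t m, uint32_t d, uint32_t n)
{
    uint32_t A[2] = {1 % n, m % n};
    exp_result r = {0, 0};
    unsigned L = bitlen(d);
    for (unsigned i = 0; i < L; i++) {
        unsigned di = bit(d, L, i);
        A[1 - di] = mulmod(A[1 - di], A[di], n); r.mults++;
        A[di]     = mulmod(A[di], A[di], n);     r.mults++;
    }
    r.value = A[0];
    return r;
}

int main(void)
{
    uint32_t m = 4, d = 13, n = 497;   /* constructed toy parameters */
    exp_result a = naive_binary(m, d, n);
    exp_result b = square_multiply_always(m, d, n);
    exp_result c = montgomery_ladder(m, d, n);
    printf("naive : %u (%u mults)\n", a.value, a.mults);
    printf("always: %u (%u mults)\n", b.value, b.mults);
    printf("ladder: %u (%u mults)\n", c.value, c.mults);
    return 0;
}
```

For d = 13 = (1101)_2 the naive routine performs 4 squarings and 3 multiplications, the two protected routines 8 operations each, which is the +33% of the slide for this exponent (the average over random exponents is L squarings + L/2 multiplications versus 2L).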

Page 34

Avoid Vulnerabilities regarding DSCA

Rule: Given the power of an attacker, detect and remove the appearance of all intermediate sensitive values that could lead to the secret recovery

Page 35

Avoid Vulnerabilities regarding DSCA

Example:

The attacker is able to exploit a Hamming weight leakage by CPA
The attacker can choose the value of a byte X
In the algorithm, X should be XORed with a sensitive byte Y

1 The attacker acquires power traces for different input values
2 The attacker localizes the targeted XOR, and synchronizes curves on this operation
3 For each of the 2^8 guesses, the attacker calculates the correlation coefficient between the Hamming weight of the XOR result and the samples of the power traces acquired
4 The attacker can reduce the space of possible values for Y, if the correct guess gives one of the best scores

Page 36

Avoid Vulnerabilities regarding DSCA

Countermeasure, Secret Sharing:

If the attacker has the power to realize a DSCA of order n-1
If a sensitive value X is targeted
The sensitive value X can be split in n random shares, X0, X1, ..., X_{n-1}

Page 37

Avoid Vulnerabilities regarding DSCA

Countermeasure, Secret Sharing (continued):

Example: Additive sharing
X = X1 + X2, where X1 and X2 are random values
Only X1 and X2 are manipulated in the implementation

Page 38

Avoid Vulnerabilities regarding DSCA

Countermeasure, Secret Sharing (continued):

Example: Boolean sharing
X = X1 ⊕ X2 ⊕ X3, where X1, X2 and X3 are random values
Only X1, X2 and X3 are manipulated in the implementation

Page 39

Avoid Vulnerabilities regarding DSCA

Example:

The attacker is able to exploit a Hamming weight leakage by CPA
The attacker can choose the value of a byte X
In the algorithm, X should be XORed with a sensitive byte Y

Program using the secret sharing countermeasure:
    Generate a random byte Z0
    Z1 = Y ⊕ Z0
    Z1 = Z1 ⊕ X
    store Z0 in RAM
    store Z1 in RAM
    . . .

⇒ the sensitive value Z is shared among Z0 and Z1

Page 40

Avoid Vulnerabilities regarding DSCA

Example:

The attacker is able to exploit a Hamming distance (HD) leakage by CPA
The attacker can choose the value of a byte X
In the algorithm, X should be XORed with a sensitive byte Y

Program using the secret sharing countermeasure:
    Generate a random byte Z0
    Z1 = Y ⊕ Z0
    Z1 = Z1 ⊕ X
    store Z0 in RAM
    store Z1 in RAM

Z0 and Z1 transit on the BUS successively; the BUS would pass from Z0 to Z1, and the Hamming distance between them is HW(Z0 ⊕ Z1) = HW(Z), i.e. HD = Z . . .
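An added C example (not code from the slides; the byte values and the mask are constructed) that makes both points of slides 39 and 40 checkable: under a Hamming weight model a single share carries no first-order information about Z, but the Hamming distance between the two shares written back to back is exactly HW(Z). The check sums HW(Z1) over all 256 masks; because Z1 = Y ⊕ Z0 ⊕ X runs through every byte value once, the sum is 256 × 4 = 1024 whatever X and Y are.

```c
#include <stdint.h>
#include <stdio.h>

/* Hamming weight of a byte: the leakage model the CPA of slide 35 assumes. */
unsigned hw(uint8_t v)
{
    unsigned c = 0;
    while (v) { c += v & 1u; v >>= 1; }
    return c;
}

/* Hamming distance between two values transferred one after the other. */
unsigned hd(uint8_t a, uint8_t b) { return hw((uint8_t)(a ^ b)); }

/* Unprotected XOR: the sensitive result Z = X ^ Y is manipulated directly. */
uint8_t plain_xor(uint8_t x, uint8_t y) { return (uint8_t)(x ^ y); }

/* Boolean secret sharing as on slide 39: z0 is a fresh random byte (passed in
 * here so the example is deterministic), z1 = (Y ^ z0) ^ X. Y never appears
 * unmasked and neither share alone depends on Z; only z0 ^ z1 = Z does. */
void masked_xor(uint8_t x, uint8_t y, uint8_t z0, uint8_t *out_z0, uint8_t *out_z1)
{
    uint8_t z1 = (uint8_t)(y ^ z0);
    z1 = (uint8_t)(z1 ^ x);
    *out_z0 = z0;
    *out_z1 = z1;
}

uint8_t unmask(uint8_t z0, uint8_t z1) { return (uint8_t)(z0 ^ z1); }

/* First-order check: the total Hamming weight of the share z1 over all 256
 * masks is 1024 for every (x, y), so its mean weight is independent of Z. */
unsigned sum_hw_share1_over_masks(uint8_t x, uint8_t y)
{
    unsigned total = 0;
    for (unsigned r = 0; r < 256; r++) {
        uint8_t z0, z1;
        masked_xor(x, y, (uint8_t)r, &z0, &z1);
        total += hw(z1);
    }
    return total;
}

/* The pitfall of slide 40: if z0 and z1 are driven on the bus back to back,
 * the bus toggles from z0 to z1 and the distance is HW(z0 ^ z1) = HW(Z). */
unsigned bus_leak_hd(uint8_t x, uint8_t y, uint8_t mask)
{
    uint8_t z0, z1;
    masked_xor(x, y, mask, &z0, &z1);
    return hd(z0, z1);
}

int main(void)
{
    uint8_t x = 0x5A, y = 0xC3, mask = 0x77;   /* constructed demo values */
    printf("HW(Z) unprotected          : %u\n", hw(plain_xor(x, y)));
    printf("sum HW(Z1) over all masks  : %u\n", sum_hw_share1_over_masks(x, y));
    printf("HD(Z0, Z1) on the bus      : %u\n", bus_leak_hd(x, y, mask));
    return 0;
}
```

The masking therefore has to be evaluated against the leakage model the device actually exhibits: a sharing that is sound under a Hamming weight model is defeated by a Hamming distance model as soon as the two shares are transferred consecutively, which is why the slide stops at the two RAM stores.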


Page 42

Avoid Vulnerabilities regarding DSCA

Countermeasure, Blinding - Randomization (Mathematical Context): Randomize a variable X into a random data X' such that good mathematical properties are kept (result can be recovered), and the targeted value does not appear.

Page 43

Avoid Vulnerabilities regarding DSCA

Example: Group exponentiation in ((Z/NZ)*, ×), S = m^d mod N, d is sensitive

The attacker is able to choose values for m
The attacker is able to exploit a Hamming weight model leakage on successive powers of m mod N
The attacker performs a DPA for each bit of d, building 2 sets depending on the Hamming weight (high or small) of some bytes of the targeted intermediate powers of m

Program using the Blinding countermeasure:
    Generate R a random number
    N' = N × R
    S' = m^d mod N'
    S = S' mod N

Page 44

Avoid Vulnerabilities regarding DSCA

Example:

We define a group G as follows:
E : { (x, y) ∈ (Fp × Fp) | y^2 = x^3 + ax + b mod p } with p prime, and 4a^3 + 27b^2 mod p ≠ 0

We define an addition law over E : P + Q = R
if P ≠ Q, -R is the intersection of the line passing through P and Q with E; R is the opposite of -R regarding the x axis
if P = Q, -R is the intersection of the tangent of E in P; R is the opposite of -R regarding the x axis

We define ∞ such that P + ∞ = P, ∀P ∈ E. If the line passing through P and Q has no other intersection with E, then P + Q = ∞ (or P + P = ∞)

G ⊂ E, G = <g>, s.t. n.g = ∞, n large prime
These groups are commonly used in cryptography

Page 45

Avoid Vulnerabilities regarding DSCA

Example (continued): We consider the point multiplication S = d.M, M ∈ G, d ∈ N, d is a sensitive value

The attacker is able to choose values for the point M
The attacker is able to exploit a Hamming weight model leakage of the x-coordinate of successive multiples of M
The attacker performs a DPA for each bit of d, building 2 sets depending on the x-coordinate Hamming weight (high or small) on some bytes of the targeted intermediate multiples of M

Program using the Blinding countermeasure:
    Generate r a random number
    d' = d + (n × r)
    S = d'.M
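The two blinding programs of slides 43 and 45 worked through in C, as an added example that is not code from the slides. The modulus blinding N' = N × R is taken directly from slide 43; the exponent blinding is the scalar-blinding idea of slide 45 (d' = d + n × r with n the group order) transposed to the multiplicative group (Z/NZ)*, whose order φ(N) is assumed known to the implementation, which is an assumption of this example rather than something the slides state. The parameters N = 3233, d = 2753, m = 2790 are a constructed textbook-size RSA instance (φ(N) = 3120), and R and r are fixed so that the run is reproducible. The `partial_power` helper exposes the accumulator after the first k exponent bits so one can see that the blinded run does not pass through the intermediate values a DPA on m^e mod N would predict.

```c
#include <stdint.h>
#include <stdio.h>

/* Operands stay below 2^32 for the parameters used here, so a*b fits in 64 bits. */
static uint64_t mulmod64(uint64_t a, uint64_t b, uint64_t n)
{
    return (a * b) % n;
}

static unsigned bitlen64(uint64_t d)
{
    unsigned l = 0;
    while (d) { l++; d >>= 1; }
    return l;
}

/* Left-to-right square-and-multiply processing only the first k bits of d
 * (d0 = MSB); with k = bitlen(d) it is the complete exponentiation. */
uint64_t partial_power(uint64_t m, uint64_t d, uint64_t n, unsigned k)
{
    uint64_t a = 1 % n;
    unsigned L = bitlen64(d);
    for (unsigned i = 0; i < L && i < k; i++) {
        a = mulmod64(a, a, n);
        if ((d >> (L - 1 - i)) & 1u) a = mulmod64(a, m, n);
    }
    return a;
}

/* Unprotected S = m^d mod N. */
uint64_t modexp(uint64_t m, uint64_t d, uint64_t n)
{
    return partial_power(m, d, n, bitlen64(d));
}

/* Slide 43: N' = N * R, S' = m^d mod N', S = S' mod N. Every intermediate is
 * reduced modulo the random N', so it is not the value m^e mod N that the
 * attacker's hypotheses are built on. Correct because N divides N'. */
uint64_t modexp_blinded_modulus(uint64_t m, uint64_t d, uint64_t n, uint64_t R)
{
    uint64_t n_prime = n * R;
    uint64_t s_prime = modexp(m, d, n_prime);
    return s_prime % n;
}

/* Exponent blinding, the (Z/NZ)* counterpart of slide 45's d' = d + n*r:
 * d' = d + phi*r, and m^(phi) = 1 mod N for gcd(m, N) = 1, so m^d' = m^d.
 * The sequence of intermediate powers now depends on the random r. */
uint64_t modexp_blinded_exponent(uint64_t m, uint64_t d, uint64_t n, uint64_t phi, uint64_t r)
{
    uint64_t d_prime = d + phi * r;
    return modexp(m, d_prime, n);
}

int main(void)
{
    uint64_t N = 3233, d = 2753, m = 2790, phi = 3120;  /* constructed RSA toy instance */
    uint64_t R = 12345, r = 7;                          /* fixed "random" values for the demo */
    printf("plain           : %llu\n", (unsigned long long)modexp(m, d, N));
    printf("modulus blinded : %llu\n", (unsigned long long)modexp_blinded_modulus(m, d, N, R));
    printf("exponent blinded: %llu\n", (unsigned long long)modexp_blinded_exponent(m, d, N, phi, r));
    printf("2nd intermediate, mod N : %llu\n", (unsigned long long)partial_power(m, d, N, 2));
    printf("2nd intermediate, mod N': %llu\n", (unsigned long long)partial_power(m, d, N * R, 2));
    return 0;
}
```

With a fresh R or r drawn for every execution, the intermediate values differ from run to run, which is what removes the fixed, input-predictable intermediates the DPA of slide 43 needs.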

Page 46

Avoid Vulnerabilities regarding DSCA

Coming back to Previous Example:

1 The attacker acquires power traces for different input values
2 The attacker localizes the targeted XOR operation, and synchronizes curves on this operation
3 For each of the 2^8 guesses, the attacker calculates the correlation coefficient between the Hamming weight of the XOR result and the power traces acquired
4 The attacker can reduce the space of possible values for Y, if the correct guess gives one of the best scores

⇒ One critical step for the attacker is the timing localization of a specific sensitive operation, and its synchronization over multiple traces

Page 47

Avoid Vulnerabilities regarding DSCA

Rule: Remove the possibility for an attacker to find "easily" a sensitive manipulation. Remove also the possibility to synchronize "easily" this manipulation over multiple traces

Page 48

Avoid Vulnerabilities regarding DSCA

Countermeasure, Desynchronization: Introduce dummy events of random duration, before and/or after the targeted manipulation.

Example: Program using the desynchronization (sensitive XOR X ⊕ Y):
    Generate a random R
    i = 0
    while ((++i) != R)
        "dummy operation"
    Z = X ⊕ Y
    . . .

Page 49

Avoid Vulnerabilities regarding DSCA

Countermeasure, Order Randomization of Operations: Perform operations in an unpredictable order, different each time, to avoid an easy synchronization on sensitive events

Example: Program using the Order Randomization of Operations (sensitive XORs Xi ⊕ Yi, i = 0 . . . 7):
    for i from 0 to 7 in random order
        Zi = Xi ⊕ Yi

⇒ Harder for the attacker to locate the XOR for a specific index
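The desynchronization loop of slide 48 and the shuffled XORs of slide 49 in C, as an added example that is not code from the slides. The random source is a small xorshift generator seeded with a constant so the demo is reproducible; on a real device it would be the hardware RNG, and that substitution is an assumption of this example. The "random order" of slide 49 is realised with a Fisher-Yates shuffle of the indices 0..7, and R for the dummy loop is drawn in 1..max_delay so that the `while ((++i) != R)` loop of the slide can never run away.

```c
#include <stdint.h>
#include <stdio.h>

#define NB 8

/* Constructed stand-in for the device RNG (xorshift32, constant seed). */
static uint32_t rng_state = 0x2545F491u;
uint32_t rng_next(void)
{
    uint32_t s = rng_state;
    s ^= s << 13; s ^= s >> 17; s ^= s << 5;
    rng_state = s;
    return s;
}

/* Slide 48: a random number of dummy operations before the sensitive XOR.
 * Returns how many dummies ran so the caller can see the variation. */
unsigned desync_xor(uint8_t x, uint8_t y, uint32_t max_delay, uint8_t *z)
{
    volatile uint8_t dummy = 0;              /* volatile: keep the loop from being optimised away */
    uint32_t R = 1 + rng_next() % max_delay; /* R in 1..max_delay, never 0 */
    uint32_t i = 0;
    while ((++i) != R) dummy ^= (uint8_t)i;  /* "dummy operation" */
    *z = (uint8_t)(x ^ y);
    return R - 1;
}

/* Slide 49: execute the 8 XORs in a fresh random order. order[] receives the
 * permutation used, so that a test can check it is a real permutation. */
void shuffled_xor(const uint8_t x[NB], const uint8_t y[NB], uint8_t z[NB], uint8_t order[NB])
{
    for (int i = 0; i < NB; i++) order[i] = (uint8_t)i;
    for (int i = NB - 1; i > 0; i--) {                 /* Fisher-Yates */
        int j = (int)(rng_next() % (uint32_t)(i + 1));
        uint8_t t = order[i]; order[i] = order[j]; order[j] = t;
    }
    for (int k = 0; k < NB; k++) {
        int i = order[k];
        z[i] = (uint8_t)(x[i] ^ y[i]);
    }
}

/* 1 if order[] contains each index 0..7 exactly once. */
int is_permutation(const uint8_t order[NB])
{
    unsigned seen = 0;
    for (int i = 0; i < NB; i++) {
        if (order[i] >= NB) return 0;
        seen |= 1u << order[i];
    }
    return seen == (1u << NB) - 1u;
}

/* Runs the shuffled XOR on constructed inputs: 1 if the order is a permutation
 * and every z[i] equals x[i] ^ y[i] regardless of execution order. */
int demo_shuffle_ok(void)
{
    const uint8_t x[NB] = {0x10, 0x21, 0x32, 0x43, 0x54, 0x65, 0x76, 0x87};
    const uint8_t y[NB] = {0xA5, 0x5A, 0xFF, 0x00, 0x0F, 0xF0, 0x33, 0xCC};
    uint8_t z[NB], order[NB];
    shuffled_xor(x, y, z, order);
    if (!is_permutation(order)) return 0;
    for (int i = 0; i < NB; i++)
        if (z[i] != (uint8_t)(x[i] ^ y[i])) return 0;
    return 1;
}

/* Repeats the desynchronised XOR: 1 if the result is always right and the
 * dummy count always stays below max_delay. */
int demo_desync_ok(int trials, uint32_t max_delay)
{
    for (int t = 0; t < trials; t++) {
        uint8_t z;
        unsigned delay = desync_xor(0x5A, 0xC3, max_delay, &z);
        if (z != 0x99 || delay >= max_delay) return 0;
    }
    return 1;
}

int main(void)
{
    uint8_t z;
    for (int t = 0; t < 3; t++)
        printf("run %d: %u dummy operations before the XOR\n", t, desync_xor(0x5A, 0xC3, 100, &z));
    printf("shuffle check: %s\n", demo_shuffle_ok() ? "ok" : "FAILED");
    return 0;
}
```

Both countermeasures only raise the attacker's alignment cost (by the number of dummy cycles and by the 8! possible orders); they do not remove the sensitive value itself, which is why the slides present them alongside secret sharing rather than instead of it.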

Avoid Vulnerabilities regarding FA-DFA

Example: Program disturbance

Program for a PIN verification:

  if ENTERED_PIN = STORED_PIN then
      GrantAccess()
  else
      Mute()

Avoid Vulnerabilities regarding FA-DFA

Example: Program disturbance

Normal behavior: The user enters a wrong PIN

Program for a PIN verification:

  if ENTERED_PIN = STORED_PIN then
      GrantAccess()
  else
      Mute()

Avoid Vulnerabilities regarding FA-DFA

Example: Program disturbance

Faulty behavior: The user enters a wrong PIN, the program is disturbed

Program for a PIN verification:

  if ENTERED_PIN = STORED_PIN then      ← Fault injected
      GrantAccess()
  else
      Mute()

Avoid Vulnerabilities regarding FA-DFA

Rule: Remove the possibility for an attacker to find "easily" the key timing in the program for an exploitable fault injection.

See previous countermeasures

Avoid Vulnerabilities regarding FA-DFA

Rule: Beware of executing (or not executing) fake operations depending on the secret value.

Avoid Vulnerabilities regarding FA-DFA

Example: Square and Multiply Always Algorithm:

  A = 1
  for (i from 0 to L − 1) do {
      A = A × A mod N
      if di = 1 then
          A = A × m mod N
      else
          B = A × m mod N
  }
  return(A)

Avoid Vulnerabilities regarding FA-DFA

Example: Square and Multiply Always Algorithm:

  A = 1
  for (i from 0 to L − 1) do {
      A = A × A mod N
      if di = 1 then
          A = A × m mod N      ← Fault Injected
      else
          B = A × m mod N
  }
  return(A)

If the attacker introduces a fault in a real multiplication, the result is faulty

Avoid Vulnerabilities regarding FA-DFA

Example: Square and Multiply Always Algorithm:

  A = 1
  for (i from 0 to L − 1) do {
      A = A × A mod N
      if di = 1 then
          A = A × m mod N
      else
          B = A × m mod N      ← Fault Injected
  }
  return(A)

If the attacker introduces a fault in a fake multiplication, the result is safe
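An added Python example (not the slides' own code) of the Square-and-Multiply-Always loop above with a simulated fault on the multiplication of one chosen iteration, reproducing the two cases: a fault on a real multiply changes the output, a fault on the fake multiply does not. Function names and the toy modulus are constructed for the example.

```python
# Added example (not from the slides): Square-and-Multiply-Always with an
# optional simulated transient fault on one iteration's multiplication.

def sqr_mul_always(m, d, n, bits, fault_at=None):
    """Left-to-right m^d mod n over 'bits' exponent bits. Every iteration
    does one square and one multiply; when d_i = 0 the product goes to the
    dummy register B. If fault_at is an iteration index, the product of
    that iteration is corrupted (one flipped bit), whichever register it
    lands in."""
    a, b = 1, 1
    for i in range(bits):
        d_i = (d >> (bits - 1 - i)) & 1      # MSB first, as in the slides
        a = (a * a) % n
        prod = (a * m) % n
        if fault_at == i:
            prod ^= 1                        # simulated fault on the multiply
        if d_i == 1:
            a = prod                         # real multiplication
        else:
            b = prod                         # fake multiplication
    return a

def fault_is_visible(m, d, n, bits, fault_at):
    """True iff a fault at iteration fault_at changes the returned value:
    visible for a real multiply (d_i = 1), invisible for a fake one
    (d_i = 0). This difference is why the next slides require error
    detectors: the result must be checked, not merely computed."""
    return sqr_mul_always(m, d, n, bits) != sqr_mul_always(m, d, n, bits, fault_at)
```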

Avoid Vulnerabilities regarding FA-DFA

Rule: Put error detectors in the code to guarantee the correct execution of the program.

Avoid Vulnerabilities regarding DSCA

Countermeasure: Consistency check: Use verifications of consistency. Check that the program executes and ends as expected.

Example: Program using a consistency check (inverse operation):

  C = AES-128 encrypt(P, K)
  X = AES-128 decrypt(C, K)
  if X ≠ P
      "Fault Detected"

There are many ways of checking consistency.


RSA-CRT system

RSA-CRT parameters:
  (N, e)                   Public key
  (p, q, d_p, d_q, i_q)    Private key

such that
  N = p × q, (p, q large primes)
  gcd((p − 1), e) = 1
  gcd((q − 1), e) = 1
  d_p = e^(−1) mod (p − 1)
  d_q = e^(−1) mod (q − 1)
  i_q = q^(−1) mod p

Application examples for RSA-CRT

Process of a naive RSA-CRT signature

  Input: m, p, q, d_p, d_q, i_q, N
  m_p = m mod p
  S_p = m_p^(d_p) mod p
  m_q = m mod q
  S_q = m_q^(d_q) mod q
  S = S_q + q × (i_q × (S_p − S_q) mod p)
  return S


Application examples for RSA-CRT

Process of a naive RSA-CRT signature

  Input: m, p, q, d_p, d_q, i_q, N
  m_p = m mod p                  ← Vulnerability to TA
  S_p = m_p^(d_p) mod p
  m_q = m mod q                  ← Vulnerability to TA
  S_q = m_q^(d_q) mod q
  S = S_q + q × (i_q × (S_p − S_q) mod p)
  return S

An attacker could proceed by dichotomy to find min(p, q):
⇒ If m < min(p, q), no modular reduction
⇒ If m ≥ min(p, q), modular reduction

Application examples for RSA-CRT

Process of a naive RSA-CRT signature (+ Vulnerability Corrected)

  Input: m, p, q, d_p, d_q, i_q, N
  m = m + N
  m_p = m mod p
  S_p = m_p^(d_p) mod p
  m_q = m mod q
  S_q = m_q^(d_q) mod q
  S = S_q + q × (i_q × (S_p − S_q) mod p)
  return S

⇒ Whatever m, a modular reduction takes place

Application examples for RSA-CRT

Process of a naive RSA-CRT signature

  Input: m, p, q, d_p, d_q, i_q, N
  m_p = m mod p
  S_p = m_p^(d_p) mod p
  m_q = m mod q
  S_q = m_q^(d_q) mod q
  γ = i_q × (S_p − S_q) mod p
  S = S_q + q × γ
  RETURN(S)

Application examples for RSA-CRT

Process of a naive RSA-CRT signature

  Input: m, p, q, d_p, d_q, i_q, N
  m_p = m mod p
  S_p = m_p^(d_p) mod p
  m_q = m mod q
  S_q = m_q^(d_q) mod q
  γ = i_q × (S_p − S_q) mod p
  S = S_q + q × γ                ← Let us consider sensitivity to DSCA
  RETURN(S)

Application examples for RSA-CRT

DSCA on the recombination in RSA-CRT

1 The attacker makes several acquisitions and collects the signature results
2 The attacker tries to discover q byte per byte from MSB to LSB (most to least significant)
3 The attacker makes a hypothesis for the i-th byte: b = 2^8 * b + hypothesis(q_i) (starting from b = 0)
4 The attacker computes ω = S/b
5 The attacker tries to correlate ω with γ when it is manipulated in the recombination
6 If the guess for the byte is correct, the ω values are highly correlated with γ

Application examples for RSA-CRT

Process of a naive RSA-CRT signature (+ Vulnerability Corrected)

  Input: m, p, q, d_p, d_q, i_q, N, e
  m_p = m mod p
  S_p = m_p^(d_p) mod p
  m_q = m mod q
  S_q = m_q^(d_q) mod q
  i_p = p^(−1) mod q
  S = (p × i_p × S_q + q × i_q × S_p) mod N
  RETURN(S)

⇒ Remove the appearance of γ by using Gauss' formula for the recombination


Application examples for RSA-CRT

Process of a naive RSA-CRT signature (with FA effect)

  Input: m ∈ Z_N, p, q, d_p, d_q, i_q
  m_p = m mod p
  S_p = m_p^(d_p) mod p          ← Fault Injection
  m_q = m mod q
  S_q = m_q^(d_q) mod q
  S̃ = S_q + q × (i_q × (S_p − S_q) mod p)
  return S̃

⇒ Vulnerability to FA: gcd((S̃ − S) mod N, N) = q, where S̃ is the faulty signature and S the correct one

Application examples for RSA-CRT

Process of a naive RSA-CRT signature (with FA effect)

Why gcd((S̃ − S) mod N, N) = q?

The faulty signature S̃ is s.t.
  S̃ ≡ S mod q
  S̃ ≢ S mod p

(S̃ − S) mod N is s.t.
  (S̃ − S) mod N ≡ 0 mod q
  (S̃ − S) mod N ≢ 0 mod p

⇒ (S̃ − S) mod N is a multiple of q (and not of p)

Application examples for RSA-CRT

Process of a naive RSA-CRT signature (+ Vulnerability Corrected)

  Input: m, p, q, d_p, d_q, i_q, N, e
  m_p = m mod p
  S_p = m_p^(d_p) mod p
  m_q = m mod q
  S_q = m_q^(d_q) mod q
  S = S_q + q × (i_q × (S_p − S_q) mod p)
  if (S^e mod N = m)
      RETURN(S)
  else
      "Fault Detected"

Use a consistency check with the inverse operation

Application examples for RSA-CRT

Process of a naive RSA-CRT signature (+ Shamir CM against FA), e not available

  Input: m, p, q, d_p, d_q, i_q, N
  select t, a small random
  Compute d s.t. d mod (p − 1) = d_p and d mod (q − 1) = d_q
  m_p = m mod pt
  S_pt = m_p^d mod pt
  m_q = m mod qt
  S_qt = m_q^d mod qt
  S_p = S_pt mod p, S_q = S_qt mod q
  S = S_q + q × (i_q × (S_p − S_q) mod p)
  if (S_pt mod t = S_qt mod t)
      RETURN(S)
  else
      "Fault Detected"

Use a consistency check with modulus extension
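An added Python example (not from the slides) that puts the RSA-CRT countermeasures of this section together on a constructed toy key: the m + N trick against the timing leak of the first reduction, Gauss' recombination in place of the γ-based one, and both fault detectors (the S^e mod N = m check and Shamir's modulus extension). Key values, function names and the injected fault are constructed for the example; the primes are far too small for real use.

```python
# Added example (not from the slides): toy RSA-CRT signature with the
# timing fix, Gauss recombination and two fault detectors. The simulated
# fault flips one bit of S_p, as on the "FA effect" slide.
from math import gcd

P, Q, E = 1000003, 1000033, 65537          # constructed toy key: both are primes
N = P * Q
DP, DQ = pow(E, -1, P - 1), pow(E, -1, Q - 1)
IQ, IP = pow(Q, -1, P), pow(P, -1, Q)      # i_q = q^-1 mod p, i_p = p^-1 mod q

class FaultDetected(Exception):
    pass

def crt_halves(m, fault_sp=False):
    """S_p = m_p^d_p mod p and S_q = m_q^d_q mod q.
    fault_sp simulates a transient fault (one flipped bit) on S_p."""
    m = m + N   # (m + N) mod p == m mod p, but now a reduction always
                # takes place whatever m: no timing leak on m < min(p, q)
    s_p = pow(m % P, DP, P)
    if fault_sp:
        s_p ^= 1
    s_q = pow(m % Q, DQ, Q)
    return s_p, s_q

def recombine_garner(s_p, s_q):
    """Naive recombination S = S_q + q * gamma; gamma is the DSCA target."""
    gamma = (IQ * (s_p - s_q)) % P
    return s_q + Q * gamma

def recombine_gauss(s_p, s_q):
    """Gauss' formula: gamma never appears in the computation."""
    return (P * IP * s_q + Q * IQ * s_p) % N

def sign_checked(m, fault_sp=False):
    """Gauss recombination + inverse-operation check (e is available)."""
    s = recombine_gauss(*crt_halves(m, fault_sp))
    if pow(s, E, N) != m % N:
        raise FaultDetected
    return s

def sign_shamir(m, t=65519, fault_sp=False):
    """Shamir's check when e is not available: exponentiate modulo p*t and
    q*t with one common exponent d and compare both results modulo t.
    t should be a fresh small random per call; fixed here for determinism."""
    lcm = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)
    d = pow(E, -1, lcm)      # d mod (p-1) = d_p and d mod (q-1) = d_q
    m = m + N
    s_pt = pow(m % (P * t), d, P * t)
    if fault_sp:
        s_pt ^= 1
    s_qt = pow(m % (Q * t), d, Q * t)
    if s_pt % t != s_qt % t:
        raise FaultDetected
    return recombine_gauss(s_pt % P, s_qt % Q)

def detects_fault(signer, m):
    """True if the checked signer refuses to output a faulty signature."""
    try:
        signer(m, fault_sp=True)
    except FaultDetected:
        return True
    return False

def unchecked_fault_leaks_q(m):
    """Checks the slides' observation on the toy key: for the naive,
    unchecked signature, gcd((S~ - S) mod N, N) = q."""
    s = recombine_garner(*crt_halves(m))
    s_faulty = recombine_garner(*crt_halves(m, fault_sp=True))
    return gcd((s_faulty - s) % N, N) == Q
```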

Application examples for AES-128

Process of a naive AES-128

  Input: K = 16-byte Key, P = 16-byte Plaintext
  State ← P
  RoundKey ← K
  AddRoundKey(State, RoundKey)
  Round ← 0
  while (Round < 9) {
      SubBytes(State)
      ShiftRow(State)
      MixColumn(State)
      KeySchedule(RoundKey, Round)
      AddRoundKey(State, RoundKey)
      Round++
  }
  SubBytes(State)
  ShiftRow(State)

Application examples for AES-128

Process of a naive AES-128

  Input: K = 16-byte Key, P = 16-byte Plaintext
  State ← P
  RoundKey ← K
  AddRoundKey(State, RoundKey)       ← Considering sensitivity to DSCA
  Round ← 0
  while (Round < 9) {
      SubBytes(State)
      ShiftRow(State)
      MixColumn(State)
      KeySchedule(RoundKey, Round)
      AddRoundKey(State, RoundKey)
      Round++
  }
  SubBytes(State)
  ShiftRow(State)

Application examples for AES-128

Secret sharing and AddRoundKey:

Split the state S = S0, S1, ..., S15 into 2 shares S1 and S2 s.t. S = S1 ⊕ S2

Thus the AddRoundKey operation on state S = S0, S1, ..., S15 can be performed on one of the 2 shares:

  e.g. S1 = S1 ⊕ K

The values of S1 and S2 before and after AddRoundKey are not predictable


Application examples for AES-128

Process of a naive AES-128

  Input: K = 16-byte Key, P = 16-byte Plaintext
  State ← P
  RoundKey ← K
  AddRoundKey(State, RoundKey)
  Round ← 0
  while (Round < 9) {
      SubBytes(State)                ← Considering sensitivity to DSCA at round 0
      ShiftRow(State)
      MixColumn(State)
      KeySchedule(RoundKey, Round)
      AddRoundKey(State, RoundKey)
      Round++
  }
  SubBytes(State)
  ShiftRow(State)

Application examples for AES-128

The SubBytes operation:

Apply 16 times (once per byte) a non-linear operation: {0, 1}^8 → {0, 1}^8

Can be seen as an inversion composed with an affine transformation in GF(2^8)

Can be implemented as a Look-Up Table (LUT) of 256 bytes

Application examples for AES-128

Secret sharing and SubBytes with LUT: The basic method

Split the 16-byte state S = S0 || S1 || ... || S15 into 2 shares maskedS and T:

  S = maskedS ⊕ T

with the 16-byte parameter T = X || X || ... || X, X ∈ [0, 255]

The SubBytes operation on state S = S0, S1, ..., S15 can be performed on the share maskedS, but with a modified Substitution Box (pre-computation):

  for y from 0 to 255
      Sbox'[y ⊕ X] = Sbox[y] ⊕ X

⇒ Requires 256 extra bytes in RAM
⇒ There are much more elaborate methods
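An added Python example (not from the slides) of the basic masking method above applied to round 0 of AES-128: one random byte X masks all 16 state bytes (T = X || X || ... || X), AddRoundKey is applied to the masked share only, and SubBytes uses the recomputed table Sbox'[y ⊕ X] = Sbox[y] ⊕ X. The S-box is derived from the GF(2^8) inversion and affine map named on the previous slide rather than typed in; all function names are my own.

```python
# Added example (not from the slides): masked AddRoundKey + SubBytes for
# AES-128 round 0 with a single mask byte X, as on the slides above.
import secrets

def gf_mul(a, b):
    """Multiplication in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a):
    """a^254 = a^-1 in GF(2^8); yields 0 for a = 0, as AES requires."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def affine(x):
    """AES affine transformation: x ^ rotl(x,1) ^ ... ^ rotl(x,4) ^ 0x63."""
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return x ^ rot(x, 1) ^ rot(x, 2) ^ rot(x, 3) ^ rot(x, 4) ^ 0x63

SBOX = [affine(gf_inv(x)) for x in range(256)]   # the unprotected LUT

def masked_sbox(x_mask):
    """The slide's pre-computation: Sbox'[y ^ X] = Sbox[y] ^ X.
    Costs the 256 extra bytes of RAM the slide mentions."""
    table = [0] * 256
    for y in range(256):
        table[y ^ x_mask] = SBOX[y] ^ x_mask
    return table

def masked_round0_subbytes(plain, key, x_mask=None):
    """AddRoundKey followed by SubBytes, computed on the masked share only.
    Returns (masked_state, X); the real state is masked_state ^ X."""
    if x_mask is None:
        x_mask = secrets.randbelow(256)      # fresh T = X||X||...||X each run
    masked = [p ^ x_mask for p in plain]      # maskedS = S ^ T
    masked = [b ^ k for b, k in zip(masked, key)]   # AddRoundKey on one share
    sbox_m = masked_sbox(x_mask)
    masked = [sbox_m[b] for b in masked]      # SubBytes through Sbox'
    return masked, x_mask

def unmask(masked, x_mask):
    """Recombine the two shares: S = maskedS ^ T."""
    return [b ^ x_mask for b in masked]

def reference_round0_subbytes(plain, key):
    """Unprotected reference: SubBytes(AddRoundKey(P, K))."""
    return [SBOX[p ^ k] for p, k in zip(plain, key)]
```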


Conclusion

It is not always easy to verify that a countermeasure is effective

By Code Audit
  • But the compiler could remove countermeasures
  • But the cache could create vulnerabilities

Practical Realization of the Attacks
  • May be costly to realize all possible attacks
  • But if no vulnerability is found, was the attack set-up effective?

Conclusion

It is not always easy to verify that a countermeasure is effective

Hand Methods
  • List exhaustively all intermediate variables (regarding DSCA)
  • List exhaustively all fault effects (regarding FA)
  • How to be confident that the list is exhaustive?

Towards the usage of Formal Methods
  • Use trusted provers to prove the resistance
  • For now, mainly used for fault resistance assessment only
  ⇒ Difficult to guarantee that the abstraction level is correct
  ⇒ The proof is often correct only for a specific implementation (HW specific)

Conclusion

It is not always easy to identify the assets

Assets may be different depending on the application

  • RSA signature S = m^d mod N
  • RSA decipher S = m^d mod N


Conclusion

It is not always easy to identify the assets

Assets may be different depending on the application

  • RSA cipher m = S^e mod N
  • RSA verification m = S^e mod N

Conclusion

It is not always easy to identify the assets

Assets may be different depending on the application

  • RSA cipher m = S^e mod N
  • RSA verification m = S^e mod N        The asset is the comparison that comes after

Conclusion

It is not always easy to identify all attack paths

All existing attacks should be considered: the list is huge

Attacks are always in motion, new ones appear regularly

Some must-read references (not exhaustive)

  On the Importance of Eliminating Errors in Cryptographic Computations, Boneh et al., Bellcore Report, '96
  Method and Apparatus for Protecting PK Schemes from Timing and Fault Attacks, Shamir, '97
  DPA, Kocher et al., CHES'99
  Timing Attacks on Implementations of DH, RSA, DSS, and Other Systems, Kocher et al., '99
  DES and DPA: the "Duplication" Method, Goubin et al., CHES'99
  Resistance against DPA for ECC, Coron et al., CHES'99

Some must-read references (not exhaustive)

  PKCS#1: RSA Cryptographic Standard, RSA Laboratories
  ANSI X9.63, Public Key Cryptography for the Financial Industry
  FIPS 197: AES, NIST, '01
  A Sound Method for Switching between Boolean and Arithmetic Masking, Goubin et al., CHES'01
  The Montgomery Powering Ladder, Joye et al., CHES'02
  DFA on AES, Dusart et al., '03
  CPA with a Leakage Model, Brier et al., CHES'04
  ...