Securizarea avansata a sistemelor de calcul
Marios Choudary UPB
Side-channel attacks
Smartcards used in many applications (e.g. banking)
Other examples: Pay-TV, transport
Microcontroller in smartcards
Microcontrollers “leak” information via physical side-channel
example of leakage: EM, power
• We may target:
• cryptographic algorithms (secret keys)
• instructions (reverse engineering)
• data (bus eavesdropping)
CMOS leakage
[Figure: typical NAND gate; labels: inputs A and B, VDD, IDD, Z, CL, pull-up network, pull-down network]
A = 0 or B = 0:
CL charges => current flows out
[Figure: typical NAND gate; labels: inputs A and B, VDD, IDD, Z, CL, pull-up network, pull-down network]
A = B = 1:
CL discharges => current flows in
CL may be input of next gate or bus lines (large capacitance)
Use an oscilloscope to measure power consumption of a microcontroller
[Figure: measurement setup; labels: trigger signal, USB to PC, clock signal, Atmel XMEGA, power supply, active probe]
Transitions of all CMOS gates affect overall power consumption
[Plot: current (mA) against sample index, traces for k=0 and k=255]
(loading a value into a register, when the previous value on the bus was 0)
Power consumption of loading one byte with different values
k = 0, 1, …, 9
[Plot: leakage for one sample, in milliamps, for the values 0 to 9]
Beginnings of power analysis
Paul Kocher, 1997
(see “Differential Power Analysis”, Kocher et al., CRYPTO ’98)
Differential power analysis
1. Select target computation: typically the S-box lookup in a block cipher (DES, AES)
CHAPTER 2. OBTAINING SIDE-CHANNEL LEAKAGE TRACES (p. 29)
[Figure 2.3 diagram; labels: k, ⊕, p, S-box, u, v]
Figure 2.3: A general S-box scenario, where k is a part of the secret key of a block cipher.
the task of finding the full master key into smaller tasks of attacking only small parts k of the entire key.
2.1.3 Side-channel attacks
I now briefly describe the most common side-channel attacks evaluated in the academic community.
Simple Power Analysis (SPA)
Kocher et al. [58] showed that, by simply observing a single power trace of a microcontroller, it is possible to reveal the sequence of instructions being executed. This may be used to extract the secret key of a cryptographic algorithm by targeting the key schedule if this involves conditional branching, by targeting comparison operations, or by targeting the exponentiators needed in public-key cryptographic algorithms such as RSA [88]. Simple and efficient countermeasures for SPA rely on preventing the use of secret data for conditional branching operations. Furthermore, Kocher et al. mentioned that SPA will probably fail on most hardware implementations of block ciphers due to their small power consumption variation. As a result SPA is not considered a major security threat if simple precautions are taken, but the following attacks are.
Differential Power Analysis (DPA)
Kocher et al. [58] also showed a much more powerful attack against DES (which also works very well against AES), known as Differential Power Analysis (DPA). It exploits a known² relation (such as the input-output relationship of the S-box in Figure 2.3),
² This assumes knowledge of the target algorithm.
2. Apply “divide et impera”:
a good block cipher cannot be brute-forced due to large key size (AES ≥ 128 bits)
=> we target one byte at a time: reduce brute-force from 2^128 to 16*2^8 (in best case)
3. Take a large number (thousands, millions) of leakage traces
Typically interested in a single sample
[Plots: N leakage traces, current [mA] against time [µs]; the sample at time t_i of each trace gives x_1, x_2, …, x_N]
4. Split samples based on the value of some bit b that is a function of k and p
b = f(k, p)
e.g. b = MSB(S-box(p ⊕ k)) for AES
[Figure (Dan Boneh): AES is a Subs-Perm network (not Feistel); labels: input, ⊕ with k1, k2, …, kn, S-boxes S1 S2 S3 … S8, subs. layer, perm. layer, inversion, output]
5. Find k for which difference between average power consumption in the two groups is largest:
$$\Delta_k = \left(\overline{\mathrm{power}}_{b=0} - \overline{\mathrm{power}}_{b=1}\right)$$
[Plots: samples on a current [mA] axis, split into groups b==0 and b==1 with b = f(k, p), one plot per candidate k]
k=0: avg(b==0) - avg(b==1) ≈ 0
k=1: avg(b==0) - avg(b==1) ≈ 0
k=42 (correct): avg(b==0) - avg(b==1) = max
[Figure from “Differential Power Analysis”, p. 393]
[Kocher et al. ’99]
Correlation Power Analysis
• Test correlation between actual leakage samples (e.g. obtained with an oscilloscope) and hypothetical leakage (e.g. with Hamming Weight model and key candidate)
• Most common candidate: HW(S-box(p ⊕ k))
• Pearson’s correlation for 2 variables X, Y:
$$\rho_{XY} = \frac{\sum_{i=1}^{N}(x_i - \bar{x})(y_i - \bar{y})}{\sqrt{\sum_{i=1}^{N}(x_i - \bar{x})^2} \cdot \sqrt{\sum_{i=1}^{N}(y_i - \bar{y})^2}}$$
• When X, Y are correlated, then $\rho_{XY}$ is high
• Idea for side-channel attacks:
• Use actual leakage for X
• Use expected leakage from HW model with candidate k for Y: Y = HW(S-box(p ⊕ k))
• Compute $\rho_{XY}$ for all possible byte values k and choose k with highest $\rho_{XY}$
Example from attack on real cryptographic ASIC
Left: correlation with good key as function of number of traces (N)
Right: correlation as a function of key candidate for fixed N
Figure from https://iis-people.ee.ethz.ch/~kgf/acacia/c3.html
Defences and Secure IC industry
Countermeasures
• Noise generation: try to keep the data-dependent signal below the noise floor
• Randomise computations: make it hard to align traces
• Masking: split data into several shares and compute on those such that leakage does not depend on key/data but on random values
• Dual rail and other special hardware architectures
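The DPA split on b = MSB(S-box(p ⊕ k)), the CPA test with Y = HW(S-box(p ⊕ k)) and the masking countermeasure above, as an added example that is not part of the original slides, run on constructed traces (one simulated sample per trace: Hamming weight of the handled byte plus Gaussian noise). The function names, noise level, trace count and the simulation itself are assumptions; the key byte 42 is the slides' example value.

```python
import math
import random

def _aes_sbox():
    """AES S-box from its definition: inverse in GF(2^8), then the affine map."""
    exp, log, x = [0] * 255, [0] * 256, 1
    for i in range(255):                       # powers of the generator 0x03
        exp[i], log[x] = x, i
        x ^= (x << 1) ^ (0x11B if x & 0x80 else 0)
    box = []
    for a in range(256):
        inv = exp[(255 - log[a]) % 255] if a else 0
        s = inv ^ 0x63
        for n in range(1, 5):                  # XOR in rotl(inv, 1..4)
            s ^= ((inv << n) | (inv >> (8 - n))) & 0xFF
        box.append(s)
    return box

SBOX = _aes_sbox()
HW = [bin(v).count("1") for v in range(256)]   # Hamming-weight leakage model

def simulate(key, n, rng, masked=False, noise=1.0):
    """Constructed traces: one sample each, HW of the handled byte plus noise."""
    pts, xs = [], []
    for _ in range(n):
        p = rng.randrange(256)
        v = SBOX[p ^ key]
        if masked:                             # device only handles v XOR a fresh mask
            v ^= rng.randrange(256)
        pts.append(p)
        xs.append(HW[v] + rng.gauss(0.0, noise))
    return pts, xs

def dpa_delta(pts, xs, k):
    """DPA steps 4-5: split on b = MSB(S-box(p XOR k)); avg(b==0) - avg(b==1)."""
    g = ([], [])
    for p, x in zip(pts, xs):
        g[SBOX[p ^ k] >> 7].append(x)
    return sum(g[0]) / max(1, len(g[0])) - sum(g[1]) / max(1, len(g[1]))

def pearson(xs, ys):
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = math.sqrt(sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys))
    return num / den if den else 0.0

def cpa(pts, xs):
    """CPA: correlate samples with HW(S-box(p XOR k)) for every candidate k."""
    rho = [pearson(xs, [HW[SBOX[p ^ k]] for p in pts]) for k in range(256)]
    return max(range(256), key=rho.__getitem__), rho

if __name__ == "__main__":
    rng = random.Random(1)
    pts, xs = simulate(42, 2000, rng)          # constructed, unprotected device
    print("DPA:", max(range(256), key=lambda k: abs(dpa_delta(pts, xs, k))))
    k, rho = cpa(pts, xs)
    print("CPA:", k, round(rho[k], 2))
    pts, xs = simulate(42, 2000, rng, masked=True)
    print("masked, highest rho:", round(max(cpa(pts, xs)[1]), 2))
```

With `masked=True` the simulated sample depends only on a random value, so no key candidate stands out in the correlation.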
Industrial impact
• Development of countermeasures (hardware, software) - see Infineon, Gemalto, NXP, etc.
• Common Criteria evaluation
• Evaluation and certification laboratories
• National security evaluations
• One evaluation may cost > 100.000 EUR