side-channel attacks on smartcards
TRANSCRIPT
18
SMART CARDS
Two-factor authentication uses a combi-nation of security mechanisms:• Something the user has, for example
a smartcard.• Something the user knows, for exam-
ple a PIN number.
The use of smartcards and PINs is becoming an increasingly popular and cost-effective method of two-factor authentication. Users must be in a pos-session of a smartcard as well as know the PIN number in order to gain access to any resources on the network. The risk of unauthorised access to network resources is significantly reduced since an attacker would have to steal the smart-card itself as well as obtaining the PIN.
One of the greatest advantages of smartcards compared to other storage media is that they can store data such as a digital certificate used for logon credentials securely, so that it is kept secret. Smartcards do this using tamper resistant hardware designed specifically for the purpose, as well as using cryp-tographic algorithms to protect secret information. However, security is not solely dependent on the complexity of the cryptographic algorithms being used. It should not be forgotten that physical crypto-systems have their own vulner-abilities, and that smartcards are not tamper-proof, merely tamper-resistant.
Common attacks on smartcardsThe common attacks on smartcards can be broken down into three main classes:• Logical• Physical• Side-channel
Logical attacksSoftware attacks on smartcards attempt to exploit implementation vulnerabilities in the card through its own commu-nication interface. This kind of attack can involve exploiting buffer overflows or other logic bugs to execute arbitrary code on the card. On certain cards it may also involve using trojans to inject malicious code into the card. In the past, poor implementations have allowed brute forcing of PIN numbers.
“One of the greatest advantages of smart-cards compared to other storage media is that they can store data such as a digital certificate used for logon credentials securely, so that it is kept secret.”
Physical attacksEarly smartcards used a dedicated con-nection to receive a programming volt-age; this gave rise to some very simple attacks. For example, by placing tape over the programming voltage contact on a phone card your credit would not be decremented when you used the card.
Nowadays physical attacks are usually invasive, for example rewiring a circuit on the chip. This often involves add-ing tracks to the chip in order to restore circuitry used in the production process. If these circuits can been restored an attacker may gain access to functional-ity used to test the chip before it has
been finalized, such as being able to dump the contents of the chip’s memory. Alternatively, tracks on the chip may be cut in order to damage circuitry. For example an attacker may attempt to interfere with random number generation helping them to break the encryption used on the card. A further possibility is to insert probe pins into the chip to monitor data on the chip’s buses.
Environmental attacks involve alter-ing the physical environment around the card, such as temperature, UV radiation, light, or x-ray, in order to induce faults. Inducing faults and causing the chip to behave abnormally can sometimes allow an attacker to bypass security measures, or gain extra information from the behaviour of the card which may infer secrets.
In general physical attacks are time consuming and destructive. It is likely that a large number of sample chips will be destroyed before an attack is success-ful. In order to modify the circuitry on a chip, special equipment such as Focused Ion Beam (FIB), and probe stations are required, which are only available to very wealthy attackers.
Side-channel attacksSide-channel attacks exploit information leaked by the physical characteristics of the card during execution of the algo-rithm. This extra information can be used to infer secrets, and can come in the form of timing, power, or radiation.
Timing attacks are based on the prin-ciple that the time it takes for the card to execute the cryptographic algorithm depends on the value of the secret data. By measuring and analysing small dif-ferences in processing time, an attacker can infer secret data. Timing attacks can be very effective against carelessly imple-mented algorithms.
Power analysis attacks use information leaked by a card’s power consumption. When this class of attack was first discov-ered by Paul Kocher and his colleagues nearly all of the cards on the market were vulnerable. Simple Power Analysis (SPA) attacks rely on detailed knowledge of the cryptographic algorithm that has been implemented and visual inspection of the power consumption curve, to extract the cryptographic key. Differential Power
Side-channel attacks on smartcardsAdam Matthews, Security Consultant, NGS Software
The much-discussed problem of single-secret authentication for accessing network resources can be overcome by using two-factor authentication systems. But the use of smartcards brings with it risks of its own.
Network Security December 2006
19
SMART CARDS
Analysis (DPA) is a more powerful attack based on SPA, it adds the power of sta-tistical techniques to separate signal from noise, and requires less detailed knowledge of the implementation of the cryptograph-ic algorithm on the card.
Electromagnetic Analysis (EMA) attacks are very similar to DPA, but they exploit the information leaked in the electromag-netic emanations from the card while it is running. EMA can have several advantages over other side-channel attacks.
Electromagnetic Analysis (EMA)When a bit is flipped from 0 to 1 or vice-versa, the device’s transistors are on for a short period of time resulting in a current pulse. The more circuits change their state, the more power is dissipated. This is why information leaks when data flips, and why the power curve correlates to the number of bits that flip during an operation. This current pulse causes variation in the EM field surrounding the chip, which can be measured by an inductive probe.
The EM side-channel, although experi-mentally more complicated, has several advantages over other side-channel attacks. Despite being more noisy, the measure-ments have a higher signal to noise ratio than those collected from the power side-channel, and therefore give better differential curves making the correct key guess easier to identify, and requiring fewer samples.
Another advantage is that EMA does not suffer from the problem of ‘false alarms’. In a DPA attack it is expected that the differential curve with the highest peaks will represent the correct sub key guess, however, experimentally this is not always the case; large peaks can sometimes be observed for incorrect guesses. This false alarm problem can be attributed to the fact the power consumption relates to the power consumption of all the components of the chip, and not just those processing the algorithm, it may be due to the way the algorithm is implemented in code. EMA is less prone to these false alarms since the data collected is better correlated to the processing of secret information, as it is possible to isolate the various compo-nents of the chip for individual analysis.
Mounting a side-channel attackIt is relatively cheap to mount a side-channel attack on a smartcard, and only a limited amount of equipment and technical knowledge is required. Using a DES access control card as an example, I outline the process of mounting an EMA side-channel attack.
There are several requirements that must be first met in order to carry out a successful EMA attack. The attacker must be able to take precise EM meas-urements, they must have detailed knowledge of the algorithm being com-puted, and they must also have knowl-edge of the plain-text corresponding to each encryption operation captured.
The first step is to capture EM meas-urements of the first round of DES encryption operations, and the corre-sponding plain-texts. The EM signal col-lected is a sampled version of the EM ema-nations from the target area of the chip during the first round of DES execution. Next, a selection function is chosen, which splits the data into two sets depending on the value of a single bit. An average EM trace is constructed from each set, and the EMA bias signal is obtained by calculating the differential between the average traces. Because of the selection function we have chosen the resulting EMA bias signal can be used to verify the correct key guess.
The selection function is chosen because at some point during the DES implementation, the software must cal-culate the value of this bit. When this calculation occurs, or whenever this bit is manipulated, there will be a slight dif-ference in the amount of power dissipat-ed by the chip, depending on whether this bit is a zero or a one.
One of the inputs to the selection function is the 6-bit sub key input to the DES S-box. These bits are not available to the attacker, so all 26 possible sub key bits must be guessed. For each guess, a new partition is created for the power signatures, and a new differential trace is calculated. The trace for the correct guess will show biases wherever the selec-tion bit was manipulated. If the wrong guess was made, then the differential trace will show no biases.
With this approach the attacker can determine the 6-bit sub key input to S-box 1 in the first round of DES. By repeating these steps he can find inputs for the seven other S-boxes, which gives him the entire round one sub key. This gives 48 bits of the secret key, and the remaining 8 bits can be found by brute force. Using the extra information leaked by the EM side-chan-nel, and breaking the encryption algorithm in this way takes far less time than a brute force attack on the entire 56-bit key.
CountermeasuresModern cards manufactured by well established vendors incorporate counter-measures that protect against side-chan-nel attacks such as EMA.
Hardware countermeasures to protect chips against EM attack include adding a metal layer to the chip, to contain radia-tion, and placing an active grid on top of the chip to introduce more noise into the EM field, blurring the emanations. Radiation can also be reduced by shrinking the technology, and using smaller transis-tors in the construction of the chip. All of these measures will reduce the leakage of useful information via the EM side-chan-nel, which will greatly increase the amount of samples needed to perform a successful attack, making the attack less feasible. An attacker with infinite samples could still perform an EMA attack on the reduced signal. It is possible that in the future, alter-natives to semiconductor technology will be developed that do not leak information, and semiconductors will no longer be used.
Since EMA requires the attacker to know the time at which a certain bit is manipulated, inserting random time delays in the execution of the algorithm would help prevent against the attack. An even more effective measure would be to intro-duce random clock-cycles, which would mean the EM traces were not synchro-nized, and calculating average and differen-tial traces would be far more difficult.
Other measures such as nonlinear key updates can help prevent attackers from being able to correlate power traces with encryption operations. Also key use counters can be used to prevent attackers collecting the large samples necessary in order to perform the attack.
December 2006 Network Security
...continued on page 20
20
18-21 December 2006International Conference on High Performance ComputingLocation: Bangalore, IndiaWebsite: www.hipc.org
5-9 February 2007RSA Conference USA 2007Location: San Francisco, USAWebsite: www.rsaconference.com
11-15 March 2007 22nd Annual ACM Symposium on Applied Computing Location: Seoul, Korea Website: http://comp.uark.edu/%7Ebpanda /sac-cf.htm
12-15 March 2007Architecture of Computing SystemsLocation: Zurich, SwitzerlandWebsite: http://arcs07.ethz.ch
18-21 March 2007ISACA EuroCACSLocation: Vienna, AustriaWebsite: www.isaca.org
16-20 April 20075th Intl. Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless NetworksLocation: Limassol, CyprusWebsite: www.wiopt.org/
17-19 AprilCSRC 6th Annual PKI R&D ConferenceLocation: Gathersburg, MD, USAWebsite: http://csrc.nist.gov/events
24-26 April 2007Infosecurity EuropeLocation: London, UKWebsite: www.infosec.co.uk
30 April - 3 May 2007New Technologies, Mobility and Security 2007Location: Beirut, LebanonWebsite: www.ntms2007.org
NEWS
EVENTS CALENDAR
Network Security December 2006
...continued from page 2
“In recent months, the focus has predominately been on targeted virus attacks and spam has hardly received any attention,” says Mark Sunner, CTO, MessageLabs but the arrival of SpamThru and Warezov has changed that. As seen in previous years, spam levels are expected to continue to climb as the spammers inten-sify their efforts around the holiday season.
The Intelligence Report showed that in October, the global ratio of spam in email traffic from new and unknown bad sources was 73% – an increase of 8.5% on the previous month. This is the sharpest rise in spam levels since January 2006, when an increase of 9% was experienced. As regards viruses, the global ratio of in email traffic from new and previously unknown sources destined for valid recipients was one in 100.3 emails in October, a tiny decrease since the month before. Despite these lower numbers, October witnessed the alarming attack from the Warezov Trojan. The overall effect of Warezov was an explosion in the number of spam-sending zombies on the Internet, further aggravat-ing an already acute spam problem.
So far as phishing goes, October showed a negligible change in the proportion of phishing attacks compared with the previ-ous month. One in 190 emails comprised some form of phishing attack. When judged as a proportion of all email-borne
threats, the number of phishing emails has stabilized after a significant increase of 31% in September. 52% of all mali-cious emails intercepted by MessageLabs in October were phishing attacks, a slight increase on the previous month. Phishing attacks continue to be targeted mostly at banks that have not yet deployed any two-factor authentication security measures.
Israel was the top country target for spam in October, with an increase of 9%, while the US has overtaken Ireland to take second position with a rise of 11.5%. The largest rise in spam was in India where spam levels increased by 49%. The country also remains the hardest hit in terms of virus activity, with one in 16 of all inbound email traffic being affected. Virus activity in the US fell slightly to one in 136 emails, pushing it to the bottom of the list in October, closely followed by the Netherlands with one in 134 of emails. Australia, previously at the bottom of the list, saw the biggest increase in viruses to rank 12th in October, increasing to one in 84 of email traffic.
Education, Manufacturing and Telecoms remain in the top five vertical listings for spam attacks, all achieving 10% or higher increases. Virus traffic destined for Business Support Services fell to one in 30 of emails, the most significant decrease of all sectors but it still retains its position as the most attacked sector.
ConclusionIt is clear that side channel-attacks on smartcards are relatively easy to mount unless proper countermeasures are imple-mented on the card, and whilst this article only discusses an EMA attack on a DES implementation, similar attacks have been carried out on cards implementing AES, RSA, and other cryptographic algorithms.
As part of a two-factor authentication system, smartcards can offer more robust security than passwords alone. However it is important to remember that smartcards are not tamper-proof, merely tamper resist-ant, and with enough time and resources they can be broken.
Smartcards are only vulnerable to this kind of attack when they are operating, so
it would be difficult to clone a card without the owner’s knowledge. However if the card is lost, stolen, or borrowed, it is feasible that an attacker could use EMA to attack the card. As with any other authentication method this risk is significantly decreased if proper procedures are in place so that in the event of a card going missing the users account is locked out, and the digital cer-tificate stored on the card is revoked.
About the authorAdam Matthews works as Security Consultant at NGS Software, and holds a masters degree in Information Security. Whilst working in the Smartcard Centre at Royal Holloway, University of London, he successfully mounted an EMA attack as part of his thesis.
SMART CARDS...continued from page 19