Lecture 7, Implementation Attacks
Elisabeth Oswald
IAIK, TUG
Outline
• Active and Passive Implementation Attacks
• Side-Channels
• Statistics
• Some power and EM traces
Implementation Attacks
Attacks that can retrieve information about secret and private keys without breaking the algorithm! Two classes:
Active Attacks: An attacker actively manipulates a device (i.e. uses it NOT in the intended/standard way). For example, by inducing faults.
Passive Attacks: An attacker monitors side-channel information which is emitted by the device: EM, power, timing, error messages. Side-channel information is information that unintentionally leaks information about the key.
Almost all algorithms known have properties that can be exploited in such attacks. Some algorithms have properties that facilitate the implementation of countermeasures.
Active Attacks – Fault Attacks
Characterization of fault attacks according to different criteria:
• control on the fault location;
• control on the fault occurrence time;
• control on the number of faulty bits induced;
• fault model.
On the first three items, an attacker can have no control, loose control or precise control. Fault models include the stuck-at model, random fault model, bit flip model, bit set or reset model.
Attacks can be either invasive (intrusive) or non-invasive (non-intrusive).
Active Attacks - Fault Injection
• Electrical perturbation on the standard ISO contact of the smart card
– Vcc glitch
– Clock duty cycle and/or frequency alteration
• Light-beam perturbation (contact-less)
– Global light-beam (wide spectrum)
– Focalized light-beam (wide spectrum)
– Laser-beam (single wavelength)
• Electro-Magnetic Field perturbation (contact-less)
Lesson learned from fault attacks: always check the results of the computation for correctness!!
Fault attacks have been especially popular for smart cards!
Types of Smart Cards
Smart cards or Integrated Circuit Cards can be distinguished into two types:
Memory Cards: typically have some EEPROM, some security logic and a read/write memory.
Microprocessor Cards: typically contain a full microprocessor and optionally some cryptographic modules ((T)RNG, RSA accelerator, DES).
Most smart cards are equipped with a serial interface (the metallic contacts), but some smart cards are equipped with an RF interface.
High-end smart cards that are used today can have up to a 32-bit CPU, several Kbytes of ROM and EEPROM, and up to 1 Kbyte of RAM. The SLE66 series even comes with 136 Kbyte ROM, 5052 bytes of RAM and 4 Kbyte of XRAM.
ISO 7816
Part 1: defines the physical characteristics
Part 2: defines the location, purpose and electrical characteristics of the metallic contacts
Part 3: defines the voltage and current requirements for the electrical contacts and the half-duplex character transmission protocol T = 0
Part 4: defines interindustry commands . . .
Part 5-14: define commands, biometrics, crypto, . . .
Figure 1: Smart Card (contacts labelled Vss, Vdd, Reset, Vpp, Clock, IO; the card face shows Name and Cardnumber)
Answer to Reset – ATR
After each reset, a smart card which is compliant to ISO 7816 must send an Answer to Reset (ATR). An ATR consists of:
TS | T0 | Interface Character Section | Historical Character Section | Check Character Section
Figure 2: ATR
TS indicates the bit-signaling and bit-ordering, T0 indicates the structure of the ATR. The interface characters are used to select the protocol and the parameters used for the higher-level communication between the smart card and the reader. The historical characters contain information provided by the OS developer (can be chip type, name of OS). The last element, the check character TCK, is calculated such that performing a bit-wise XOR on all bytes of the ATR results in 0.
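As an added example (not from the lecture), a parser for the ATR structure just described: it follows the presence bits of T0 through the TA/TB/TC/TD chain, splits off the historical characters and verifies TCK. ISO 7816-3 defines the check over the bytes from T0 up to and including TCK (TS is not part of it) and omits TCK when only T=0 is offered; the sample ATR below is constructed for this example, not captured from a card.

```python
# ISO 7816-3 Answer to Reset parser: TS, T0, chained interface bytes TA/TB/TC/TD,
# historical bytes and the check character TCK.

def _xor_all(data):
    acc = 0
    for byte in data:
        acc ^= byte
    return acc

def parse_atr(atr):
    """Return the ATR fields as a dict; raise ValueError on a malformed ATR."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 0x3B (direct) or 0x3F (inverse convention)")
    t0 = atr[1]
    k = t0 & 0x0F            # low nibble: number of historical bytes
    y = t0 >> 4              # high nibble: which of TA1, TB1, TC1, TD1 follow
    pos, i = 2, 1
    interface, protocols = [], []
    while True:
        td = None
        for name, bit in (("TA", 1), ("TB", 2), ("TC", 4), ("TD", 8)):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError(f"ATR truncated inside {name}{i}")
                interface.append((f"{name}{i}", atr[pos]))
                if name == "TD":
                    td = atr[pos]
                pos += 1
        if td is None:       # no TDi: the chain of interface bytes ends here
            break
        protocols.append(td & 0x0F)   # TDi low nibble: offered protocol T=...
        y, i = td >> 4, i + 1         # TDi high nibble: presence bits of round i+1
    if pos + k > len(atr):
        raise ValueError("ATR truncated inside the historical bytes")
    historical = bytes(atr[pos:pos + k])
    pos += k
    tck = None
    if any(t != 0 for t in protocols):   # TCK absent only if T=0 is the sole protocol
        if pos >= len(atr):
            raise ValueError("TCK expected but missing")
        tck = atr[pos]
        pos += 1
        # XOR over T0 .. TCK inclusive must be 0 (TS is not included).
        if _xor_all(atr[1:pos]) != 0:
            raise ValueError("TCK check failed: ATR corrupted or mis-parsed")
    if pos != len(atr):
        raise ValueError(f"{len(atr) - pos} trailing byte(s) after the ATR")
    return {"TS": atr[0], "T0": t0, "interface": interface,
            "protocols": protocols or [0], "historical": historical, "TCK": tck}

# Constructed sample: TA1, TD1 (T=1, TD2 follows), TD2 (T=1, TA3 and TB3 follow),
# five historical bytes "TEST1" and the check character.
SAMPLE_ATR = bytes([0x3B, 0x95, 0x11, 0x81, 0x31, 0xFE, 0x45,
                    0x54, 0x45, 0x53, 0x54, 0x31, 0xA8])

if __name__ == "__main__":
    print(parse_atr(SAMPLE_ATR))
```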
Command Structure
Smart card commands (or responses) are coded in Application Protocol Data Units (APDUs):
CLA | INS | P1 | P2 | Lc | Data | Le
Figure 3: Structure of a command APDU
The Class Byte (CLA) defines the general type of commands; for example, ISO commands have CLA = 0x00. The Instruction Byte (INS) specifies the command, for example 0xA4 for select file. The parameters P1 and P2 are used to choose between different options which the selected command might offer. Lc defines the length of the command data, Data the data bytes being transmitted and Le the length of the expected response data.
Response APDU
A response APDU has a simpler structure (see figure 4). After a conditional body, two status words SW1 and SW2 (the return code) are transmitted. If a command has been processed successfully, then the return code 0x90 00 is returned.
Data | SW1 | SW2
Figure 4: Structure of a response APDU
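An added example, not part of the lecture: encoding a short command APDU with the Lc/Data/Le fields above and splitting a response APDU into body and status words. The SELECT of the master file (CLA 0x00, INS 0xA4, file identifier 0x3F00) uses the values given on these slides; the response bytes are constructed.

```python
# Short (one-byte length field) command APDU encoder and response APDU decoder.

def encode_command(cla, ins, p1, p2, data=b"", le=None):
    """Build a short command APDU: CLA INS P1 P2 [Lc Data] [Le]."""
    for name, value in (("CLA", cla), ("INS", ins), ("P1", p1), ("P2", p2)):
        if not 0 <= value <= 0xFF:
            raise ValueError(f"{name} must fit in one byte")
    if len(data) > 255:
        raise ValueError("a short Lc can encode at most 255 data bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:                      # Lc followed by the data bytes
        apdu += bytes([len(data)]) + bytes(data)
    if le is not None:            # Le: expected response length, 0x00 encodes 256
        if not 1 <= le <= 256:
            raise ValueError("a short Le must lie in 1..256")
        apdu += bytes([le % 256])
    return apdu

def decode_response(raw):
    """Split a response APDU into (data, SW1, SW2)."""
    if len(raw) < 2:
        raise ValueError("a response APDU carries at least SW1 SW2")
    return bytes(raw[:-2]), raw[-2], raw[-1]

def status_ok(sw1, sw2):
    """The return code 0x90 00 signals successful processing."""
    return (sw1, sw2) == (0x90, 0x00)

# SELECT (INS 0xA4) of the master file 0x3F00 by file identifier, ISO class 0x00.
SELECT_MF = encode_command(0x00, 0xA4, 0x00, 0x00, data=b"\x3F\x00")

if __name__ == "__main__":
    print(SELECT_MF.hex())                               # 00a40000023f00
    data, sw1, sw2 = decode_response(bytes.fromhex("9000"))   # constructed reply
    print(data, hex(sw1), hex(sw2), status_ok(sw1, sw2))
```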
File Structure
elementary files: contain data
dedicated files: group other files.
master file: is the root dedicated file
file identifier: used for file selection. The master file always has the file identifier 0x3F 00 and is selected automatically after a reset of the smart card. The file identifiers must be unique within each dedicated file.
short FID: elementary files may also have a short file identifier. Such short file identifiers are used for the implicit selection of files.
Commands for Authentication
Internal Authenticate: is used by the card reader to verify the smart card's identity. The card reader therefore sends a challenge (and a key identifier) to the smart card. The smart card uses the key identifier to choose one of its keys. This key is then used to encrypt the received challenge. The response of the smart card contains the result, which is checked by the card reader.
External Authenticate: is used by the smart card to verify the identity of the card reader. The card sends a challenge (and a key identifier) to the card reader, which in turn encrypts the challenge and sends it back to the smart card, which checks the result. To achieve mutual authentication, an external authenticate followed by an internal authenticate must be executed.
De-packaging of Smart Cards
It is relatively simple to extract the microprocessor from a given smart card. Then, the microprocessor can be depackaged and placed into a more suitable medium in order to perform some experiments.
Figure 5: An old smart card processor which has been put in another package (bonding is not complete here).
Simple Attacks on Smart Cards
Various simple types of tamper attacks have been popular for smart cards.
• The very first generations of smart cards still used an external programming voltage to read and write contents to their memory. By cutting off this external programming voltage, an attacker could freeze the contents of the memory.
• Manufacturers' test circuits led to other attacks on smart cards. Such test circuits are used during the testing phase after the fabrication of the smart card. After the testing phase, the test circuits are disconnected from the microprocessor. An attacker has to find and repair the disconnected wires to use the test circuit.
Most of these simpler attacks on smart cards were not only active attacks, but were also intrusive. In modern smart cards, the components of the processor are covered by a protective mesh. This mesh reports when it is damaged, at which point the smart card destroys its memory contents or stops functioning.
Fault Attacks on RSA Implementations
In many real world implementations, the so-called CRT (Chinese remainder theorem) version of RSA is implemented. An RSA exponentiation $S = M^d \bmod n$, where $n = pq$, then consists of the following steps:
$$S_p = M^{d_p} \bmod p, \qquad d_p = d \bmod (p - 1)$$
$$S_q = M^{d_q} \bmod q, \qquad d_q = d \bmod (q - 1)$$
$$S = a S_p + b S_q \bmod n, \quad \text{with} \quad a = q\,(q^{-1} \bmod p), \quad b = p\,(p^{-1} \bmod q).$$
Note that $a \equiv 1 \bmod p$ and $a \equiv 0 \bmod q$, while for $b$ it is the other way around: $b \equiv 0 \bmod p$ and $b \equiv 1 \bmod q$.
Fault Attacks on RSA Implementations, cont.
Assume that an attacker gets two signatures for the same message, of which one signature is faulty:
$$\hat S_1 = a \hat S_p + b S_q, \qquad S_2 = a S_p + b S_q.$$
Then we have that $S_2 \equiv \hat S_1 \pmod q$ (because $a \equiv 0 \bmod q$). But $S_2 \not\equiv \hat S_1 \pmod p$ (because $b \equiv 0 \bmod p$).
Hence, $q$ is a divisor of $S_2 - \hat S_1$ but $p$ is not.
This means we can factor $n$ by calculating the greatest common divisor (gcd) of $S_2 - \hat S_1$ and $n$:
$$q = \gcd(n, S_2 - \hat S_1).$$
Fault Attacks on RSA Implementations, cont.
Assume that the attacker gets one faulty signature $\hat S = a S_p + b \hat S_q$ for a given message $M$.
We have a look at $\hat S^e$. We know that
$$\hat S^e \equiv M \pmod p, \quad \text{hence} \quad M - \hat S^e \equiv 0 \pmod p.$$
In contrast, if we take the same equation mod $q$ we have that:
$$\hat S^e \not\equiv M \pmod q, \quad \text{hence} \quad M - \hat S^e \not\equiv 0 \pmod q.$$
Consequently, only $p$ is a divisor of $M - \hat S^e$, but not $q$.
As in the example before, we can factor $n$ by calculating $\gcd(n, M - \hat S^e)$.
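The two gcd computations above, worked through on toy parameters as an added example (not from the lecture), together with the countermeasure the fault-attack slide calls for: checking $S^e = M \bmod n$ before a signature leaves the device. Primes, public exponent and message are constructed for this example, and a fault is simulated as a one-bit flip of $S_p$ or $S_q$.

```python
import math

# Toy-sized RSA parameters, constructed for this example.
p, q, e = 61, 53, 17
n = p * q
d = pow(e, -1, (p - 1) * (q - 1))      # private exponent, here 2753
dp, dq = d % (p - 1), d % (q - 1)      # CRT exponents d_p and d_q
a = q * pow(q, -1, p)                  # a = 1 mod p, a = 0 mod q
b = p * pow(p, -1, q)                  # b = 0 mod p, b = 1 mod q

def crt_sign(M, fault_in=None):
    """S = M^d mod n via CRT. fault_in='p' or 'q' flips the low bit of S_p or S_q,
    a one-bit-flip fault model standing in for an injected fault."""
    Sp = pow(M, dp, p)
    Sq = pow(M, dq, q)
    if fault_in == "p":
        Sp ^= 1
    elif fault_in == "q":
        Sq ^= 1
    return (a * Sp + b * Sq) % n

def factor_from_two_signatures(S_good, S_faulty):
    """Fault in S_p: S_good = S_faulty mod q but not mod p, so the gcd yields q."""
    return math.gcd(n, S_good - S_faulty)

def factor_from_one_signature(M, S_faulty):
    """Fault in S_q: S_faulty^e = M mod p but not mod q, so the gcd yields p."""
    return math.gcd(n, M - pow(S_faulty, e, n))

def safe_sign(M, fault_in=None):
    """Countermeasure from the lecture: verify S^e = M mod n and never release a
    signature that fails the check (None is returned instead)."""
    S = crt_sign(M, fault_in)
    return S if pow(S, e, n) == M else None

if __name__ == "__main__":
    M = 1234
    print(factor_from_two_signatures(crt_sign(M), crt_sign(M, "p")))  # 53 = q
    print(factor_from_one_signature(M, crt_sign(M, "q")))              # 61 = p
    print(safe_sign(M, "q"))                                            # None
```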
Passive Attacks – Side Channels
Have been known in the military (espionage) world for some time, but have been discovered by
the public only in 1996 (P. Kocher).
Figure 6: Hagelin Machine
The click-sound of the rotors of this machine led to an attack (P. Wright, Spy Catcher).
Passive Attacks – Side Channels
Execution Time Leakage
Often, a device takes slightly different amounts of time to execute an algorithm:
• different input data might cause some instructions to take different amounts of time for their
executions,
• performance optimizations, or
• branching instructions.
Practical implementations for attacks using this kind of information leakage indicate that such
attacks are challenging to realize in practice due to the difficulty of getting precise timing
measurements. Countermeasures appear to be easy to implement, and to work efficiently in
practice.
Passive Attacks – Side Channels
Power Consumption
Most commonly used cryptographic devices are implemented in CMOS logic. The power consumption characteristics of CMOS circuits can be summarized briefly as follows:
• Whenever a circuit is clocked, the circuit's gates change their states simultaneously.
• This leads to a charging and discharging, respectively, of the internal capacitors, and this in turn results in a current flow which is measurable at the outside of the device.
The measurements can be conducted easily. One needs either a data acquisition card or a digital oscilloscope to acquire the measurements. The current flow can be measured directly with a current probe, or by putting a small resistor in series with the device's ground input or power input.
Power analysis attacks are the most popular attacks at the time of writing due to their effectiveness and simplicity.
Passive Attacks – Side Channels
Electromagnetic Radiation Leakage
The same charging and discharging which occurs whenever a circuit is clocked creates, besides the current flow, also a certain electromagnetic field.
• Direct emanations are caused by intentional current flow which is caused by the execution of an algorithm.
• Unintentional emanations are caused by the miniaturization and complexity of modern CMOS devices. This miniaturization and complexity results in coupling effects between components in close proximity.
EM attacks are becoming more and more popular at the time of writing because of the high amount of information in this side-channel and because the information can also be exploited at a greater distance from the attacked device.
Passive Attacks – Side Channels
Error Message Leakage
• An error message attack usually targets a device implementing a decryption scheme.
• We make the assumption that there is a one-bit feed-back from the device to tell whether or
not the message has been successfully decrypted.
If the attacker can somehow know the reason why the decryption operation failed, he might gain
some information about the secret key or a plaintext by sending well chosen ciphertexts to the
device.
Passive Attacks – Practical Realization
• Power-analysis attacks are the ones that have been demonstrated on all kinds of platforms
(software and hardware implementations on smart cards, general ASICs, FPGAs and DSPs).
• EM attacks have been demonstrated on smart cards and ASICs.
• Timing attacks have been demonstrated on software implementations, smart cards and ASICs.
• Error message attacks have been applied to the PKCS #1 padding.
Power and EM Measurements at IAIK
Figure 7: Measurement Setup for the ATMEL microcontroller-board (photo not reproduced; labelled parts: EM Probe, ATMEL Microcontroller, Differential Probe)
We have setups for smart card readers and FPGA boards as well.
Passive Attacks – Simple Side-Channel Attacks
A trace refers to a measurement taken for one execution of the attacked cryptographic operation. In a simple side-channel attack, only one single measurement is used to gain information about the device's secret key.
• Obviously, to perform such an attack, the side-channel information needs to be strong enough to be directly visible.
• Additionally, the secret key needs to have some simple, exploitable relationship with the operations visible in the side-channel trace.
• Such an attack typically targets implementations which use key-dependent branching in the implementation.
SPA – DES
Figure 8: A raw power measurement for an implementation of DES on a smartcard (plot not reproduced)
SPA – DES
Figure 9: A post-processed power measurement for an implementation of DES on a smartcard (plot not reproduced)
SPA – DES
Figure 10: Zoom into the first round of DES (plot not reproduced; operations annotated along the trace: LS, PC2, E, XOR, SBOX, P, XOR, L=R, LS)
SPA – DES
Figure 11: Zoom into the key schedule (plot not reproduced; individual key bits, 0 or 1, annotated along the trace)
SPA – ECC
Figure 12: A 1 in the bit-representation of the key leads to a different pattern than a 0 (plot not reproduced; current in mA over clock cycles, key bits annotated)
Passive Attacks – Differential Side-Channel Attacks
Whenever the signal is smaller than the noise, statistical methods have to be used to reconstruct the signal. A kind of hypothetical model is used to predict the side-channel behavior of the device under attack. These predictions are then statistically related to the real, measured side-channel output of the device. Only if the correct key (or a part of the key) was used by the hypothetical model does its output correlate with the real side-channel output.
Figure 13: Differential Side-Channel Attacks (block diagram: Data and Key, together with unknown/uncontrolled influences, enter the Physical Device, which produces the Physical Side-Channel Output; Data and a hypothetical Key enter the Model of the Physical Device, which produces the Hypothetical Side-Channel Output; Statistical Analysis of both outputs leads to the Decision)
Statistical Methods – Mean Value and Variance
Let $X^i$ denote the $i$-th trace. Then, we denote by $\mathcal{X}$ a set of traces $X^i$, i.e., $\mathcal{X} = \{X^1, \ldots, X^m\}$. The variable $X_j$ refers to the $j$-th data-point of all traces $X^i \in \mathcal{X}$.
By the (empirical) mean value $\bar X$ of $\mathcal{X}$, we understand
$$\bar X = (\bar X_1, \ldots, \bar X_l) = \left(\frac{1}{m}\sum_{i=1}^{m} x_1^i, \ \ldots, \ \frac{1}{m}\sum_{i=1}^{m} x_l^i\right).$$
In the same way we define the (empirical) variance $S^2$ of a set $\mathcal{X}$ as
$$S_X^2 = (S_{X_1}^2, \ldots, S_{X_l}^2) = \left(\frac{1}{m-1}\sum_{i=1}^{m}(x_1^i - \bar X_1)^2, \ \ldots, \ \frac{1}{m-1}\sum_{i=1}^{m}(x_l^i - \bar X_l)^2\right).$$
Statistical Methods – Correlation Coefficient
The correlation between a certain value and a set of measurements can be defined point-wise as well. Let $Y$ be a set of arbitrary, positive numbers (for example, this could be a value predicted by our hypothetical model), i.e., $Y = (Y^1, \ldots, Y^m)$.
Then, the covariance between $Y$ and the set of traces $\mathcal{X}$ is defined as
$$S_{XY} = \left(\frac{1}{m-1}\sum_{i=1}^{m}(x_1^i - \bar X_1)(Y^i - \bar Y), \ \ldots, \ \frac{1}{m-1}\sum_{i=1}^{m}(x_l^i - \bar X_l)(Y^i - \bar Y)\right).$$
The (empirical) correlation coefficient $R$ is then defined as follows:
$$R = \frac{S_{XY}}{S_X S_Y}.$$
Statistical Methods – Distance of Mean
We have two sets of measurements, and we want to know whether they are different or not.
Figure 14: The means of the two distributions are different (plot not reproduced; distributions labelled m1 and m2)
Figure 15: The variances of the two distributions are different (plot not reproduced; distributions labelled s1 and s2)
Statistical Methods – Distance of Mean
• The distance-of-mean test is a parameter test, i.e., it is a statistical test which challenges a hypothesis $H_0$.
• $H_0$ refers to the prediction of one intermediate value of a cryptographic operation.
• If this prediction says low for a set of traces (we then refer to this set as $X_{\mathrm{low}}$), then we expect the mean value of the part of the trace which corresponds to the execution of this predicted value to be different from the mean value resulting from a high prediction $X_{\mathrm{high}}$:
$$H_0: \mu = \mathrm{low} \quad \text{against} \quad H_1: \mu = \mathrm{high},$$
and thus the distance of the two means
$$\bar X_{\mathrm{high}} - \bar X_{\mathrm{low}} \qquad (1)$$
is computed.
Statistical Methods – Correlation Analysis
• The correlation coefficient $R$ measures a linear relationship between the two given random variables $X$ and $Y$.
• It always lies in the interval $-1 \le R \le 1$.
• If $X$ and $Y$ are normally distributed, then it follows from $R = 0$ that $X$ and $Y$ are independent.
• If $X$ and $Y$ are independent, then it follows, regardless of the distribution of $X$ and $Y$, that $R = 0$.
This means that for the correct hypothetical key, where we expect our predictions $Y$ to meet the actual side-channel output $X$, there should be a high (or at least non-zero) correlation coefficient, whereas if the hypothetical key is wrong, the correlation coefficient between $X$ and $Y$ should be close to zero.
Some traces
Figure 16: Correct Key (plot not reproduced)
Figure 17: Incorrect Key (plot not reproduced)
Countermeasures
There are two assumptions that we have made (implicitly):
1. the predictions of the attacker coincide with the intermediate values (states) of the device to some extent, and
2. the side channel leakage depends on the intermediate values.
If either one of these two assumptions does not hold, an attack cannot be mounted!
Any countermeasure destroys the first or the second assumption.
Countermeasures, cont.
Countermeasures which counteract assumption 1 are all based on masking (blinding, randomizing) the intermediate values of a device. Here are two examples for RSA:
• RSA exponent blinding: use $d + k\varphi(n)$ as exponent instead of $d$
• RSA message blinding: choose $(v_i, v_f)$ such that $v_i = (v_f^{-1})^e \bmod n$. Blind the input by multiplying it with $v_i$, and remove the blinding after the exponentiation (to the power $d$) by multiplying with $v_f$.
For symmetric algorithms only message blinding is possible. However, in that case, blinding is called masking, and it means that a random mask is added (exclusive-or-ed) to the input value. In order to remove the mask, it is necessary to calculate the mask changes throughout the whole algorithm.
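An added example (not from the lecture) that implements the point-wise mean, variance, covariance and correlation coefficient of the statistics slides and applies them to traces simulated for this purpose: the Hamming-weight leakage model, the PRESENT 4-bit S-box, the noise level and the sample point that leaks are assumptions. It shows the correlation peak of the correct key nibble and how XOR masking of the intermediate value, as described above, removes it.

```python
import random

# PRESENT 4-bit S-box (assumption: any 4-bit S-box would serve the demonstration)
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def hw(v):                           # Hamming weight: the assumed leakage model
    return bin(v).count("1")

def mean(xs):                        # empirical mean X̄_j over the m traces
    return sum(xs) / len(xs)

def var(xs):                         # empirical variance S^2 with the 1/(m-1) factor
    mu = mean(xs)
    return sum((x - mu) ** 2 for x in xs) / (len(xs) - 1)

def cov(xs, ys):                     # empirical covariance S_XY with 1/(m-1)
    mx, my = mean(xs), mean(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) - 1)

def corr(xs, ys):                    # correlation coefficient R = S_XY / (S_X S_Y)
    return cov(xs, ys) / (var(xs) * var(ys)) ** 0.5

def simulate_traces(key, m, masked, rng, points=8, leak_at=3, noise=1.0):
    """Constructed traces: sample leak_at carries HW(SBOX[p ^ key]) on top of
    N(0, noise^2); when masked, a fresh random mask is XORed onto the value."""
    plaintexts = [rng.randrange(16) for _ in range(m)]
    traces = []
    for pt in plaintexts:
        v = SBOX[pt ^ key]
        if masked:
            v ^= rng.randrange(16)
        t = [rng.gauss(0.0, noise) for _ in range(points)]
        t[leak_at] += hw(v)
        traces.append(t)
    return plaintexts, traces

def correlation_trace(plaintexts, traces, key_guess):
    """Point-wise R_j between sample X_j of all traces and the prediction
    Y^i = HW(SBOX[p^i ^ key_guess]) of the hypothetical model."""
    Y = [hw(SBOX[pt ^ key_guess]) for pt in plaintexts]
    return [corr([t[j] for t in traces], Y) for j in range(len(traces[0]))]

def rank_keys(plaintexts, traces):
    """Key guess with the largest |R| at any sample point, plus all 16 scores."""
    scores = {k: max(abs(r) for r in correlation_trace(plaintexts, traces, k))
              for k in range(16)}
    return max(scores, key=scores.get), scores

def run_analysis(key=0xB, m=2000, masked=False, seed=2024):
    rng = random.Random(seed)
    return rank_keys(*simulate_traces(key, m, masked, rng))

if __name__ == "__main__":
    for masked in (False, True):
        best, scores = run_analysis(masked=masked)
        print("masked" if masked else "unmasked", hex(best), round(scores[best], 2))
```

With a 4-bit S-box several wrong guesses still correlate partially with the right one, so the correct key is the strongest peak rather than the only one.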
Countermeasures, cont.
Countermeasures which counteract assumption 2 are:
• based on special logic styles (to counter Power and EM attacks)
• based on adding random noise (to counter Power attacks)
• based on introducing random delays between operations
• based on performing dummy operations
Countermeasures, cont.
To counter Simple SCAs, it is necessary to ensure that
• operations (such as square or multiply, or EC double and EC add) cannot be distinguished by their side-channel trace
• key-dependent branching is avoided (or at least well hidden within the side-channel trace)
To counter error message attacks, one must ensure that error messages do not hold information that can be exploited.
References
• PhD theses by T. Messerges and by E. Oswald
• Kocher's articles on timing and power attacks