Computer Security Side Channel Analysis, Lecture Notes - Engineering, Study notes of Advanced Computer Architecture

Cryptographic devices, smart cards, pin layout, chip layout, hardware security modules, simple time analysis, differential timing attack, power analysis attacks, AES, DES, DPA

Typology: Study notes

2010/2011

Uploaded on 09/07/2011

home-alone

Side Channel Analysis
E. Oswald and N.P. Smart
Computer Science Department
Crypto Group

Cryptographic devices

[Pictures: © BemroseBooth, © SecureGSM™, © Lenovo, © IACR]

A cryptographic device is an (electronic) device that implements a cryptographic algorithm and stores a cryptographic key. It is capable of performing cryptographic operations using that key.

E. Oswald and N.P. Smart, COMSM0213: Side Channel Analysis

Smart Cards

- Smart cards
  - Bank cards
  - SIM cards
  - Access cards
  - Ticketing
- The microprocessor itself can be removed with a sharp knife. This is referred to as a micromodule.

Smart Card — Pin Layout

[Figure: smart card contact layout. Dimensions shown: 1.7mm, 2mm, 10.25mm. Contacts labelled Vcc, Reset, Clock, RS, Gnd, Vpp, I/O, RS.]

Active implementation attacks typically work by introducing errors in a device.

- Active attacks are often called fault attacks or tamper attacks.
- A fault attack is an attack in which information about the message or the secret key is leaked from the output of erroneous computations.
- There are several ways to introduce an error during the computation performed by the cryptographic device:
  - spike attacks
  - glitch attacks
  - optical attacks

[Picture: © Hagai Bar-El et al.]

Practical fault attacks on smart cards.

- In order to induce glitches (power or clock) it is often useful to put the smartcard IC in another package.
- Larger packages offer more accessible connections.
- Picture: a very old smartcard IC that we removed from the card and glued into another package, only the bonding wires are missing.

Modern (high-end security) smart cards are reasonably well protected.

- Most vendors use hardware countermeasures like (citing now from the SLE66 documentation):
  - Low and high voltage sensors
  - Frequency sensors and filters
  - Light Sensor
  - Glitch Sensor
  - Temperature Sensor
  - Life Test Function for Sensors
- But also software countermeasures are typically implemented

Smart cards without these security features are still vulnerable.

Recent Smart Cards


Passive attacks were used in certain communities for a long time.

- Reported by P. Wright in "Spy Catcher".
- They placed a microphone in the vicinity of the machine.
- The click sound allowed them to determine the initial position of some of the rotors.

[Picture: a rotor machine of the Hagelin type. © IACR]

They only monitored the "emissions" of a device.

Side channel analysis

In 1996 side-channel analysis was brought to the public attention in an article by P. Kocher.

- Although it was known that sensitive information is likely to be transmitted over the various side channels of devices, it took some time before the broad scientific cryptographic community saw side-channel attacks as a threat.
- In 1996, Paul Kocher published an article that detailed timing attacks.
- Soon the first practical timing attacks were implemented.
- In 1998, Kocher, Jun and Jaffe published an article that detailed different types of power attacks.

Simple timing analysis, cont.

The previous example was stupid, but:

- If you would program something that checks the correctness of a certain combination, wouldn't you also check each item in the combination?
- Wouldn't you also try to write efficient code?
- A large number of access systems did the checking of the codeword in this manner (who knows how many still do...)

A simple countermeasure

- Ensure that the response time is fixed

A first conclusion

- Defending against such attacks requires us to write less efficient code
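The two checking strategies from this slide, written out as an added C example (not code from the lecture notes): an early-exit codeword check beside a fixed-time one. The 4-digit secret, the function names and the use of a comparison counter as a stand-in for response time are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CODE_LEN 4
/* Constructed sample secret, not taken from the lecture notes. */
static const uint8_t SECRET[CODE_LEN] = {7, 3, 9, 1};

/* "Efficient" check: stops at the first wrong digit. *steps counts the digit
 * comparisons performed and models the response time deterministically. */
int check_early_exit(const uint8_t *guess, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < CODE_LEN; i++) {
        (*steps)++;
        if (guess[i] != SECRET[i])
            return 0;
    }
    return 1;
}

/* Fixed-time check: always compares every digit and folds the differences
 * into one accumulator, so the work done does not depend on the guess. */
int check_fixed_time(const uint8_t *guess, size_t *steps)
{
    uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < CODE_LEN; i++) {
        (*steps)++;
        diff |= (uint8_t)(guess[i] ^ SECRET[i]);
    }
    return diff == 0;
}

/* Helper for the demo: number of comparisons a given check performs. */
size_t steps_taken(int (*check)(const uint8_t *, size_t *), const uint8_t *guess)
{
    size_t steps;
    (void)check(guess, &steps);
    return steps;
}

int main(void)
{
    const uint8_t guesses[3][CODE_LEN] = {{0, 0, 0, 0}, {7, 3, 0, 0}, {7, 3, 9, 1}};
    for (int g = 0; g < 3; g++)
        printf("guess %d: early-exit %zu, fixed-time %zu comparisons\n", g,
               steps_taken(check_early_exit, guesses[g]), steps_taken(check_fixed_time, guesses[g]));
    return 0;
}
```

The early-exit count grows with the number of leading correct digits, which is exactly the information a fixed response time withholds.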


Simple timing attack on RSA

- Can reveal the private key of RSA (decryption, signature verification)
- Assume that a simple top-down square and multiply algorithm is used for decryption (signature verification)

RSA Decryption: m = c^d mod n:

    d = {d_w, d_{w-1}, d_{w-2}, …, d_1, d_0}_2
    s = 1;
    For i = w to 0
        s = s • s mod n
        if (bit i of d) = 1
            then s = s • y mod n
    Return s

- Then in step i a multiplication is only performed iff d_i = 1
- Timing depends on the bits of the key
- A simple timing attack reveals the Hamming weight of the key
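An added C example, not part of the lecture notes, that runs the slide's square-and-multiply loop with operation counters and sets it beside a square-and-multiply-always variant, a countermeasure the slide does not mention. The toy modulus n = 3233, the ciphertext 2790, the exponents, the 32-bit exponent width and all function names are constructed for the illustration; operation counts stand in for execution time.

```c
#include <stdint.h>
#include <stdio.h>

#define W 32  /* exponent width in bits: the loop runs i = W-1 .. 0 */

/* Result y^d mod n plus the number of squarings and multiplications used. */
typedef struct { uint64_t result; unsigned squares, mults; } modexp_trace;

/* Requires a, b < n < 2^32 so that the product fits in 64 bits. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) { return (a * b) % n; }

/* Top-down square and multiply as on the slide: multiply only when d_i = 1. */
modexp_trace modexp_sqm(uint64_t y, uint32_t d, uint64_t n)
{
    modexp_trace t = {1 % n, 0, 0};
    y %= n;
    for (int i = W - 1; i >= 0; i--) {
        t.result = mulmod(t.result, t.result, n); t.squares++;
        if ((d >> i) & 1u) { t.result = mulmod(t.result, y, n); t.mults++; }
    }
    return t;
}

/* Square-and-multiply-always: the multiplication runs in every iteration and
 * a mask selects whether its result is kept, so the operation count is fixed. */
modexp_trace modexp_always(uint64_t y, uint32_t d, uint64_t n)
{
    modexp_trace t = {1 % n, 0, 0};
    y %= n;
    for (int i = W - 1; i >= 0; i--) {
        t.result = mulmod(t.result, t.result, n); t.squares++;
        uint64_t prod = mulmod(t.result, y, n);   t.mults++;
        uint64_t mask = (uint64_t)0 - (uint64_t)((d >> i) & 1u); /* all ones if d_i = 1 */
        t.result = (prod & mask) | (t.result & ~mask);
    }
    return t;
}

int main(void)
{
    /* Constructed toy RSA values: n = 61 * 53 = 3233, c = 2790 decrypts to 65. */
    const uint32_t keys[2] = {2753, 413};  /* Hamming weights 5 and 6 */
    for (int k = 0; k < 2; k++) {
        modexp_trace a = modexp_sqm(2790, keys[k], 3233);
        modexp_trace b = modexp_always(2790, keys[k], 3233);
        printf("d=%u: m=%llu, mults %u (slide) vs %u (always)\n", (unsigned)keys[k],
               (unsigned long long)a.result, a.mults, b.mults);
    }
    return 0;
}
```

With the slide's loop the multiplication count equals the Hamming weight of d (5 and 6 here), while the always-multiply variant performs 32 multiplications for either key.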

Principle of a differential timing attack

[Figure: block diagram. The same data is fed to the device under attack (key) and to a model of the device under attack (key hypothesis). The device yields the real execution time, the model a hypothetical execution time. Statistical analysis of the two leads to a decision about the key hypothesis.]

A differential timing attack recovers the key bit by bit.

- Choose a set of ciphertexts
- Model:
  - guess one bit of the key (key hypothesis)
  - calculate one iteration of the square and multiply algorithm
  - for each ciphertext check whether an extra reduction has occurred during the multiplication
  - → hypothetical execution time
- Device: decrypt the same set of ciphertexts
- Analysis: compare the hypothetical timing of the model with the actual execution time
- If similar then key hypothesis was correct

    d = {d_w, d_{w-1}, d_{w-2}, …, d_1, d_0}_2
    s = 1;
    For i = w to 0
        s = s • s mod n
        if (bit i of d) = 1
            then s = s • y mod n
    Return s