











































Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
Cryptographic devices Smart Cards Pin Layout Chip Layout HArdware Security modules simple time analysis differential timing attack power analysis attacks AES DES DPA
Typology: Study notes
1 / 51
This page cannot be seen from the preview
Don't miss anything!












































E. Oswald and N.P. SmartComputer Science Department
Crypto Group
© Picture: BemroseBoothBemroseBooth
© Picture: SecureGSM
TM
© Picture: Lenovo
© IACR
A cryptographic device is an (electronic) device thatimplements a cryptographic algorithm and stores acryptographic key. It is capable of performing
E. Oswald and N.P. SmartCOMSM0213: Side Channel Analysis
2/
yp
g
p
y
p
p
g
cryptographic operations using that key.
Smart Cards
Bank cardsBank cards
SIM cards
Access Cards
Ticketing
The microprocessor itself can be removed with a sharp knife. This is
f
d
i^
d l
referred to as a micromodule.
E. Oswald and N.P. SmartCOMSM0213: Side Channel Analysis
4/
1.7mm
2mm
10.25mm
Vcc
Gnd
Vcc Reset
Gnd Vpp
Clock
E. Oswald and N.P. SmartCOMSM0213: Side Channel Analysis
5/
Active attacks are often called fault attacks or tamper attacks.
p
A fault attack is an attack in which information about the message or theinformation about the message or thesecret key is leaked from the output oferroneous computations.
There are several ways to introduce an error during the computation performed bythe cryptographic device:
yp
g
p
spike attacks
glitch attacks
© Hagai Bar-El et al.
E. Oswald and N.P. SmartCOMSM0213: Side Channel Analysis
7/
optical attacks
In order to induce glitches (power or clock) it is often(power or clock) it is oftenuseful to put the smartcard ICin another package.
Larger packages offer more accessible connections.
Picture: a very old smartcard IC that we removed from theIC that we removed from thecard and glued into anotherpackage, only the bondingwires are missing.
E. Oswald and N.P. SmartCOMSM0213: Side Channel Analysis
8/
wires
are missing.
Most vendors use hardware countermeasures like (citing nowfrom the SLE66 documentation)from the SLE66 documentation)
Low and high voltage sensors
Frequency sensors and filtersFrequency sensors and filters
Light Sensor
Glitch Sensor
Temperature Sensor
Life Test Function for Sensors
But also software countermeasures are typically implementedBut
also software countermeasures are typically implemented
Smart cards without these security features are still
l^
bl
E. Oswald and N.P. SmartCOMSM0213: Side Channel Analysis
10/
vulnerable.
E. Oswald and N.P. SmartCOMSM0213: Side Channel Analysis
11/
Reported by P. Wright in “Spy Catcher”
Spy Catcher.
They placed a microphone in the vicinity of thein the vicinity of themachine.
Th
li k
d
ll
d t
Th
e click sound allowed to
determine some of therotors’ initial position.
A rotor machine of the Hagelin type.
They only monitored the “emissions” of a device
© IACR
E. Oswald and N.P. SmartCOMSM0213: Side Channel Analysis
13/
emissions
of a device
Side channel analysis
Although it was known that sensitive information is likely to betransmitted over the various side channels of devices it tooksome time before the broad scientific cryptographiccommunity saw side-channel attacks as a thread.
In 1996, Paul Kocher published an article that detailed timingattacks.
Soon the first practical timing attacks were implemented.
In 1998, Kocher, Jun and Jaffe published an article thatdetailed different types of power attacks E. Oswald and N.P. SmartCOMSM0213: Side Channel Analysis
14/
detailed
different types of power attacks.
The previous example was stupid but
If you would program something that checks the correctness of a certain
If you would program something that checks the correctness of a certaincombination, wouldn‘t you also check each item in the combination?
Wouldn‘t you also try write efficient code?
A large number of access systems did the checking of the codeword in thisA large number of access systems did the checking of the codeword in thismanner (who knows how many still do...)
A simple countermeasure
A simple countermeasure
Ensure that the response time is fixed
A fi
l^
i
first conclusion
Defending against such attacks requires us to write less efficient code
E. Oswald and N.P. SmartCOMSM0213: Side Channel Analysis
16/
Can reveal the private key of RSA (decryption, signature verification)
RSA Decryption: m=c^d mod n:
(decryption, signature verification)
Assume that a simple top-down square and multiply algorithm is
d={d
w
,d
w-
,d
w-
,…,d
1
,d
0
}
2
s = 1;
For i = w to 0
square and multiply algorithm isused for decryption (signatureverification)
For i = w to 0
s = s • s mod n
if (bit i of d) = 1
Then in step i a multiplication is only performed iff d
i^
=
Timing depends on the bits of the key
then s = s • y mod n
Return s
Timing depends on the bits of the key
A simple timing attack reveals the Hamming weight of the key
E. Oswald and N.P. SmartCOMSM0213: Side Channel Analysis
17/
Hamming
weight of the key
Model of
Data
Data
Key Hypothesis
Device
under Attack
(Key)
Model of the Device
underAttack
(
y)
Real
E
i^
Ti
HypotheticalExecution Time
Execution Time
Execution Time
StatisticalAnalysisAnalysis
E. Oswald and N.P. SmartCOMSM0213: Side Channel Analysis
19/
Decision about Key Hypothesis
Choose a set of ciphertexts
Model:
d={d
w
,d
w-
,d
w-
,…,d
1
,d
0
}
2
s
= 1;
guess one bit of the key (key hypothesis)
calculate one iteration of the square andmultiply algorithmf^
h
i h
t^
t^
h
k
h th
t
s
1;
For i = w to 0
s = s • s mod nif (bit i
f d)
1
for each ciphertext check whether an extrareduction has occured during themultiplication
-^
Hypothetical execution time
if
(bit i of d) = 1
then s = s • y mod n
Return s
Device: decrypt the same set of ciphertexts
Analysis: compare the hypothetical timing of the modelwith the actual execution time
E. Oswald and N.P. SmartCOMSM0213: Side Channel Analysis
20/
If similar then key hypothesis was correct