A Study on Smart Card Security A Study on Smart Card Security - - PDF document

a study on smart card security a study on smart card
SMART_READER_LITE
LIVE PREVIEW

A Study on Smart Card Security A Study on Smart Card Security - - PDF document

Mar 08, 2023 132 likes •410 views

[ICCSA 2004] 2004] [ICCSA A Study on Smart Card Security A Study on Smart Card Security Evaluation Criteria for Evaluation Criteria for Side Channel Attacks Side Channel Attacks Presented at the workshop ICCSA ICCSA 200 2004 4, ,

slide-1
SLIDE 1

1

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 1 1

[ICCSA [ICCSA’ ’2004] 2004]

A Study on Smart Card Security A Study on Smart Card Security Evaluation Criteria for Evaluation Criteria for Side Channel Attacks Side Channel Attacks

Presented at the workshop Presented at the workshop ICCSA ICCSA 200 2004 4, , May May 1 14 4-

  • 1

17 7, 200 , 2004 4, , Assisi Assisi, , Italy Italy

slide-2
SLIDE 2

2

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 2 2

1.

  • 1. Introduction

Introduction 2.

  • 2. Preliminaries

Preliminaries 3.

  • 3. Experiments of power analysis attacks

Experiments of power analysis attacks

  • The MESD

The MESD-

  • DPA attacks

DPA attacks for RSA for RSA

4.

  • 4. The propose of the smart card security

The propose of the smart card security evaluation criteria for side channel attacks evaluation criteria for side channel attacks

  • AVA

AVA-

  • SCA

SCA assurance family and 3 components assurance family and 3 components

Agenda Agenda

slide-3
SLIDE 3

3

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 3 3

  • 1. Introduction
  • 1. Introduction
  • In Practical

In Practical

  • A

A small small cryptographic module cryptographic module leaks out leaks out the the unwilling unwilling information information: :

  • Timing

Timing

  • Power

Power

  • Electromagnetic

Electromagnetic Radiations Radiations

  • Fault etc..

Fault etc..

  • In the power analysis attacks

In the power analysis attacks

  • The power trace is measured for an execution

The power trace is measured for an execution

  • f a cryptographic operation
  • f a cryptographic operation
  • The power analysis is more powerful than

The power analysis is more powerful than

  • thers
  • thers

“ “Side Channel Information Side Channel Information” ” “ “Side Channel Attacks Side Channel Attacks” ”

slide-4
SLIDE 4

4

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 4 4

  • 1. Introduction
  • 1. Introduction
  • Proposal

Proposal -

  • t

the smart card security he smart card security evaluation criteria for side channel attacks evaluation criteria for side channel attacks

  • The vulnerability assessment activities in

The vulnerability assessment activities in Security Assurance Requirements Security Assurance Requirements

AVA_SCA assurance family and 3 components

  • The side channel analysis (SCA) is different to the

The side channel analysis (SCA) is different to the covert channel analysis (CCA) covert channel analysis (CCA)

  • Much stronger than the CCA for smartcard

Much stronger than the CCA for smartcard

slide-5
SLIDE 5

5

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 5 5

2.

  • 2. Preliminaries

Preliminaries

  • Common Criteria

Common Criteria (CC) (CC) & Protection Profile & Protection Profile (PP) (PP)

  • CC

CC : : Single international (common) IT product & system

Single international (common) IT product & system security criteria security criteria

  • Develops Protection Profiles (PP) and Security Targets

Develops Protection Profiles (PP) and Security Targets (ST) (ST)

  • Evaluation of products and systems against known

Evaluation of products and systems against known requirements requirements

  • PP : a detailed level of security requirements and

PP : a detailed level of security requirements and standards standards

slide-6
SLIDE 6

6

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 6 6

Part 3

Security

Assurance Requirements

  • Assurance Classes
  • Assurance Families
  • Assurance

Components

  • Detailed Requests
  • Eval. Assur. Levels

Part 2

Security

Functional Requirements

  • Functional Classes
  • Functional Families
  • Functional

Components

  • Detailed Requests

Part 1

Introduction & Model

  • Introduction to

Approach

  • Terms & Model
  • Requirements for

Protection Profiles & Security Targets

Part 4

Registry of Protection Profiles

2.

  • 2. Preliminaries

Preliminaries

  • Common Criteria

Common Criteria (CC) (CC)

slide-7
SLIDE 7

7

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 7 7

PP (or) ST

Introduction TOE Description PP Claims IT Security Requirements Security Objectives Security Environment TOE Summary Specification

TOE IT Security Functions TOE Assurance Measures CC Conformance Claim (ST only) TOE IT Functional & Assurance Requirements Requirements for IT environment Environmental Security Objectives TOE IT Security Objectives Secure Usage Assumptions Threats Security Policies

Security Target Additions >> Protection Profile & Security Target Common Contents

2.

  • 2. Preliminaries

Preliminaries

  • Protection Profiles (PP) or Security Targets (ST)

Protection Profiles (PP) or Security Targets (ST)

slide-8
SLIDE 8

8

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 8 8

2.

  • 2. Preliminaries

Preliminaries

  • Vulnerability assessment

Vulnerability assessment ( (class AVA class AVA) in CC/PP ) in CC/PP

  • Covert channel analysis

Covert channel analysis (AVA_CCA) (AVA_CCA)

  • Misuse (AVA_MSU)

Misuse (AVA_MSU)

  • Strength TOE security functions (AVA_SOF)

Strength TOE security functions (AVA_SOF)

  • Vulnerability analysis (AVA_VLA)

Vulnerability analysis (AVA_VLA)

  • The threat

The threats s in relation to side channel attacks in relation to side channel attacks

  • T.P_Probe

T.P_Probe (Physical probing) (Physical probing)

  • T.P_Alter

T.P_Alter

  • T.Flt_Ins

T.Flt_Ins

  • T.I_Leak

T.I_Leak

  • T.link

T.link

  • T.Env_Str

T.Env_Str

slide-9
SLIDE 9

9

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 9 9

C r y p t o g r a p h ic p r o c e s s in g ( E n c r y p t /D e c r y p t /S ig n /e t c .) S e c r e t K e y s

I n p u t O u t p u t

Cryptographic processing (Encrypt/Decrypt/Sign/etc.) Secret Keys

Input Output Leaked Information

In IDEAL crypto system Secret keys are keep in secret In REAL crypto system

Timing Power consumption(RSA, ECC Power consumption(RSA, ECC … …) ) Fault Insertion Fault Insertion Electromagnetic radiation …..

3.

  • 3. The experiments

The experiments

slide-10
SLIDE 10

10

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 10 10

CPU CPU Reset Reset Clock Clock I/O I/O Memory Memory BUS BUS ROM ROM RAM RAM EEPROM EEPROM

S ma r t C a r d – I

n t e r n a l S t r u c t u r e

  • C1 : power supply input ( Vcc )
  • C2 : RST for reset signal to card
  • C3 : CLK ( clock )
  • C4 : not defined
  • C5 : GND ( ground )
  • C6 : Vpp
  • C7 : communication
  • C8 : not defined

C1 C2 C4 C6 C7 C8 C3 C5

3.

  • 3. The experiments

The experiments

slide-11
SLIDE 11

11

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 11 11

3.

  • 3. The experiments

The experiments

  • The Power analysis attack

The Power analysis attack configurations configurations

slide-12
SLIDE 12

12

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 12 12

3.

  • 3. The experiments

The experiments

∑ ∑

− = − =

− =

1 1

] [ 1 ] [ 1 ] [

K j j K j j

r T K r S K r D

  • The Power analysis attacks

The Power analysis attacks

  • In RSA, L

In RSA, L-

  • R method

R method

  • It is possible to distinguish multiplication from squar

It is possible to distinguish multiplication from squaring ing

  • MESD

MESD-

  • RSA DPA differential signals:

RSA DPA differential signals:

slide-13
SLIDE 13

13

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 13 13

3.

  • 3. The experiments

The experiments

  • The MESD

The MESD-

  • DPA attacks

DPA attacks (RSA, L (RSA, L-

  • R method)

R method)

  • Secret Card

Secret Card:

: The correct secret digits The correct secret digits { 1,0, { 1,0,1 1,0…} ,0…}

  • Guessing Card

Guessing Card:

: The guessed digits The guessed digits { 1,0, { 1,0,0 0,…} ,…}

peak (3

peak (3rd

rd bit is miss

bit is miss-

  • guessed!!)

guessed!!)

slide-14
SLIDE 14

14

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 14 14

3.

  • 3. The experiments

The experiments

  • In the results of the DPA attack,

In the results of the DPA attack,

  • Two hundred traces were analyzed at the

Two hundred traces were analyzed at the target bit position target bit position

  • Because the attacker guessed wrongly, the

Because the attacker guessed wrongly, the peak signal present at the fourth digit position peak signal present at the fourth digit position

  • f the right picture
  • f the right picture
  • The MESD attack is in success easily

The MESD attack is in success easily

slide-15
SLIDE 15

15

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 15 15

4.

  • 4. The propose of side channel

The propose of side channel analysis family analysis family

  • Side channel analysis family (AVA_SCA)

Side channel analysis family (AVA_SCA)

  • T

The side channel a he side channel analysis (SCA) nalysis (SCA) is different to is different to a a covert channel a covert channel analysis (CCA) nalysis (CCA)

  • SCA is much stronger than CCA for smartcard

SCA is much stronger than CCA for smartcard

  • S

Separate the side eparate the side channel analysis channel analysis (AVA_SCA) (AVA_SCA) from AVA_CCA and AVA_VLA from AVA_CCA and AVA_VLA

slide-16
SLIDE 16

16

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 16 16

Side channel analysis family Side channel analysis family

  • Side channel analysis family (AVA_SCA)

Side channel analysis family (AVA_SCA)

  • Assurance family separated from AVA_CCA and

Assurance family separated from AVA_CCA and AVA_VLA AVA_VLA

slide-17
SLIDE 17

17

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 17 17

Side channel analysis family Side channel analysis family

  • AVA_SCA

AVA_SCA combines: combines:

  • Side channel timing analysis family (SCA.T)

Side channel timing analysis family (SCA.T)

  • Side channel power analysis family (SCA.P)

Side channel power analysis family (SCA.P)

  • Side channel fault analysis family (SCA.F)

Side channel fault analysis family (SCA.F)

  • Side channel E

Side channel E-

  • magnetic analysis family (SCA.E)

magnetic analysis family (SCA.E)

slide-18
SLIDE 18

18

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 18 18

Side channel analysis family Side channel analysis family

  • The proposed assurance components for side

The proposed assurance components for side channel analysis channel analysis

AVA_SCA.3 AVA_SCA.3 (Exhaustive SCA) (Exhaustive SCA) AVA_SCA.2 AVA_SCA.2 (Systematic SCA) (Systematic SCA) AVA_SCA.1 AVA_SCA.1 (Side (Side-

  • Channel

Channel Analysis) Analysis) Assurance Assurance Components Components Exhaustive Exhaustive SPA/ DPA SPA/ DPA An exhaustive An exhaustive search for side search for side channels channels Advanced Advanced SPA/ DPA SPA/ DPA A systematic A systematic search for side search for side channels channels Basic Basic SPA/ DPA SPA/ DPA An informal search An informal search for side channels for side channels AVA_SCA AVA_SCA AVA AVA Relationship Relationship Definition Definition Assurance Assurance Family Family Assurance Assurance Class Class

slide-19
SLIDE 19

19

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 19 19

Side channel analysis family Side channel analysis family

  • The proposed evaluation assurance level

The proposed evaluation assurance level in assurance family of class AVA in assurance family of class AVA

slide-20
SLIDE 20

20

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 20 20

Assurance component Assurance component

  • AVA_SCA:

AVA_SCA: The development of assurance The development of assurance component for side channel attacks component for side channel attacks

  • Objectives

Objectives

  • The AVA_SCA is carried out to determine the existence and

The AVA_SCA is carried out to determine the existence and potential capacity of unintended signalling channels (i.e. illic potential capacity of unintended signalling channels (i.e. illicit it information flows) that may be attacked during the operation information flows) that may be attacked during the operation

  • f TOE. The assurance requirements address the threat that
  • f TOE. The assurance requirements address the threat that

unintended and attackable signalling paths exist that may be unintended and attackable signalling paths exist that may be exercised to violate the SFP. exercised to violate the SFP.

  • Component levelling

Component levelling

  • The components are levelled on increasing rigour of side

The components are levelled on increasing rigour of side channel analysis. channel analysis.

slide-21
SLIDE 21

21

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 21 21

Assurance component Assurance component

  • Application notes

Application notes

  • Channel capacity estimations are

Channel capacity estimations are based upon based upon informal engineering measurements, as well as informal engineering measurements, as well as actual actual test measurements. Examples of test measurements. Examples of assumptions upon which the side assumptions upon which the side channel analysis channel analysis is based may include processor speed, system or is based may include processor speed, system or network configuration, memory size, and cache network configuration, memory size, and cache

  • size. The selective
  • size. The selective validation of the side channel

validation of the side channel analysis through testing allows the analysis through testing allows the evaluator the evaluator the

  • pportunity to verify any aspect of the side
  • pportunity to verify any aspect of the side

channel channel analysis (e.g. SPA, DPA, SEMD analysis (e.g. SPA, DPA, SEMD-

  • DPA,

DPA, MESD MESD-

  • DPA, ZEMD

DPA, ZEMD-

  • DPA, IPA,

DPA, IPA, HO HO-

  • DPA, TA, FA, DFA,

DPA, TA, FA, DFA, TEMPEST). TEMPEST).

slide-22
SLIDE 22

22

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 22 22

Assurance component Assurance component

  • AVA_SCA.1 side channel analysis

AVA_SCA.1 side channel analysis

  • The objective is to identify side channels that

The objective is to identify side channels that are are identifiable, through an identifiable, through an informal search informal search for for side channels. side channels.

  • AVA_SCA.1.1D, AVA_SCA.1.2D

AVA_SCA.1.1D, AVA_SCA.1.2D

  • AVA_SCA.1.1C ~ AVA_SCA.1.5C

AVA_SCA.1.1C ~ AVA_SCA.1.5C

  • AVA_SCA.1.1E ~ AVA_SCA.1.3E

AVA_SCA.1.1E ~ AVA_SCA.1.3E

slide-23
SLIDE 23

23

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 23 23

Assurance component Assurance component

  • AVA_SCA.2 Systematic side channel

AVA_SCA.2 Systematic side channel analysis analysis

  • The objective is to identify side channels that

The objective is to identify side channels that are are identifiable, through a identifiable, through a systematic search systematic search for side channels. for side channels.

  • AVA_SCA.2.1D, AVA_SCA.2.2D

AVA_SCA.2.1D, AVA_SCA.2.2D

  • AVA_SCA.2.1C ~ AVA_SCA.2.5C

AVA_SCA.2.1C ~ AVA_SCA.2.5C AVA_SCA.2.6C the analysis documentation AVA_SCA.2.6C the analysis documentation shall provide evidence that the method used shall provide evidence that the method used to identify side channels is systematic. to identify side channels is systematic.

  • AVA_SCA.2.1E ~ AVA_SCA.2.3E

AVA_SCA.2.1E ~ AVA_SCA.2.3E

slide-24
SLIDE 24

24

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 24 24

Assurance component Assurance component

  • AVA_SCA.3 Exhaustive side channel

AVA_SCA.3 Exhaustive side channel analysis analysis

  • The objective is to identify side channels that

The objective is to identify side channels that are are identifiable, through an identifiable, through an exhaustive search exhaustive search for side channels. for side channels.

  • AVA_SCA.3.1D, AVA_SCA.3.2D

AVA_SCA.3.1D, AVA_SCA.3.2D

  • AVA_SCA.3.1C ~ AVA_SCA.3.5C

AVA_SCA.3.1C ~ AVA_SCA.3.5C AVA_SCA.3.6C the analysis documentation AVA_SCA.3.6C the analysis documentation shall provide evidence that the method used shall provide evidence that the method used to identify side channels is exhaustive. to identify side channels is exhaustive.

  • AVA_SCA.3.1E ~ AVA_SCA.3.3E

AVA_SCA.3.1E ~ AVA_SCA.3.3E

slide-25
SLIDE 25

25

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 25 25

Summary Summary

  • A

Analyzed the side channel attacks for the smart card nalyzed the side channel attacks for the smart card

  • E

Experiment xperimented ed in power analysis in power analysis attacks attacks to to smartcard smartcard

  • MESD

MESD-

  • DPA for RSA

DPA for RSA easy to success easy to success

  • P

Proposed the smart card roposed the smart card security evaluation security evaluation criteria for side channel attacks criteria for side channel attacks

  • AVA_SCA family

AVA_SCA family

  • AVA_SCA.1, .2 & .3 components

AVA_SCA.1, .2 & .3 components

  • Our proposals could be useful to evaluate a

Our proposals could be useful to evaluate a cryptosystem cryptosystem related with information security technology. related with information security technology.

slide-26
SLIDE 26

26

2004 2004-

  • 05

05-

  • 19

19 Dongseo University Dongseo University 26 26

Thank You Very Much Thank You Very Much ! !