attacks and defenses
play

Attacks and Defenses Dr. Falko Strenzke fstrenzke@cryptosource.de - PowerPoint PPT Presentation

Dec 07, 2022 •220 likes •531 views

Attacks and Defenses Dr. Falko Strenzke fstrenzke@cryptosource.de cryptosource Cryptography. Security. Falko Strenzke 2020 For evaluation purposes only Please do not distribute August 4, 2020 Dr. Falko Strenzke Attacks and Defenses For

  1. Attacks and Defenses Dr. Falko Strenzke fstrenzke@cryptosource.de cryptosource Cryptography. Security. � Falko Strenzke 2020 For evaluation purposes only Please do not distribute August 4, 2020 Dr. Falko Strenzke Attacks and Defenses For evaluation purposes only

  2. Attacks and Attack Resistance 1 Hardware Security Solutions 2 Dr. Falko Strenzke 2/30 For evaluation purposes only

  3. Attacks on Cryptographic Implementations � normal 1010 ❆ 1001 MCU � hacking 1010 ➍ 1001 � timing attack � � fault attack power analysis � probing, crypto MCU reverse engineering Dr. Falko Strenzke 3/30 For evaluation purposes only

  4. Software Attacks no physical access required – remote attacks “hacking” exploit implementation flaws, e.g. buffer overflows software fault attacks (decryption oracle attacks) timing attacks scales well for attacker with low risk of detection some cryptography-specific software attacks exist Dr. Falko Strenzke 4/30 For evaluation purposes only

  5. Decryption Oracle Attacks c Alice Bob c = E ( m ) � classical attack scenario in cryptography: passive attacks c Alice Bob c = E ( m ) c ′ � Around 2000: active attacks Dr. Falko Strenzke 5/30 For evaluation purposes only

  6. Padding Oracle Attacks 0 ∣ ... ∣ X ∣ 1 ∣ 1 CBC mode encrypts full multiples of ⊕ the block length C f − 1 C f requires filling up of final block with padding bytes: PKCS#7 Padding: D D E k (< data > ∣ 4 ∣ 4 ∣ 4 ∣ 4 ) . . . ⊕ ⊕ Padding Oracle Attack: Attacker manipulates P f − 1 P f CBC-encrypted ciphertext triggers decryption s ∣ e ∣ c ∣ r ∣ e ∣ t ∣ 2 ∣ 2 data . . . well-formed padding: no error corrupted s ∣ e ∣ c ∣ r ∣ e ∣ t ∣ 3 ∣ 3 malformed padding: error indicated valid padding → X ⊕ t = 3 Dr. Falko Strenzke 6/30 For evaluation purposes only

  7. Symmetric Decryption Oracle Attacks in Practice Powerful attack which leads to total decryption of the plaintext Many vulnerabilities SSL, IPsec: padding oracle (2002) TLS: “Lucky 13” (2015), a timing attack variant XML Encryption: application oracle (2011) authenticity (MAC, signature) must be verified prior to decryption Dr. Falko Strenzke 7/30 For evaluation purposes only

  8. Public-key Decryption Oracle Attacks in Practice PKCS#1 v1.5 encryption encoding for RSA RSA encryption 2048 bit. This must be input into primitive < RSA modulus size > (RSA exponentiation) message padding this is what is encrypted by application ( or a hash value to be signed ) Dr. Falko Strenzke 8/30 For evaluation purposes only

  9. Public-key Decryption Oracle Attacks in Practice PKCS#1 v1.5 encryption encoding for RSA RSA decryption 2048 bit. This comes out of < RSA modulus size > the primitive (RSA exponentiation) message padding must be parsed this is what is returned to application Dr. Falko Strenzke 9/30 For evaluation purposes only

  10. Public-key Decryption Oracle Attacks in Practice RSA target ciphertext learns plaintext 1993: RSA-PKCS#1 v1.5 encryption modify trial ciphertext � accoring to error code 1998: Bleichenbacher describes attack RSA trial ciphertext decryption of ciphertext after many queries 2008: TLS 1.2 released uses vulnerable PKCS#1 v1.5 RSA decryption specifies complicated countermeasures (2012: Attacks against XML Encryption) < RSA modulus size > 2017: ROBOT (“Return Of Bleichenbacher’s message padding Oracle Threat”) many affected network devices different error codes for different invalid formats (different running times) Dr. Falko Strenzke 10/30 For evaluation purposes only

  11. Timing Side-Channel Attacks Timing attacks are side-channel attacks Trivial timing attack: byte-wise MAC comparison Kocher 1996: Cryptographic timing attacks Running time of RSA decryption is dependent on the private key Many measurements and sophisticated statistical analysis may allow extraction of the private key Dr. Falko Strenzke 11/30 For evaluation purposes only

  12. Cache-Timing Attacks on AES Efficient software implementations of AES use lookup tables for the SubBytes operation input key table lookup The indexing into the lookup table depends on a key byte x = Table [ k 3 ⊕ y ] where y is a known input Dr. Falko Strenzke 12/30 For evaluation purposes only

  13. CPU Cache Dr. Falko Strenzke 13/30 For evaluation purposes only

  14. Cache-Timing Attacks on AES The indexing into the lookup table depends on a key byte x = Table [ k 3 ⊕ y ] where y is a known input [0] [16] [32] cache line 1 cache line 2 cache line 3 repeated indexing into the same cache line: faster statistical analysis reveals key highly relevant for embedded systems with more deterministic timing behaviour (Note: cache-timing is used as a covert channel in Meltdown) Dr. Falko Strenzke 14/30 For evaluation purposes only

  15. Timing Attack Countermeasures constant time implementations no conditional branching based on secret values hard to verify – interplay with compiler does not help against other side channel attacks executing operations on randomly transformed inputs random delays specifically against cache-attacks: cache warming effectiveness depends on exact context Dr. Falko Strenzke 15/30 For evaluation purposes only

  16. Physical Attacks scenario: attacker has (temporary) access to a device a (stolen) smart card “lunch-time” or “evil maid” attack attacker can trigger cryptographic operation perform measurements known in the smart card industry for decades Dr. Falko Strenzke 16/30 For evaluation purposes only

  17. Power Analysis Attacks Basics Power Analysis Attacks Power consumption of a CPU is dependent on instruction type: higher for multiplication than addition on the data: switching a register from 0 x 00 ... 00 to 0 xFF .. FF requires more energy than to flipping a single bit Dr. Falko Strenzke 17/30 For evaluation purposes only

  18. Simple Power Analysis against RSA r = 1 f o r i = | d | down to 0 r = r ∗ r mod n i f d [ i ] == 1 r = r ∗ m mod n r e t u r n r as c Courtesy of Dr. Falko Strenzke 18/30 For evaluation purposes only

  19. Differential Power Analysis attack a single key byte in AES at a time x = k i ⊕ y y part of the input many different inputs with all 256 values of y measure power traces find points of greatest variation formulate hypotheses, e.g. x = 0 lowest / highest power consumption t determine trace with lowest/highest power consumption → candidate for k i repeat for all key bytes Dr. Falko Strenzke 19/30 For evaluation purposes only

  20. Electromagnetic Emanation measure electromagnetic emanation (EM) instead of power consumption directly on the chip locate interesting functional block, e.g. register measure EM emanation locally measurements from distance less effective Dr. Falko Strenzke 20/30 For evaluation purposes only

  21. Power/EM Analysis Attacks Countermeasures add random noise add random delays masking internal values instead of x = k i ⊕ y compute x ′ = ( m ⊕ k i ) ⊕ y dual rail implementation: compensate differences shielding against EM emanation Dr. Falko Strenzke 21/30 For evaluation purposes only

  22. Hardware Fault Attacks Active attacks locate targeted functional unit on the chip input data: 11010011 use EM pulse or laser during a cryptographic operation effects � � step over instruction alter register values goals: output data: 001001011 dump keys dump intermediate values � evade security checks single run with low success probability many repetitions, automation Dr. Falko Strenzke 22/30 For evaluation purposes only

  23. Example: Fault Attack against AES early termination enforced, input premature output “key ⊕ input” is dumped key Dr. Falko Strenzke 23/30 For evaluation purposes only

  24. Countermeasures against Hardware Fault Attacks Redundant hardware layouts repeat operations and compare counter operations: verify encryption by decryption attack detection (and reaction) HW/SW checksums Dr. Falko Strenzke 24/30 For evaluation purposes only

  25. Probing Attacks / Reverse Engineering Probing Attack / Reverse Engineering “there are no secrets in silicon” Chemical and mechanical removal of layers Analysing the gate structure Data extraction costly! Typical gains for the attacker learning IP (firmware) learning proprietary cryptographic algorithms breaking them e.g. DECT (*) learn system-wide master keys find software bugs that allow remote exploitation (*) https://dedected.org/trac/raw-attachment/wiki/ DSC-Analysis/FSE2010-166.pdf Dr. Falko Strenzke 25/30 For evaluation purposes only

  26. Hardware Security Security against physical attacks only with dedicated security modules a.k.a. “security MCU” “crypto chip” “hardware security module” “secure element” speed-up of cryptographic operations Typical features of security controllers hardware random number generator symmetric cryptographic engine (AES, Hash) public-key support: modular arithmetic (RSA, ECC) Fault attack and side-channel countermeasures protection against probing attacks Dr. Falko Strenzke 26/30 For evaluation purposes only

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Advanced Man-at-the-end Attacks and Defenses Bjorn De Sutter ISSISP 2018 Canberra 1

Advanced Man-at-the-end Attacks and Defenses Bjorn De Sutter ISSISP 2018 Canberra 1

Advanced Man-at-the-end Attacks and Defenses Bjorn De Sutter ISSISP 2018 Canberra 1 Lecture Overview 1. Advanced MATE attacks models tools &amp; techniques 2. Protected code comprehension processes 3. Advanced MATE defenses 4.

1.79k views • 114 slides
Clickjacking: Attacks and Defenses University of Cyprus Department of ComputerScience Advanced

Clickjacking: Attacks and Defenses University of Cyprus Department of ComputerScience Advanced

Clickjacking: Attacks and Defenses University of Cyprus Department of ComputerScience Advanced Security Topics Name: Soteris Constantinou Instructor: Dr. Elias Athanasopoulos Authors: Lin-Shung Huang, Alex Moshchuk, Helen J. Wang, Stuart

1.65k views • 81 slides
Clickjacking Credit: paper (Clickjacking: Attacks and Defenses Huang et al.) and most slide

Clickjacking Credit: paper (Clickjacking: Attacks and Defenses Huang et al.) and most slide

Clickjacking Credit: paper (Clickjacking: Attacks and Defenses Huang et al.) and most slide content (Vern Paxson) Misleading users Browser assumes that clicks and keystrokes = clear indication of what the user wants to do Constitutes

567 views • 24 slides
15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico

15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico

15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico Kolter (this lecture) and Ariel Procaccia Carnegie Mellon University Spring 2018 Portions base upon joint work with Eric Wong 1 Outline Adverarial

710 views • 39 slides
Website Fingerprinting Attacks and Defenses in the Tor Onion Space Marc Juarez imec-COSIC KU

Website Fingerprinting Attacks and Defenses in the Tor Onion Space Marc Juarez imec-COSIC KU

Website Fingerprinting Attacks and Defenses in the Tor Onion Space Marc Juarez imec-COSIC KU Leuven COSIC Seminar - 23rd October 2017, Leuven Introduction Contents of this presentation: - PETS17: Website Fingerprinting Defenses at

658 views • 44 slides
Physical Security Attacks and Defenses for Computing Systems Steve Weingart Senior Engineer

Physical Security Attacks and Defenses for Computing Systems Steve Weingart Senior Engineer

Physical Security Attacks and Defenses for Computing Systems Steve Weingart Senior Engineer c1shw@us.ibm.com (561) 392 6100 Secure Systems and Smart Cards IBM T.J. Watson Research Center Hawthorne, NY Physical Security Attacks &amp;

334 views • 8 slides
Side-Channel Attacks and Defenses for SGX and SEV Yinqian Zhang Associate Professor Computer

Side-Channel Attacks and Defenses for SGX and SEV Yinqian Zhang Associate Professor Computer

Open Source Enclave Workshop 2019 Side-Channel Attacks and Defenses for SGX and SEV Yinqian Zhang Associate Professor Computer Science &amp; Engineering The Ohio State University Userland TEEs on Commodity Processors Application VM VM

154 views • 14 slides
Buffer Overflow Attacks &amp; Defenses Slides are borrowed from Franziska Roesner @UW and Dawn

Buffer Overflow Attacks &amp; Defenses Slides are borrowed from Franziska Roesner @UW and Dawn

Buffer Overflow Attacks &amp; Defenses Slides are borrowed from Franziska Roesner @UW and Dawn Song @Berkeley Linux (32-bit) process memory layout -0xFFFFFFFF Reserved for Kernal -0xC0000000 user stack %esp shared libraries -0x40000000

994 views • 85 slides
FOSAD07 Low-level Software Security: Attacks and Defenses lfar Erlingsson Microsoft

FOSAD07 Low-level Software Security: Attacks and Defenses lfar Erlingsson Microsoft

FOSAD07 Low-level Software Security: Attacks and Defenses lfar Erlingsson Microsoft Research, Silicon Valley and Reykjavk University, Iceland An example of a real-world attack Exploits a vulnerability in the GDI+ rendering of

1.26k views • 113 slides
On Adaptive Attacks to Adversarial Example Defenses Florian Tramr USENIX ScAINet August 10 th

On Adaptive Attacks to Adversarial Example Defenses Florian Tramr USENIX ScAINet August 10 th

On Adaptive Attacks to Adversarial Example Defenses Florian Tramr USENIX ScAINet August 10 th , 2020 Joint work with Nicholas Carlini, Wieland Brendel and Aleksander Madry What Are Adversarial Examples? 88% Tabby Cat 99% Guacamole Biggio

360 views • 21 slides
Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher Reminder Lab assignment will be released 09/21 Monday Recommend to read Cache missing for fun and profit. (2005).

562 views • 38 slides
Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher Reminder Lab assignment will be released 09/21 Monday Recommend to read Cache missing for fun and profit. (2005).

1.03k views • 66 slides
Website fingerprinting on Tor: attacks and defenses Claudia Diaz KU Leuven Joint work with: Marc

Website fingerprinting on Tor: attacks and defenses Claudia Diaz KU Leuven Joint work with: Marc

Website fingerprinting on Tor: attacks and defenses Claudia Diaz KU Leuven Joint work with: Marc Juarez , Sadia Afroz, Gunes Acar, Rachel Greenstadt, Mohsen Imani, Mike Perry, Matthew Wright Post-Snowden Cryptography Workshop Brussels, December

754 views • 52 slides
WEIRD MACHINES IN PROGRAM METADATA: ATTACKS AND DEFENSES NOVEMBER 2013 REBECCA . bx

WEIRD MACHINES IN PROGRAM METADATA: ATTACKS AND DEFENSES NOVEMBER 2013 REBECCA . bx

ANNUAL INDUSTRY WORKSHOP NOVEMBER 6-7, 2013 WEIRD MACHINES IN PROGRAM METADATA: ATTACKS AND DEFENSES NOVEMBER 2013 REBECCA . bx SHAPIRO DARTMOUTH COLLEGE TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.ORG 1 UNIVERSITY

566 views • 13 slides
Effective Topology Tampering Attacks and Defenses in Software- Defined Networks RICHARD

Effective Topology Tampering Attacks and Defenses in Software- Defined Networks RICHARD

Effective Topology Tampering Attacks and Defenses in Software- Defined Networks RICHARD SKOWYRA, LEI XU, GUOFEI GU, VEER DEDHIA, THOMAS HOBSON, HAMED OHKRAVI, JAMES LANDRY Software Defined Networks Allows controller to modify network

766 views • 29 slides
Hash-flooding DoS reloaded: Hash flooding begins? attacks and defenses July 1998 article

Hash-flooding DoS reloaded: Hash flooding begins? attacks and defenses July 1998 article

Hash-flooding DoS reloaded: Hash flooding begins? attacks and defenses July 1998 article Jean-Philippe Aumasson, Designing and attacking Kudelski Security (NAGRA) port scan detection tools by Solar Designer (Alexander D. J. Bernstein,

1.83k views • 164 slides
Active Adversary Lecture 7 CCA Security MAC Active Adversary An active adversary can inject

Active Adversary Lecture 7 CCA Security MAC Active Adversary An active adversary can inject

Active Adversary Lecture 7 CCA Security MAC Active Adversary An active adversary can inject messages into the channel Eve can send ciphertexts to Bob and get them decrypted Chosen Ciphertext Attack (CCA) If Bob decrypts all ciphertexts for Eve,

352 views • 14 slides
AuthenticationOverview(NSchapter9)

AuthenticationOverview(NSchapter9)

AuthenticationOverview(NSchapter9) Largesetofprincipalsattachedtoanopenchannel(eg,Internet). ComputerandNetworkSecurity

875 views • 20 slides
TIDE: Proactive threat detection Introduction Ph.D. student from the University of Twente

TIDE: Proactive threat detection Introduction Ph.D. student from the University of Twente

2019-06-20 Olivier van der Toorn &lt;o.i.vandertoorn@utwente.nl&gt; University of Twente, Design and Analysis of Communication Systems TIDE: Proactive threat detection Introduction Ph.D. student from the University of Twente System

1.6k views • 108 slides
Side Channel Analysis Chester Rebeiro IIT Madras CR Modern ciphers designed with very strong

Side Channel Analysis Chester Rebeiro IIT Madras CR Modern ciphers designed with very strong

Side Channel Analysis Chester Rebeiro IIT Madras CR Modern ciphers designed with very strong assumptions Kerckhoffs Principle The system is completely known to the attacker. This includes e ncryption &amp; decryption algorithms,

1.25k views • 85 slides
Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU

Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU

Introduction Three Easy, Automated Techniques Tools for Cryptography Conclusion Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU Leuven, Belgium IBBT, Belgium Summer School on Tools, Mykonos

886 views • 77 slides
Important Examples of Cyber-Physical Systems Cyber-Physical Systems under Attack Models,

Important Examples of Cyber-Physical Systems Cyber-Physical Systems under Attack Models,

Important Examples of Cyber-Physical Systems Cyber-Physical Systems under Attack Models, Fundamental Limitations, and Monitor Design Fabio Pasqualetti Florian D orfler Francesco Bullo Center for Control, Dynamical systems and Computation

994 views • 11 slides
You need to get into a vault Try all combinations. Try a subset of combinations.

You need to get into a vault Try all combinations. Try a subset of combinations.

4/25/08 You need to get into a vault Try all combinations. Try a subset of combinations. Exploit weaknesses in the locks design. Open the door (drilling, torch, ). Back-door access: walls, ceiling, floor. Observe

663 views • 41 slides
Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany Department of Information and Computer Science, Aalto University School of Science, Finland FSE 2014 1 / 21 Outline Introduction Slide Cryptanalysis

712 views • 49 slides

More recommend