embedding crypto in socs threats and protections
play

Embedding Crypto in SoCs: Threats and Protections Arnaud Tisserand - PowerPoint PPT Presentation

Feb 04, 2023 •203 likes •1.87k views

Embedding Crypto in SoCs: Threats and Protections Arnaud Tisserand CNRS, Lab-STICC laboratory GDR SoC17, Bordeaux Summary Introduction & Cryptographic Background Side Channel Attacks Fault Injection Attacks Protections

  1. RSA Asymmetric Cryptosystem (2/2) Private key (Alice): d Public key (all): ( n , e ) Encryption (Bob side): • convert the message M to an integer m (1 < m < n and gcd( m , n ) = 1) • compute the cipher text c = m e mod n Decryption (Alice side): • compute m = c d mod n • convert the integer m to the message M Theoretical security : integer factorization, i.e. computing ( p , q ) knowing n , is not possible when n is large enough Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 10/62

  2. Modular Exponentiation Computation of operations such as : a b mod n a b = a × a × a × a × . . . × a × a × a � �� � a appears b times Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 11/62

  3. Modular Exponentiation Computation of operations such as : a b mod n a b = a × a × a × a × . . . × a × a × a � �� � a appears b times Order of magnitude of exponents: 2 size of exponent � 2 1024 . . . 2 2048 . . . 2 4096 Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 11/62

  4. Modular Exponentiation Computation of operations such as : a b mod n a b = a × a × a × a × . . . × a × a × a � �� � a appears b times Order of magnitude of exponents: 2 size of exponent � 2 1024 . . . 2 2048 . . . 2 4096 Fast exponentiation principle: a b = b ( a 2 ) when b is even 2 b − 1 a × ( a 2 ) = when b is odd 2 Least significant bit of the exponent: bit = 0 � even and bit = 1 � odd Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 11/62

  5. Square and Multiply Algorithm input : a , b , n where b = ( b t − 1 b t − 2 . . . b 1 b 0 ) 2 output : a b mod n r = 1 for i from 0 to t − 1 do b i = 1 then i f r = r · a mod n endif a = a 2 mod n endfor return r This is the right to left version (there exists a left to right one) Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 12/62

  6. Hardware Accelerators for Elliptic Curve Crypto. protocol level encryption signature etc [ k ] P curve level P + P ADD ( P , Q ) DBL ( P ) field level x ± y x × y . . . Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 13/62

  7. Hardware Accelerators for Elliptic Curve Crypto. E : y 2 = x 3 + 4 x + 20 over GF(1009) protocol level points: P , Q = ( x , y ) or ( x , y , z ) or . . . encryption signature etc [ k ] P curve level P + P ADD ( P , Q ) DBL ( P ) field level x ± y x × y . . . Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 13/62

  8. Hardware Accelerators for Elliptic Curve Crypto. E : y 2 = x 3 + 4 x + 20 over GF(1009) protocol level points: P , Q = ( x , y ) or ( x , y , z ) or . . . encryption signature coordinates: x , y , z ∈ GF ( · ) etc GF ( p ), GF (2 m ), t : 200–600 bits k = ( k t − 1 k t − 2 . . . k 1 k 0 ) 2 ∈ N [ k ] P curve level P + P ADD ( P , Q ) DBL ( P ) field level x ± y x × y . . . Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 13/62

  9. Hardware Accelerators for Elliptic Curve Crypto. E : y 2 = x 3 + 4 x + 20 over GF(1009) protocol level points: P , Q = ( x , y ) or ( x , y , z ) or . . . encryption signature coordinates: x , y , z ∈ GF ( · ) etc GF ( p ), GF (2 m ), t : 200–600 bits k = ( k t − 1 k t − 2 . . . k 1 k 0 ) 2 ∈ N Scalar multiplication operation [ k ] P for i from 0 to t − 1 do curve level if k i = 1 then Q = ADD ( P , Q ) P = DBL ( P ) P + P ADD ( P , Q ) DBL ( P ) field level x ± y x × y . . . Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 13/62

  10. Hardware Accelerators for Elliptic Curve Crypto. E : y 2 = x 3 + 4 x + 20 over GF(1009) protocol level points: P , Q = ( x , y ) or ( x , y , z ) or . . . encryption signature coordinates: x , y , z ∈ GF ( · ) etc GF ( p ), GF (2 m ), t : 200–600 bits k = ( k t − 1 k t − 2 . . . k 1 k 0 ) 2 ∈ N Scalar multiplication operation [ k ] P for i from 0 to t − 1 do curve level if k i = 1 then Q = ADD ( P , Q ) P = DBL ( P ) P + P Point addition/doubling operations ADD ( P , Q ) DBL ( P ) sequence of finite field operations DBL : v 1 = z 2 1 , v 2 = x 1 − v 1 , . . . ADD : w 1 = z 2 1 , w 2 = z 1 × w 1 , . . . field level x ± y x × y . . . Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 13/62

  11. Hardware Accelerators for Elliptic Curve Crypto. E : y 2 = x 3 + 4 x + 20 over GF(1009) protocol level points: P , Q = ( x , y ) or ( x , y , z ) or . . . encryption signature coordinates: x , y , z ∈ GF ( · ) etc GF ( p ), GF (2 m ), t : 200–600 bits k = ( k t − 1 k t − 2 . . . k 1 k 0 ) 2 ∈ N Scalar multiplication operation [ k ] P for i from 0 to t − 1 do curve level if k i = 1 then Q = ADD ( P , Q ) P = DBL ( P ) P + P Point addition/doubling operations ADD ( P , Q ) DBL ( P ) sequence of finite field operations DBL : v 1 = z 2 1 , v 2 = x 1 − v 1 , . . . ADD : w 1 = z 2 1 , w 2 = z 1 × w 1 , . . . field level GF ( p ) or GF (2 m ) operations x ± y x × y . . . operation modulo large prime ( GF ( p )) or irreducible polynomial ( GF (2 m )) Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 13/62

  12. Attacks attack Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 14/62

  13. Attacks observation attack perturbation invasive Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 14/62

  14. Attacks timing analysis power analysis EMR analysis observation attack perturbation fault injection invasive reverse engineering probing EMR = Electromagnetic radiation Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 14/62

  15. Attacks timing analysis power analysis EMR analysis observation attack perturbation theoretical fault injection invasive reverse engineering probing EMR = Electromagnetic radiation Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 14/62

  16. Attacks timing analysis power analysis EMR analysis observation attack perturbation theoretical fault injection invasive reverse engineering advanced algorithms probing optimized programming EMR = Electromagnetic radiation Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 14/62

  17. Side Channel Attacks (SCAs) (1/2) Attack : attempt to find, without any knowledge about the secret: • the message (or parts of the message) • informations on the message • the secret (or parts of the secret) Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 15/62

  18. Side Channel Attacks (SCAs) (1/2) Attack : attempt to find, without any knowledge about the secret: • the message (or parts of the message) • informations on the message • the secret (or parts of the secret) “Old style” side channel attacks : + good value clic clac bad value Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 15/62

  19. Side Channel Attacks (SCAs) (2/2) E D E k ( M ) D k ( E k ( M )) = M M A B k k General principle: measure external parameter(s) on running device in order to deduce internal informations Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 16/62

  20. Side Channel Attacks (SCAs) (2/2) E D E k ( M ) D k ( E k ( M )) = M M A B k k measure attack k , M ??? E General principle: measure external parameter(s) on running device in order to deduce internal informations Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 16/62

  21. What Should be Measured? Answer : everything that can “enter” and/or “get out” in/from the device • power consumption • electromagnetic radiation • temperature • sound • computation time • number of cache misses • number and type of error messages • ... The measured parameters may provide informations on: • global behavior (temperature, power, sound...) • local behavior (EMR, # cache misses...) Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 17/62

  22. Power Consumption Analysis General principle: 1. measure the current i ( t ) in the cryptosystem 2. use those measurements to “deduce” secret informations crypto. secret key = 962571. . . i ( t ) R V DD traces Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 18/62

  23. Simple Power Analysis (SPA) Source: [11] Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 19/62

  24. Simple Power Analysis (SPA) Source: [11] Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 19/62

  25. Limits of the SPA Example of behavior difference: (activity into a register) t 0000000000000000 0000000000000000 t + 1 Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 20/62

  26. Limits of the SPA Example of behavior difference: (activity into a register) t 0000000000000000 0000000000000000 t + 1 1111111111111111 0000000000000001 Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 20/62

  27. Limits of the SPA Example of behavior difference: (activity into a register) t 0000000000000000 0000000000000000 t + 1 1111111111111111 0000000000000001 Important : a small difference may be evaluated has a noise during the measurement traces cannot be distinguished Question : what can be done when differences are too small? Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 20/62

  28. Limits of the SPA Example of behavior difference: (activity into a register) t 0000000000000000 0000000000000000 t + 1 1111111111111111 0000000000000001 Important : a small difference may be evaluated has a noise during the measurement traces cannot be distinguished Question : what can be done when differences are too small? Answer : use statistics over several traces Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 20/62

  29. Differential Power Analysis (DPA) cryptosystem Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 21/62

  30. Differential Power Analysis (DPA) cryptosystem internal state Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 21/62

  31. Differential Power Analysis (DPA) cryptosystem internal state select bit b to attack b = 1 b = 0 Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 21/62

  32. Differential Power Analysis (DPA) cryptosystem implementation internal state select bit b to attack b = 1 b = 0 Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 21/62

  33. Differential Power Analysis (DPA) cryptosystem implementation internal state power model select bit b to attack b = 1 b = 0 Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 21/62

  34. Differential Power Analysis (DPA) cryptosystem implementation internal state power model select bit b to attack power( H b =1 ) b = 1 power( H b =0 ) b = 0 Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 21/62

  35. Differential Power Analysis (DPA) cryptosystem implementation internal state measures power model select bit b to attack power( H b =1 ) b = 1 power( H b =0 ) b = 0 Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 21/62

  36. Differential Power Analysis (DPA) cryptosystem implementation internal state measures power model select bit b to attack power( H b =1 ) b = 1 comparison power( H b =0 ) b = 0 correct hypothesis Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 21/62

  37. Template Attack cryptosystem Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 22/62

  38. Template Attack cryptosystem internal state Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 22/62

  39. Template Attack cryptosystem internal state select variable v to attack v = 0 v = 1 v = 2 Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 22/62

  40. Template Attack cryptosystem implementation internal state select variable v to attack v = 0 v = 1 v = 2 Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 22/62

  41. Template Attack cryptosystem implementation internal state measures select variable v to attack v = 0 power( v = 0) power( v = 1) v = 1 power( v = 2) v = 2 training step Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 22/62

  42. Template Attack cryptosystem implementation internal state measures measures select variable v to attack v = 0 power( v = 0) power( v = 1) v = 1 power( v = 2) v = 2 training step Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 22/62

  43. Template Attack cryptosystem implementation internal state measures measures select variable v to attack v = 0 power( v = 0) power( v = 1) comparison v = 1 power( v = 2) v = 2 training step correct hypothesis Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 22/62

  44. Electromagnetic Radiation Analysis General principle : use a probe to measure the EMR V DD circuit GND EMR measurement : Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 23/62

  45. Electromagnetic Radiation Analysis General principle : use a probe to measure the EMR V DD circuit GND EMR measurement : • global EMR with a large probe Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 23/62

  46. Electromagnetic Radiation Analysis General principle : use a probe to measure the EMR V DD circuit GND EMR measurement : • global EMR with a large probe • local EMR with a micro-probe Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 23/62

  47. Side Channel Attack on ECC protocol level encryption signature etc [ k ] P curve level Scalar multiplication operation ADD ( P , Q ) DBL ( P ) for i from 0 to t − 1 do if k i = 1 then Q = ADD ( P , Q ) P = DBL ( P ) field level . . . x ± y x × y Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 24/62

  48. Side Channel Attack on ECC protocol level encryption signature etc [ k ] P curve level Scalar multiplication operation ADD ( P , Q ) DBL ( P ) for i from 0 to t − 1 do if k i = 1 then Q = ADD ( P , Q ) P = DBL ( P ) field level . . . x ± y x × y Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 24/62

  49. Side Channel Attack on ECC protocol level DBL DBL DBL DBL DBL DBL encryption signature etc [ k ] P curve level Scalar multiplication operation ADD ( P , Q ) DBL ( P ) for i from 0 to t − 1 do if k i = 1 then Q = ADD ( P , Q ) P = DBL ( P ) field level . . . x ± y x × y Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 24/62

  50. Side Channel Attack on ECC protocol level DBL DBL DBL ADD DBL ADD DBL DBL encryption signature etc [ k ] P curve level Scalar multiplication operation ADD ( P , Q ) DBL ( P ) for i from 0 to t − 1 do if k i = 1 then Q = ADD ( P , Q ) P = DBL ( P ) field level . . . x ± y x × y Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 24/62

  51. Side Channel Attack on ECC protocol level DBL DBL DBL ADD DBL ADD DBL DBL encryption signature etc 0 0 0 1 1 0 [ k ] P curve level Scalar multiplication operation ADD ( P , Q ) DBL ( P ) for i from 0 to t − 1 do if k i = 1 then Q = ADD ( P , Q ) P = DBL ( P ) • simple power analysis (& variants) field level . . . x ± y x × y Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 24/62

  52. Side Channel Attack on ECC protocol level DBL DBL DBL ADD DBL ADD DBL DBL encryption signature etc 0 0 0 1 1 0 [ k ] P curve level Scalar multiplication operation ADD ( P , Q ) DBL ( P ) for i from 0 to t − 1 do if k i = 1 then Q = ADD ( P , Q ) P = DBL ( P ) • simple power analysis (& variants) field level . . . x ± y x × y • differential power analysis (& variants) • horizontal/vertical/templates/. . . attacks Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 24/62

  53. Fault Injection Attacks Objective : alter the correct functioning of a system “from outside” Fault effects examples : • modify a value in a register • modify a value in the memory hierarchy • modify an address (data location or code location) • modify a control signal (e.g. status flag, branch direction) • skip/modify the instruction decoding • delay/advance propagation of internal control signals • etc. Also called perturbation attacks Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 25/62

  54. Fault Injection Techniques Typical techniques : • perturbation in the power supply voltage • perturbation of the clock signal • temperature (over/under-heating the chip) • radiation or electromagnetic (EM) disturbances • exposing the chip to intense lights or beams • etc Accuracy : • time: part of clock cycle, clock cycle, code block (instruction sequence) • space: gate, block, unit, core, chip, package • value: set to a specific value, bit flip, stuck-at 0 or 1, random modification Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 26/62

  55. Perturbation on the Power Supply Principle : controlled power supply voltage time • Nominal power supply (e.g. ≈ [0 . 7 , 1 . 2] V for current technologies) Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 27/62

  56. Perturbation on the Power Supply Principle : V DD controlled device power under supply attack GND voltage time • Nominal power supply (e.g. ≈ [0 . 7 , 1 . 2] V for current technologies) • Non-nominal constant power supply (e.g. 0 . 7 V instead of 1 . 2 V) Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 27/62

  57. Perturbation on the Power Supply Principle : V DD power controlled device device glitch power under under generator supply attack attack GND voltage time • Nominal power supply (e.g. ≈ [0 . 7 , 1 . 2] V for current technologies) • Non-nominal constant power supply (e.g. 0 . 7 V instead of 1 . 2 V) • Glitches (dips, spikes) in the power supply at some selected moments Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 27/62

  58. Under Powering Example Source : paper [19] presented at EDCC 2008 conference Setup : 130 nm smart card (1.2 V nominal V DD ) with AES crypto-processor Measurement campaign : triples (msg, key, cypher) recorded for 100 V DD in [775, 825] mV over 20,000 encryptions with comparison to a (RTL) simulation for one byte corruption in the state matrix at various rounds Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 28/62

  59. Under Powering Example Source : paper [19] presented at EDCC 2008 conference Setup : 130 nm smart card (1.2 V nominal V DD ) with AES crypto-processor Measurement campaign : triples (msg, key, cypher) recorded for 100 V DD in [775, 825] mV over 20,000 encryptions with comparison to a (RTL) simulation for one byte corruption in the state matrix at various rounds Observed behavior is compatible with setup violation model on a critical path (bell shape due to only one or multiple paths) Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 28/62

  60. Under Powering Example Source : paper [19] presented at EDCC 2008 conference Setup : 130 nm smart card (1.2 V nominal V DD ) with AES crypto-processor Measurement campaign : triples (msg, key, cypher) recorded for 100 V DD in [775, 825] mV over 20,000 encryptions with comparison to a (RTL) simulation for one byte corruption in the state matrix at various rounds Observed behavior is compatible with setup violation model on a critical path (bell shape due to only one or multiple paths) Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 28/62

  61. Power Glitching Example Source : FDTC 2008 conference paper [18] Setup : AVR microcontroller with RSA implementation Attack result : a power glitch causes to skip some instruction Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 29/62

  62. Perturbation on the External Clock Principle : voltage CLK time • Normal clock (at a given frequency, duty cycle ≈ 50%) Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 30/62

  63. Perturbation on the External Clock Principle : voltage MCLK CLK time • Normal clock (at a given frequency, duty cycle ≈ 50%) • Clock with a modified duty cycle Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 30/62

  64. Perturbation on the External Clock Principle : voltage glitches GCLK MCLK CLK time • Normal clock (at a given frequency, duty cycle ≈ 50%) • Clock with a modified duty cycle • Glitched clock • Etc. Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 30/62

  65. Glitchy Clock Generation Example Source : paper [10] published in J. Crypto. Eng. 2011 Setup : Virtex-II Pro FPGA (on SASEBO card) used to generate a “glitchy” clock for several programmable time parameters Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 31/62

  66. Clock Glitch Attack Example Source : paper [1] presented at FDTC 2011 conference Setup : AVR ATMega 163 microcontroller @ 1MHz mode glitch period cycle instruction opcode (bin) normal - 0000 0000 0000 0000 i NOP normal - i + 1 EOR R15,R5 0010 0100 1111 0101 Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 32/62

  67. Clock Glitch Attack Example Source : paper [1] presented at FDTC 2011 conference Setup : AVR ATMega 163 microcontroller @ 1MHz mode glitch period cycle instruction opcode (bin) normal - 0000 0000 0000 0000 i NOP normal - i + 1 EOR R15,R5 0010 0100 1111 0101 glitch 59 ns i + 1 NOP 0000 0000 0000 0000 Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 32/62

  68. Clock Glitch Attack Example Source : paper [1] presented at FDTC 2011 conference Setup : AVR ATMega 163 microcontroller @ 1MHz mode glitch period cycle instruction opcode (bin) normal - 0000 0000 0000 0000 i NOP normal - i + 1 EOR R15,R5 0010 0100 1111 0101 glitch 59 ns i + 1 NOP 0000 0000 0000 0000 mode glitch period cycle instruction opcode (bin) normal - 0000 0000 0000 0000 i NOP normal - i + 1 SER R18 1110 1111 0010 1111 Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 32/62

  69. Clock Glitch Attack Example Source : paper [1] presented at FDTC 2011 conference Setup : AVR ATMega 163 microcontroller @ 1MHz mode glitch period cycle instruction opcode (bin) normal - 0000 0000 0000 0000 i NOP normal - i + 1 EOR R15,R5 0010 0100 1111 0101 glitch 59 ns i + 1 NOP 0000 0000 0000 0000 mode glitch period cycle instruction opcode (bin) normal - 0000 0000 0000 0000 i NOP normal - i + 1 SER R18 1110 1111 0010 1111 glitch 61 ns i + 1 LDI R18,0xEF 1110 1110 0010 1111 glitch 60 ns i + 1 0000 1000 0010 1111 SBC R12,R15 glitch 59 ns i + 1 NOP 0000 0000 0000 0000 Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 32/62

  70. mode glitch period cycle instruction opcode (bin) normal - 0010 0000 1100 1100 i TST R12 normal - i + 1 BREQ PC+0x02 1111 0000 0000 1001 normal - i + 2 1110 1111 1010 1111 SER R26 Arnaud Tisserand. CNRS – Lab-STICC. Embedding Crypto in SoCs: Threats and Protections 33/62

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Marijuana Threats to Smokefree Air Protections Liz Williams &amp; Cynthia Hallett Oregon Tobacco

Marijuana Threats to Smokefree Air Protections Liz Williams &amp; Cynthia Hallett Oregon Tobacco

Marijuana Threats to Smokefree Air Protections Liz Williams &amp; Cynthia Hallett Oregon Tobacco Prevention &amp; Education Program American Nonsmokers Rights Foundation January 15, 2020 no-smoke.org Overview 1.National overview

224 views • 21 slides
Crypto Currency Security from the Frontlines Hedge Funds, Nation State Threats &amp; T echnical

Crypto Currency Security from the Frontlines Hedge Funds, Nation State Threats &amp; T echnical

Crypto Currency Security from the Frontlines Hedge Funds, Nation State Threats &amp; T echnical Security Approaches Adam Healy, CISO State of Crypto Asset Security 2016 Market Capitalization NASDAQ 1 ~$7.8 trillion London Stock Exchange 1

291 views • 12 slides
RTU protections - news Ostrava 2015 Energetics RTU protections RTU RTUs for control,

RTU protections - news Ostrava 2015 Energetics RTU protections RTU RTUs for control,

www.elvac.eu Marian Kuruc RTU protections - news Ostrava 2015 Energetics RTU protections RTU RTUs for control, protection, data acquisition and communication Content Redesigned block of protections Global setting of measurement ranges

409 views • 10 slides
Graph Drawing Embedding Embedding For a given graph G = ( V , E ) , an embedding (into R 2 )

Graph Drawing Embedding Embedding For a given graph G = ( V , E ) , an embedding (into R 2 )

Graph Drawing Embedding Embedding For a given graph G = ( V , E ) , an embedding (into R 2 ) assigns each vertex a coordinate and each edge a (not necessarily straight) line connecting the corresponding coordinates. 0 1 3 4 1 1 0 2 5 2

541 views • 18 slides
Planarity Embedding Embedding For a given graph G = ( V , E ) , an embedding (into R 2 ) assigns

Planarity Embedding Embedding For a given graph G = ( V , E ) , an embedding (into R 2 ) assigns

Planarity Embedding Embedding For a given graph G = ( V , E ) , an embedding (into R 2 ) assigns each vertex a coordinate and each edge a (not necessarily straight) line connecting the corresponding coordinates. 0 1 3 4 1 1 0 2 5 2 5

754 views • 18 slides
Power Management in Power Management in Wireless SOCs SOCs Wireless Jan M. Rabaey Scientific

Power Management in Power Management in Wireless SOCs SOCs Wireless Jan M. Rabaey Scientific

Power Management in Power Management in Wireless SOCs SOCs Wireless Jan M. Rabaey Scientific Co-Director BWRC Director GSRC EECS Dept. Univ. of California, Berkeley With contributions of M. Sheets and H. Qin The Leakage Challenge (1) The

597 views • 25 slides
CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE WILLIAMSBURG, VA THURSDAY, OCTOBER 17 TH , 2019 JOHN KELLY, PE IOWA DEPARTMENT OF PUBLIC HEALTH DISCLAIMER THIS PRESENTATION: IS INTENDED FOR

843 views • 40 slides
Exceeding Domestic Standards: The gap between treaty protections and protections under US law

Exceeding Domestic Standards: The gap between treaty protections and protections under US law

Exceeding Domestic Standards: The gap between treaty protections and protections under US law Lise Johnson ljj2107@columbia.edu T-TIP Stakeholder Briefing May 21, 2014 US Law: When will a court find that the government has given an

236 views • 4 slides
Greedy embedding of a graph Greedy embedding of a graph 99 Greedy embedding Greedy embedding

Greedy embedding of a graph Greedy embedding of a graph 99 Greedy embedding Greedy embedding

Given a graph, find an embedding s.t. greedy routing works Greedy embedding of a graph Greedy embedding of a graph 99 Greedy embedding Greedy embedding Given a graph G, find an embedding of the vertices in R d , s.t. for each pair of

361 views • 23 slides
1 2 3 4 5 F I N A N C I A L P R O T E C T I O N S S E R V I C E FINANCIAL PROTECTIONS

1 2 3 4 5 F I N A N C I A L P R O T E C T I O N S S E R V I C E FINANCIAL PROTECTIONS

INTRODUCTORY GUIDE 1 2 3 4 5 F I N A N C I A L P R O T E C T I O N S S E R V I C E FINANCIAL PROTECTIONS SERVICE B A C K G R O U N D The Financial Protections Service was instigated following a recommendation of the Inquiry into the

184 views • 17 slides
TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats

TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats

TR15 2018 1 2 TR360 2016 + T h r e a t s + Typical Threats Low-Tech Malicious Threats Explosive ad incendiary Threats Bio Hazardous Powder Threats 3 Improvised mechanical Devices TR15 Smart Scan Can easily detect the component

192 views • 16 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example

269 views • 7 slides
- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops

- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops

- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops Did you know? Our payment system has ZERO FEES for processing payments How it works? It takes only a few minutes to complete Merchant Initiate

269 views • 11 slides
Javascript Crypto &amp; The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on

Javascript Crypto &amp; The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on

Javascript Crypto &amp; The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on Real-World Crypto January 2013 promote openness, innovation &amp; opportunity on the Web. previously easy to deploy easy to use privacy

610 views • 22 slides
53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats

53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats

53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats every minute* * Merrill Lynch ...Causing $3T USD in costs, and expected to double by 2021* * CyberSecurity Ventures (2015) Todays threat

508 views • 35 slides
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem CRT-RSA CRT-RSA having Low Hamming

403 views • 25 slides
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions

CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions

CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation Problem and

773 views • 39 slides
Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Summary Summary Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security Asymmetric Encryption Rennes January 2004 New Schemes Joint work with Duong Hieu Phan David Pointcheval David Pointcheval

638 views • 8 slides
Information Transmission Chapter 6, Public key crypto OVE EDFORS ELECTRICAL AND INFORMATION

Information Transmission Chapter 6, Public key crypto OVE EDFORS ELECTRICAL AND INFORMATION

1 Information Transmission Chapter 6, Public key crypto OVE EDFORS ELECTRICAL AND INFORMATION TECHNOLOGY Learning outcomes After this lecture the student should understand the concept of one-way functions and specifically trapdoor

268 views • 25 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010 Sonja Buchegger buc@kth.se Lecture 2, Jan. 20, 2010 Cryptography Scope of Computer Security Jan. 20, 2010 KTH DD2395 Sonja Buchegger 2

469 views • 45 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 2, Oct. 27, 2010 Cryptography Oct. 27, 2010 KTH DD2395 Sonja Buchegger 1 Questionnaire Results Prior

602 views • 42 slides
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Math ematiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 1

1.72k views • 143 slides
Information Systems Security Dr. Ayman Abdel-Hamid College of Computing and Information

Information Systems Security Dr. Ayman Abdel-Hamid College of Computing and Information

Information Systems Security Dr. Ayman Abdel-Hamid College of Computing and Information Technology Arab Academy for Science &amp; Technology and Maritime Transport Chapter 9 Public-Key Cryptography and RSA ISS Dr. Ayman Abdel-Hamid 1

5.21k views • 19 slides

More recommend