evaluating the security of implementations against side
play

Evaluating the Security of Implementations Against Side Channel - PowerPoint PPT Presentation

Nov 04, 2023 •100 likes •790 views

Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI Laboratory for Embedded Security Emmanuel Prouff emmanuel.prouff@ssi.gouv.fr Agence Nationale de la S ecurit e des Syst` emes dInformation

  1. Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI Laboratory for Embedded Security Emmanuel Prouff emmanuel.prouff@ssi.gouv.fr Agence Nationale de la S´ ecurit´ e des Syst` emes d’Information Summer School, ˇ Sibenik, Croatia – June, 17-21, 2019 E. PROUFF, ANSSI Evaluating the Security of Implementations Against SCA

  2. ANSSI Presentation LSC Missions ANSSI Core Missions Prevent threats by supporting the development of trusted products and services for Governmental entities and economic actors Provide reliable advice and support to Governmental entities and operators of Critical Infrastructure Keep companies and the general public informed about information security threats and the related means of protection through an active communication policy Give support to security evaluation labs (ITSEF) and to the french national certification center (CCN). E. PROUFF, ANSSI Evaluating the Security of Implementations Against SCA

  3. ANSSI Presentation LSC Missions Certification Body Certification Body: 10 agents List of certified products available on the ANSSI website: www.ssi.gouv.fr Some statistics about french Common Criteria evaluations: ◮ 50% smartcard evaluations ◮ 35% microcontroller evaluations ◮ 15% softwares, network, misc ... E. PROUFF, ANSSI Evaluating the Security of Implementations Against SCA

  4. ANSSI Presentation Certification Certification Labels for Security Products CSPN - certification for first level security black-box ◮ fast and easy procedure (for ex. allow to label freewares) ◮ evaluation made by ITSEFs ◮ compliance with security target ◮ efficiency of security functionalities ◮ 25-35 man/day Common Criteria - CC certification white-box ◮ longer procedure, recognized outside of France ◮ evaluation made by ITSEFs ◮ compliance with security target ◮ eval. of each security functionality ◮ different assurance levels: EAL1, . . . , EAL7 E. PROUFF, ANSSI Evaluating the Security of Implementations Against SCA

  5. Security Evaluation Industry Security Evaluation in the Industry Context Mandatory for some security products (e.g. banking cards, ePassport or secure platforms for embedded systems) Not always Mandatory but Economical Advantage for many others (e.g. USIM or access control) General Framework ◮ Developers implement countermeasures against SoA attacks (passive, semi-invasive or invasive) ◮ Independent Labs evaluate the security w.r.t SoA attacks (e.g. listed by the JHAS group) ◮ Certification authorities (e.g. ANSSI or BSI or EMV-CO) validate the evaluation and deliver the certificates. E. PROUFF, ANSSI Evaluating the Security of Implementations Against SCA

  6. Security Evaluation Industry Security Evaluation in the Industry Facts Attacks are each year more and more powerful ◮ Semi-invasive attacks with multiple faults ◮ Template Attacks, Second-Order SCA or Horizontal SCA ◮ Use of HPC ... each year more numerous ( ≃ 100 publications / year) Security is costly: development/testing time, decreasing of the performances, loss of genericity for the codes, expertise cost How to increase coverage and accuracy of the evaluation while decreasing the cost? E. PROUFF, ANSSI Evaluating the Security of Implementations Against SCA

  7. Security Evaluation Needs Security Evaluation in the Industry Some needs... Automatize evaluations without quality loss Increase trust in evaluation results ◮ Failure due to countermeasures or to evaluator weakness? Quantify the security instead of testing a set of attacks ◮ Too many attacks, too many parametrizations, etc. ◮ Need to always stay up-to-date ◮ Failure with 10 6 measurements but what if 10 7 are available? Measure the information leakage ◮ Portability gain ◮ Allow for comparison between evaluations Identify Points of Interest ◮ Exchange ”experts How-To” for sound and repeatable techniques To sum-up: Estimate the efficiency of the most powerful attacks in a minimum of time. E. PROUFF, ANSSI Evaluating the Security of Implementations Against SCA

  8. Security Evaluation Needs Security Evaluation in the Industry Some needs... Automatize evaluations without quality loss Increase trust in evaluation results ◮ Failure due to countermeasures or to evaluator weakness? Quantify the security instead of testing a set of attacks ◮ Too many attacks, too many parametrizations, etc. ◮ Need to always stay up-to-date ◮ Failure with 10 6 measurements but what if 10 7 are available? Measure the information leakage ◮ Portability gain ◮ Allow for comparison between evaluations Identify Points of Interest ◮ Exchange ”experts How-To” for sound and repeatable techniques To sum-up: Estimate the efficiency of the most powerful attacks in a minimum of time. E. PROUFF, ANSSI Evaluating the Security of Implementations Against SCA

  9. Security Evaluation Needs What we do at ANSSI related to these subjects? Some Examples... Define generic frameworks to encompass most of the SoA attacks Use the latter frameworks to build generic and modular testing libraries Define methods to accurately measure the information leakage from a chip Define methods to evaluate the success rate of SoA attacks based on the latter measure Adapt methods from Machine Learning to identify PoI E. PROUFF, ANSSI Evaluating the Security of Implementations Against SCA

  10. Side-Channel Attacks Generic Framework Advanced Side Channel Attacks (DPA like attacks) Side Channel Analysis: General Framework. Statistical Tools Implementation AES Adversary Channel Secrets Side Channel Chip Model Optionnal E. PROUFF, ANSSI Evaluating the Security of Implementations Against SCA

  11. Side-Channel Attacks Generic Framework Advanced Side Channel Attacks Side Channel Analysis: General Framework (Theoretical) Context: attack during the manipulation of S ( X + k ) . 1 Measurement : ◮ get a leakages sample ( ℓ k , i ) i related to a sample ( x i ) i of plaintexts. 2 Model Selection : ◮ Design/Select a function m ( · ). 3 Prediction : ◮ For every ˆ k , i = m ( S ( x i + ˆ k , compute m ˆ k )). 4 Distinguisher Selection : ◮ Choose a statistical distinguisher ∆. 5 Key Discrimination : ◮ For every ˆ k , compute the distinguishing value ∆ ˆ k : � � ∆ ˆ k = ∆ ( ℓ k , i ) i , ( m ˆ k , i ) i . 6 Key Candidate Selection : ◮ Deduce ˆ k from all the values ∆ ˆ k . E. PROUFF, ANSSI Evaluating the Security of Implementations Against SCA

  12. Side-Channel Attacks Generic Framework Advanced Side Channel Attacks Side Channel Analysis: attack Description Sheet Attack Description Sheet Type of Leakage: e.g. power consumption or electromagnetic emanation Model Function: e.g. one bit of Z or its Hamming weight Statistical Distinguisher: e.g. difference of means, correlation or entropy Key Candidate Selection: e.g. the candidate the maximizes the scores E. PROUFF, ANSSI Evaluating the Security of Implementations Against SCA

  13. Leakage Assessment for Designers A designer/evaluator POV Security of a device against SCA is tested by designers/evaluators. Large set of SCA to test: CPA, MIA, LRA, DPA, ML, etc. Little time, limited means, constrained resources. Strong knowledge of my device. ML LRA CPA DPA MIA E. PROUFF, ANSSI Evaluating the Security of Implementations Against SCA

  14. Leakage Assessment for Designers A designer/evaluator POV Security of a device against SCA is tested by designers/evaluators. Large set of SCA to test: CPA, MIA, LRA, DPA, ML, etc. Little time, limited means, constrained resources. Strong knowledge of my device. ML LRA CPA DPA MIA E. PROUFF, ANSSI Evaluating the Security of Implementations Against SCA

  15. Leakage Assessment for Designers A designer/evaluator POV Security of a device against SCA is tested by designers/evaluators. Large set of SCA to test: CPA, MIA, LRA, DPA, ML, etc. Little time, limited means, constrained resources. Strong knowledge of my device. ML LRA CPA DPA MIA E. PROUFF, ANSSI Evaluating the Security of Implementations Against SCA

  16. Leakage Assessment for Designers A designer/evaluator POV Security of a device against SCA is tested by designers/evaluators. Large set of SCA to test: CPA, MIA, LRA, DPA, ML, etc. Little time, limited means, constrained resources. Strong knowledge of my device. ML LRA CPA DPA MIA E. PROUFF, ANSSI Evaluating the Security of Implementations Against SCA

  17. Leakage Assessment for Designers First Order Case Leakage assessment: is there information in the traces? must be very efficient in the number of traces. must be as generic as possible: any kind information must be revealed. ֒ → independent from leakage functions. ֒ → takes into account as many intermediate variables as possible. Intuitions First focus on first-order leakages, i.e. the information is contained in the conditional mean of the traces. E [ T | Z = z ] � = E [ T ] A secure implementation would behave as manipulating random values. E. PROUFF, ANSSI Evaluating the Security of Implementations Against SCA

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj Somorovsky Ruhr University Bochum 3curity GmbH juraj.somorovsky@3curity.de About me Security Researcher at: Chair for Network and Data Security,

818 views • 53 slides
Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography Reading Group Presenter: C t lin Hri cu References Verified Interoperable Implementations of Security Protocols. Karthikeyan Bhargavan,

922 views • 70 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 15 Page 1 CS 236 Online Evaluating Program Security What if your task isnt writing secure code? Its determining if someone

423 views • 16 slides
Cray-1 and Graphics Processors 1 Last time TM modern implementations hide all side efgects

Cray-1 and Graphics Processors 1 Last time TM modern implementations hide all side efgects

Cray-1 and Graphics Processors 1 Last time TM modern implementations hide all side efgects speculate that there will be no confmicts 2 generalizing speculation speculation guess and check: branch prediction early loads more

557 views • 40 slides
Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

8 + Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu Rivain 1 , 2 , Emmanuelle Dottax 1 & Emmanuel Prouff 1 Oberthur Card Systems University of Luxembourg February 11, 2008 M. Rivain, E.

812 views • 64 slides
Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security Evaluation with Comparative Analysis Robbie MacGregor 5 th Who Are You?! Adventures in Authentication (WAY), Santa Clara, CA, USA, 2019. I did a thing so

132 views • 10 slides
Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras

Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras

Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras Side Channel Analysis Electro magnetic Radiation Fault injection Power consumption Timing channels Preventing Side Channel Attacks is

468 views • 34 slides
First Building Blocks For Implementations of Security Protocols Verified in Coq Reynald Affeldt

First Building Blocks For Implementations of Security Protocols Verified in Coq Reynald Affeldt

First Building Blocks For Implementations of Security Protocols Verified in Coq Reynald Affeldt 1) Kazuhiko Sakaguchi 1)2) 1) National Institute of Advanced Industrial Science and Technology, Japan 2) University of Tsukuba Motivation

352 views • 21 slides
Reducing a Masked Implementations Effective Security Order with Setup Manipulations And an

Reducing a Masked Implementations Effective Security Order with Setup Manipulations And an

Crypto. group SWORD Reducing a Masked Implementations Effective Security Order with Setup Manipulations And an Explanation Based on Externally-Amplified Couplings Itamar Levi, Davide Bellizia and Franois-Xavier Standaert Aug. 2018 Moti

298 views • 27 slides
Detecting Security Problems and Internet Measurement Evaluating Security Solutions The

Detecting Security Problems and Internet Measurement Evaluating Security Solutions The

Detecting Security Problems and Internet Measurement Evaluating Security Solutions The Internet as a whole is poorly CS 239 measured Advanced Topics in Network And, hence, poorly understood Security No existing network-wide

354 views • 4 slides
Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel

Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel

Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel Snooping Scenario: Ann the Attacker works in a building across the street from Victor the Victim. Late one night Ann can see Victor hard at work in

727 views • 44 slides
Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various Client-Side Hacking Tricks and Techniques pdp Information Security Researcher, founder of the GNUCITIZEN group OBJECTIVES I was planning to...

948 views • 59 slides
Hardware Security Organisational stuff Digital Security Radboud University Nijmegen 1 Other

Hardware Security Organisational stuff Digital Security Radboud University Nijmegen 1 Other

Hardware Security Organisational stuff Digital Security Radboud University Nijmegen 1 Other faces youll see Lejla Batina lectures on side-channels Anna Guinet & Niels Samwel JavaCard project & side-channel lab 2 This course:

424 views • 9 slides
Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure countermeasure Against (first) order power analysis based on multi party computation and secret sharing 2 Outline Threshold Implementations

990 views • 58 slides
Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security

Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security

Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security Prashant Anantharaman, Dartmouth College pa@cs.dartmouth.edu http://cs.dartmouth.edu/~pa CREDC Industry Workshop March 27-29, 2017 Funded by the U.S.

583 views • 36 slides
Relay Attacks and Distance Bounding Protocols Gildas Avoine Universit e catholique de Louvain,

Relay Attacks and Distance Bounding Protocols Gildas Avoine Universit e catholique de Louvain,

Relay Attacks and Distance Bounding Protocols Gildas Avoine Universit e catholique de Louvain, Belgium Workshop on Cryptography for the Internet of Things November 20 21, 2012, Antwerp, Belgium SUMMARY Relay Attacks Distance Bounding

349 views • 21 slides
ECS 235B, Lecture 26 March 13, 2019 March 13, 2019 ECS 235B, Foundations of Computer and

ECS 235B, Lecture 26 March 13, 2019 March 13, 2019 ECS 235B, Foundations of Computer and

ECS 235B, Lecture 26 March 13, 2019 March 13, 2019 ECS 235B, Foundations of Computer and Information Security 1 State Machine Model: 2-Bit Machine Levels High , Low , meet 4 properties: 1. For every input i k , state s j , there is an element c

380 views • 22 slides
Information System Security Chapter 1:Introduction Dr. Loai Tawalbeh Faculty of Information

Information System Security Chapter 1:Introduction Dr. Loai Tawalbeh Faculty of Information

Information System Security Chapter 1:Introduction Dr. Loai Tawalbeh Faculty of Information system and Technology, The Arab Academy for Banking and Financial Sciences. Jordan Dr. Loai Tawalbeh summer 2006 Chapter 1 Introduction

253 views • 10 slides
Design a Cross-Layer Cognitive Engine using Cross-Layer Optimization with Case- Based Reasoning

Design a Cross-Layer Cognitive Engine using Cross-Layer Optimization with Case- Based Reasoning

Design a Cross-Layer Cognitive Engine using Cross-Layer Optimization with Case- Based Reasoning and Reinforcement Learning 4 th Workshop of COST Action IC0902 Rome, Italy 09 11, October, 2013 Ali Haider Mahdi, Andreas Mitschele-Thiel

672 views • 40 slides
The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net

The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net

The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net DIWALL Seminar March 20, 2008 Contents Part I Introduction Part II Signature Schemes Part III Encryption Schemes Part IV Conclusion Part I

463 views • 24 slides
Breaking LMAP Etvs Lornd University, Budapest, Hungary ELTECRYPT Research Group LMAP

Breaking LMAP Etvs Lornd University, Budapest, Hungary ELTECRYPT Research Group LMAP

Mihly Brsz, Balzs Boros, Pter Ligeti, Krisztina Lja, Dniel A. Nagy Breaking LMAP Etvs Lornd University, Budapest, Hungary ELTECRYPT Research Group LMAP Pedro Peris-Lopez, Julio Cesar Hernandez- Castro, Juan M. Estvez

663 views • 29 slides
Breaking Hardware Wallets Breaking Bitcoin September 2017 Nicolas Bacca @btchip Why Hardware

Breaking Hardware Wallets Breaking Bitcoin September 2017 Nicolas Bacca @btchip Why Hardware

Breaking Hardware Wallets Breaking Bitcoin September 2017 Nicolas Bacca @btchip Why Hardware Wallets ? - high level overview YES NO Do you want to send 1.337 BTC to Public data 1UnREADABLE Operations on private data, with user validation

739 views • 24 slides
Wifi Wireless Encryption Unencrypted WEP WPA-2 Threat Model- Unencrypted Threat

Wifi Wireless Encryption Unencrypted WEP WPA-2 Threat Model- Unencrypted Threat

Wifi Wireless Encryption Unencrypted WEP WPA-2 Threat Model- Unencrypted Threat Model- Unencrypted SSID Hiding SSID - network name LoboGuest eduroam Default broadcast SSID SSID hiding do not broadcast SSID

552 views • 18 slides

More recommend