fault based cryptanalysis on block ciphers
play

Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE - PowerPoint PPT Presentation

Oct 07, 2023 •486 likes •1.19k views

Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and Information Security Agency) Friday, October 2 nd , 2015 - Singapore Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures|

  1. Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and Information Security Agency) Friday, October 2 nd , 2015 - Singapore

  2. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Agenda Introduction 1 a. Physical Cryptanalysis b. Fault-based Cryptanalysis Fault Injection Means 2 a. Global Faults b. Local Faults c. Other Tools Cryptanalysis methods 3 a. Fault Model b. Safe Error Attack c. DFA d. Statistical Fault Attack Countermeasures 4 a. Analog Level b. Digital Level c. Application to Crypto 5 Conclusion 1/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  3. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Physical Cryptanalysis| Fault-based Cryptanalysis| Agenda Introduction 1 a. Physical Cryptanalysis b. Fault-based Cryptanalysis Fault Injection Means 2 a. Global Faults b. Local Faults c. Other Tools Cryptanalysis methods 3 a. Fault Model b. Safe Error Attack c. DFA d. Statistical Fault Attack Countermeasures 4 a. Analog Level b. Digital Level c. Application to Crypto 5 Conclusion 2/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  4. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Physical Cryptanalysis| Fault-based Cryptanalysis| Context Since the 90’s, increasing use of secure embedded devices I 9G smartcard ICs sold in 2013 (SIM cards, credit cards ) Strong cryptography from a mathematical point of view used to manage sensitive data I 3 DES, AES, RSA, ECC, SHA-2-3 3/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  5. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Physical Cryptanalysis| Fault-based Cryptanalysis| Classical Cryptanalysis Black-Box Model assumed in classical cryptanalysis: I key(s) stored in the device I cryptographic operations computed inside the device               The attacker has only access to pairs of plaintexts / ciphertexts. 4/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  6. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Physical Cryptanalysis| Fault-based Cryptanalysis| Secure Cipher - Unsecure Implementation (1/2) Kocher 1996 exploitation of physical leakages I cryptosystems integrated in CMOS technology I physical leakages correlated with computed data                          The attacker has also access to physical leakages New class of attacks Side-Channel Attacks (SCA) 5/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  7. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Physical Cryptanalysis| Fault-based Cryptanalysis| Secure Cipher - Unsecure Implementation (2/2) Boneh 1997 exploitation of faulty encryptions I the attacker can generate faulty encryptions                          the attacker has access to correct & faulty ciphertexts New class of attacks Fault Attacks (FA) 6/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  8. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Physical Cryptanalysis| Fault-based Cryptanalysis| Agenda Introduction 1 a. Physical Cryptanalysis b. Fault-based Cryptanalysis Fault Injection Means 2 a. Global Faults b. Local Faults c. Other Tools Cryptanalysis methods 3 a. Fault Model b. Safe Error Attack c. DFA d. Statistical Fault Attack Countermeasures 4 a. Analog Level b. Digital Level c. Application to Crypto 5 Conclusion 7/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  9. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Physical Cryptanalysis| Fault-based Cryptanalysis| Fault based Cryptanalysis FA consist in perturbing the execution of the cryptographic operation in order to get faulty results leaking information on the secret Hypotheses are made on: I the targeted intermediate value I the effect of the injection on the intermediate value The attacker can then apply algorithmic methods to extract the secret from the obtained (correct and/or faulty) results 8/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  10. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Physical Cryptanalysis| Fault-based Cryptanalysis| Fault Zoology (1/2) Different ways to generate a fault: I electrical glitch on pins (VCC, CLK, I/O, ) I electrical glitch on the die (FBBI) I light injection I ElectroMagnetic (EM) field injection The duration of the fault can be: I transient I permanent 9/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  11. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Physical Cryptanalysis| Fault-based Cryptanalysis| Fault Zoology (2/2) Different effects: I modification of operation flow I modification of operands Different goals: I Bypassing a security mechanism e.g. PIN verification, file access right control, secure bootchain, I Generating faulty encryptions/signatures fault-based cryptanalysis I Combined Attacks JavaCard based, FA + SCA 10/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  12. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Global Faults| Local Faults| Other Tools| Agenda Introduction 1 a. Physical Cryptanalysis b. Fault-based Cryptanalysis Fault Injection Means 2 a. Global Faults b. Local Faults c. Other Tools Cryptanalysis methods 3 a. Fault Model b. Safe Error Attack c. DFA d. Statistical Fault Attack Countermeasures 4 a. Analog Level b. Digital Level c. Application to Crypto 5 Conclusion 11/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  13. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Global Faults| Local Faults| Other Tools| Electrical glitch on Power Supply (1/3) Principle: under/over-power a device during a very short time Over-powering cause unexpected electrical phenomenoms inside the IC e.g. local shortcuts, Under-powering slows down the processing of the IC e.g. bad memory read/write, Low/medium-cost attack ex. of equipment: custom electronic board, pulse generator, 12/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  14. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Global Faults| Local Faults| Other Tools| Electrical glitch on Power Supply (2/3) Adversary can control: I Amplitude of the glitch I Duration of the glitch I Shape of the glitch Generally no control of the fault precision: I On a microcontroller running code, modification of the current executed opcode and/or operand(s) I On a hardware coprocessor, modification of (some of) the current processed words (e.g. registers) 13/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and Differential Cryptanalysis by Howard Heys.] Modern block ciphers (like DES and AES): - proceed in rounds - each round has its own round key or subkey

644 views • 21 slides
Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography Linear Cryptanalysis Differential Cryptanalysis Analytic Cryptanalysis of Block Ciphers, Stream Ciphers, Modes of Other Advanced Attacks Operation,

933 views • 11 slides
Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential cryptanalysis David Gerault LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier,

455 views • 26 slides
Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Dependency Other Win Open Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer Science Department University of Haifa, Israel December 14th, 2019 Orr Dunkelman Cryptanalysis of Lightweight Block

322 views • 31 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Block Ciphers - The Basics Lars R. Knudsen Spring 2011 L.R. Knudsen Block Ciphers - The Basics

Block Ciphers - The Basics Lars R. Knudsen Spring 2011 L.R. Knudsen Block Ciphers - The Basics

Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Block Ciphers - The Basics Lars R. Knudsen Spring 2011 L.R. Knudsen Block Ciphers - The Basics Intro Attack on iterated ciphers Differential cryptanalysis

1.27k views • 77 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. Introduction to Fault Attacks 2. Persistent Fault Analysis (PFA) 3. PFA on Fault

588 views • 19 slides
Algebraic Techniques in Cryptanalysis of Block Ciphers with a bias towards Gr obner bases

Algebraic Techniques in Cryptanalysis of Block Ciphers with a bias towards Gr obner bases

Introduction Equations Solvers Advanced Techniques Algebraic Techniques in Cryptanalysis of Block Ciphers with a bias towards Gr obner bases Martin R. Albrecht Team SALSA, UPMC, Paris 6, . . . June 2nd, 2011 @ ECrypt 2 PhD Summer school,

1.09k views • 46 slides
A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S.

A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S.

Motivation Biclique Cryptanalysis Our Framework Results A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S. Lucks J. Wenzel Bauhaus-Universit at Weimar FSE 2013, Singapore 13.03.2013 F.

633 views • 31 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and Break them Eric Filiol, filiol@esiea.fr ESIEA -

808 views • 64 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I & II Andrey Bogdanov KU Leuven, ESAT/COSIC Outline I. Block Ciphers II.

1.03k views • 79 slides
Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2 Subspaces in block ciphers 3 From subspace trails to invariant subspaces in Simpira 4 Zero-di ff erence cryptanalysis of AES Preliminaries Block

2.18k views • 146 slides
Persistent Fault Analysis on Block Ciphers Fan (Terry) Zhang , Xiaoxuan Lou, Xinjie Zhao, Shivam

Persistent Fault Analysis on Block Ciphers Fan (Terry) Zhang , Xiaoxuan Lou, Xinjie Zhao, Shivam

Persistent Fault Analysis on Block Ciphers Fan (Terry) Zhang , Xiaoxuan Lou, Xinjie Zhao, Shivam Bhasin, Wei He, Ruyi Ding, Samiya Qureshi and Kui Ren Zhejiang University CHES2018, Amsterdam, The Netherlands, 09/12/2018 OUTLINE 1 Introduction

505 views • 33 slides
Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows

Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows

Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows Reinstall usually keeps personal files Advantages of Linux More secure Package manager Software installation is easy, fast and secure Keeps

528 views • 15 slides
MOMENTUM MOVING FORWARD TO THE FUTURE Safe Routes to School National Partnership Moving Forward

MOMENTUM MOVING FORWARD TO THE FUTURE Safe Routes to School National Partnership Moving Forward

MOMENTUM MOVING FORWARD TO THE FUTURE Safe Routes to School National Partnership Moving Forward Because of Strong Leadership Moving Forward Because of Strong Leadership STAFF DIRECTORS AND MANAGERS Margo Pedroso Deb Hubsmith Robert Ping

603 views • 9 slides
15-112 Fundamentals of Programming Week 4 - Lecture 3: Intro to Object Oriented Programming (OOP)

15-112 Fundamentals of Programming Week 4 - Lecture 3: Intro to Object Oriented Programming (OOP)

15-112 Fundamentals of Programming Week 4 - Lecture 3: Intro to Object Oriented Programming (OOP) June 10, 2016 Important terminology data type (type) data object class instance Create an object/instance of type/class set. s = set() s is

714 views • 59 slides
Public or private sector prisons Professor Alison Liebling and Dr Ben Crewe Cambridge Institute

Public or private sector prisons Professor Alison Liebling and Dr Ben Crewe Cambridge Institute

Public or private sector prisons Professor Alison Liebling and Dr Ben Crewe Cambridge Institute of Criminology 6 March 2012 1 ESRC-funded 30 month study of public and private sector prisons FOREST BANK (Sept-Oct 07) Local, private

458 views • 12 slides
Reconfigurable and Adaptive Systems (RAS) New Directions in FPGA Design A. Grudnitsky, L. Bauer,

Reconfigurable and Adaptive Systems (RAS) New Directions in FPGA Design A. Grudnitsky, L. Bauer,

Institut fr Technische Informatik Chair for Embedded Systems - Prof. Dr. J. Henkel Vorlesung im SS 2010 Reconfigurable and Adaptive Systems (RAS) New Directions in FPGA Design A. Grudnitsky, L. Bauer, J. Henkel Carbon Nanotube Based

1.06k views • 58 slides
Page 1 ibenik, Croatia, June 2014 Outline Transistor CMOS circuits: operation Power

Page 1 ibenik, Croatia, June 2014 Outline Transistor CMOS circuits: operation Power

ibenik, Croatia, June 2014 Goal Digital Circuits: why they leak, how to counter Fundamental understanding of CMOS circuits So as to build models Ingrid Verbauwhede Ingrid.verbauwhede-at-esat.kuleuven.be And understand short

588 views • 12 slides
S-Plus workshop 7-9 and 14-16 January students.washington.edu/arnima/s Syllabus Tue 7

S-Plus workshop 7-9 and 14-16 January students.washington.edu/arnima/s Syllabus Tue 7

S-Plus workshop 7-9 and 14-16 January students.washington.edu/arnima/s Syllabus Tue 7 Introduction Import data, summarize, regression, plots, export graphs Wed 8 Basic statistics Descriptive statistics, significance tests, linear models

516 views • 22 slides
Symmetries of black holes and index theory George Papadopoulos Kings College London Geometry

Symmetries of black holes and index theory George Papadopoulos Kings College London Geometry

Symmetries of black holes and index theory George Papadopoulos Kings College London Geometry of Strings and Fields Conference GGI, 8-13 September 2013 Based on J. Grover, J. B. Gutowski, GP, and W. A. Sabra arXiv:1303.0853; J. B. Gutowski,

729 views • 34 slides

More recommend