

slide-1
SLIDE 1

Daily Life for a Secure Product in the Industry

Benoit Feix 3rd June 2011

1 Design and Security of Cryptographic Algorithms and Devices (ECRYPT II). Albena, Bulgaria, 29 May – 3 June 2011

slide-2
SLIDE 2

Outline

  • Product Overview
  • Product Design Cycle
  • Evaluations and Certifications of Products (Functional, Security)
  • Intellectual Property
  • Some Classical Countermeasures
  • Some attacks and future …


slide-3
SLIDE 3

Who are we?

  • French company with offices all over the world

    ─ Former name: Inside Contactless
    ─ Recently acquired Atmel Secure Microcontroller Solutions activity
    ─ ~340 employees in the world
    ─ Fabless company

  • Secure microcontrollers for cards, tokens, readers, etc.
  • NFC chip maker and solution provider


slide-4
SLIDE 4

Basic Product Contents

[Layer diagram: Integrated Circuit; on top of it the Operating System, Hardware Abstraction Layer and Cryptographic Libraries; on top of those Application 1 and Application 2]


slide-5
SLIDE 5

Security Process (Security Flow) to have a fully secure product:

1) Identify the assets to protect in integrity and confidentiality
2) Identify the threats (possible attacks) and vulnerabilities
3) Define appropriate countermeasures, software and/or hardware


slide-6
SLIDE 6

Secure Platform

  • Platform Assets to protect:
    ─ Secret keys: for encryption, authentication, signature
    ─ Private data
    ─ Issuer data
    ─ IPs: algorithms, code
    ─ Life cycle

[Layer diagram as on slide 4 (Integrated Circuit, Operating System, Hardware Abstraction Layer, Cryptographic Libraries, Application 1 and 2) with a SECURITY band spanning every layer]

  • Many protections to implement
    → Circuit size (cost) is increased
    → Efficiency/performance decreases


slide-7
SLIDE 7

Life Cycle – Steps of Design and Manufacture

Specifications → OS Development / Integrated Circuit Development / Crypto Development / Applications Development → Securisation → Tests → Production Preparation → Photomask Manufacture → Foundry → Tests → Initialisation → Pre-personalisation → Product Personalisation


slide-8
SLIDE 8

Life Cycle – Market Life and End of Life

Product on the Field
  • Transactions Management
  • Updates

Field management
  • Replacement
  • Loss, cancellation, robbery

End of Life
  • Deactivation
  • Product broken


slide-9
SLIDE 9

Integrated Circuit Architecture


slide-10
SLIDE 10
  • Processors:

    ─ CISC or RISC
    ─ Harvard or Von Neumann
    ─ 8 bit (CISC): 8051, AVR
    ─ 16 bits (RISC): proprietary cores
    ─ 32 bits (RISC): MIPS, ARM7, ARM9, SC100 … new ARM families

  • ROM: Read Only Memory
  • RAM: Random Access Memory
  • EEPROM: Electrically Erasable Programmable Read Only Memory
  • FLASH
  • RNG: Random Number Generator
  • Coprocessors for:

    ─ DES
    ─ AES
    ─ CRC
    ─ Long Integer Arithmetic

  • MMU: Memory Management Unit
  • Security Logic: sensors, noise generators …

Integrated Circuit Architecture


slide-11
SLIDE 11

Cryptographic algorithms most used in embedded devices …

  • Symmetric

    ─ DES/TDES: NIST only recommends TDES
    ─ AES

  • Hash functions

    ─ SHA-1, SHA-2
    ─ RIPEMD 160
    ─ Later (2012) SHA-3: competition ongoing

  • Asymmetric

    ─ RSA CRT / RSA SFM
    ─ DSA / ECDSA
    ─ DH / ECDH
    ─ OBKG

  • Stream Ciphers: not so used …
  • Examples: cf. Oberthur presentation on Thursday morning.


slide-12
SLIDE 12

Operating Systems

  • Two kinds of operating system in smart cards:

    ─ ‘’Closed’’ or dedicated systems
      • Generally mono-applicative, dedicated to a unique usage; for instance banking cards, health cards, SIM cards for mobile phones

    ─ Open systems
      • Not dedicated to a specific application; it is possible to download software (applets) after the ROM mask step and the personalization; for instance Java Card or the MultOS operating system …


slide-13
SLIDE 13

Operating System

  • Different functionalities

    ─ Input / Output data and associated protocol management
    ─ Memory management in work areas
    ─ Basic and principal services for applicative code
      • Secure management of memory copies and transfers
      • Cryptogram calculation, random number generation, CRC …
      • Integrity of elements
      • Authentication
      • Session key management
      • Protocol, command management …
    ─ Multi-applicative mode management
    ─ Access control management for reading and writing at each memory area
    ─ Life cycle management with security
      • Initialization
      • Pre-personalization
      • Personalization
      • Applicative mode


slide-14
SLIDE 14

Operating System

  • Different languages
    ─ C
    ─ Assembly: native and dedicated to each microprocessor
    ─ C++
    ─ Java Card

  • Examples of code sizes
    ─ Banking Card (native):
      • RAM ~ 2 to 4 Kbytes
      • ROM ~ 32 to 96 Kbytes
      • NVM ~ 8 to 32 Kbytes
    ─ SIM Card:
      • RAM ~ 2 to 8 Kbytes
      • ROM ~ 128 to 256 Kbytes
      • NVM ~ 128 to 256 Kbytes or more
    ─ Multi-applicative or open product:
      • Can be more … a big NVM allows a lot of applets to be downloaded.


slide-15
SLIDE 15

Applications / Applets

  • Applications
    ─ Can be burned in ROM and then only instantiated
      • On a closed system
      • In native language (assembly and C)
    ─ Can be downloaded during personalization, or later in the life cycle on an open system: MultOS

  • Java Applets
    ─ Can be loaded on any product having a Java Card OS
      • Developed in Java Card
    ─ Open platform which manages the loading in a secure manner


slide-16
SLIDE 16

… So many different possible attacks

  • Invasive Attacks
    ─ Reverse Engineering
    ─ Probing
    ─ FIB (Focused Ion Beam)

  • Passive Attacks
    ─ Timing Attacks
    ─ Side-Channel Analysis (Power, Electromagnetic, RF)

  • Active Attacks
    ─ Fault Attacks

… then so many competencies required!


slide-17
SLIDE 17

Invasive Attacks

  • Techniques originate from the failure analysis domain
  • Gaining access to the chip
  • Reverse engineering
    – Reconstitution of the layers
    – Reading the memories
  • Read internal state
    – Probing the device
    – Circuit modifications (FIB)

Cost = Very expensive…


slide-18
SLIDE 18

Reverse Engineering

– Gaining access to the chip (example)
  – Remove/cut the plastic with a knife
  – Use chemicals to remove the resin (nitric acid, acetone…)
  – Reconnect the chip in another package if needed.

– Layers reconstitution: using a plasma machine or chemicals
  – Each layer image is obtained through an electron microscope
  – Each metal level can then be observed
  – Whole IC reverse engineering is very complex, but part of it can be done


slide-19
SLIDE 19

Reading / Modifying

– Reading the memories
  – Depends on the kind of memory: a basic ROM can be directly read on the top metal layer
  – For diffused memory it is necessary to reach the bulk level and use etching techniques
  – Much more difficult in practice on other memories: Flash, EEPROM, RAM

– Probing
  – Direct access to internal signals enables observation or modification of internal data (bits): data flow in buses …

– Focused Ion Beam (FIB)
  – Can be used to add test pads (probing) on sensitive signals
  – To modify the internal behavior of a device → bypass security features, modify functionalities


slide-20
SLIDE 20

Reading Modifying by Probing

  • Need a micro-probing station
  • Put one or many probes on a circuit area to read or modify bits:
    ─ Values in a bus for instance …
    ─ Key bits in a bus
    ─ Other sensitive values …


slide-21
SLIDE 21

FIB

  • FIB stations (Focused Ion Beam) are ordinarily used for debugging circuits.
  • Allows to ‘’remove’’ metal, and modify connections
  • Allows to ‘’add’’ metal and then connections
  • We can then:
    ─ Access lower signals in the circuit
    ─ Modify the chip behavior


slide-22
SLIDE 22

Passive Attacks

[Measurement setup diagram: Computer, Card Reader, Digital Oscilloscope]

– In a microprocessor, thousands of logic gates switch differently depending on the op-code or data manipulated; the IC power consumption depends on it

→ Power consumption contains information on the IC operations and the data manipulated


slide-23
SLIDE 23

Passive Attacks

– Analysis of power curves can then allow recovery of secret data
– Simple Power Analysis (SPA): analyze and recover the secret key with a single curve (Kocher et al.)
  – Examples:
    – DES key extraction by SPA on the Key Scheduling
    – RSA key extraction by SPA on the Exponentiation
– Differential and Correlation Power Analysis (DPA / CPA): use many curves and statistical treatment to validate a hypothesis on k bits of the key, and recover the whole secret key k bits at a time.
– Template Attacks
– Other improvement techniques: Mutual Information Analysis, High Order Attacks …


slide-24
SLIDE 24

Example: CPA on AES

  • Depending on the IC properties, from a few tens to hundreds of thousands (or millions) of curves can be needed to recover the key.
  • Improvement techniques could again be used to reduce the number of curves …

[Figure: RF curve of AES 128, with the ten rounds numbered 1 to 10]


slide-25
SLIDE 25

Active Attacks on Cryptography

– Differential Fault Analysis (DFA)
  • RSA-CRT: published by Boneh, DeMillo & Lipton: one faulty ciphertext allows retrieval of the private secret key!
  • DES: published by Biham and Shamir: two faulty ciphertexts allow retrieval of the whole key.
  • AES: published by Piret and Quisquater: two faulty ciphertexts allow retrieval of the whole key.

– Other efficient and powerful techniques
  – Collision Fault Analysis (CFA)
  – Ineffective Fault Analysis (IFA, Safe Errors)


slide-26
SLIDE 26

Assets vs. Threats

[Table. Rows (Assets): Secret Keys (DES, AES, RSA, …); Issuer data; User data; Embedded software; Design Intellectual Property. Columns (Threats): Invasive Attacks (Layer reconstruction, Reading memory, Probing); Passive Attacks (SPA/DPA/TA/EMA); Active Attacks (FA). Cells are marked X where a threat applies to an asset and (X) where it applies partially; the individual cell marks did not survive extraction.]


slide-27
SLIDE 27

Hardware Countermeasures


slide-28
SLIDE 28
Preventing Reverse Engineering

  • Make the design more complex:
    ─ Physical burying, use of low level layers
    ─ Use a more compact circuit
    ─ Design special cell libraries (to hide the type of gates used)
    ─ Glue logic


slide-29
SLIDE 29
Preventing Reading / Modifying

  • Memory scrambling and encryption
    ─ Protect the memory content even if the data are read out
    ─ Must be strong enough to resist cryptanalysis
  • Physical active shield
    ─ Ensure no circuit modification/cut has been done, or reset (or lock) the IC
    ─ Don’t allow any access to the metal under the shield
  • Integrity on Data Flow


slide-30
SLIDE 30

Preventing Passive Attacks

– Modify the signal: make the signal reading difficult for the attacker, desynchronized
  > Noise generators, dummy cycles, clock jitter or power filtering aim at reducing the circuit leakage

– Balanced Power Consumption
  > Dual Rail techniques (or triple rail)

– Randomized/Masked power consumption
  > De-correlate the power consumption from the data manipulated …


slide-31
SLIDE 31

Preventing Active Attacks

Abnormal behavior detection
  • Detect when the IC is out of its classical functional range

Memory Management Unit
  • Prevent non-authorized memory accesses

Memory integrity checks
  • Detect memory content corruption

Redundancy on some HW blocks and operations
  • Guarantee that the executed operation is the expected operation


slide-32
SLIDE 32

Software Countermeasures


slide-33
SLIDE 33

Preventing Reading

Randomize operation executions
  • E.g.: shuffle the order of the bytes to treat (it is like the tracks on a disc player in random mode).

Insert dummy operations

Insert fake sensitive data

Add software encryption on sensitive data


slide-34
SLIDE 34

Preventing Passive Attacks

Implement constant execution time routines

Execute operations in random order

Insert dummy cycles
  • To desynchronize the signal.

Use data masking or blinding to de-correlate the data operations from the power consumption

Hide sensitive operations among fake ones
  • It is like “where is the ball?”


slide-35
SLIDE 35

Preventing Active Attacks

Don’t use simple values such as 0 and 1 for condition results or status values.

Execution redundancy on sensitive operations

Initialize status values to false or exception by default
  • This forces the worst case for the attacker if a bypass of operations is performed.

Authentication status set to Not-OK + comparison not done = authentication declined


slide-36
SLIDE 36

Preventing Active Attacks

Check integrity on elements
  • The value is coherent with the application usage

Verify data readings in memories
  • CRC on the data container
  • Multiple reads and compare

Verify cryptographic calculations
  • Ensures that the algorithm has not been attacked
  • Run the inverse algorithm (Algo⁻¹), or run twice and compare the results


slide-37
SLIDE 37

Intellectual Property


slide-38
SLIDE 38

Intellectual Property

  • Smart card patents:
    ─ patented by R. Moreno in 1974
    ─ others …
  • Many patents on different subjects: communication protocols …
  • In security there are some specific patents, for a particular implementation of a standard … and patents related to tamper resistance …
  • Nowadays the most famous patents on security in embedded devices are the Cryptography Research (just bought by Rambus) patents (Kocher et al.)
  • All manufacturers have patents on security …
  • Patents can lead to long legal discussions … and fees to pay …
  • Patents can sometimes be unknown to the community, as they are not published in conferences
  • A patent, once it is filed, needs many months (> 1 year) to be published.


slide-39
SLIDE 39

Cryptography Research

  • In 1996 Kocher published the first timing attack
  • In 1998 he published with Jaffe and Jun the first DPA on DES and SPA techniques on RSA
  • In the same period he patented some techniques:
    ─ Blinding of the exponent (like RSA)
    ─ Constant timing execution methods
    ─ Use of unpredictable numbers to protect the product from observation analysis
    ─ DES masked calculation: Sbox masked recalculation, using mask values
    ─ Balanced power consumption design for chips
  • For years the Kocher patents were not licensed,
  • Since 2009 all major actors are licensing some of these patents …
  • Only smart cards today, but tomorrow … any microcontroller product … cell phones, set top boxes … ?


slide-40
SLIDE 40

Many, many countermeasures … Patents on it ? …

  • Elliptic Curve scalar randomization,
  • Elliptic curves coordinates blinding,
  • Message randomization methods,
  • Secure exponentiation methods,
  • Secure hardware implementations,
  • Atomicity implementations of Exponentiation and Scalar Product,
  • Efficient On Board Prime Number Generation methods,
  • Dual Rail techniques,
  • Side Channel countermeasures for symmetric algorithms,
  • Side Channel countermeasures for public key algorithms,
  • Fault countermeasures,
  • … etc.


slide-41
SLIDE 41

Evaluations and Security Certification of Products


slide-42
SLIDE 42

Why Evaluating and Certifying?

  • FIRST reason: a certificate is mandatory to sell your product
  • It allows to give confidence to the customer (banks, operators, governments) that his assets are protected
  • Governments want to fight against fraud and hacking
  • Those schemes contribute to improving, year after year, the security level of the products.


slide-43
SLIDE 43

Risk Management

  • Any product can always be broken, security is not perfect!
    ─ Depends on the money you spend for hacking … with millions you can always break a product …
    ─ Example: months (years) of reverse engineering, FIB …
    ─ BUT a product has a limited life duration
  • How to evaluate the risk, basically?
    Compare the cost of the attack WITH the gain the attacker can expect to obtain
  • Example:
    ─ 1 000 000 € to recover my own bank card key → not interesting → not dangerous!
    ─ 1 000 000 € to recover a system master key (banking, Pay TV …) → interesting for the attacker → dangerous!


slide-44
SLIDE 44

How to give confidence

  • Thanks to your industrial reputation
  • Thanks to your know-how
  • Thanks to the security functions you have in your product
  • Thanks to the quality of your implementation
  • By providing to the user all the information he needs for a good and secure usage of your product (environment, use)
  • Thanks to a deep vulnerability analysis which proves that all the attack paths have been covered with appropriate countermeasures
  • Thanks to an expert third party analysis


slide-45
SLIDE 45

Some Classical Countermeasures


slide-46
SLIDE 46

Data Masking in SK

  • ‘’DES and other cryptographic processes with leak minimization for smart cards and other cryptosystems’’ from Kocher et al.
    ─ Message M and key K for the calculation C = DES(M, K)
    ─ M is blinded in two messages M1 and M2 s.t. M = M1 ⊕ M2
    ─ K is blinded in two elements K1 and K2 s.t. K = K1 ⊕ K2
    ─ Linear calculations are protected with this blinding
    ─ SBoxes are not linear, then:
      • They are recomputed blinded with an input and an output mask
    ─ Process the 16 rounds
    ─ At the end recombine to obtain the correct ciphertext C
  • Can be applied on more than 2 blinded values, i.e. k, for better resistance.
  • In the same period papers were also published on the subject:
    ─ DES and Differential Power Analysis (The "Duplication" Method), Patarin and Goubin, CHES 1999.
    ─ An Implementation of DES and AES, Secure against Some Attacks, Akkar and Giraud, CHES 2000.
  • More difficult to use for high order protection … costly …
  • For HOPA see the Rivain and Prouff paper at CHES 2010 for AES … for instance …
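An added example, not code from the slides or from the speaker's company: the masked S-box recomputation described above, written for a constructed 4-bit toy S-box (not a DES S-box) so that one round can be followed by hand. The key addition is the linear layer and goes through on the shares unchanged; the S-box is rebuilt once per execution with a fresh input and output mask, and the secret x ⊕ k is never formed in the clear.

```python
import secrets

# Constructed toy 4-bit S-box (NOT a real DES S-box): only the recomputation
# idea matters, so a 16-entry table keeps the example readable.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def split(value: int, bits: int = 4) -> tuple:
    """Blind a value into two shares (v1, v2) with v = v1 ^ v2."""
    v2 = secrets.randbelow(1 << bits)
    return value ^ v2, v2


def recompute_sbox(in_mask: int, out_mask: int) -> list:
    """Build S' with S'[x ^ in_mask] = S[x] ^ out_mask (once per execution)."""
    table = [0] * len(SBOX)
    for x, y in enumerate(SBOX):
        table[x ^ in_mask] = y ^ out_mask
    return table


def round_unprotected(x: int, k: int) -> int:
    """Reference round: key addition (linear) followed by the S-box."""
    return SBOX[x ^ k]


def round_masked(x_shares, k_shares, in_mask, out_mask, table) -> tuple:
    """Same round on shares; x and k are never recombined in the clear."""
    x1, x2 = x_shares
    k1, k2 = k_shares
    # Linear layer: XOR-ing the shares pairwise keeps the sharing intact,
    # so u1 ^ u2 equals x ^ k without that value ever being computed.
    u1 = x1 ^ k1
    u2 = x2 ^ k2
    # Re-masking: move the data share from mask u2 onto the table's input
    # mask. Only mask material is combined here, never the secret itself.
    v = u1 ^ (u2 ^ in_mask)          # v == (x ^ k) ^ in_mask
    # Non-linear layer through the recomputed table: the output comes out
    # masked with out_mask, so the result is still shared.
    return table[v], out_mask


def unmask(shares) -> int:
    """Final recombination (the slide's 'recombine to obtain C')."""
    s1, s2 = shares
    return s1 ^ s2


def check_round(x: int, k: int) -> bool:
    """One masked round with fresh randomness, compared to the reference."""
    in_mask = secrets.randbelow(16)
    out_mask = secrets.randbelow(16)
    table = recompute_sbox(in_mask, out_mask)
    y = round_masked(split(x), split(k), in_mask, out_mask, table)
    return unmask(y) == round_unprotected(x, k)
```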


slide-47
SLIDE 47

Constant time execution: Atomicity

  • B. Chevallier-Mames, M. Ciet, M. Joye, Low-Cost Solutions for Preventing Simple Side-Channel Analysis: Side-Channel Atomicity. IEEE Trans. Computers 2004.

Not SPA resistant (conditional code operation):

  IN: m, d = (d_{k-1} … d_1 d_0), n
  OUT: s = m^d mod n
  • a = fn(1), b = fn(m)
  • For i from k-1 down to 0 do
      a = MontMul(a, a, n)
      If d_i = 1 then a = MontMul(a, b, n)
  • a = MontMul(a, 1, n)
  • Return(a)

Atomic version (one multiplication per loop iteration):

  IN: m, d = (d_{k-1} … d_1 d_0), n
  OUT: s = m^d mod n
  • R0 = fn(1), R1 = fn(m)
  • c = 0, i = k-1
  • While i ≥ 0 do
      R0 = MontMul(R0, Rc, n)
      c = c ⊕ d_i
      i = i − ¬c
  • Return(R0)

But not DPA resistant
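An added example, not from the slides: both loops of this slide in Python, with plain modular multiplication standing in for MontMul and the fn() Montgomery conversions (an assumption; the operation sequence is what matters here). Each routine records the operations an SPA observer can tell apart, which shows how the conditional multiplication gives away d and why the atomic loop, with its uniform run of multiplications, does not.

```python
def exp_square_multiply(m: int, d: int, n: int, trace: list) -> int:
    """Left-to-right square-and-multiply (the slide's non-atomic version).
    'trace' records what an SPA observer distinguishes: 'S' for a squaring,
    'M' for a multiplication by m."""
    a = 1
    b = m % n
    for i in range(d.bit_length() - 1, -1, -1):      # d_{k-1} ... d_0
        a = a * a % n
        trace.append("S")
        if (d >> i) & 1:                             # conditional code path
            a = a * b % n
            trace.append("M")
    return a


def exp_atomic(m: int, d: int, n: int, trace: list) -> int:
    """Side-channel atomic loop from the slide: every iteration performs
    exactly one multiplication R0 = R0 * R_c, and the bit d_i only decides
    whether the index i advances, so the trace is a uniform run of 'M'."""
    R = [1, m % n]                                   # R0 = fn(1), R1 = fn(m)
    c = 0
    i = d.bit_length() - 1
    while i >= 0:
        R[0] = R[0] * R[c] % n
        trace.append("M")
        c ^= (d >> i) & 1                            # c = c XOR d_i
        i -= 1 - c                                   # i = i - NOT(c)
    return R[0]


def bits_from_trace(trace: list) -> str:
    """What the non-atomic trace gives away: a squaring followed by a
    multiplication is a 1 bit, a squaring followed by another squaring
    (or by the end of the trace) is a 0 bit."""
    bits = []
    for pos, op in enumerate(trace):
        if op == "S":
            nxt = trace[pos + 1] if pos + 1 < len(trace) else "S"
            bits.append("1" if nxt == "M" else "0")
    return "".join(bits)


def compare(m: int, d: int, n: int) -> dict:
    """Run both exponentiations and report what each trace reveals."""
    t_naive, t_atomic = [], []
    s1 = exp_square_multiply(m, d, n, t_naive)
    s2 = exp_atomic(m, d, n, t_atomic)
    return {
        "equal": s1 == s2 == pow(m, d, n),          # both are correct
        "naive_reveals": bits_from_trace(t_naive),  # the exponent, in clear
        "atomic_ops": set(t_atomic),                # only one kind of op
        "atomic_len": len(t_atomic),                # k squarings + HW(d) mults
    }
```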


slide-48
SLIDE 48

Exponent Blinding (1)

  • A classical countermeasure is exponent blinding, to prevent DPA/CPA (not SPA)
  • Classical calculation for the exponentiation:
      S = m^d mod n
  • Blind d:
      d* = d + r·φ(n)   (or d + r·λ(n))
  • Blinded exponent calculation:
      m^{d*} mod n = S
    → Each execution will use a ‘’different’’ exponent …
  • Easy to apply when φ(n) (Euler's totient) is known, for instance in RSA CRT where the primes p and q are available.
  • Else, if e is small (less than 32 bits):
    ─ d* = d + r·(e·d − 1), as (e·d − 1) = k·φ(n) with k < e.


slide-49
SLIDE 49

Exponent Blinding (2)

  • Split the exponent in two parts: d = d1 + d2
  • Compute
      S1 = m^{d1} mod n
      S2 = m^{d2} mod n
      S = S1·S2 mod n
    Return S
  • Drawback: 2 exponentiations instead of 1, twice slower!


slide-50
SLIDE 50

Message Blinding in Public Key

  • Additive
      m* = m + r1·n mod r2·n
      S = (m*^d mod r2·n) mod n
    → Increases the size of the numbers used by the size of the random.
  • Multiplicative
      m* = r^e·m mod n
      S = (m*)^d · r^{-1} mod n
    → Needs the calculation of r^{-1} mod n
  • Can be combined with exponent blinding … and atomicity …
  • Secure implementation is a sum of countermeasures …
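An added example (not code from the slides) that carries slides 48, 49 and 50 through in Python on a constructed toy key: exponent blinding with φ(n) and with the small-e variant, the split exponent, and additive and multiplicative message blinding, each checked against the plain m^d mod n. The last function, `sign_combined`, is my own composition of additive message blinding with the small-e exponent blinding, which the slide only says is possible; `pow(x, -1, n)` for modular inverses needs Python 3.8 or later.

```python
import math
import secrets

# Constructed toy RSA key (NOT a real key): two small primes are enough to
# show the arithmetic; real cards use 1024-bit and larger moduli.
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)


def blind_exponent_phi(d: int, phi: int, bits: int = 32) -> int:
    """Slide 48: d* = d + r*phi(n). m^d* == m^d mod n for every m, since
    m^(k*phi+1) == m mod n is exactly RSA correctness."""
    r = secrets.randbits(bits) | 1        # non-zero, so d* really differs
    return d + r * phi


def blind_exponent_small_e(d: int, e: int, bits: int = 32) -> int:
    """Slide 48, phi(n) unknown but e small: e*d - 1 = k*phi(n) with k < e,
    so d* = d + r*(e*d - 1) is a valid blinded exponent."""
    r = secrets.randbits(bits) | 1
    return d + r * (e * d - 1)


def sign_split_exponent(m: int, d: int, n: int) -> int:
    """Slide 49: d = d1 + d2 with a random split, S = m^d1 * m^d2 mod n
    (two exponentiations, hence twice slower)."""
    d1 = secrets.randbelow(d)
    d2 = d - d1
    return pow(m, d1, n) * pow(m, d2, n) % n


def sign_additive_blinding(m: int, d: int, n: int, bits: int = 32) -> int:
    """Slide 50, additive: m* = m + r1*n mod r2*n, S = (m*^d mod r2*n) mod n.
    The exponentiation runs on numbers about 'bits' larger than n."""
    r1 = secrets.randbits(bits) | 1
    r2 = secrets.randbits(bits) | 1
    m_star = (m + r1 * n) % (r2 * n)
    return pow(m_star, d, r2 * n) % n


def sign_multiplicative_blinding(m: int, d: int, e: int, n: int) -> int:
    """Slide 50, multiplicative: m* = r^e*m mod n, S = (m*)^d * r^-1 mod n.
    Needs r invertible mod n, hence the gcd test and the inverse."""
    while True:
        r = secrets.randbelow(n)
        if r > 1 and math.gcd(r, n) == 1:
            break
    r_inv = pow(r, -1, n)
    m_star = pow(r, e, n) * m % n
    return pow(m_star, d, n) * r_inv % n


def sign_combined(m: int, d: int, e: int, n: int, bits: int = 32) -> int:
    """Additive message blinding plus small-e exponent blinding together:
    a different base AND a different exponent on every execution."""
    d_star = blind_exponent_small_e(d, e, bits)
    r1 = secrets.randbits(bits) | 1
    r2 = secrets.randbits(bits) | 1
    m_star = (m + r1 * n) % (r2 * n)
    return pow(m_star, d_star, r2 * n) % n
```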


slide-51
SLIDE 51

And now …


slide-52
SLIDE 52

Next years …

  • After 15 years of side channel, research on that topic has increased a lot …
  • And … still so many things to discover …
  • Sometimes we hear ‘’Side channel, everything has been known for years … nothing new …’’ … it is not the case …
  • Many new ideas appear every year …
  • … There are still a lot of things to do


slide-53
SLIDE 53

Some Recent Research Results on Side Channel

  • Non-exhaustive list …
  • ‘’Collision Correlation’’ attacks
    ─ Moradi et al., Correlation-Enhanced Power Analysis Collision Attack, CHES 2010
    ─ Marc F. Witteman et al., Defeating RSA Multiply-Always and Message Blinding Countermeasures, CT-RSA 2011 … (can be assimilated to Partial Collision Correlation …)
  • Combining many techniques becomes more and more used:
    ─ Di-Battista et al., When Failure Analysis Meets Side-Channel Attacks, CHES 2010
    ─ Clavier et al., Passive and Active Combined Attacks on AES, FDTC 2010.
  • Rivain et al., Provably Secure Higher-Order Masking of AES, CHES 2010
  • L. Genelle et al., Secure Multiplicative Masking of Power Functions, ACNS 2010
  • Clavier et al., Correlation Analysis on a single exponentiation power curve, ICICS 2010
  • Courrege et al., Simple Power Analysis on Exponentiation Revisited, CARDIS 2010
  • … etc.


slide-54
SLIDE 54

Power Analysis on a single curve

  • Why a single curve:
    ─ Exponent blinding is of no help,
    ─ Unique (often) message blinding: allows an exhaustive search on the random used for blinding if it is not big enough.
  • Enhanced SPA
    ─ SPA remains a very powerful attack, often underestimated.
  • Power attack on RSA
    ─ Needs only one execution power curve, as the Big Mac Attack,
    ─ Compute correlation on many segments of the unique curve (Horizontal Correlation analysis).
  • Conclusion
    ─ Random numbers used for blinding MUST BE larger than 32 bits.
    ─ Multiplier cores must be at least 32 bits for Public Key algorithm implementations.


slide-55
SLIDE 55

Combined Attacks Example: PACA on RSA

Two classes of attacks:

  • SCA: Side Channel Attacks or Passive Attacks (SPA, DPA, and CPA, Template Analysis, Timing Attacks, …)
  • FA: Fault Attacks or Active Attacks (Invasive, Transient, …) light injection, glitches …

→ Protecting a product from these attacks is not an easy task

Problem: each protection is usually focused on protecting against SCA or FA; is their combination sufficient?
  ─ Idea: combine both kinds of attacks to defeat the classical set of countermeasures (hardware / software)

→ PACA = Passive and Active Combined Attacks


slide-56
SLIDE 56

PACA on RSA

Compute an RSA signature: s = m^d mod n

Countermeasures: Randomization Scheme / Side-Channel Atomicity / Fault Protection

Implementation:
  Get r1, r2 two non-zero small random values
  R0 = 1 + r1·n
  R1 = m + r1·n mod r2·n
  k = 0
  for i from k-1 down to 0 do
    • R0 = R0·Rk mod r2·n
    • k = k xor d_i
    • i = i – not(k)
  s = R0 mod n
  m_redundancy = s^e mod n
  if m ≠ m_redundancy then fault detected!
  else return(s)

Annotation on the computation of R1: … this operation is perturbed and gives R1 a low Hamming weight?


slide-57
SLIDE 57

SPA Leaking Exponentiation for Tagged Data

SPA leakage with only 1 successful fault!

The multiplications by R1 are now revealed; the verification happens too late!

[Figure: power curve of the exponentiation, with each multiplication by the faulted R1 annotated as a 1 bit]
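An added example, not code from the slides: the slide-56 implementation in Python on a constructed toy key (randomization modulo r2·n, the atomic loop, then the s^e mod n redundancy check), with status constants chosen in the spirit of slide 35 and a test hook `fault` (my assumption, not part of the slide) that perturbs R1 as the slide's annotation describes, so that the check can be seen rejecting the faulted signature.

```python
import secrets

# Constructed toy RSA key (NOT a real key); real products use >= 1024-bit moduli.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Status values deliberately far from 0 and 1 (slide 35): a single flipped
# bit cannot turn a 'fault detected' result into an 'OK' one.
FAULT_DETECTED = 0x5A3C
OK = 0xA5C3


def protected_sign(m: int, d: int, e: int, n: int, bits: int = 32, fault=None):
    """Slide 56 implementation: additive randomization modulo r2*n, the
    side-channel atomic loop, then the redundancy check s^e mod n == m.
    'fault' is a test hook (an assumption of this example): a function
    applied to R1 right after it is computed, standing in for the
    perturbation the slide's annotation asks about."""
    r1 = secrets.randbits(bits) | 1           # non-zero small randoms
    r2 = secrets.randbits(bits) | 1
    mod = r2 * n
    R = [(1 + r1 * n) % mod, (m + r1 * n) % mod]   # R0, R1 (both == 1, m mod n)
    if fault is not None:
        R[1] = fault(R[1])
    k = 0                                     # toggle: 0 = square, 1 = multiply
    i = d.bit_length() - 1
    while i >= 0:
        R[0] = R[0] * R[k] % mod              # always exactly one multiplication
        k ^= (d >> i) & 1                     # k = k xor d_i
        i -= 1 - k                            # i = i - not(k)
    s = R[0] % n
    m_redundancy = pow(s, e, n)               # public-exponent verification
    if m_redundancy != m:
        return FAULT_DETECTED, None           # never release a faulty signature
    return OK, s


def low_hamming_weight(value: int) -> int:
    """Constructed fault model for the test: the register is forced to a
    value with a single bit set (the 'low Hamming weight' R1 of the slide)."""
    return 1 << (value.bit_length() // 2)
```

The check does reject the faulted output, but only after the whole loop has run: every multiplication by the perturbed R1 has already executed by then, which is the gap the slide calls "verification happens too late".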


slide-58
SLIDE 58

PACA

  • Very powerful …
  • More difficult to protect against than by simply adding fault and side channel countermeasures …
  • More and more practicable with fault injection bench improvements …


slide-59
SLIDE 59

Must be at the state of the Art

  • Remember, it is easier to attack than to protect … very challenging … so many potential attacks and techniques to take into account … then you need to do:
  • Research and survey activities
    ─ Internal challenging activities: challenge yourself, innovate
  • Participate in conferences, workshops
  • Manufacturers communicate together through security workshops
    ─ Evaluation labs, card and chip makers, government institutions → Standards (JIL Attack Methods …)
  • Evaluation labs are very accurate in security!
  • Collaborations with universities: the industrial and academic worlds must speak together … with respect to industrial confidentiality constraints and rules …
  • Secure chips (Infineon, Inside, NXP, ST) have a lot of countermeasures … measurement is not as easy as on an FPGA …
  • If a new attack appears … what happens?


slide-60
SLIDE 60

Thanks for your attention.
