introduction to side channel attacks
play

Introduction to Side-Channel Attacks Josep Balasch KU Leuven ESAT / - PowerPoint PPT Presentation

Aug 08, 2023 •290 likes •920 views

Introduction to Side-Channel Attacks Josep Balasch KU Leuven ESAT / COSIC 15th International COSIC Course Leuven, Belgium, 18 June 2015 Acknowledgements: Benedikt Gierlichs, Ingrid Verbauwhede, Patrick Schaumont, Kris Tiri, Bart Preneel,

  1. Introduction to Side-Channel Attacks Josep Balasch KU Leuven ESAT / COSIC 15th International COSIC Course Leuven, Belgium, 18 June 2015 Acknowledgements: Benedikt Gierlichs, Ingrid Verbauwhede, Patrick Schaumont, Kris Tiri, Bart Preneel, Helena Handschuh Side-Channel Attacks - COSIC Course 18 June 2015

  2. Outline • PART I: Introduction to implementation attacks o Embedded cryptographic devices o Security models o Classification of implementation attacks • PART II: Introduction to Power Analysis attacks o Power measurements, leakage models o Simple Power Analysis (SPA) o Differential Power Analysis (DPA) o Countermeasures Side-Channel Attacks - COSIC Course 2

  3. Physical attacks, embedded cryptographic devices, security models, classification of attacks Part I: INTRODUCTION TO IMPLEMENTATION ATTACKS Side-Channel Attacks - COSIC Course 3

  4. Traditional model (simplified view) o Attack on channel between communicating parties o Encryption and cryptographic operations in black boxes o Protection by strong mathematic algorithms and protocols o Computationally secure Side-Channel Attacks - COSIC Course 4

  5. Embedded Cryptographic Devices • A cryptographic device is an electronic device that implements a cryptographic algorithm and stores a cryptographic key. It is capable of performing cryptographic operations using that key. IDENTIFICATION PAYMENT COMMUNICATION MULTIMEDIA ... • Embedded : it is exposed to adversaries in a hostile environment; full physical access, no time constraints o Remark: the adversary might be a legitimate user! Side-Channel Attacks - COSIC Course 5

  6. How is Embedded Security affected? • New Model (also simplified view): o Attack on channel and endpoints o Encryption and cryptographic operations in gray boxes o Protection by strong mathematic algorithms and protocols o Protection by secure implementation • Need secure implementations not only algorithms Side-Channel Attacks - COSIC Course 6

  7. Keep in mind A system is as secure as its weakest link Side-Channel Attacks - COSIC Course 7

  8. A system is as secure as its weakest link unknown source: seen on schneier.com Side-Channel Attacks - COSIC Course 8

  9. A system is as secure as its weakest link source: Paul Kocher Side-Channel Attacks - COSIC Course 9

  10. A system is as secure as its weakest link • The adversary will go for the weakest entry point o Disable or go around security mechanisms o Guess / spy on passwords • What is the name of Paris Hilton‘s dog? o Bribe the security guard • Social engineering – Kevin Mitnick • If you use crypto, he will try to go around it o System designer: thinks of the "right" way to use the system o Adversary: does not play by the rules o Designer has to think like the adversary, anticipate attacks, protect against them o There is no way to protect against all attacks • Do you know all atacks? Side-Channel Attacks - COSIC Course 10

  11. Taxonomy of physical attacks • Two orthogonal criteria Non-Invasive o Active : perturbate and conclude o Passive : observe and infer Active Passive o Invasive : open package, contact chip o Semi-Invasive : open package, no contact o Non-Invasive : no modifications Invasive (a) Side-channels: passive and (typically) non-invasive (b) Circuit modification: active and invasive (c) Fault injection: active, different degrees of invasion Side-Channel Attacks - COSIC Course 11

  12. Side-channel Leakage Physical attacks ≠ Cryptanalysis ( gray box, physics) (black box, maths ) • Does not tackle the algorithm's math Input Output Leakage • Observe physical quantities in the device's vincinity and use additional information during cryptanalysis Side-Channel Attacks - COSIC Course 12

  13. Some side-channels (not exhaustive) • Passive: o Timing execution time • Overall or “local” execution time time o Power, Electromagnetic (EM) radiation • Predominant CMOS technology • Dynamic power consumption • Electric current induces an EM field o More exotic but shown to be practical • Sound, temperature, … • Invasive: Photonic emissions Side-Channel Attacks - COSIC Course 13

  14. Principle is nothing new… “Breaking into a safe is hard, because one has to solve a single, very hard problem…” “Divide et impera !” “Things are different if it is possible to solve many small problems instead...” Side-Channel Attacks - COSIC Course 14

  15. A side-channel timing attack (I) • 4-digit PIN verification o 10000 possible combinations o On average 5000 attempts necessary o Typically only 3 attempts allowed (counter) o Probability of correct guess: 3/10000 FUNCTION check (USER_PIN, CORRECT_PIN) MAIN FUNCTION FOR i=1 TO PIN_LENGTH … IF USER_PIN[i] != CORRECT_PIN[i] IF check(…) == -1 RETURN -1 COUNTER++ ENDFOR ELSE RETURN 0 COUNTER = 0 … Side-Channel Attacks - COSIC Course 15

  16. A side-channel timing attack (II) • Execution time of check(…) leaks information o Test random PIN, measure time N o Change first PIN digit, measure time N’ o If N == N’ both digit guesses are wrong o If N > N’ the first digit guess was correct o If N < N’ the new digit guess is correct • Average 5 (worst case 10) attempts per digit • Average 20 (worst case 40) attempts per PIN • … but recall that only 3 attempts are allowed Side-Channel Attacks - COSIC Course 16

  17. Relevance for embedded crypto devices • Some cryptographic primitives gain their mathematical strength by repeating a “weak” function many times o Classical model: adversary only sees final and secure output o Ease of implementation • Other primitives are more complex, but their implementations follow a similar idea • Side- channels leak information about the “weak” intermediate results o Localized leakage inside the implementation Side-Channel Attacks - COSIC Course 17

  18. Invasive attacks • Passive: micro-probing o Probe the bus with a very thin needle o Read out data from bus or individual cells directly o Several needles concurrently source: Helena Handschuh • Active: circuit modification "0" OUT o Connect or disconnect security mechanism • Disconnect security sensors • RNG stuck at a fixed value • Reconstruct blown fuses RNG o Cut or paste tracks with laser or focused ion beam o Add probe pads on buried layers [www.fa-mal.com] Side-Channel Attacks - COSIC Course 18

  19. Fault injection attacks (I) • Non-(semi)invasive: apply combination of strange environmental conditions o Vcc o Glitch o Clock o Temperature o UV o Light o X-Rays o ... error input • And bypass security mechanisms or infer secrets slide source: Helena Handschuh Side-Channel Attacks - COSIC Course 19

  20. Back to the PIN example • Assume the function check(…) runs in constant time MAIN FUNCTION … IF check(…) == -1 COUNTER++ ELSE COUNTER = 0 … • Attacker can target the main function with the aim of obtaining unlimited attempts o Disconnect power supply before increasing counter o “Skip” instructions using glitches o … Side-Channel Attacks - COSIC Course 20

  21. Fault injection attacks (II) • Invasive: exploit faulty behavior provoked by physical stress applied to the device o Laser fault injection allows to target a relatively small surface area of the target device o Laser pulse frequency ~ 50Hz o Fully automated scan of chip surface o Once you have a weak spot: perturbate and exploit source: www.new-wave.com Side-Channel Attacks - COSIC Course 21

  22. Differential Fault Analysis • Ask for a cryptographic computation twice o With any input and no fault (reference) o With the same input and fault injection • Infer information about the key from the output differential • Sometimes a single fault injection is enough! Side-Channel Attacks - COSIC Course 22

  23. Power measurements, Simple Power Analysis (SPA), Differential Power Analysis (DPA) Part II: INTRODUCTION TO POWER ANALYSIS Side-Channel Attacks - COSIC Course 23

  24. Measuring power consumption • Not average power over time, not peak power • Instantaneous power over time o Trace or curve, many samples Time • Typical (automated) measurement setup CENTRAL PC SCOPE POWER SUPPLY / FUNCTION GENERATOR CRYPTOGRAPHIC DEVICES Side-Channel Attacks - COSIC Course 24

  25. Measuring power consumption (II) • Logic: constant supply voltage, supply current varies • Predominant technology: CMOS o Low static power consumption o Relatively high dynamic power consumption o Power consumption depends on input • CMOS inverter: Input Output Current 0-1 0  0 1  1 Low transition 0  1 1  0 Discharge 1  0 0  1 Charge 1  1 0  0 Low Side-Channel Attacks - COSIC Course 25

  26. Power Analysis (I) • What can we see looking at a curve? • Information in: o Repetitive patterns: typically coarse, structure of algorithm and implementation (e.g. loops) o Time: what happens when, program flow o Amplitude: what happens at a given moment in time, data flow • The same operation, executed with different operand values, consumes more or less power • Examples: trace inspection Side-Channel Attacks - COSIC Course 26

  27. Power Analysis (II) Quantized voltage Time • Unprotected software implementation of AES-128 on 8-bit µC o Ten rounds, last round shorter, without MixColumns Side-Channel Attacks - COSIC Course 27

  28. Power Analysis (III) Quantized voltage Time • Unprotected software implementation of AES-128 on 8-bit µC o Two rounds, four AES building blocks look different Side-Channel Attacks - COSIC Course 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer FSE 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

635 views • 30 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer ESC 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

476 views • 33 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018 Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

824 views • 48 slides
Performing Low-cost Electromagnetic Side-channel Attacks using RTL-SDR and Neural Networks

Performing Low-cost Electromagnetic Side-channel Attacks using RTL-SDR and Neural Networks

Performing Low-cost Electromagnetic Side-channel Attacks using RTL-SDR and Neural Networks Pieter Robyns Motivation and introduction Motivation Information about performing EM side-channel attacks using SDR is quite scarce A few

758 views • 42 slides
AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

Nicolas Belleville Damien Courouss Karine Heydemann Henri-Pierre Charles AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 | Belleville Nicolas INTRODUCTION Focus on power/EM based side channel

535 views • 31 slides
Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet nadia.el-mrabet@emse.fr Mines St Etienne WRACH2019, April 17, 2019 Side channel attacks Physical counter measures Algorithmic counter measures Arithmetical

900 views • 36 slides
Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas ROCHE ANSSI (French Network and Information Security Agency) Thursday, December 3rd, 2013 Side Channel Attacks (SCA)| Linear Regression Attack

340 views • 32 slides
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

1.62k views • 92 slides
CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security Introduction Meltdown Papers Spectre Attacks: Exploiting Speculative Execution, IEEE Security and Privacy (S&amp;P), 2019 (Dustin)

726 views • 44 slides
HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately,

363 views • 12 slides
Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curves Side-Channel Countermeasures Conclusion Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks Vincent Verneuil 1 , 2 1 Inside Secure 2 Institut de Math ematiques de Bordeaux S

2.22k views • 188 slides
AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS SIDE CHANNEL ATTACKS

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS SIDE CHANNEL ATTACKS

Nicolas Belleville 1 Damien Courouss 1 Karine Heydemann 2 1 Univ Grenoble Alpes, CEA, List, F-38000 Grenoble, France Henri-Pierre Charles 1 firstname.lastname@cea.fr 2 Sorbonne Universit, CNRS, LIP6, F-75005, Paris, France

715 views • 53 slides
Optimal Attacks for Multivariate and Multimodel Side-Channel Leakages Nicolas Bruneau, Sylvain

Optimal Attacks for Multivariate and Multimodel Side-Channel Leakages Nicolas Bruneau, Sylvain

Introduction Solution Results Conclusions and perspectives Optimal Attacks for Multivariate and Multimodel Side-Channel Leakages Nicolas Bruneau, Sylvain Guilley, Annelie Heuser, Damien Marion and Olivier Rioul Saturday August 20, 2016

1.11k views • 36 slides
Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with

Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with

Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with Emmanuel Prouff EUROCRYPT 2013 May 27th Outline 1 Introduction and Previous Works 2 Our Contribution 3 Model of Leaking Computation 4

526 views • 36 slides
Non-Profiled Deep Learning-based Side-Channel attacks with Sensitivity Analysis Benjamin Timon

Non-Profiled Deep Learning-based Side-Channel attacks with Sensitivity Analysis Benjamin Timon

Non-Profiled Deep Learning-based Side-Channel attacks with Sensitivity Analysis Benjamin Timon August 28, 2019 Python notebook presentation for CHES 2019 1 Introduction &amp; Motivation Profiled vs Non-Profiled attacks Machine Learning trend

407 views • 14 slides
Embedding SQL Engine to Your Application Iwo Panowicz Percona Whats an Embedded Database?

Embedding SQL Engine to Your Application Iwo Panowicz Percona Whats an Embedded Database?

Embedding SQL Engine to Your Application Iwo Panowicz Percona Whats an Embedded Database? A library embedded in the application, that implements methods to access and manipulate data. A database running on an embedded computer mostly

795 views • 53 slides
NATIONAL ACTION PLAN OF THE FRENCH NUCLEAR SAFETY AUTHORITY December 2012 TABLE OF CONTENTS

NATIONAL ACTION PLAN OF THE FRENCH NUCLEAR SAFETY AUTHORITY December 2012 TABLE OF CONTENTS

COMPLEMENTARY SAFETY ASSESSMENTS FOLLOW-UP TO THE FRENCH NUCLEAR POWER PLANT STRESS TESTS NATIONAL ACTION PLAN OF THE FRENCH NUCLEAR SAFETY AUTHORITY December 2012 TABLE OF CONTENTS Introductio n

1.06k views • 65 slides
Binary-Level Software Security Gang Tan Department of CSE, Lehigh University For Joint Summer

Binary-Level Software Security Gang Tan Department of CSE, Lehigh University For Joint Summer

Binary-Level Software Security Gang Tan Department of CSE, Lehigh University For Joint Summer Schools on Cryptography and Principles of Software Security @ Penn State; Jun 1st, 2012 High-Level Languages for Safety/Security 2 Java, C#,

1.54k views • 98 slides
End-to-end formal ISA verification of RISC-V processors with riscv-formal Clifford Wolf About

End-to-end formal ISA verification of RISC-V processors with riscv-formal Clifford Wolf About

End-to-end formal ISA verification of RISC-V processors with riscv-formal Clifford Wolf About RISC-V RISC-V is an Open Instruction Set Architecture (ISA) Can be freely used for any purpose Many implementations are available from

677 views • 22 slides
Rapid Prototyping of Avionic Applications Using P4 Dominik Scholz , Fabien Geyer, Sebastian

Rapid Prototyping of Avionic Applications Using P4 Dominik Scholz , Fabien Geyer, Sebastian

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Rapid Prototyping of Avionic Applications Using P4 Dominik Scholz , Fabien Geyer, Sebastian Gallenmller, Georg Carle german-french academy

573 views • 16 slides
Soletta Technical Introduction Otavio Pontes OTC - Intel Soletta overview Features and

Soletta Technical Introduction Otavio Pontes OTC - Intel Soletta overview Features and

Soletta Technical Introduction Otavio Pontes OTC - Intel Soletta overview Features and Architecture Soletta Overview IoT Questions and Problems Explosion of libraries Subsets: I/O, comms Specific targets Too big for small

381 views • 25 slides
WATER SYSTEM POWER REDUNDANCY PROJECT WS85470002 DESIGN SERVICES The City of Phoenix is seeking

WATER SYSTEM POWER REDUNDANCY PROJECT WS85470002 DESIGN SERVICES The City of Phoenix is seeking

PRE-SUBMITTAL CONFERENCE FOR THE WATER SYSTEM POWER REDUNDANCY PROJECT WS85470002 DESIGN SERVICES The City of Phoenix is seeking a qualified engineering firm with experience in electrical power redundancy system, Water Treatment Plants (WTPs),

304 views • 18 slides
Model-based Testing Without a Model: Assessing Portability in the Seattle Testbed Justin Cappos

Model-based Testing Without a Model: Assessing Portability in the Seattle Testbed Justin Cappos

Model-based Testing Without a Model: Assessing Portability in the Seattle Testbed Justin Cappos and Jonathan Jacky University of Washington Seattle, Washington USA justinc@cs.washington.edu, jon@u.washington.edu with special thanks to Jeff

425 views • 10 slides

More recommend