Introduction to Side-Channel Attacks Josep Balasch KU Leuven ESAT / - - PowerPoint PPT Presentation

Josep Balasch

Introduction to Side-Channel Attacks

KU Leuven ESAT / COSIC

15th International COSIC Course

Leuven, Belgium, 18 June 2015

Side-Channel Attacks - COSIC Course 18 June 2015

Acknowledgements: Benedikt Gierlichs, Ingrid Verbauwhede, Patrick Schaumont, Kris Tiri, Bart Preneel, Helena Handschuh

• PART I: Introduction to implementation attacks
• Embedded cryptographic devices
• Security models
• Classification of implementation attacks
• PART II: Introduction to Power Analysis attacks
• Power measurements, leakage models
• Simple Power Analysis (SPA)
• Differential Power Analysis (DPA)
• Countermeasures

2

Outline

Side-Channel Attacks - COSIC Course

3 Side-Channel Attacks - COSIC Course

Part I: INTRODUCTION TO IMPLEMENTATION ATTACKS

Physical attacks, embedded cryptographic devices, security models, classification of attacks

• Attack on channel between communicating parties
• Encryption and cryptographic operations in black boxes
• Protection by strong mathematic algorithms and protocols
• Computationally secure

4

Traditional model (simplified view)

Side-Channel Attacks - COSIC Course

• A cryptographic device is an electronic device that

implements a cryptographic algorithm and stores a cryptographic key. It is capable of performing cryptographic

• perations using that key.
• Embedded: it is exposed to adversaries in a hostile

environment; full physical access, no time constraints

• Remark: the adversary might be a legitimate user!

5

Embedded Cryptographic Devices

Side-Channel Attacks - COSIC Course

IDENTIFICATION PAYMENT COMMUNICATION MULTIMEDIA

...

• New Model (also simplified view):
• Attack on channel and endpoints
• Encryption and cryptographic operations in gray boxes
• Protection by strong mathematic algorithms and protocols
• Protection by secure implementation
• Need secure implementations not only algorithms

6

How is Embedded Security affected?

Side-Channel Attacks - COSIC Course

A system is as secure as its weakest link

7

Keep in mind

Side-Channel Attacks - COSIC Course

8

A system is as secure as its weakest link

Side-Channel Attacks - COSIC Course

unknown source: seen on schneier.com

9

A system is as secure as its weakest link

Side-Channel Attacks - COSIC Course

source: Paul Kocher

• The adversary will go for the weakest entry point
• Disable or go around security mechanisms
• Guess / spy on passwords
• What is the name of Paris Hilton‘s dog?
• Bribe the security guard
• Social engineering – Kevin Mitnick
• If you use crypto, he will try to go around it
• System designer: thinks of the "right" way to use the system
• Adversary: does not play by the rules
• Designer has to think like the adversary,

anticipate attacks, protect against them

• There is no way to protect against all attacks
• Do you know all atacks?

10 Side-Channel Attacks - COSIC Course

A system is as secure as its weakest link

• Two orthogonal criteria

(a) Side-channels: passive and (typically) non-invasive (b) Circuit modification: active and invasive (c) Fault injection: active, different degrees of invasion

11

Taxonomy of physical attacks

Side-Channel Attacks - COSIC Course

• Active: perturbate and conclude
• Passive: observe and infer
• Invasive: open package, contact chip
• Semi-Invasive: open package, no contact
• Non-Invasive: no modifications

Active Passive Non-Invasive Invasive

Physical attacks ≠ Cryptanalysis

(gray box, physics) (black box, maths)

• Does not tackle the algorithm's math
• Observe physical quantities in the device's vincinity and use additional

information during cryptanalysis

12

Side-channel Leakage

Side-Channel Attacks - COSIC Course

Input Output Leakage

• Passive:
• Timing
• Overall or “local” execution time
• Power, Electromagnetic (EM) radiation
• Predominant CMOS technology
• Dynamic power consumption
• Electric current induces an EM field
• More exotic but shown to be practical
• Sound, temperature, …
• Invasive: Photonic emissions

13

Some side-channels (not exhaustive)

Side-Channel Attacks - COSIC Course

execution time time

14

Principle is nothing new…

Side-Channel Attacks - COSIC Course

“Breaking into a safe is hard, because one has to solve a single, very hard problem…” “Things are different if it is possible to solve many small problems instead...” “Divide et impera!”

• 4-digit PIN verification

15

A side-channel timing attack (I)

Side-Channel Attacks - COSIC Course

FUNCTION check (USER_PIN, CORRECT_PIN) FOR i=1 TO PIN_LENGTH IF USER_PIN[i] != CORRECT_PIN[i] RETURN -1 ENDFOR RETURN 0 MAIN FUNCTION … IF check(…) == -1 COUNTER++ ELSE COUNTER = 0 …

• 10000 possible combinations
• On average 5000 attempts necessary
• Typically only 3 attempts allowed (counter)
• Probability of correct guess: 3/10000

• Execution time of check(…) leaks information
• Average 5 (worst case 10) attempts per digit
• Average 20 (worst case 40) attempts per PIN
• … but recall that only 3 attempts are allowed

16

A side-channel timing attack (II)

Side-Channel Attacks - COSIC Course

• Test random PIN, measure time N
• Change first PIN digit, measure time N’
• If N == N’ both digit guesses are wrong
• If N > N’ the first digit guess was correct
• If N < N’ the new digit guess is correct

• Some cryptographic primitives gain their mathematical

strength by repeating a “weak” function many times

• Classical model: adversary only sees final and secure
• utput
• Ease of implementation
• Other primitives are more complex, but their

implementations follow a similar idea

• Side-channels leak information about the “weak”

intermediate results

• Localized leakage inside the implementation

17

Relevance for embedded crypto devices

Side-Channel Attacks - COSIC Course

• Passive: micro-probing
• Probe the bus with a very thin needle
• Read out data from bus or individual cells

directly

• Several needles concurrently
• Active: circuit modification
• Connect or disconnect security mechanism
• Disconnect security sensors
• RNG stuck at a fixed value
• Reconstruct blown fuses
• Cut or paste tracks with laser or focused ion beam
• Add probe pads on buried layers

18

Invasive attacks

Side-Channel Attacks - COSIC Course

[www.fa-mal.com] source: Helena Handschuh

RNG OUT "0"

• Non-(semi)invasive: apply combination of strange

environmental conditions

• Vcc
• Glitch
• Clock
• Temperature
• UV
• Light
• X-Rays
• ...
• And bypass security mechanisms or infer secrets

19

Fault injection attacks (I)

Side-Channel Attacks - COSIC Course

input error

slide source: Helena Handschuh

• Assume the function check(…) runs in constant time
• Attacker can target the main function with the aim of
• btaining unlimited attempts
• Disconnect power supply before increasing counter
• “Skip” instructions using glitches
• …

20

Back to the PIN example

Side-Channel Attacks - COSIC Course

MAIN FUNCTION … IF check(…) == -1 COUNTER++ ELSE COUNTER = 0 …

• Invasive: exploit faulty behavior provoked by physical

stress applied to the device

• Laser fault injection allows to

target a relatively small surface area of the target device

• Laser pulse frequency ~ 50Hz
• Fully automated scan of chip

surface

• Once you have a weak spot:

perturbate and exploit

21

Fault injection attacks (II)

Side-Channel Attacks - COSIC Course

source: www.new-wave.com

• Ask for a cryptographic computation twice
• With any input and no fault (reference)
• With the same input and fault injection
• Infer information about the key from the output

differential

• Sometimes a single fault injection is enough!

22

Differential Fault Analysis

Side-Channel Attacks - COSIC Course

23 Side-Channel Attacks - COSIC Course

Part II: INTRODUCTION TO POWER ANALYSIS

Power measurements, Simple Power Analysis (SPA), Differential Power Analysis (DPA)

• Not average power over time, not peak power
• Instantaneous power over time
• Trace or curve, many samples
• Typical (automated) measurement setup

24

Measuring power consumption

Side-Channel Attacks - COSIC Course

Time CRYPTOGRAPHIC DEVICES CENTRAL PC SCOPE POWER SUPPLY / FUNCTION GENERATOR

• Logic: constant supply voltage, supply current varies
• Predominant technology: CMOS
• Low static power consumption
• Relatively high dynamic power consumption
• Power consumption depends on input
• CMOS inverter:

25

Measuring power consumption (II)

Side-Channel Attacks - COSIC Course

0-1 transition

Input Output Current 0  0 1  1 Low 0  1 1  0 Discharge 1  0 0  1 Charge 1  1 0  0 Low

• What can we see looking at a curve?
• Information in:
• Repetitive patterns: typically coarse, structure of algorithm and

implementation (e.g. loops)

• Time: what happens when, program flow
• Amplitude: what happens at a given moment in time, data flow
• The same operation, executed with different operand values, consumes more
• r less power
• Examples: trace inspection

26

Power Analysis (I)

Side-Channel Attacks - COSIC Course

• Unprotected software implementation of AES-128 on 8-bit µC
• Ten rounds, last round shorter, without MixColumns

27

Power Analysis (II)

Side-Channel Attacks - COSIC Course Quantized voltage Time

• Unprotected software implementation of AES-128 on 8-bit µC
• Two rounds, four AES building blocks look different

28

Power Analysis (III)

Side-Channel Attacks - COSIC Course Quantized voltage Time

• Few clock cycles on 8-bit µC
• Capacitive charge and discharge effect visible in every clock cycle
• Loading and unloading capacitors in the circuit
• wires, input/output capacitances, parasitic capacitances, etc.
• Amplitude depends on operation and operand value(s)

29

Power Analysis (IV)

Side-Channel Attacks - COSIC Course Quantized voltage Time

• RSA signature generation with CRT

30

Power Analysis (V)

Side-Channel Attacks - COSIC Course Quantized voltage Time

• If sequence of patterns, timing or amplitude depends
• n secret values, power analysis attacks can possibly

reveal the secrets

• Taxonomy: attacks categorized according to approach,

requirements, adversarial power, etc.

• Categories and criteria not 100% clear, definitions vary,

transitions are smooth

31

From Power Analysis to Power Analysis Attacks

Side-Channel Attacks - COSIC Course

[JO05]

• Anything but simple (except in examples  )
• Visual inspection of a few traces, worst/best case: single

shot

• Often exploits direct key dependencies
• Input/output not need to be known, but useful for verification
• Require: expertise, experience, detailed knowledge about

target device and implementation

• Examples in following slides: patterns, amplitude, timing

32

SPA: Simple Power Analysis attacks (I)

Side-Channel Attacks - COSIC Course

[KJJ99]

• Patterns (over many-cycle sequences) show, e.g.:
• Symmetric crypto algorithms
• Number of rounds (resp. key length), loops
• Memory accesses (sometimes higher power consumption)
• Asymmetric crypto algorithms
• Key length
• Implementation details (e.g. RSA with CRT)
• Key (if careless implementation, e.g. RSA/ECC)

33

SPA: Simple Power Analysis attacks (II)

Side-Channel Attacks - COSIC Course

34

SPA: Simple Power Analysis attacks (III)

Side-Channel Attacks - COSIC Course ECC POINT MULTIPLICATION (left-to-right binary method) INPUT: k=(kt-1,…,k0)2, P ∈ E(Fq) OUTPUT: Q = kP Q ← ∞ FOR i=t-1 TO 0 Q ← 2Q ; point doubling IF ki == 1 Q ← Q + P ; point addition RETURN Q

• Conditional, key-dependent operation
• Different algorithms to compute point

addition and point doubling

• Implementation on 8-bit μC with

Montgomery co-processors (affine points)

Quantized voltage Time

35

SPA: Simple Power Analysis attacks (IV)

Side-Channel Attacks - COSIC Course Quantized voltage Time

1 1 1 1 1 1 …

• Zoom-in until patterns appear:
• Always point doubling
• Sometimes point addition

• Amplitude of a certain cycle can show:
• Exact operand values (extreme case)
• Often: Hamming weight or Hamming distance of
• perand(s)
• Operation being executed in software scenarios
• Reverse-engineering of implementation details, and e.g.

proprietary algorithms

36

SPA: Simple Power Analysis attacks (V)

Side-Channel Attacks - COSIC Course

• Example: Load from Memory instruction (LD)
• Power consumption depends on HW of the read value
• Suppose we have a 'dictionary' that translates power

consumption values into HW

• Example: SPA attack on the AES key schedule
• Extract HWs of round keys, generate list of suitable round keys
• Requires 1 plaintext/ciphertext pair to check remaining candidate keys

37

SPA: Simple Power Analysis attacks (VI)

Side-Channel Attacks - COSIC Course

HW = 0 HW = 8

[M02]

• Timing, e.g. when an operation is executed, can show:
• Data-dependent branches in software implementations
• Execution of additional operations
• Example: bad implementation of AES MixColumns

38

SPA: Simple Power Analysis attacks (VIII)

Side-Channel Attacks - COSIC Course

[KQ99]

• Multiplications by 02 in GF(28):
• Shift one bit to the left
• If carry occurs, XOR the result with 1B

X K SBox a0 < < carry? 02 · a0 1B

39

SPA: Simple Power Analysis attacks (IX)

Side-Channel Attacks - COSIC Course Quantized voltage Time

• Differential side-channel analysis allows an adversary to confirm
• r reject a hypothesis about an intermediate state of an

implementation

• If this allows to deduce the value of secret data, the analysis

becomes an attack

• Three disciplines

1. Cryptanalysis: target a sensitive intermediate state for which exhaustive key search is easy 2. Engineering: access to side-channel leakage 3. Statistics: an "oracle" to verify key hypotheses

40

Differential Power Analysis (DPA)

Side-Channel Attacks - COSIC Course

[KJJ99]

• A chip implements an encryption algorithm ENC, say AES-128,

without power analysis protection

• Inputs: plaintext
• Output: ciphertext = Enc(plaintext,key)
• Assume that the processing of each bit

affects the instantaneous dynamic power consumption

• For example:
• Bit = 1  higher power consumption
• Bit = 0  lower power consumption

41

The easy way to start… (I)

Side-Channel Attacks - COSIC Course

plaintext AES-128 encrypt ciphertext

• Choose a "good target" Y = f(X,K) in ENC
• Define a selection function D that selects one bit of Y:

D = LSB (Y)

• Take n power measurements when the chip processes varying

input data X

• Fundamental idea: key testing
• If K has this value, then Y has this value, then the selected bit has this

value (and the power consumption is higher or lower)

42

The easy way to start… (II)

Side-Channel Attacks - COSIC Course

X K SBox Y = Sbox (X ⨁ K) X ⨁ K

43

The easy way to start… (III)

Side-Channel Attacks - COSIC Course

Plaintext :

0EFCAFE0.... A12F726A.... 9115793B.... 37A75474.... 6E1AEDF8.... 965A9F0F....

• For each possible value of K, here [0..255]
• Compute the value of Y for each of the n inputs and apply the

selection function: D=0 or D=1?

• Group power curves in two sets: D=0 and D=1
• Compute mean power curve for both sets
• Compute difference of both means  differential curve
• Analyse the differential curves:
• For the correct guess of K, the differential trace shows peaks

at the point in time when the selected bit is manipulated

44

The easy way to start… (IV)

Side-Channel Attacks - COSIC Course

• Attack on first key byte in round 1 of AES-128
• If K = 00

46

The easy way to start… (V)

Side-Channel Attacks - COSIC Course

Y = AB, LSB = 1 Y = 32, LSB = 0 Y = 81, LSB =1 Y = 9A, LSB = 0 Y = 9F, LSB = 1 Y = 90, LSB = 0 AVERAGE DIFFERENTIAL

• Attack on first key byte in round 1 of AES-128
• If K = 2B

47

The easy way to start… (VI)

Side-Channel Attacks - COSIC Course

Y = 32, LSB = 0 Y = FC, LSB = 0 Y = 69, LSB =1 Y = B7, LSB = 0 Y = 2D, LSB = 1 Y = 70, LSB = 0 AVERAGE DIFFERENTIAL

• Differential trace for wrong hypothesis on K

48

The easy way to start… (VII)

Side-Channel Attacks - COSIC Course

• Differential trace for correct hypothesis on K

49

The easy way to start… (VIII)

Side-Channel Attacks - COSIC Course

• Highest peak / hypotheses on K

50

The easy way to start… (IX)

Side-Channel Attacks - COSIC Course

One hypothesis stands out

• input for encryption i
• power consumption waveform i
• targeted sub-key
• chosen intermediate result
• is one bit, e.g. LSB, of

51

More formal

Side-Channel Attacks - COSIC Course

Average power di = 0 Average power di = 1

• For the correct key hypothesis the computed di are correct
• The groups for di = 0 and di = 1 are correct
• They have a significant difference
• Averaging reveals the footprint of the target bit in the power traces

52

Why does it work?

Side-Channel Attacks - COSIC Course

Average power di = 0 Average power di = 1

• For a wrong key hypothesis the computed di are wrong (random)
• The groups for di = 0 and di = 1 both contain a mixture
• They have no significant difference
• Averaging yields the power consumption of "di = 0.5" in both groups

53

Why does it work (II)

Side-Channel Attacks - COSIC Course

Average power di = 0 Average power di = 1

• Observe power consumption of targeted intermediate value

multiple executions on varying data

54

Modern view (I)

Side-Channel Attacks - COSIC Course

X Ek(X)

k

Leak( )

• Build a model to predict "power consumption"

Predict( ) parameterized by guess on the secret k'

55

Modern view (II)

Side-Channel Attacks - COSIC Course

X Ek(X)

k

X k' Predict( ) Leak( )

• For each k', evaluate statistical dependence between

Predict( ) and Leak( ) with some Test

• Correct guess k' = k should yield strongest dependency

56

Modern view (III)

Side-Channel Attacks - COSIC Course

X Ek(X)

k

X k' ? Leak( ) Predict( )

• Approach:
• Choice of intermediate value
• Choice of power model
• Choice of statistical test
• Power model assumption: linear with # of bit flips
• Pearson’s correlation coefficient is well suited
• No assumptions of power model:
• Mutual Information can capture any type of dependency
• Other power analysis attacks:
• Internal Collision Attacks
• Profiled attacks: template, stochastic methods, …
• …

57

Modern view (IV)

Side-Channel Attacks - COSIC Course

[CRR02, SLP05] [BCO04] [SLFP04, FV03] [GBTP08]

• You cannot prevent the adversary from trying to mount

an attack

• Active:
• You can try to make it more difficult
• "Hide" sensitive parts of the chip: Epoxy, metal layers, glue logic, etc.
• You can try to detect an attack and raise an alarm
• Security sensors: power, clock, light, temperature, wire mesh
• Perform error check before outputting the result: add redundancy
• Reaction to alarm: depends on security policy
• Stop computing, reset, erase memory, self-destruct: Security vs usability

59

Countermeasures (I)

Side-Channel Attacks - COSIC Course

• Passive:
• Try to eliminate side-channels, reduce information

leakage, turn leaked information useless

• Execution time independent of secret values
• Sequence of operations independent of secret values
• Hiding countermeasures

– Time domain: dummy operations, shuffling, ... – Amplitude domain (SNR): background noise, , secure logic styles,...

• Masking countermeasures to prevent known inputs

– Boolean masks, secret sharing schemes, ...

• Design algorithms using gray-box model:

– Leakage-resilient cryptography

60

Countermeasures (II)

Side-Channel Attacks - COSIC Course

• Security as a design dimension
• Adding security against implementation attacks consumes

resources

• Extra area, time, power, product development, …
• Attacker will go for the easiest entry point
• If strong crypto algorithm, try other weaknesses
• Monitor power consumption, EM radiation, time, …
• Inject glitches: clock, voltage, lasers, …
• Threat of power analysis attacks:
• Passive and non-invasive, low-cost equipment, …
• Arms-race between attacks and countermeasures

61

Conclusions

Side-Channel Attacks - COSIC Course

• [JO05] M. Joye, F. Olivier: Side-channel analysis, Encyclopedia of Cryptography

and Security, 2005

• [KJJ99] P. Kocher, J. Jaffe, B. Jun: Differential power analysis, CRYPTO 1999
• [M02] S. Mangard: A Simple Power-Analysis (SPA) Attack on Implementations
• f the AES Key Expansion, ICISC, 2002
• [DR98] J. Daemen, V. Rijmen: AES proposal Rijndael, 1998
• [KQ99] F. Koeune and J.-J. Quisquater: A timing attack against Rijndael, UCL

Crypto Group technical report CG-1999/1, 1999

• [SLFP04] K. Schramm, G. Leander, P. Felke, C. Paar: A Collision-Attack on AES
• Combining Side Channel- and Differential-Attack, CHES, 2004
• [FV03] P.-A. Fouque, F. Valette: The Doubling Attack - Why Upwards Is Better

than Downwards, CHES, 2003

• [BCO04] E. Brier, C. Clavier, F. Olivier: Correlation power analysis with a

leakage model, CHES, 2004

• [GBTP08] B. Gierlichs, L. Batina, P. Tuyls, B. Preneel: Mutual information

analysis, CHES, 2008

62

Bibliography (I)

Side-Channel Attacks - COSIC Course

• [CRR02] S. Chari, J.R. Rao, P. Rohatgi: Template Attacks, CHES, 2002
• [SLP05] W. Schindler, K. Lemke, C. Paar: A Stochastic Model for Differential

Side Channel Cryptanalysis, CHES 2005

• [M00] T.S. Messerges: Using second-order power analysis to attack DPA

resistant software, CHES, 2000

• [CJRR99] S. Chari, C.S. Jutla, J.R. Rao, P. Rohatgi: Towards sound approaches to

counteract power-analysis attacks, CRYPTO, 1999

• [S+10] F.-X. Standaert, N. Veyrat-Charvillon, E. Oswald, B. Gierlichs, M.

Medwed, M. Kasper, S. Mangard: The world is not enough: Another look on second-order DPA, ASIACRYPT, 2010

63

Bibliography (II)

Side-Channel Attacks - COSIC Course

64

Thanks for your attention!

Side-Channel Attacks - COSIC Course

QUESTIONS ?

Josep Balasch: josep.balasch@esat.kuleuven.be