introdution to physical cryptanalysis
play

Introdution to Physical Cryptanalysis ASK 2014 Victor LOMNE ANSSI - PowerPoint PPT Presentation

Sep 17, 2023 •93 likes •817 views

Introdution to Physical Cryptanalysis ASK 2014 Victor LOMNE ANSSI (French Network and Information Security Agency) Saturday, December 20 th , 2014 Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections|

  1. Introdution to Physical Cryptanalysis ASK 2014 Victor LOMNE ANSSI (French Network and Information Security Agency) Saturday, December 20 th , 2014

  2. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Agenda Introduction 1 a. Embedded Systems b. Security Models Side Channel Attacks (SCA) 2 a. Side Channels b. Cryptanalysis Techniques c. SCA on Commercial Products Fault Attacks (FA) 3 a. Fault Injection Means b. Cryptanalysis Techniques c. Real World Attacks Combined Attacks 4 a. Use Case b. Principle 5 Protections a. SCA Protections b. FA Protections c. Certification 1/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  3. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Embedded Systems| Security Models| Agenda Introduction 1 a. Embedded Systems b. Security Models Side Channel Attacks (SCA) 2 a. Side Channels b. Cryptanalysis Techniques c. SCA on Commercial Products Fault Attacks (FA) 3 a. Fault Injection Means b. Cryptanalysis Techniques c. Real World Attacks Combined Attacks 4 a. Use Case b. Principle 5 Protections a. SCA Protections b. FA Protections c. Certification 2/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  4. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Embedded Systems| Security Models| Context Since the 90’s, increasing use of secure embedded devices ◮ 8G smartcard ICs sold in 2012 (SIM cards, credit cards ✿ ✿ ✿ ) Strong cryptography from a mathematical point of view used to manage sensitive data ◮ AES, RSA, ECC, SHA-3 ✿ ✿ ✿ 3/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  5. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Embedded Systems| Security Models| Secure Embedded devices Functionalities: ◮ secure boot ◮ secure storage & execution of code in confidentiality & integrity ◮ secure storage of sensitive data in confidentiality & integrity ◮ secure implementation of crypto operations Small set of commands ✮ reduce the Attack Surface 4/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  6. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Embedded Systems| Security Models| Examples of Secure Embedded Devices Smartcards (credit cards, USIM, e-passports ✿ ✿ ✿ ) Trusted Platform Modules (TPM) Smartphone secure elements Hard disk drives with HW encryption Set-Top Boxes Hardware Security Modules (HSM) Wireless sensors network ✿ ✿ ✿ 5/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  7. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Embedded Systems| Security Models| Agenda Introduction 1 a. Embedded Systems b. Security Models Side Channel Attacks (SCA) 2 a. Side Channels b. Cryptanalysis Techniques c. SCA on Commercial Products Fault Attacks (FA) 3 a. Fault Injection Means b. Cryptanalysis Techniques c. Real World Attacks Combined Attacks 4 a. Use Case b. Principle 5 Protections a. SCA Protections b. FA Protections c. Certification 6/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  8. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Embedded Systems| Security Models| Classical Cryptography Black-Box Model assumed in classical cryptography: ◮ key(s) stored in the device ◮ cryptographic operations computed inside the device black-box model PLAINTEXT CIPHERTEXT blablablablablabla tO^à@:/!uYe#&²é" blibliblibliblibliblibl ccGt*µ$Bg;./rSdrtg bloblobloblobloblo ([jKé~-|kLm%*ø$tf blublublublublublu vB:!§eR'{qZé~rt6- blyblyblyblyblybly phçö^$"NhR([qSrT The attacker has only access to pairs of plaintexts / ciphertexts. 7/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  9. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Embedded Systems| Security Models| Secure Cipher - Unsecure Implementation (1/2) ❬ Kocher ❪ ✭ 1996 ✮ ✮ exploitation of physical leakages ◮ cryptosystems integrated in CMOS technology ◮ physical leakages correlated with computed data gray-box model (spy the computation) PLAINTEXT CIPHERTEXT blablablablablabla tO^à@:/!uYe#&²é" blibliblibliblibliblibl CRYPTOSYSTEM ccGt*µ$Bg;./rSdrtg bloblobloblobloblo ([jKé~-|kLm%*ø$tf blublublublublublu vB:!§eR'{qZé~rt6- blyblyblyblyblybly phçö^$"NhR([qSrT time power electromagnetic radiations vibrations light ... The attacker has also access to physical leakages New class of attacks ✮ Side-Channel Attacks (SCA) 8/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  10. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Embedded Systems| Security Models| Secure Cipher - Unsecure Implementation (2/2) ❬ Boneh et al. ❪ ✭ 1997 ✮ ✮ exploitation of faulty encryptions ◮ the attacker can generate faulty encryptions gray-box model (perturbate the computation) PLAINTEXT BAD CIPHERTEXT blablablablablabla tO^à@:/!uYe#&²é" blibliblibliblibliblibl CRYPTOSYSTEM ccGt*µ$toto/rSdrtg bloblobloblobloblo ([jKé~-|kLm%*ø$tf blublublublublublu vB:!§eR'{UZé~rt6- blyblyblyblyblybly phç%^$"NhR([qSrT power glitch light eletromagnetic field ... the attacker has access to correct & faulty ciphertexts New class of attacks ✮ Fault Attacks (FA) 9/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  11. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Agenda Introduction 1 a. Embedded Systems b. Security Models Side Channel Attacks (SCA) 2 a. Side Channels b. Cryptanalysis Techniques c. SCA on Commercial Products Fault Attacks (FA) 3 a. Fault Injection Means b. Cryptanalysis Techniques c. Real World Attacks Combined Attacks 4 a. Use Case b. Principle 5 Protections a. SCA Protections b. FA Protections c. Certification 10/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  12. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Side Channel Cryptanalysis SCA consist in measuring a physical leakage of a device when it handles sensitive information ◮ e.g. cryptographic keys Handled info. are correlated with the physical leakage ◮ e.g. a register leaking as the Hamming Weight of its value The attacker can then apply statistical methods to extract the secret from the measurements ◮ Simple Side-Channel Attacks (SSCA) ◮ Differential Side-Channel Attacks (DSCA) ◮ Template Attacks (TA) ◮ Collision-based Side-Channel Attacks ◮ ✿ ✿ ✿ 11/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  13. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Side Channels| Cryptanalysis Techniques| SCA on Commercial Products| Agenda Introduction 1 a. Embedded Systems b. Security Models Side Channel Attacks (SCA) 2 a. Side Channels b. Cryptanalysis Techniques c. SCA on Commercial Products Fault Attacks (FA) 3 a. Fault Injection Means b. Cryptanalysis Techniques c. Real World Attacks Combined Attacks 4 a. Use Case b. Principle 5 Protections a. SCA Protections b. FA Protections c. Certification 12/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  14. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Side Channels| Cryptanalysis Techniques| SCA on Commercial Products| Physical Leakages exploited by SCA Timing Attacks (CRYPTO 96) - [Kocher] exploit the computational time of cryptographic operations Power Analysis (CRYPTO 99) - [Kocher et al.] exploit the power consumption of the IC ElectroMagnetic Analysis (CHES 01) - [Gandolfi et al.] exploit the electro-magnetic radiations of the IC Acoustic Cryptanalysis (2004) - [Shamir] exploit the sound emitted by the IC Light Emission Analysis (CHES 10) - [Di Battista et al.] exploit the light emission of the IC 13/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  15. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Side Channels| Cryptanalysis Techniques| SCA on Commercial Products| Measuring the Power Consumption of an IC (1/2) Different means: ◮ shunt resistor ◮ current probe ◮ differential probe Optional: Low Noise Amplifier ✦ amplify the signal Cost: low 14/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  16. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Side Channels| Cryptanalysis Techniques| SCA on Commercial Products| Measuring the Power Consumption of an IC (2/2) The IC can filter the current switching The IC can be mounted on complex boards !!! ◮ Where is the power supply pin ? ◮ There is sometimes several power supply pins ✿ ✿ ✿ 15/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  17. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Side Channels| Cryptanalysis Techniques| SCA on Commercial Products| Measuring the EM Radiations of an IC (1/3) When an IC is computing, current flows through the different metal layers to supply the gates. Maxwell equations ✮ current flowing through each metal rails creates an ElectroMagnetic field 16/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Iran Post Sanctions: How Much Oil will Hit the Market? New York 28 September 2015 INTRODUTION

Iran Post Sanctions: How Much Oil will Hit the Market? New York 28 September 2015 INTRODUTION

Iran Post Sanctions: How Much Oil will Hit the Market? New York 28 September 2015 INTRODUTION Iran and the P5+1 have agreed on a framework to put an end to the dispute over Irans nuclear program; Once the so-called Joint

457 views • 16 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU Leuven, and imec, Belgium FSE, March 2017 1 Table of Contents ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment

1.12k views • 72 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Description of LAC Differentials and Characteristics Forgery attack Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . . Gatan Leurent Inria, France DIAC 2014 2 / 9 Description of LAC DIAC

1.04k views • 36 slides
Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential cryptanalysis David Gerault LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier,

455 views • 26 slides
Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany Department of Information and Computer Science, Aalto University School of Science, Finland FSE 2014 1 / 21 Outline Introduction Slide Cryptanalysis

712 views • 49 slides
Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit

Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit

Cryptanalysis of RadioGatn Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit des Systmes dInformation 2 Ingenico FSE 2009 - February 22-25 - Leuven Thomas Fuhr , Thomas Peyrin Cryptanalysis

567 views • 28 slides
Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun

Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun

Correlation and Linear Cryptanalysis Correlation of Quadratic Boolean Functions Cryptanalysis of MORUS Conclusion and Discussion Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun Joint work

659 views • 54 slides
Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE Crypto Team cole normale

Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE Crypto Team cole normale

Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE Crypto Team cole normale suprieure Joint work with Dubois, Stern, Shamir, Macario-Rat Summary Matsumoto-Imai (MI) cryptosystem Cryptanalysis of MI by Patarin

388 views • 21 slides
Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev

Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev

Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev FFI, Norway Univ. of Bergen, Norway 28 March 2019, FSE, Paris Briefly Matsuis Linear Cryptanalysis is based on the distribution of x 1 . .

331 views • 30 slides
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low complexity differential cryptanalysis

844 views • 34 slides
White-Box Cryptography Matthieu Rivain Journ ees Nationales 2017 Pr e-GDR S ecurit e

White-Box Cryptography Matthieu Rivain Journ ees Nationales 2017 Pr e-GDR S ecurit e

White-Box Cryptography Matthieu Rivain Journ ees Nationales 2017 Pr e-GDR S ecurit e Informatique Paris, 31 mai 2017 Outline Context: white-box crypto: big trend in the industry cryptographic obfuscation: big trend in the

1.41k views • 46 slides
Using Modular Extension to Provably Protect Edwards Curves Against Fault Attacks Margaux

Using Modular Extension to Provably Protect Edwards Curves Against Fault Attacks Margaux

Using Modular Extension to Provably Protect Edwards Curves Against Fault Attacks Margaux Dugardin, Sylvain Guilley, Martin Moreau, Zakaria Najm, Pablo Rauzy PROOFS 2016 - Santa Barbara, CA Introduction Eve Communications Alice Bob Channel

726 views • 60 slides
Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure

Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure

Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure North America public Concrete execution r1 = 0xBE; r2 = 0x08 mov r1,r2 add r1,0x10 r1 = 0x18; r2 = 0x08 public 2 Symbolic execution r1 = 0xBE;

470 views • 31 slides
Concurrent Fault Detection for Secure QDI Asynchronous Circuits Konrad J. Kulikowski, Mark G.

Concurrent Fault Detection for Secure QDI Asynchronous Circuits Konrad J. Kulikowski, Mark G.

Concurrent Fault Detection for Secure QDI Asynchronous Circuits Konrad J. Kulikowski, Mark G. Karpovsky, Alexander Taubin, Zhen Wang, Adrian Kulikowski Boston University Reliable Computing Laboratory 6/27/2008 Outline Side Channel

293 views • 18 slides
Partial Key Exposure: Generalized Framework to Attack RSA Santanu Sarkar Cryptology Research

Partial Key Exposure: Generalized Framework to Attack RSA Santanu Sarkar Cryptology Research

Partial Key Exposure: Generalized Framework to Attack RSA Santanu Sarkar Cryptology Research Group Indian Statistical Institute, Kolkata 12 December 2011 Santanu Sarkar Partial Key Exposure: Generalized Framework to Attack RSA Outline of the

478 views • 24 slides
Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security

Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security

Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security Rodmap STMicroelectronics 2018/12/06 2 ST Who are we ? STMicroelectronics 3 A global semiconductor leader 2017 revenues of $8.35B

1.32k views • 107 slides
Seminar 6: Side-Channel Attacks Aleksei Ivanov Tartu University aivanov@math.ut.ee MTAT.07.006

Seminar 6: Side-Channel Attacks Aleksei Ivanov Tartu University aivanov@math.ut.ee MTAT.07.006

MTAT.07.006 Research Seminar in Cryptography Seminar 6: Side-Channel Attacks Aleksei Ivanov Tartu University aivanov@math.ut.ee MTAT.07.006 Research Seminar in Cryptography, 24.10.2005 Seminar 6: Side-Channel Attacks, Aleksei Ivanov 1

382 views • 16 slides

More recommend