on the need of randomness in fault attack countermeasures
play

On the Need of Randomness in Fault Attack Countermeasures - PowerPoint PPT Presentation

Jan 16, 2023 •107 likes •358 views

Physical Attacks New Attacks on Classical Countermeasures Extended Countermeasures On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 , Thomas ROCHE 1 , Adrian THILLARD 1 1 ANSSI (French Network and

  1. Physical Attacks New Attacks on Classical Countermeasures Extended Countermeasures On the Need of Randomness in Fault Attack Countermeasures – Application to AES Victor LOMNE 1 , Thomas ROCHE 1 , Adrian THILLARD 1 1 ANSSI (French Network and Information Security Agency) FDTC 2012, Sunday, September 9th, 2012 Leuven, Belgium 1/ 25 Victor LOMNE - ANSSI FDTC 2012

  2. Physical Attacks New Attacks on Classical Countermeasures Extended Countermeasures Context of this work (1/2) Embedded Systems integrating Cryptography are susceptible to Physical Attacks, namely: Side-Channel Attacks (SCA) Fault Attacks (FA) Combined Attacks (CA) 2/ 25 Victor LOMNE - ANSSI FDTC 2012

  3. Physical Attacks New Attacks on Classical Countermeasures Extended Countermeasures Context of this work (2/2) In this work we consider the security of Block Ciphers vs: Side-Channel Attacks (SCA) Fault Attacks (FA) Combined Attacks (CA) As example we will use the AES cipher 3/ 25 Victor LOMNE - ANSSI FDTC 2012

  4. Physical Attacks New Attacks on Classical Countermeasures Extended Countermeasures Outline 1 Physical Attacks Side-Channel Attacks Fault Attacks Combined Attacks 2 New Attacks on Classical Countermeasures Combined Attack on Detection CM Fault Attacks on Infection CM On the Need of Randomness 3 Extended Countermeasures Secure Detection Secure Infection Summary 4/ 25 Victor LOMNE - ANSSI FDTC 2012

  5. Physical Attacks Side-Channel Attacks New Attacks on Classical Countermeasures Fault Attacks Extended Countermeasures Combined Attacks Outline 1 Physical Attacks Side-Channel Attacks Fault Attacks Combined Attacks 2 New Attacks on Classical Countermeasures Combined Attack on Detection CM Fault Attacks on Infection CM On the Need of Randomness 3 Extended Countermeasures Secure Detection Secure Infection Summary 5/ 25 Victor LOMNE - ANSSI FDTC 2012

  6. Physical Attacks Side-Channel Attacks New Attacks on Classical Countermeasures Fault Attacks Extended Countermeasures Combined Attacks Side-Channel Attacks A CMOS device leaks information about its state during a computation through side-channels (power, electromagnetic radiations, time ...) SCA: exploits these physical leakages correlated with computed data to guess a secret Simple SCA (SSCA): exploits 1 crypto. operation Differential SCA (DSCA): exploits several crypto. operations ⇒ very powerful due to its resistance to noise Template Attacks (TA): profiling phase / matching phase ⇒ allow to capture the maximum of information 6/ 25 Victor LOMNE - ANSSI FDTC 2012

  7. Physical Attacks Side-Channel Attacks New Attacks on Classical Countermeasures Fault Attacks Extended Countermeasures Combined Attacks SCA Countermeasures Masking: only family of countermeasures with formal proofs Principle: randomize input of the crypto. operation Based on secret sharing Input is shared in d shares ⇒ masking scheme of order d Attack on Masking: High-Order DSCA A d th order masking scheme can be defeated by a ( d + 1) th order DSCA It consists in combining the handling of the d shares before applying a 1 st order DSCA HO-DSCA complexity is exponential in the masking order 7/ 25 Victor LOMNE - ANSSI FDTC 2012

  8. Physical Attacks Side-Channel Attacks New Attacks on Classical Countermeasures Fault Attacks Extended Countermeasures Combined Attacks Fault Attacks (1/2) Induce a logical error during a crypto. operation Different physical means to induce such an error power glitch, clock glitch, light beam, EM field . . . Exploit few pairs of valid/faulty ciphertexts to retrieve the key A FA requires a Fault Model based on an Invariant 8/ 25 Victor LOMNE - ANSSI FDTC 2012

  9. Physical Attacks Side-Channel Attacks New Attacks on Classical Countermeasures Fault Attacks Extended Countermeasures Combined Attacks Fault Attacks (2/2) Definition A Fault Model is a function f such that: f : x → x ⋆ e (1) x target variable, e fault logical effect and ⋆ a logical operation New classification of FA based on the Invariant FA based on a Fixed Fault Diffusion Pattern [Piret+ 2003] , [Mukhopadhyay+ 2009] . . . FA based on a Fixed Fault Logical Effect Safe Error Attack , [Roche+ 2011] . . . 9/ 25 Victor LOMNE - ANSSI FDTC 2012

  10. Physical Attacks Side-Channel Attacks New Attacks on Classical Countermeasures Fault Attacks Extended Countermeasures Combined Attacks Classical FA Countermeasures (1/2) First classical FA countermeasure: Detection scheme 3 classical Detection schemes: P ′ P P P P I I C ′ C ′ C C C C C = C ′ ? P = P ′ ? C = C ′ ? Full Duplication Encrypt/Decrypt Partial Duplication 10/ 25 Victor LOMNE - ANSSI FDTC 2012

  11. Physical Attacks Side-Channel Attacks New Attacks on Classical Countermeasures Fault Attacks Extended Countermeasures Combined Attacks Classical FA Countermeasures (2/2) Second classical FA countermeasure: Infection scheme Generic sketch exhibiting the Infection CM: S , S ′ the two States D the diffusion function (such as D (0) = 0) S ′ ∆ Γ D () S 11/ 25 Victor LOMNE - ANSSI FDTC 2012

  12. Physical Attacks Side-Channel Attacks New Attacks on Classical Countermeasures Fault Attacks Extended Countermeasures Combined Attacks Combined Attacks (1/2) Consider a secure AES implementation using: A masking scheme such that SCA are unpracticable A duplication countermeasure to avoid FA Is such an implementation really secure ? If one takes each attack path alone yes . . . But if one mixes both attack paths . . . Combined Attacks exploit the side-channel leakage of a faulty encryption to bypass both SCA and FA CM Combined Attack of [Clavier+ 2010 ] Combined Attack of [Roche+ 2011] 12/ 25 Victor LOMNE - ANSSI FDTC 2012

  13. Physical Attacks Side-Channel Attacks New Attacks on Classical Countermeasures Fault Attacks Extended Countermeasures Combined Attacks Combined Attacks (2/2) Example: Combined Attack of [Roche+ 2011] Encrypt N plaintexts P 1 . . . P N and keep the N ciphertexts C 1 . . . C N Encrypt the N plaintexts once again by injecting a fault during the penultimate round of the Key-Schedule and record the leakage traces Ω 1 . . . Ω N Exploit the side-channel leakage of the faulty ciphertext: j ⊕ ˆ e 9 ) ⊕ ˆ k = argmax ( ρ ( HW ( SB ( SB − 1 ( C i k ) ⊕ ˆ k ⊕ ˆ e 10 ) , Ω i )) The attack will work if the fault has the effect of a XOR with a non negligible rate Interestingly enough, up to now only FA based on a Fixed Fault Logical Effect have been extended to CA 13/ 25 Victor LOMNE - ANSSI FDTC 2012

  14. Physical Attacks Side-Channel Attacks New Attacks on Classical Countermeasures Fault Attacks Extended Countermeasures Combined Attacks Combined Attack Countermeasure In [Roche+ 2011] , authors propose to perform a secure comparison to avoid the leakage of the faulty ciphertext: Algorithm 1 Secure Comparison Input: two masked ciphertexts C ⊕ M and C ′ ⊕ M ′ and their respective masks M and M ′ Output: C if C = C ′ , 0 otherwise 1. do a = M ⊕ ( C ′ ⊕ M ′ ) 2. do b = M ′ ⊕ ( C ⊕ M ) 3. if a = b then return C 4. else return 0 14/ 25 Victor LOMNE - ANSSI FDTC 2012

  15. Physical Attacks Combined Attack on Detection CM New Attacks on Classical Countermeasures Fault Attacks on Infection CM Extended Countermeasures On the Need of Randomness Outline 1 Physical Attacks Side-Channel Attacks Fault Attacks Combined Attacks 2 New Attacks on Classical Countermeasures Combined Attack on Detection CM Fault Attacks on Infection CM On the Need of Randomness 3 Extended Countermeasures Secure Detection Secure Infection Summary 15/ 25 Victor LOMNE - ANSSI FDTC 2012

  16. Physical Attacks Combined Attack on Detection CM New Attacks on Classical Countermeasures Fault Attacks on Infection CM Extended Countermeasures On the Need of Randomness Combined Attack on Detection CM New Combined Attack on [Roche+ 2011] countermeasure: At step 3 of algorithm 1, one check if a = b In a lot of architectures, a comparison involves: ⇒ exclusive-or or substraction ⇒ Pr( HW ( a − b ) = HW ( a ⊕ b ) | ( a , b ) ∈ GF (2 8 ) 2 ) > 36% Thus ∆ = ( M ′ ⊕ ( C ⊕ M )) ⊕ ( M ⊕ ( C ′ ⊕ M ′ )) leaks ( C ⊕ C ′ ) Possibility to adapt the CA of Roche et al. to exploit ∆: j ⊕ ˆ e 9 ) ⊕ ˆ k = argmax ( ρ ( HW ( SB ( SB − 1 ( C i e 10 ⊕ C i k ) ⊕ ˆ k ⊕ ˆ j ) , Ω i )) 16/ 25 Victor LOMNE - ANSSI FDTC 2012

  17. Physical Attacks Combined Attack on Detection CM New Attacks on Classical Countermeasures Fault Attacks on Infection CM Extended Countermeasures On the Need of Randomness Fault Attack on Infection CM (1/2) We show that any Deterministic Infection CM is inefficient: If Infection placed before last MixColumns ⇒ inject a fault between Infection and last MixColumns ⇒ case of a classical Piret Attack If Infection placed between last MixColumns & last SubBytes ⇒ inject a fault before the Infection ⇒ leads to a modified Piret Attack exploit the Infection instead of the MixColumns If Infection placed after the last SubBytes ⇒ inject a fault before the MixColumns ⇒ leads to a modified Piret Attack make an hypothesis on 5 bytes instead of 4 17/ 25 Victor LOMNE - ANSSI FDTC 2012

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Stefan Mangard, Florian Mendel, Robert Primas ASIACRYPT 2018 IAIK - Graz University of Technology www.tugraz.at

1.01k views • 78 slides
Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Introduction Threats Setups Attacks Countermeasures Conclusion 1 / 31 Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of Cryptographic Algorithms and Devices for Real-World Applications Sibenik,

849 views • 31 slides
A Classification of SQL Injection Attack Techniques and Countermeasures William G.J. Halfond,

A Classification of SQL Injection Attack Techniques and Countermeasures William G.J. Halfond,

A Classification of SQL Injection Attack Techniques and Countermeasures William G.J. Halfond, Jeremy Viegas & Alessandro Orso Georgia Institute of Technology This work was partially supported by DHS contract FA8750-05-2-0214 and NSF award

425 views • 29 slides
Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com

Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com

Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com Outline Motivation & general mechanisms Side-channel countermeasures Fault countermeasures Conclusions 2 Design and Security of

549 views • 40 slides
EXPERIMENTAL EVALUATION OF TWO SOFTWARE COUNTERMEASURES AGAINST FAULT ATTACKS Nicolas Moro 1,3 ,

EXPERIMENTAL EVALUATION OF TWO SOFTWARE COUNTERMEASURES AGAINST FAULT ATTACKS Nicolas Moro 1,3 ,

EXPERIMENTAL EVALUATION OF TWO SOFTWARE COUNTERMEASURES AGAINST FAULT ATTACKS Nicolas Moro 1,3 , Karine Heydemann 3 , Amine Dehbaoui 2 , Bruno Robisson 1 , Emmanuelle Encrenaz 3 1 CEA Commissariat lEnergie Atomique et aux Energies

679 views • 22 slides
FAULT ATTACKS ON TWO SOFTWARE COUNTERMEASURES Nicolas Moro 1,3 , Karine Heydemann 3 , Amine

FAULT ATTACKS ON TWO SOFTWARE COUNTERMEASURES Nicolas Moro 1,3 , Karine Heydemann 3 , Amine

FAULT ATTACKS ON TWO SOFTWARE COUNTERMEASURES Nicolas Moro 1,3 , Karine Heydemann 3 , Amine Dehbaoui 2 , Bruno Robisson 1 , Emmanuelle Encrenaz 3 1 CEA Commissariat lEnergie Atomique et aux Energies Alternatives 2 ENSM.SE Ecole Nationale

456 views • 22 slides
Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet nadia.el-mrabet@emse.fr Mines St Etienne WRACH2019, April 17, 2019 Side channel attacks Physical counter measures Algorithmic counter measures Arithmetical

900 views • 36 slides
Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir

Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir

Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir 2 , Sylvain Guilley 1 , Fran Pablo Rauzy 1 , Pierre-Yves Strub 2 1 Telecom ParisTech 2 IMDEA Software Institute Crypto Seminar Day @ IMDEA

101 views • 9 slides
Impugning Alleged Randomness Yuri Gurevich Guanajuato, Nov 13, 2014 1 impugn ( mpjun )

Impugning Alleged Randomness Yuri Gurevich Guanajuato, Nov 13, 2014 1 impugn ( mpjun )

Impugning Alleged Randomness Yuri Gurevich Guanajuato, Nov 13, 2014 1 impugn ( mpjun ) vb ( tr ) to challenge or attack as false; assail; criticize from Old French impugner, from Latin impugnre to fight against, attack, from im- +

493 views • 30 slides
Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras

Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras

Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras Side Channel Analysis Electro magnetic Radiation Fault injection Power consumption Timing channels Preventing Side Channel Attacks is

468 views • 34 slides
Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers

Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers

Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August 20, 2016 PROOFS 2016 Sarani Bhattacharya

591 views • 42 slides
Impugning Alleged Randomness Yuri Gurevich Tallinn, April 28, 2014 1 impugn ( mpjun )

Impugning Alleged Randomness Yuri Gurevich Tallinn, April 28, 2014 1 impugn ( mpjun )

Impugning Alleged Randomness Yuri Gurevich Tallinn, April 28, 2014 1 impugn ( mpjun ) vb ( tr ) to challenge or attack as false; assail; criticize from Old French impugner, from Latin impugnre to fight against, attack, from im- +

577 views • 41 slides
Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations

Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations

Introduction Countermeasures Dissection Information Extraction Attack Results Closed Source Evaluation Conclusion Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations Olivier Bronchain Fran

2.22k views • 189 slides
Countermeasures Against High-Order Fault-Injection Attacks on CRT-RSA Pablo Rauzy Sylvain

Countermeasures Against High-Order Fault-Injection Attacks on CRT-RSA Pablo Rauzy Sylvain

Countermeasures Against High-Order Fault-Injection Attacks on CRT-RSA Pablo Rauzy Sylvain Guilley rauzy@enst.fr guilley@enst.fr pablo.rauzy.name perso.enst.fr/ guilley Telecom ParisTech CNRS LTCI / COMELEC / SEN FDTC 2014 Eleventh

460 views • 43 slides
Perturbation attack on modern CPUs, from the fault model to the exploitation Thomas TROUCHKINE 1 ,

Perturbation attack on modern CPUs, from the fault model to the exploitation Thomas TROUCHKINE 1 ,

Perturbation attack on modern CPUs, from the fault model to the exploitation Thomas TROUCHKINE 1 , Guillaume BOUFFARD 1,2 , Jessy CLDIRE 3 1 National Cybersecurity Agency of France (ANSSI) 2 Information Security Group, cole Normale

292 views • 28 slides
Fault attack vulnerability assessment of binary code Cryptography and Security in Computing

Fault attack vulnerability assessment of binary code Cryptography and Security in Computing

Fault attack vulnerability assessment of binary code Cryptography and Security in Computing Systems [CS219], Valencia, Spain January 21, 2019 Jean-Baptiste Brjon Emmanuelle Encrenaz Karine Heydemann Quentin Meunier Son-Tuan Vu Sorbonne

770 views • 34 slides
Questions & Answers Certain Disclosures In keeping with the SEC's "Safe Harbor"

Questions & Answers Certain Disclosures In keeping with the SEC's "Safe Harbor"

Questions & Answers Certain Disclosures In keeping with the SEC's "Safe Harbor" guidelines, certain statements made during this presentation could be considered forward-looking and subject to certain risks and uncertainties that

750 views • 32 slides
Careers Conference for Doctoral Researchers Developing the critical balance for career success

Careers Conference for Doctoral Researchers Developing the critical balance for career success

Careers Conference for Doctoral Researchers Developing the critical balance for career success Jane Hunt CIHE report reactions Main points? Reservations? Outline of this session Explore the elements of the balance Your core

552 views • 21 slides
Disclaimer This presentation may not be copied, published, distributed or transmitted. The

Disclaimer This presentation may not be copied, published, distributed or transmitted. The

F ORTIS H EALTHCARE L IMITED Earnings Presentation Q1FY21 August 14, 2020 Disclaimer This presentation may not be copied, published, distributed or transmitted. The presentation has been prepared solely by the company. Any reference in this

525 views • 30 slides
Soa emlikov Labour Office The Labour Office is an administrative body with nationwide

Soa emlikov Labour Office The Labour Office is an administrative body with nationwide

Career guidance at Labour Offices in the Czech Republic Soa emlikov Labour Office The Labour Office is an administrative body with nationwide authority (Ministry of Labour and Social Affairs) The Labour Office covers 14 regional

338 views • 15 slides
A DE L PHI ST UDY OF COUNT E RME AS URE S T O SE CURIT Y Me linda L yle s T HRE

A DE L PHI ST UDY OF COUNT E RME AS URE S T O SE CURIT Y Me linda L yle s T HRE

A DE L PHI ST UDY OF COUNT E RME AS URE S T O SE CURIT Y Me linda L yle s T HRE AT S IN NE T WORKE D ME DICAL DE VICE S Pro b le m Sta te me nt Purpo se o f the Re se a rc h Re se a rc h Que stio ns

380 views • 13 slides
Current Status of Scenario for Current Status of Scenario for Modelling Contaminant Modelling

Current Status of Scenario for Current Status of Scenario for Modelling Contaminant Modelling

Current Status of Scenario for Current Status of Scenario for Modelling Contaminant Modelling Contaminant Transport and Countermeasures Transport and Countermeasures EMRAS-2 Urban Working Group EMRAS-2 Urban Working Group January 25-29, 2010

772 views • 14 slides
INTERNATIONAL CIVIL AVIATION ORGANIZATION SECOND AFRICA-INDIAN OCEAN (AFI) AVIATION SECURITY AND

INTERNATIONAL CIVIL AVIATION ORGANIZATION SECOND AFRICA-INDIAN OCEAN (AFI) AVIATION SECURITY AND

2 nd AFI SECFAL Symposium/2017 (Cape Verde) 17/05/2017 English Version INTERNATIONAL CIVIL AVIATION ORGANIZATION SECOND AFRICA-INDIAN OCEAN (AFI) AVIATION SECURITY AND FACILITATION SYMPOSIUM (Wednesday, 24 May 2017, Gaborone, Botswana)

315 views • 4 slides
Countermeasures Plan Update UASI Approval Authority Meeting 14 July 2016 Dr. Erica Pan Alameda

Countermeasures Plan Update UASI Approval Authority Meeting 14 July 2016 Dr. Erica Pan Alameda

Bay Area Medical Countermeasures Plan Update UASI Approval Authority Meeting 14 July 2016 Dr. Erica Pan Alameda County Public Health Director, Division of Communicable Disease Control & Prevention and Deputy Public Health Officer

356 views • 6 slides

More recommend