
Overview of Countermeasures against Implementation Attacks

  1. Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com

  2. Outline
     – Motivation & general mechanisms
     – Side-channel countermeasures
     – Fault countermeasures
     – Conclusions

     Design and Security of Cryptographic Functions, Algorithms and Devices. Marcel Medwed, Albena, May 2013

  3. Motivation
     Sensitive applications require certification
       – Pay TV, Banking,...
       – e.g. CC EAL5+
       – Semi-formal evidence for security
       – Standard portfolio of attacks
         • SCA
         • Fault analysis, probing
         • …
     Cost security tradeoff

  4. General Mechanisms
     [Diagram: an encryption c = E_k(m) over messages m_1, m_2, ..., m_n; labels on the diagram: Timing, Instantaneous Leakage, Faults, Probing, Constant, Detection, Limit measurements, Low SNR, Independence, Shielding, Dependence]

  5. Side-Channel Countermeasures
     – Data independent timing
     – Hiding
     – Masking
     – Regular key updates
     – Dependent leakage

  6. Data Independent Timing
     Data dependent branches
       – Reduction, Compiler
         • Use regular algorithms
         • Use assembly code
     Architectural features
       – e.g. ARM7 multiplier
         • time(0xFFFF*Op2) > time(0xFF*Op2)
       – Cache
       – Code alignment
         • Prefetch / Branch

  7. Instantaneous Leakage - Preliminaries
     Leakage trace
       – Vector of t leakage samples
     Sensitive variable v
       – Depends on key and input
     → Observe noisy function of v
       – For some i,
       – E.g. L = Hamming weight
       – Normal distributed noise
     Univariate, First-order, Hamming weight
       – Templates and Correlation are asymptotically equivalent

  8. Hiding in General
     In each clock cycle, consume either
       – (close to) random power → increase n
       – (close to) constant power → L(v) ~ const.
     Hiding only decreases the SNR
     Hiding dimensions
       – Time
       – Amplitude

  9. Hiding in Time with Shuffling (1)
     Time
       – Insertion of dummy operations
       – Shuffling
     [Figure: several observations of the operations S1 to S4 executed in randomized order and interleaved with dummy operations D; axes: time, observations]

  10. Hiding in Time with Shuffling (2)
      Effect of time randomization with k positions
        – Sample from with probability 1/k
      Plain attack
        – Correlation ~ k
        – k^2 traces
      Integration over all k positions
        – Noise increases linearly
        – Correlation ~ k^(-1/2)
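
Added example (not from the original slides): a simulation of shuffling k independent byte operations with Hamming-weight leakage, comparing an attack on one fixed time sample with integration over all k samples. The leakage model, the noise parameter and the function names are assumptions made for the illustration.

```python
import math
import random

def hw(x):
    """Hamming weight of an integer."""
    return bin(x).count("1")

def pearson(xs, ys):
    """Sample Pearson correlation of two equally long sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)

def shuffled_correlations(k, n_traces=20000, noise_sd=0.0, seed=1):
    """Return (plain, integrated) correlation with HW(v) for k shuffled slots."""
    rng = random.Random(seed)
    model, plain, integrated = [], [], []
    for _ in range(n_traces):
        ops = [rng.randrange(256) for _ in range(k)]  # k independent byte operations
        v = ops[0]                                    # the targeted sensitive value
        rng.shuffle(ops)                              # random execution order
        trace = [hw(b) + rng.gauss(0, noise_sd) for b in ops]
        model.append(hw(v))
        plain.append(trace[0])         # evaluator looks at one fixed time sample
        integrated.append(sum(trace))  # evaluator sums all k candidate samples
    return pearson(model, plain), pearson(model, integrated)

if __name__ == "__main__":
    for k in (1, 4, 16):
        p, i = shuffled_correlations(k)
        print(f"k={k:2d}  plain={p:.3f}  integrated={i:.3f}")
```

In this model the fixed-sample correlation shrinks by a factor of k while the integrated one shrinks only by the square root of k, which is why shuffling has to be evaluated against the integrating attack.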

  11. Hiding in Amplitude
      Peripheral activity
        – ADCs
        – Co-processors
      Memory addresses
        – of dummy registers
        – of key dependent registers
      Random precharge of bus
        – Pure HD leakage?

  12. Hiding in Hardware
      Time
        – Dummy instructions
        – Shuffling
        – Random jitters
      Amplitude
        – Filters
          • Switching capacitors
          • Constant drain circuits
        – Noise generation engines
        – Parallelization
        – Pipelining / Unrolling
        – Dynamic reconfiguration (FPGAs)

  13. Hiding at Cell Level
      Dual-rail precharge logic styles

      Single rail (signals a, b, q)
        Trans.     l
        0 → 0      0
        0 → 1      1
        1 → 0      1
        1 → 1      0

      Dual rail (signals a, ¬a, b, ¬b, q, ¬q)
        Trans.     l
        10 → 00    1
        01 → 00    1
        00 → 10    1
        00 → 01    1

      → Talk by Ingrid Verbauwhede

  14. Conclusions for Hiding
      Decrease the SNR
        – Increase noise
        – Decrease signal
      Only minor changes to the algorithms
      Noise is essential for masking!
      EM measurements can overcome many hiding countermeasures
        – Shuffling / dummy operations are strong but
        – Which resources are used?
        – Exact same behavior of circuit?

  15. Masking
      Randomized redundant representation
        – nth-order masking
        – All n-1 intermediate variables are independent of v
        – Adversary needs to
          • identify n leakage samples
          • and combine their information
      Challenge
        – Usually achieving is not straightforward

  16. Masking Few Bits (1)
      Assume little structure (e.g. block cipher)
        – Boolean masking
          • Alternatively
        – Multiplicative masking (zero-value problem)
          •
        – Affine Masking
          •

  17. Masking Few Bits (2)
      Marginal PDFs are independent → joint PDF
      [Figure: joint PDFs for W_H(v) = 0 and W_H(v) = 4; axes W_H(v_1) and W_H(v_2)]
      Effect
        – k shares, sufficient noise
        – Number of traces relates to
        – Combination results in additional loss
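
Added example (not from the original slides): an exhaustive enumeration for a 4-bit value split into two Boolean shares, showing that each share's Hamming weight has the same distribution for every v while the joint distribution and the centered product depend on W_H(v). The 4-bit width, the two-share Boolean encoding and the function names are assumptions chosen to match the W_H(v) = 0 and W_H(v) = 4 panels.

```python
from collections import Counter
from fractions import Fraction

N_BITS = 4  # width of the toy sensitive value (assumption)

def hw(x):
    """Hamming weight of an integer."""
    return bin(x).count("1")

def share_weights(v):
    """All (W_H(v1), W_H(v2)) pairs for shares v1 ^ v2 = v with v1 uniform."""
    return [(hw(m), hw(v ^ m)) for m in range(1 << N_BITS)]

def marginals(v):
    """Distribution of each share's Hamming weight taken on its own."""
    pairs = share_weights(v)
    return Counter(a for a, _ in pairs), Counter(b for _, b in pairs)

def joint(v):
    """Joint distribution of the two shares' Hamming weights."""
    return Counter(share_weights(v))

def centered_product_mean(v):
    """Mean of (W_H(v1) - mean) * (W_H(v2) - mean), a second-order combination."""
    pairs = share_weights(v)
    mean = Fraction(N_BITS, 2)
    return sum((a - mean) * (b - mean) for a, b in pairs) / len(pairs)

if __name__ == "__main__":
    for v in (0x0, 0x1, 0x3, 0x7, 0xF):
        print(f"W_H(v)={hw(v)}  marginal={sorted(marginals(v)[0].items())}  "
              f"combined mean={centered_product_mean(v)}")
```

The marginals are identical for all 16 values, so a first-order evaluation sees nothing, while the combined statistic is an affine function of W_H(v) and separates the classes.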

  18. Masking Few Bits (3)
      [Figure; curve labels: Combined, Only masking, Only shuffling]

  19. Masking in Software (1)
      First-order masking → Lookup tables
      Higher order masking
        – Secure table computation for 2nd order masking
        – Test all subsets!
      Check Hamming distance
        – Buses, registers,...
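
Added example (not from the original slides): first-order Boolean masking of a table lookup by recomputing the table for a fresh mask pair, followed by the two checks the slide asks for, namely that every single masked value is distributed independently of v and that a register transition does not cancel the mask. The 4-bit PRESENT S-box stands in for the cipher's table, and the function names and the register-overwrite scenario are assumptions made for the illustration.

```python
from collections import Counter

# 4-bit S-box of the PRESENT cipher, used only as a small example table.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def recompute_table(m_in, m_out):
    """Masked table T with T[x ^ m_in] = SBOX[x] ^ m_out (built per mask pair)."""
    table = [0] * 16
    for x in range(16):
        table[x ^ m_in] = SBOX[x] ^ m_out
    return table

def masked_lookup(v, m_in, m_out):
    """Process v only in masked form; returns SBOX[v] ^ m_out."""
    return recompute_table(m_in, m_out)[v ^ m_in]

def single_value_distributions(v):
    """Distributions of the masked input and masked output over all mask pairs."""
    d_in, d_out = Counter(), Counter()
    for m_in in range(16):
        for m_out in range(16):
            d_in[v ^ m_in] += 1
            d_out[masked_lookup(v, m_in, m_out)] += 1
    return d_in, d_out

def register_overwrite_values(v):
    """Hamming-distance check: old XOR new when the masked output overwrites a
    register that still holds m_out. A one-element result means the mask cancels."""
    return {m_out ^ masked_lookup(v, m_in, m_out)
            for m_in in range(16) for m_out in range(16)}

if __name__ == "__main__":
    print(single_value_distributions(0x3) == single_value_distributions(0xA))
    print(register_overwrite_values(0x3), {SBOX[0x3]})
```

Each masked value on its own is uniform, yet the register transition in the second check always equals S(v), so a Hamming-distance leak at that point is unmasked and the register allocation has to be changed.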

  20. Masking in Software (2)
      Rivain and Prouff – CHES10
        – Provable secure masking for AES with arbitrary order
        – Based on Private Circuits
      Genelle, Prouff, and M. Quisquater – CHES11
        – Combination of additive and multiplicative masking
      Cycle counts for a masked AES
        – Pay for security directly in execution time

        Masking order    AES cycles
        w/o masking           2 000
        1                    25 000
        2                    69 000
        3                   180 000

  21. Masking in Hardware (1)
      [Figure: Masked S-box; labels: v m, S(v) m', m', m]
      Unclear what synthesizer does
        – Unintentional unmasking
        – Unintentional combination function
      Data dependent phenomena
        – Glitches
        – Early propagation
        – Cross-talk

  22. Masking in Hardware (2)
      Nikova et al.
        – Threshold implementation
        – Independent processing of subset of shares
      [Figure: shares v_1, v_2, v_3 processed by functions f_1 to f_6, with intermediate shares y_1, y_2, y_3 and z_1, z_2, z_3]
      If shares processed in parallel
        – Univariate leakage
        – But still higher order attack
      → Talk by Svetla Nikova

  23. Flawed Masking
      Can only provide a constant factor
      Do you measure right or left of the line, how bad is your flaw?
      Taken from http://perso.uclouvain.be/fstandae/PUBLIS/107_slides.pdf
      Test: Does your second-order attack work better than your first-order one?

  24. Masked Logic Styles
      Remove requirement for balanced routing
        – Average power consumption is constant (in theory)
        – E.g. MDPL NAND gate

        a_m  b_m  m   ¬a_m  ¬b_m  ¬m   q   ¬q
         0    0   0    1     1    1    1   0
         0    1   0    1     0    1    1   0
         1    0   0    0     1    1    1   0
         1    1   0    0     0    1    0   1
         0    0   1    1     1    0    1   0
         0    1   1    1     0    0    0   1
         1    0   1    0     1    0    0   1
         1    1   1    0     0    0    0   1

      [Figure: MDPL NAND gate schematic; labels: MAJ, SR, a_m, b_m, m, q, ¬a_m, ¬b_m, ¬m, ¬q]

  25. Exploiting Algebraic Structures
      – Scalar blinding
      – Message blinding
      – Embeddings

  26. Using Inherent Redundancy
      ECC point projection
        – Originally to avoid inversions
        – Free randomization

  27. Conclusions for Masking
      Take care of
        – Unintentional unmasking
        – Glitches
        – Lower order leakages
      For small mask widths
        – PDFs can be estimated
        – But exponential increase in data complexity
      For large mask widths (PKC)
        – Inexpensive and very effective
        – But complex operations → Additive masking of multiplicative masking,…
