Seminar 6: Side-Channel Attacks, Aleksei Ivanov, Tartu University


MTAT.07.006 Research Seminar in Cryptography

Seminar 6: Side-Channel Attacks

Aleksei Ivanov

Tartu University

aivanov@math.ut.ee

MTAT.07.006 Research Seminar in Cryptography, 24.10.2005 Seminar 6: Side-Channel Attacks, Aleksei Ivanov 1


Overview of the Lecture

  • Types of Information Leakage
  • Attacks
  • Countermeasures


Types of information leakage

  • Execution time leakage
  • Power consumption leakage
  • Electromagnetic radiation leakage
  • Error message leakage
  • Combining side-channels


Types of attacks

  • Passive attacks

The attacker eavesdrops on some side-channel information, which is analysed afterwards to reveal some secret information.

  • Active attacks

The attacker takes an active part in the attack: assuming the attacker is able to make the device deviate from its normal behaviour, the attacker tries to gain additional information by analysing its reactions.


Timing Attacks

  • Cryptanalysis of a Simple Modular Exponentiator
  • Montgomery Multiplication and the CRT


Simple Modular Exponentiator

  • R = y^x mod n
  • values known to the attacker: y, n, computation time
  • x stays the same (unknown to the attacker)
  • attacker knows the design of the target system (information can be obtained via observing system behaviour)
  • attack can be carried out passively by listening on a channel


Montgomery Multiplication and the CRT

  • mod n usually makes the most difference in time (Montgomery multiplication eliminates the operation)
  • the Chinese Remainder Theorem (CRT) is often used for optimization
  • y mod p and y mod q are computed first
  • if y < p then no operation is needed, else some operations might be done and the time differs


Power Consumption Attacks

  • Simple Power Analysis (SPA)
  • Differential Power Analysis (DPA)


Simple Power Analysis (SPA)

  • power consumed varies with the microprocessor instruction being executed
  • only visual analysis


Differential Power Analysis (DPA)

  • consists of visual, statistical and error-correction statistical analysis (also noise filtering)
  • little or no information is needed about the target implementation
  • attacker observes n encryption operations and records k power samples and the ciphertext for each (no plaintext is needed)
  • it is possible to find DES keys in less than 15 traces for most smart cards


Fault Attacks

  • Spike Attacks
  • Glitch Attacks
  • Optical Attacks
  • Differential Fault Analysis (DFA)


Countermeasures

  • General data-independent calculations
  • Blinding
  • Avoiding conditional branching and secret intermediates
  • Licensing modified algorithms


Countermeasures against timing attacks

  • Adding delays
  • Time equalization of multiplication and squaring
  • Making every computation take a fixed amount of time
  • Making every operation constant time
  • Making entire transaction fixed-time
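
The simple modular exponentiator and the "time equalization of multiplication and squaring" countermeasure, side by side, as an added example that is not part of the original slides. Function names and the toy values y = 65, n = 3233 are assumptions made for illustration; operation counts stand in for measured time.

```python
# Added illustration: modular-multiplication counts stand in for execution time.
# Python big-integer arithmetic is not constant-time, so this models the
# algorithmic leak only.

def modexp_naive(y, x, n):
    """Left-to-right square-and-multiply. Returns (y^x mod n, operation count)."""
    r, ops = 1, 0
    for bit in bin(x)[2:]:
        r = (r * r) % n               # squaring on every exponent bit
        ops += 1
        if bit == "1":                # branch on a secret bit
            r = (r * y) % n           # extra multiplication only for 1-bits
            ops += 1
    return r, ops

def modexp_equalized(y, x, n, bits):
    """Square-and-multiply-always over a fixed exponent width of `bits`."""
    r, ops = 1, 0
    for i in reversed(range(bits)):
        bit = (x >> i) & 1
        sq = (r * r) % n
        mul = (sq * y) % n            # computed whether or not it is needed
        ops += 2
        r = bit * mul + (1 - bit) * sq   # arithmetic select, no secret branch
    return r, ops

def op_counts(y, n, exponents, bits):
    """Map each exponent to (naive ops, equalized ops)."""
    return {x: (modexp_naive(y, x, n)[1], modexp_equalized(y, x, n, bits)[1])
            for x in exponents}

if __name__ == "__main__":
    # Constructed toy values: two 8-bit exponents with Hamming weight 2 and 8.
    counts = op_counts(65, 3233, [0b10000001, 0b11111111], 8)
    for x, (naive, fixed) in counts.items():
        print(f"x={x:08b} naive_ops={naive} equalized_ops={fixed}")
```

The naive count tracks the Hamming weight of x, while the equalized variant performs the same number of operations for every exponent of the given width.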


Countermeasures against power analysis attacks

  • Power consumption balancing
  • Reduction of signal size
  • Adding noise
  • Shielding
  • Modification of the algorithm design


Countermeasures against fault attacks

  • Running the encryption twice
  • Checking the output
  • Randomization
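
"Checking the output" applied to an RSA signature computed with the CRT optimization mentioned earlier, as an added example that is not from the original slides. The toy key (p = 61, q = 53, e = 17), the function name and the `fault_mask` test hook are assumptions made for illustration.

```python
# Added illustration: verify-before-release for an RSA-CRT signature.
# Constructed toy key; real keys are far larger. Requires Python 3.8+.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent

class FaultDetected(Exception):
    """Raised when the computed signature fails its self-check."""

def sign_crt(m, fault_mask=0):
    """Sign m with RSA-CRT and release the result only if it verifies.

    fault_mask is a hypothetical test hook: it is XORed into the mod-p
    half-result to model a computation error during signing.
    """
    dp, dq = D % (P - 1), D % (Q - 1)
    sp = pow(m % P, dp, P) ^ fault_mask    # half-signature mod p
    sq = pow(m % Q, dq, Q)                 # half-signature mod q
    q_inv = pow(Q, -1, P)
    h = (q_inv * (sp - sq)) % P
    s = sq + h * Q                         # Garner recombination
    # Countermeasure: recompute with the public exponent before output.
    if pow(s, E, N) != m % N:
        raise FaultDetected("signature failed self-check; output withheld")
    return s

if __name__ == "__main__":
    print("clean signature:", sign_crt(65))
    try:
        sign_crt(65, fault_mask=1)
    except FaultDetected as err:
        print("faulty run blocked:", err)
```

The check costs one public-key exponentiation, which is cheap when e is small, and the faulty value never leaves the device.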


Conclusion

  • Smart cards are most at risk from side-channel attacks
  • Servers are easier to protect against side-channel attacks
  • The subject needs more research
