side channel analysis and embedded systems impact and
play

Side Channel Analysis and Embedded Systems Impact and - PowerPoint PPT Presentation

Apr 27, 2023 •226 likes •653 views

Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Black Hat Europe 2008 Black Hat Europe 2008 Agenda Advances in Embedded Systems Security From USB stick to game console Current attacks

  1. Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Black Hat Europe 2008 Black Hat Europe 2008

  2. Agenda • Advances in Embedded Systems Security – From USB stick to game console – Current attacks – Cryptographic devices • Side Channels explained – Principles – Listening to your hardware – Types of analysis • Attacks and Countermeasures – Breaking a key – Countermeasures theory – Practical implementations Black Hat Europe 2008

  3. Security in embedded systems Black Hat Europe 2008

  4. Trends in embedded hardware security • Preventing debug access – Fuses, Secure access control • Protecting buses and memory components – Flash memories with security, DRAM bus scrambling • Increase in code integrity – Boot loader ROM in CPU, Public key signature checking • Objectives: – Prevent running unauthorized code – Prevent access to confidential information � Effective against most “conventional” attacks Black Hat Europe 2008

  5. Popular ‘hardware’ attacks Black Hat Europe 2008

  6. Towards cryptographic devices • Smart cards represent the ultimate cryptographic device: – Operate in a hostile environment – Perform cryptographic operations on data – Harnessing both the cryptographic operation and the key – Tamper resistant • General purpose processors are incorporating more and more smart card style security • Why not use a smart card? – Also adds complexity – How to communicate securely with it? – Some do (PayTV, TPM etc) Black Hat Europe 2008

  7. Agenda • Advances in Embedded Systems Security – From USB stick to game console – Current attacks – Cryptographic devices • Side Channels explained – Principles – Listening to your hardware – Types of analysis • Attacks and Countermeasures – Breaking a key – Countermeasures theory – Practical implementations Black Hat Europe 2008

  8. Side Channel Analysis • What? – read ‘hidden’ signals • Why? – retrieve secrets • How? – Attack channels – Methods – Tools Black Hat Europe 2008

  9. Attack Channels • Time • Power consumption • Electro-Magnetic radiation • Light emission • Sound Black Hat Europe 2008

  10. Passive versus active attacks • Passive attacks – Only observing the target – Possibly modifying it to execute a specific behavior to observe – Examples : time, power or EM measurements • Active attacks – Manipulating the target or its environment outside of its normal behavior – Uncovering cryptographic keys through ‘fault injection’ – Changing program flow (eg. circumvent code integrity checks) – Examples : Voltage or clock glitching, laser pulse attacks Black Hat Europe 2008

  11. Principle of timing analysis Start Decision Process 1 Process 2 t = 10ms t = 20ms End Black Hat Europe 2008

  12. Principle of power analysis • Semiconductors use current while switching • Shape of power consumption profile reveals activity • Comparison of profiles reveals processes and data • Power is consumed when switching from 1 → 0 or 0 → 1 Black Hat Europe 2008

  13. Principle of electromagnetic analysis • Electric and Magnetic field are related to current • Probe is a coil for magnetic field • Generally the near field (distance << λ ) is most suitable • Adds dimension position compared to the one dimensional power measurement Black Hat Europe 2008

  14. Side channel analysis tools • Probes – Power: Intercept power circuitry with small resistor – EM: Coil with low noise amplifier • Digital storage oscilloscope • High bandwidth amplifier • Computer with analysis and control software Black Hat Europe 2008

  15. XY table for EM analysis Black Hat Europe 2008

  16. Localization with EM • Scanning chip surface with XY table • Display intensity per frequency • Search for optimal location: – CPU frequency – Crypto engine clock – RAM bus driver Black Hat Europe 2008

  17. Demo equipment • CPU: Ti OMAP 5910 150Mhz Black Hat Europe 2008

  18. Listening to your hardware - demo digitized signal analog signal Oscilloscope amplifier EM probe sensor trigger CPU I/O Analysis Embedded Software system Black Hat Europe 2008

  19. Simple Power/EM Analysis • Recover information by inspection of single or averaged traces • Can also be useful for reverse engineering algorithms and implementations Black Hat Europe 2008

  20. Differential Power/EM Analysis • Recover information by inspection difference between traces with different (random) inputs • Use correlation to retrieve information from noisy signals Black Hat Europe 2008

  21. Data/signal correlation Black Hat Europe 2008

  22. Agenda • Advances in Embedded Systems Security – From USB stick to game console – Current attacks – Cryptographic devices • Side Channels explained – Principles – Listening to your hardware – Types of analysis • Attacks and Countermeasures – Breaking a key – Countermeasures theory – Practical implementations Black Hat Europe 2008

  23. Black Hat Europe 2008 Secure CPUs

  24. Breaking a key - demo • Example breaking a DES key with a differential attack • Starting a measurement • Explaining DES analysis • Showing results Black Hat Europe 2008

  25. DES 16 rounds • Input and output are 64 bits • Key K is 56 bits round keys are 48 bits • Cipher function F mixes input and round key Black Hat Europe 2008

  26. F- function S box 1 Round key S box 2 E P permutation permutation 48 32 → 48 32 → 32 S box 8 8 * (6 → 4) Black Hat Europe 2008

  27. DPA on DES Round key Bit 1 6 S box i Bit 4 E • Simulate DES algorithm based on input bits and permutation hypotheses k. 48 32 → 48 • Select one S-Box, and one output bit x . Bit x depends on only 6 key bits. • Calculate differential trace for the 64 different values of k. • Incorrect guess will show noise, correct guess will show peaks. Black Hat Europe 2008

  28. DPA on DES results Black Hat Europe 2008

  29. Countermeasures • Decrease leakage – Balance processing of values – Limit number of operations per key • Increase noise – Introduce timing variations in processing – Use hardware means Black Hat Europe 2008

  30. Countermeasures concepts • Passive Side channel attacks: – Hiding: Break relation between processed value and power consumption – Masking / Blinding: Break relation between algorithmic value and processed value Measured value Masking Hiding Algorithmic Processed value value (at guessed position) Black Hat Europe 2008

  31. Countermeasure examples • Change the crypto protocol to use key material only for a limited amount of operations. For instance, use short lived session keys based on a hash of an initial key. Example: Source: Kocher, P. Design and Validation Strategies for Obtaining Assurance in Countermeasures to Power Analysis and Related Attacks Black Hat Europe 2008

  32. Countermeasure examples • Remove any execution time dependence on data and key. Do not forget cache timing and branch prediction. Also remove conditional execution that depends on the key. • Randomly insert instructions with no effect on the algorithm. Use different instructions that are hard to recognize in a trace default MOV XOR ADD INC CMP random MOV NOP XOR ADD NOP INC NOP CMP random MOV XOR NOP ADD INC CMP Black Hat Europe 2008

  33. Countermeasure examples • Shuffling: Changing the order of independent operations (for instance S-box calculations) per round. This reduces correlation with a factor equal to the number of shuffled operations Sbox Sbox Sbox Sbox Sbox Sbox Sbox Sbox default 1 2 3 4 5 6 7 8 Sbox Sbox Sbox Sbox Sbox Sbox Sbox Sbox random 4 8 1 3 6 5 2 7 • Implement a masked version of the cryptographic algorithm. Examples can be found in research literature for common algorithms (RSA, AES). Black Hat Europe 2008

  34. Countermeasure demos • Simple analysis of unprotected trace • Effect of randomly inserting NOP instructions • Effect of making RSA square-multiply constant Black Hat Europe 2008

  35. SPA attack on RSA Key bits revealed signal processing to high-light dips variation of interval between dips 1 0 1 0 1 0 0 1 0 key bits revealed Black Hat Europe 2008

  36. RSA implementations • Algorithm for M=c d , with d i is exponent bits (0 ≤ i ≤ t ) – M := 1 – For i from t down to 0 do: • M := M * M • If d i = 1, then M := M*C • Algorithm for M=c d , with d i group of exponent bits (0 ≤ i ≤ t ) – Precompute multipliers C i – M := 1 – For i from t down to 0 do: • For j = 1 to groupSize: M := M * M • M := M* C i Black Hat Europe 2008

  37. Example: RSA message blinding Normal encryption: M = C d mod n under condition: • – n = p·q – e·d = 1 mod lcm( p -1, q -1) Choose a random r, then C r = C r e mod n • d mod n = C d r mod n • Perform RSA: M r = C r • M = M r r -1 mod n • During the RSA operation itself the operations with exponent d do not depend on C Black Hat Europe 2008

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Black Hat DC

Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Black Hat DC

Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Black Hat DC February 21, 2008 Black Hat USA 2007 Agenda Advances in Embedded Systems Security From USB stick to game console Current

673 views • 42 slides
Side-Channel Analysis (SCA) A comparative approach on smart cards, embedded systems, and high

Side-Channel Analysis (SCA) A comparative approach on smart cards, embedded systems, and high

Side-Channel Analysis (SCA) A comparative approach on smart cards, embedded systems, and high security solutions Rohde &amp; Schwarz SIT GmbH Stuttgart/Germany Dr. Torsten Schtze Workshop on Applied Cryptography Lightweight

595 views • 15 slides
Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA

Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA

Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA August 2, 2007 Black Hat USA 2007 Agenda Advances in Embedded Systems Security From USB stick to game console Current attacks

533 views • 41 slides
Profiled Side-Channel Analysis Guilherme Perin , Lukasz Chmielewski, Stjepan Picek In

Profiled Side-Channel Analysis Guilherme Perin , Lukasz Chmielewski, Stjepan Picek In

Conference on Cryptographic Hardware and Embedded Systems (CHES) 2020 Strength in Numbers: Improving Generalization with Ensembles in Machine Learning-based Profiled Side-Channel Analysis Guilherme Perin , Lukasz Chmielewski, Stjepan Picek In

468 views • 25 slides
Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curves Side-Channel Countermeasures Conclusion Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks Vincent Verneuil 1 , 2 1 Inside Secure 2 Institut de Math ematiques de Bordeaux S

2.22k views • 188 slides
Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with Stjepan Picek, Sylvain Guilley, Alan Jovic, Shivam Bhasin, Tania Richmond, Karlo Knezevic In this talk Short recap on side-channel analysis

4.52k views • 56 slides
+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel Architectures WAMOS 2015 Advanced Opera3ng Systems Hochschule RheinMain Alexander Baumgrtner and

539 views • 25 slides
Cross-Channel Scripting e t u p m Impact on Embedded Web Interfaces o C d r o f Hristo

Cross-Channel Scripting e t u p m Impact on Embedded Web Interfaces o C d r o f Hristo

b a L y t i r u c e S r Cross-Channel Scripting e t u p m Impact on Embedded Web Interfaces o C d r o f Hristo Bojinov Elie Bursztein Dan Boneh n a Stanford Computer Security Lab t S Cross-channel scripting

1.09k views • 68 slides
Glitching and Side-Channel Analysis for All Colin OFlynn NewAE Technology Inc. RECON 2015

Glitching and Side-Channel Analysis for All Colin OFlynn NewAE Technology Inc. RECON 2015

Glitching and Side-Channel Analysis for All Colin OFlynn NewAE Technology Inc. RECON 2015 Montreal, QC. Overview W.t.f is side-channel power analysis (again) Example: IEEE 802.15.4 Node Example: AES-256 Bootloader W.t.f.

633 views • 47 slides
Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December

Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December

Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December 2010 Amir Moradi E Embedded Security Group, Ruhr University Bochum b dd d S it G R h U i it B h m, Germany G Embedded Security Group Outline

495 views • 26 slides
Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of

Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of

Plaintext: A Missing Feature for Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of side-channel countermeasures Anh-Tuan Hoang, Neil Hanley and Mire ONeill CHES 2020 14-18 September 2020 Outline

620 views • 21 slides
A Comprehensive Study of Deep Learning for Side-Channel Analysis c Masure 1,3 ecile Dumas 1

A Comprehensive Study of Deep Learning for Side-Channel Analysis c Masure 1,3 ecile Dumas 1

A Comprehensive Study of Deep Learning for Side-Channel Analysis A Comprehensive Study of Deep Learning for Side-Channel Analysis c Masure 1,3 ecile Dumas 1 Emmanuel Prouff 2, 3 Lo C 1 Univ. Grenoble Alpes, CEA, LETI, DSYS, CESTI, F-38000

1.39k views • 86 slides
Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018 Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

824 views • 48 slides
Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

8 + Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu Rivain 1 , 2 , Emmanuelle Dottax 1 &amp; Emmanuel Prouff 1 Oberthur Card Systems University of Luxembourg February 11, 2008 M. Rivain, E.

812 views • 64 slides
The impact of side-channel attacks on the design of cryptosystems D. J. Bernstein University of

The impact of side-channel attacks on the design of cryptosystems D. J. Bernstein University of

The impact of side-channel attacks on the design of cryptosystems D. J. Bernstein University of Illinois at Chicago The standard model of senders, receivers, attackers, etc.: 1. Parties perform computation, send messages to other parties.

550 views • 32 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
CEIS Review, Inc. Consulting Services to the Financial Community Loan Review Programs Loan Loss

CEIS Review, Inc. Consulting Services to the Financial Community Loan Review Programs Loan Loss

CEIS Review, Inc. Consulting Services to the Financial Community Loan Review Programs Loan Loss Reserve General &amp; Specialized ALLL Methodology Validation Acquisition Due Diligence ALLL Methodology Refjnement Portfolio Stress Testing

382 views • 17 slides
As Semiconductor Devices Shrink so do their Reliability and Lifetimes National Software and

As Semiconductor Devices Shrink so do their Reliability and Lifetimes National Software and

As Semiconductor Devices Shrink so do their Reliability and Lifetimes National Software and Airborne Electronic Hardware Standardization Conference August 20-21 Denver, CO Lloyd Condra, Boeing Gary Horan, FAA Bill Scofield, Boeing Outline

316 views • 21 slides
28 28 29 ential diagnosis to establish cause and effect. In one Frye expert testimony to

28 28 29 ential diagnosis to establish cause and effect. In one Frye expert testimony to

28 28 29 ential diagnosis to establish cause and effect. In one Frye expert testimony to establish injury and causation is the most frequent type of expert testimony among all cases. 2 Through an analysis of recent decisions, this article

440 views • 7 slides
Edited Transcript 3Q 2015 Earnings Release Conference Call with Investors and Analysts 2 November

Edited Transcript 3Q 2015 Earnings Release Conference Call with Investors and Analysts 2 November

Edited Transcript 3Q 2015 Earnings Release Conference Call with Investors and Analysts 2 November 2015, 8.30am GMT Corporate participants: Douglas Flint, Group Chairman Stuart Gulliver, Group Chief Executive Iain Mackay, Group Finance Director

800 views • 15 slides
G N R I N U N S ! O R A T A Y N L E P R E Y O D R F U O CLASS OF

G N R I N U N S ! O R A T A Y N L E P R E Y O D R F U O CLASS OF

G N R I N U N S ! O R A T A Y N L E P R E Y O D R F U O CLASS OF 2021 T I S N E S LEARNING OUTCOMES Parents/Guardians (and Students) will... understand graduation requirements, and UC/CSU requirements

939 views • 51 slides
Treating the the Untreatable Untreatable: : Treating Schema Therapy Therapy for for Schema

Treating the the Untreatable Untreatable: : Treating Schema Therapy Therapy for for Schema

Treating the the Untreatable Untreatable: : Treating Schema Therapy Therapy for for Schema Psychopaths and and Other Other Psychopaths Forensic Personality Personality Disorder Disorder Forensic Patients Patients David P.

390 views • 16 slides
TLS Security EPL682 Neophytos Christou What is TLS? - Cryptographic protocols that provide

TLS Security EPL682 Neophytos Christou What is TLS? - Cryptographic protocols that provide

TLS Security EPL682 Neophytos Christou What is TLS? - Cryptographic protocols that provide secure communication on the internet - Consists of two phases: - TLS Handshake protocol: agree on the cipher suite that will be used to encrypt

320 views • 31 slides
HALF YEAR RESULTS PRESENTATION Good Revenue Growth Momentum 7 August 2018 CAUTIONARY STATEMENT

HALF YEAR RESULTS PRESENTATION Good Revenue Growth Momentum 7 August 2018 CAUTIONARY STATEMENT

2018 HALF YEAR RESULTS PRESENTATION Good Revenue Growth Momentum 7 August 2018 CAUTIONARY STATEMENT REGARDING FORWARD-LOOKING STATEMENTS This presentation contains certain forward-looking statements with respect to the financial condition,

650 views • 39 slides

More recommend