side channel attacks and countermeasures for embedded
play

Side Channel Attacks and Countermeasures for Embedded Systems Job - PowerPoint PPT Presentation

Sep 26, 2023 •111 likes •533 views

Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA August 2, 2007 Black Hat USA 2007 Agenda Advances in Embedded Systems Security From USB stick to game console Current attacks

  1. Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA August 2, 2007 Black Hat USA 2007

  2. Agenda • Advances in Embedded Systems Security – From USB stick to game console – Current attacks – Cryptographic devices • Side Channels explained – Principles – Listening to your hardware – Types of analysis • Attacks and Countermeasures – Breaking a key – Countermeasures theory – Practical implementations Black Hat USA 2007

  3. Security in embedded systems Black Hat USA 2007

  4. Trends in embedded hardware security • Preventing debug access – Fuses, Secure access control • Protecting buses and memory components – Flash memories with security, DRAM bus scrambling • Increase in code integrity – Boot loader ROM in CPU, Public key signature checking • Objectives: – Prevent running unauthorized code – Prevent access to confidential information � Effective against most “conventional” attacks Black Hat USA 2007

  5. Popular ‘hardware’ attacks Black Hat USA 2007

  6. Attacks on glue and BGA • Cheap BGA reballing in phone unlocking and repair • Glue can be removed with chemicals or hot air (See also Joe Grand’s BH presentations on hardware attacks) Black Hat USA 2007

  7. Towards cryptographic devices • Smart cards represent the ultimate cryptographic device: – Operate in a hostile environment – Perform cryptographic operations on data – Harnessing both the cryptographic operation and the key – Tamper resistant • General purpose processors are incorporating more and more smart card style security • Why not use a smart card? – Also adds complexity – How to communicate securely with it? – Some do (PayTV, TPM etc) Black Hat USA 2007

  8. Agenda • Advances in Embedded Systems Security – From USB stick to game console – Current attacks – Cryptographic devices • Side Channels explained – Principles – Listening to your hardware – Types of analysis • Attacks and Countermeasures – Breaking a key – Countermeasures theory – Practical implementations Black Hat USA 2007

  9. Side Channel Analysis • What? – read ‘hidden’ signals • Why? – retrieve secrets • How? – Attack channels – Methods – Tools Black Hat USA 2007

  10. Attack Channels • Time • Power consumption • Electro-Magnetic radiation • Light emission • Sound Black Hat USA 2007

  11. Passive versus active attacks • Passive attacks – Only observing the target – Possibly modifying it to execute a specific behavior to observe – Examples : time, power or EM measurements • Active attacks – Manipulating the target or its environment outside of its normal behavior – Uncovering cryptographic keys through ‘fault injection’ – Changing program flow (eg. circumvent code integrity checks) – Examples : Voltage or clock glitching, laser pulse attacks Black Hat USA 2007

  12. Principle of timing analysis Start Start Start Decision Decision Decision Process 1 Process 2 Process 1 Process 2 t = 10ms t = 20ms t = 10ms t = 20ms Process 1 Process 2 End End End Black Hat USA 2007

  13. Principle of power analysis • Semiconductors use current while switching • Shape of power consumption profile reveals activity • Comparison of profiles reveals processes and data • Power is consumed when switching from 1 → 0 or 0 → 1 Black Hat USA 2007

  14. Principle of electromagnetic analysis • Electric and Magnetic field are related to current • Probe is a coil for magnetic field • Generally the near field (distance << λ ) is most suitable • Adds dimension position compared to the one dimensional power measurement Black Hat USA 2007

  15. Side channel analysis tools • Probes – Power: Intercept power circuitry with small resistor – EM: Coil with low noise amplifier • Digital storage oscilloscope • High bandwidth amplifier • Computer with analysis and control software Black Hat USA 2007

  16. Test equipment • CPU: Ti OMAP 5912 150Mhz Black Hat USA 2007

  17. Listening to your hardware - demo digitized signal analog signal Oscilloscope amplifier EM probe sensor trigger CPU I/O Analysis Embedded Software system Black Hat USA 2007

  18. Simple Power/EM Analysis • Recover information by inspection of single or averaged traces • Can also be useful for reverse engineering algorithms and implementations Black Hat USA 2007

  19. Differential Power/EM Analysis • Recover information by inspection difference between traces with different (random) inputs • Use correlation to retrieve information from noisy signals Black Hat USA 2007

  20. Data/signal correlation Black Hat USA 2007

  21. Agenda • Advances in Embedded Systems Security – From USB stick to game console – Current attacks – Cryptographic devices • Side Channels explained – Principles – Listening to your hardware – Types of analysis • Attacks and Countermeasures – Breaking a key – Countermeasures theory – Practical implementations Black Hat USA 2007

  22. Black Hat USA 2007 Secure CPUs

  23. Breaking a key - demo • Example breaking a DES key with a differential attack • Starting a measurement • Explaining DES analysis • Showing results Black Hat USA 2007

  24. DES 16 rounds • Input and output are 64 bits • Key K is 56 bits round keys are 48 bits • Cipher function F mixes input and round key Black Hat USA 2007

  25. F- function S box 1 Round key S box 2 E P permutation permutation 48 32 → 48 32 → 32 S box 8 8 * (6 → 4) Black Hat USA 2007

  26. DPA on DES Round key Bit 1 6 S box i Bit 4 E • Simulate DES algorithm based on input bits and permutation 48 hypotheses k. 32 → 48 • Select one S-Box, and one output bit x . Bit x depends on only 6 key bits. • Calculate differential trace for the 64 different values of k. • Incorrect guess will show noise, correct guess will show peaks. Black Hat USA 2007

  27. Black Hat USA 2007 DPA on DES results

  28. Countermeasures • Decrease leakage – Balance processing of values – Limit number of operations per key • Increase noise – Introduce timing variations in processing – Use hardware means Black Hat USA 2007

  29. Countermeasures concepts • Passive Side channel attacks: – Hiding: Break relation between processed value and power consumption – Masking / Blinding: Break relation between algorithmic value and processed value Measured Masking value Hiding Algorithmic Processed value value (at guessed position) Black Hat USA 2007

  30. Countermeasure examples • Change the crypto protocol to use key material only for a limited amount of operations. For instance, use short lived session keys based on a hash of an initial key. Example: Source: Kocher, P. Design and Validation Strategies for Obtaining Assurance in Countermeasures to Power Analysis and Related Attacks Black Hat USA 2007

  31. Countermeasure examples • Remove any execution time dependence on data and key. Do not forget cache timing and branch prediction. Also remove conditional execution that depends on the key. • Randomly insert instructions with no effect on the algorithm. Use different instructions that are hard to recognize in a trace default MOV XOR ADD INC CMP random MOV NOP XOR ADD NOP INC NOP CMP random MOV XOR NOP ADD INC CMP Black Hat USA 2007

  32. Countermeasure examples • Shuffling: Changing the order of independent operations (for instance S-box calculations) per round. This reduces correlation with a factor equal to the number of shuffled operations Sbox Sbox Sbox Sbox Sbox Sbox Sbox Sbox default 1 2 3 4 5 6 7 8 random Sbox Sbox Sbox Sbox Sbox Sbox Sbox Sbox 4 8 1 3 6 5 2 7 • Implement a masked version of the cryptographic algorithm. Examples can be found in research literature for common algorithms (RSA, AES). Black Hat USA 2007

  33. Countermeasure demos • Simple analysis of unprotected trace • Effect of randomly inserting NOP instructions • Effect of making RSA square-multiply constant Black Hat USA 2007

  34. SPA attack on RSA Key bits revealed signal processing to high-light dips variation of interval between dips 1 0 1 0 1 0 0 0 1 0 1 0 1 0 1 0 1 0 key bits revealed Black Hat USA 2007

  35. RSA implementations • Algorithm for M=c d , with d i is exponent bits (0 ≤ i ≤ t ) – M := 1 – For i from t down to 0 do: • M := M * M • If d i = 1, then M := M*C • Algorithm for M=c d , with d i group of exponent bits (0 ≤ i ≤ t ) – Precompute multipliers C i – M := 1 – For i from t down to 0 do: • For j = 1 to groupSize: M := M * M • M := M* C i Black Hat USA 2007

  36. Example: RSA message blinding • Normal encryption: M = C d mod n under condition: – n = p·q – e·d = 1 mod lcm( p -1, q -1) • Choose a random r, then C r = C r e mod n • Perform RSA: M r = C r d mod n = C d r mod n • M = M r r -1 mod n • During the RSA operation itself the operations with exponent d do not depend on C Black Hat USA 2007

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curves Side-Channel Countermeasures Conclusion Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks Vincent Verneuil 1 , 2 1 Inside Secure 2 Institut de Math ematiques de Bordeaux S

2.22k views • 188 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer ESC 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

476 views • 33 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer FSE 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

635 views • 30 slides
Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Black Hat

Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Black Hat

Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Black Hat Europe 2008 Black Hat Europe 2008 Agenda Advances in Embedded Systems Security From USB stick to game console Current attacks

653 views • 42 slides
Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet nadia.el-mrabet@emse.fr Mines St Etienne WRACH2019, April 17, 2019 Side channel attacks Physical counter measures Algorithmic counter measures Arithmetical

900 views • 36 slides
HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference Mangard et. al, &quot;Power Analysis Attacks, Revealing the Secrets of Smart Cards&quot;, Springer, 2009 Power analysis attacks are effective because the

479 views • 19 slides
Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Black Hat DC

Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Black Hat DC

Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Black Hat DC February 21, 2008 Black Hat USA 2007 Agenda Advances in Embedded Systems Security From USB stick to game console Current

673 views • 42 slides
Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com

Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com

Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com Outline Motivation &amp; general mechanisms Side-channel countermeasures Fault countermeasures Conclusions 2 Design and Security of

549 views • 40 slides
Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December

Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December

Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December 2010 Amir Moradi E Embedded Security Group, Ruhr University Bochum b dd d S it G R h U i it B h m, Germany G Embedded Security Group Outline

495 views • 26 slides
Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018 Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

824 views • 48 slides
Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations

Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations

Introduction Countermeasures Dissection Information Extraction Attack Results Closed Source Evaluation Conclusion Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations Olivier Bronchain Fran

2.22k views • 189 slides
Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures

Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures

Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures Dahmun Goudarzi, Matthieu Rivain, Srinivas Vivek, and Damien Vergnaud Background 2 Secure Software S-box Implementations Higher-Order

636 views • 25 slides
HOST SCA Countermeasures II ECE 525 Introduction We propose a technique called Side-channel

HOST SCA Countermeasures II ECE 525 Introduction We propose a technique called Side-channel

HOST SCA Countermeasures II ECE 525 Introduction We propose a technique called Side-channel Power Resistance for Encryption Algo- rithms using Dynamic Partial Reconfiguration or SPREAD As a countermeasure to DPA, CPA and other types of

689 views • 10 slides
Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI

Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI

Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI Laboratory for Embedded Security Emmanuel Prouff emmanuel.prouff@ssi.gouv.fr Agence Nationale de la S ecurit e des Syst` emes dInformation

790 views • 68 slides
Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas ROCHE ANSSI (French Network and Information Security Agency) Thursday, December 3rd, 2013 Side Channel Attacks (SCA)| Linear Regression Attack

340 views • 32 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
Q3FY19 Standalone Highlights Q3FY19 LOANS NIM* P A T NET NPA ` 1,291 cr 4.33% ` 196,432 cr

Q3FY19 Standalone Highlights Q3FY19 LOANS NIM* P A T NET NPA ` 1,291 cr 4.33% ` 196,432 cr

INVESTOR PRESENTATION Q3FY19 Standalone Highlights Q3FY19 LOANS NIM* P A T NET NPA ` 1,291 cr 4.33% ` 196,432 cr 0.71% [ ` 1,053 cr] [4.27%] [ ` 159,071 cr] [1.09%] CAR TOTAL CASA BRANCHES 18.1% # ASSETS [18.7%] Tier I 1,453

609 views • 37 slides
Investors Presentation September 2010 Disclaimer All forward-looking statements are Ingenico

Investors Presentation September 2010 Disclaimer All forward-looking statements are Ingenico

Investors Presentation September 2010 Disclaimer All forward-looking statements are Ingenico managements present expectations of future events and are subject to a number of factors and uncertainties that could cause actual results to differ

572 views • 35 slides
Payment Card Industry (PCI) Compliance Training Presented to: Diocese of Rockford Presenters:

Payment Card Industry (PCI) Compliance Training Presented to: Diocese of Rockford Presenters:

Payment Card Industry (PCI) Compliance Training Presented to: Diocese of Rockford Presenters: Mary Breeden and Sarilyn Neiber What is the Payment Card Industry (PCI) Data Security Standard (DSS)? What are the PCI DSS Standards? First, lets

191 views • 7 slides
2002 State Member Bank / Bank Holding Company Regulatory Reporting Update Meredith Miske Rich

2002 State Member Bank / Bank Holding Company Regulatory Reporting Update Meredith Miske Rich

2002 State Member Bank / Bank Holding Company Regulatory Reporting Update Meredith Miske Rich Molloy Monica Posen Mike Tursi Federal Reserve Bank of New York April 1, 2002 1 2002 State Member Bank / Bank Holding Company Regulatory

1.03k views • 102 slides
RANDY G. FISCHER Discusses potential characteristics of an active shooter Potential warning

RANDY G. FISCHER Discusses potential characteristics of an active shooter Potential warning

RANDY G. FISCHER Discusses potential characteristics of an active shooter Potential warning signs for an active shooter Strategies for surviving an incident Law Enforcements response to an active shooter incident Incidents of Active Shooters

745 views • 35 slides
Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars Aurlien Francillon,

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars Aurlien Francillon,

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars Aurlien Francillon, Boris Danev, Srdjan apkun Monday February 7, 2011 System Security Group 1 Modern Cars Evolution Increasing amount of electronics in cars

552 views • 24 slides
Active Shooter Guidance Training Overview Rihana Ahmad Manager, State Plan and Self-Advocacy

Active Shooter Guidance Training Overview Rihana Ahmad Manager, State Plan and Self-Advocacy

Active Shooter Guidance Training Overview Rihana Ahmad Manager, State Plan and Self-Advocacy Credits Special thanks to everyone who supported the development and release of the Active Shooter Training and Drill ToolBox: 2 Number of Number

299 views • 27 slides
Automatic Network Protection Scenarios Using NetFlow Vojt ch Krm ek, Jan Vykopal

Automatic Network Protection Scenarios Using NetFlow Vojt ch Krm ek, Jan Vykopal

Automatic Network Protection Scenarios Using NetFlow Vojt ch Krm ek, Jan Vykopal {krmicek|vykopal}@ics.muni.cz FloCon 2012 January 9-12, Austin, Texas Part I Flow-based Network Protection Krmicek et al. Automatic Network Protection

478 views • 23 slides

More recommend