side channel bas ed collision attacks theory to att k th
play

Side-channel bas ed Collision Attacks, Theory to Att k Th t o - PowerPoint PPT Presentation

Mar 05, 2024 •222 likes •495 views

Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December 2010 Amir Moradi E Embedded Security Group, Ruhr University Bochum b dd d S it G R h U i it B h m, Germany G Embedded Security Group Outline

  1. Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December 2010 Amir Moradi E Embedded Security Group, Ruhr University Bochum b dd d S it G R h U i it B h m, Germany G

  2. Embedded Security Group Outline  Classical side ‐ channel attac cks  What is a side ‐ channel bas sed collision attack?  Implementation platforms and problems  A newly introduced side ‐ ch A newly introduced side ch hannel based correlation hannel based correlation collision attack  Some hints when impleme  Some hints when impleme enting enting WAC 2010 | Singapore | 3. December 2010 Amir Moradi 2

  3. Embedded Security Group Classical Side ‐ Channel At ttacks  Collecting the side ‐ channe l leakage – Using an oscilloscope fo or power analysis attacks • and an electromagnetic probe for electromagnetic analysis attacks – Using a timer for timing g attacks WAC 2010 | Singapore | 3. December 2010 Amir Moradi 3

  4. Embedded Security Group Classical Side ‐ Channel At ttacks  Define the hypothetical po D fi h h h i l ower model d l – In differential power an nalysis – In correlation power an nalysis  Define the distinguisher – In mutual information a analysis  Examine the relation betwe een the (hypothetical) model ( yp ) and the real measurement ts using statistical tools – difference of means – correlation coefficient – entropy entropy WAC 2010 | Singapore | 3. December 2010 Amir Moradi 4

  5. Embedded Security Group What is a Side ‐ Channel B Based Collision Attack?  avoids any model to predic ct the power consumption – Independent of the lea kage type  Examines the similarity of t the measurements for different processed values p – when a collision is foun nd, a relation between parts of the secret is revealed of the secret is revealed d WAC 2010 | Singapore | 3. December 2010 Amir Moradi 5

  6. Embedded Security Group Side ‐ Channel Based Coll ision Attack [example 1]  Implementation platform: a micro ‐ controller  Target algorithm: the AES e encryption  Strategy of the attack: look king at the similar power consumption traces for diff p ferent Sbox outputs p  Sbox(P 1 +K 1 ) = Sbox(P 2 +K 2 ) = b ( ) b ( ) => P 1 +K 1 =P 2 +K 2 => K 1 +K 2 = C WAC 2010 | Singapore | 3. December 2010 Amir Moradi 6

  7. Embedded Security Group Side ‐ Channel Based Coll ision Attack [example 1]  Presence of countermeasu ures – Masking: wait till a coll ision may occur on both masks and Sbox output ts, depends strongly on the masking order – Shuffling: extending the e search area to consider all clock cycles, may lead t y , y to false positive results p – Masking and Shuffling: efficiency of the attack is drastically reduced! drastically reduced! WAC 2010 | Singapore | 3. December 2010 Amir Moradi 7

  8. Embedded Security Group Side ‐ Channel Based Coll ision Attack [example 2]  Implementation platform: an FPGA/ASIC  Target algorithm: the AES e encryption  Strategy of the attack: cann not be decided without knowing the architecture g WAC 2010 | Singapore | 3. December 2010 Amir Moradi 8

  9. Embedded Security Group An Overview of the Arch hitecture WAC 2010 | Singapore | 3. December 2010 Amir Moradi 9

  10. Embedded Security Group How do the power trace es look like?  8 ‐ bit architecture  32 ‐ bit architecture 32 bit architecture WAC 2010 | Singapore | 3. December 2010 Amir Moradi 10

  11. Embedded Security Group Side ‐ Channel Based Coll ision Attack [example 2]  Implementation platform: an I l i l f n FPGA/ASIC FPGA/ASIC  Target algorithm: the AES en cryption  Strategy of the attack: St t f th tt k – 8 ‐ bit architecture: rough hly the same as μ C case – 32 ‐ bit architecture: not e 32 bi hi easy because of the low b f h l probability of collision  The attack does not work eff  The attack does not work eff ficiently ficiently – Switching noise is added in comparison to the μ C – Power consumption dep P ti d ends also on the last d l th l t processed values  Worse situation in the prese  Worse situation in the prese nce of countermeasures nce of countermeasures WAC 2010 | Singapore | 3. December 2010 Amir Moradi 11

  12. Embedded Security Group What can we do? [Usually a DPA/CPA using HD/ /HW model works + MIA]  Before developing an attac ck – First, averaging based o on plaintext bytes (32 ‐ bit arch.) • 256 mean traces for eac h plaintext byte p y • Variance over mean trac ces (each plaintext byte separately) WAC 2010 | Singapore | 3. December 2010 Amir Moradi 12

  13. Embedded Security Group Designing an Attack  Supposing knowing a key byte, we get mean traces for the corresponding Sbox input byte  For another plaintext byte (unk known key), we get mean traces  How are these mean traces rel ated to each other? WAC 2010 | Singapore | 3. December 2010 Amir Moradi 13

  14. Embedded Security Group Designing an Attack  The mean traces for the unk nown key bytes can be generated for each key byte hypothesis  The correct key byte can be f found comparing the mean traces at each time instance – Correlation helps here! l h l h • Correlation of two sets of m mean traces based on key hypothesis (is almost 1 for right key (du (is almost 1 for right key (du ue to equal power consumption)) ue to equal power consumption)) WAC 2010 | Singapore | 3. December 2010 Amir Moradi 14

  15. Embedded Security Group Extending the Attack  If the first key byte (for the e first mean traces) is not known, what we recover is t the linear difference between two key bytes: k 1 +k 2 , beca k b b ause of addroundkey of AES f dd dk f AES k k – The same attack shown n on μ C but using all possible collisions! WAC 2010 | Singapore | 3. December 2010 Amir Moradi 15

  16. Embedded Security Group Why does it work?  There are four instances of f S ‐ box in the 32 ‐ bit arch. – The power consumption c characteristics of the same instance of the S ‐ box is us sed in mean traces – Power consumption of an n instance of the S ‐ box is compared to itself in diffe erent clock cycles  What does happen for larg ger architecture? – The same netlist for the S S ‐ boxes, even the same placement and routing, b ut still process variations exists • Small differences on power r consumption characteristics of different instances of the S ‐ ‐ box – The same instances of the Th i t f th e S ‐ box should be compared S b h ld b d WAC 2010 | Singapore | 3. December 2010 Amir Moradi 16

  17. Embedded Security Group The gain of the attack  Relation between key byte s s, 2 8 candidates for the 128 ‐ bit – 8 ‐ bit arch. → 15 rela � ons key ns, 2 32 candidates for the 128 ‐ – 32 ‐ bit arch. → 12 rela � on bit key  How to get the correct key ? – A pair of plain ‐ /ciphertext t – Continue the attack on th he second round of the AES for each key candidate WAC 2010 | Singapore | 3. December 2010 Amir Moradi 17

  18. Embedded Security Group How about Shuffling?  Shuffling is done on the orde er of Sbox runs  Using combing [what’s comb g g [ bing?] g ] WAC 2010 | Singapore | 3. December 2010 Amir Moradi 18

  19. Embedded Security Group How about Masking?  Looking into the literatures  smallest masked AES S ‐ box by Canright and Batina  1 st order leakage is obvious because of glitches WAC 2010 | Singapore | 3. December 2010 Amir Moradi 19

  20. Embedded Security Group Results when masking is implemented WAC 2010 | Singapore | 3. December 2010 Amir Moradi 20

  21. Embedded Security Group Masking combined with Shuffling?  Using combing WAC 2010 | Singapore | 3. December 2010 Amir Moradi 21

  22. Embedded Security Group First Hints  The attack works when an instance of the Sbox is shared for a computation o of a round  Try to avoid Sbox [hardwar re] sharing – going through round ‐ ba g g g ased implementation p • 128 ‐ bit architectures • even unrolled architectu ures WAC 2010 | Singapore | 3. December 2010 Amir Moradi 22

  23. Embedded Security Group Results of on 128 ‐ bit arc ch. [unmasked]   not achieved for all key byt t hi d f ll k b t tes – because of difference b between netlist of different instances of Sbox WAC 2010 | Singapore | 3. December 2010 Amir Moradi 23

  24. Embedded Security Group How about unrolled imp plementations?  two rounds per clock cycle  th  three rounds per clock cycl d l k l le WAC 2010 | Singapore | 3. December 2010 Amir Moradi 24

  25. Embedded Security Group Second Hints  The attack still works on so ome key bytes even on unrolled implementations  To avoid such an attack it is s recommended to used different netlists for differe ent instances of the Sbox – the result will avoid sim milarity of the power consumption of differe p nt instances of the Sbox  The world still is not enoug gh – at the end of the day, a – at the end of the day a a statistical tool, e.g., MIA, a statistical tool e g MIA will recover the secret! WAC 2010 | Singapore | 3. December 2010 Amir Moradi 25

  26. Thanks! Any questions? Thanks to my colleagues: Oliver Mischke Thomas Eisenbarth Embedded Security Group, Ruhr University Bochum, Germ many

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018 Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

824 views • 48 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer FSE 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

635 views • 30 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer ESC 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

476 views • 33 slides
Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K.

Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K.

Introduction Client Authentication Downgrade Attack Channel Binding Conclusion Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K. Bhargavan (Inria) Transcript collision Attacks Dagstuhl 16012 1 / 20

370 views • 33 slides
Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet nadia.el-mrabet@emse.fr Mines St Etienne WRACH2019, April 17, 2019 Side channel attacks Physical counter measures Algorithmic counter measures Arithmetical

900 views • 36 slides
Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas ROCHE ANSSI (French Network and Information Security Agency) Thursday, December 3rd, 2013 Side Channel Attacks (SCA)| Linear Regression Attack

340 views • 32 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
Performing Low-cost Electromagnetic Side-channel Attacks using RTL-SDR and Neural Networks

Performing Low-cost Electromagnetic Side-channel Attacks using RTL-SDR and Neural Networks

Performing Low-cost Electromagnetic Side-channel Attacks using RTL-SDR and Neural Networks Pieter Robyns Motivation and introduction Motivation Information about performing EM side-channel attacks using SDR is quite scarce A few

758 views • 42 slides
HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately,

363 views • 12 slides
Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curves Side-Channel Countermeasures Conclusion Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks Vincent Verneuil 1 , 2 1 Inside Secure 2 Institut de Math ematiques de Bordeaux S

2.22k views • 188 slides
AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

Nicolas Belleville Damien Courouss Karine Heydemann Henri-Pierre Charles AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 | Belleville Nicolas INTRODUCTION Focus on power/EM based side channel

535 views • 31 slides
AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS SIDE CHANNEL ATTACKS

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS SIDE CHANNEL ATTACKS

Nicolas Belleville 1 Damien Courouss 1 Karine Heydemann 2 1 Univ Grenoble Alpes, CEA, List, F-38000 Grenoble, France Henri-Pierre Charles 1 firstname.lastname@cea.fr 2 Sorbonne Universit, CNRS, LIP6, F-75005, Paris, France

715 views • 53 slides
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

1.62k views • 92 slides
Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World

Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World

Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World Crypto & Privacy ibenik , Croatia Outline Why physical attacks matter Implementation attacks and power analysis Leakage Detection

972 views • 52 slides
System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus Peinado, Gloria Mainar-Ruiz MIT CSAIL Microsoft Research Security is a big concern in cloud adoption Why are cache-based side channel

588 views • 38 slides
CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security Introduction Meltdown Papers Spectre Attacks: Exploiting Speculative Execution, IEEE Security and Privacy (S&P), 2019 (Dustin)

726 views • 44 slides
Getting it Together! Instructional Materials Inventory at Seattle University Billie Boyd, MLIS |

Getting it Together! Instructional Materials Inventory at Seattle University Billie Boyd, MLIS |

Getting it Together! Instructional Materials Inventory at Seattle University Billie Boyd, MLIS | billie.boyd42@gmail.com Reilly Curran, MLIS | curranr@seattleu.edu Caitlin Plovnick, LMIS | plovnicc@seattleu.edu Sarah Schroeder, MLIS |

248 views • 21 slides
4/13/2008 Test Your Tech Test Your Tech FIT100 FIT100 FIT100 FIT100 FIT100 FIT100

4/13/2008 Test Your Tech Test Your Tech FIT100 FIT100 FIT100 FIT100 FIT100 FIT100

4/13/2008 Test Your Tech Test Your Tech FIT100 FIT100 FIT100 FIT100 FIT100 FIT100 Navigation is: Navigation is: A. Following a series of links to locate A. Following a series of links to locate specific information on the Web. p

338 views • 3 slides
Key Exchange With Public Key Cryptography With no trusted arbitrator Alice sends Bob her

Key Exchange With Public Key Cryptography With no trusted arbitrator Alice sends Bob her

Key Exchange With Public Key Cryptography With no trusted arbitrator Alice sends Bob her public key Bob sends Alice his public key Alice generates a session key and sends it to Bob encrypted with his public key, signed with her

654 views • 26 slides
Concealing Secrets in Embedded Processor Designs A B C Z Hannes Gross , Manuel Jelinek,

Concealing Secrets in Embedded Processor Designs A B C Z Hannes Gross , Manuel Jelinek,

0 Concealing Secrets in Embedded Processor Designs A B C Z Hannes Gross , Manuel Jelinek, Stefan Mangard, Thomas Unterluggauer, and Mario Werner Institute for Applied Information Processing and Communications Graz University of

516 views • 33 slides
Presented in collaboration with Nebraska ICAP, Nebraska DHHS HAI Team, Nebraska Medicine, and The

Presented in collaboration with Nebraska ICAP, Nebraska DHHS HAI Team, Nebraska Medicine, and The

Presented in collaboration with Nebraska ICAP, Nebraska DHHS HAI Team, Nebraska Medicine, and The University of Nebraska Medical Center Panelists: Dr. Salman Ashraf Kelly Cawcutt, MD, MS, FACP Moderated by Mounica Soma Kate Tyner, RN, BSN,

349 views • 31 slides
Vanuatu International Visitor Survey Annual Report November 2014 November 2015 www.nztri.org

Vanuatu International Visitor Survey Annual Report November 2014 November 2015 www.nztri.org

Vanuatu International Visitor Survey Annual Report November 2014 November 2015 www.nztri.org November 2014 November 2015 (excl. Feb-April) Approx 5% of all visitor arrival during the annual period Approx 10% of all visitor arrivals

1.53k views • 67 slides
JTransform , a Tool for Source Code Analysis Holger Eichelberger and J urgen Wolff von

JTransform , a Tool for Source Code Analysis Holger Eichelberger and J urgen Wolff von

JTransform , a Tool for Source Code Analysis Holger Eichelberger and J urgen Wolff von Gudenberg Universit at W urzburg 6. Workshop Software-Reengineering Bad Honnef, 5.5.2004 Contents 1. Architecture 2. Configuration 3.

448 views • 21 slides
SOEN6461: Software Design Methodologies Yann-Gal Guhneuc A brief introduction to

SOEN6461: Software Design Methodologies Yann-Gal Guhneuc A brief introduction to

SOEN6461: Software Design Methodologies Yann-Gal Guhneuc A brief introduction to software engineering This work is licensed under a Creative Commons Attribution-NonCommercial- ShareAlike 3.0 Unported License Outline Definition

1.68k views • 154 slides

More recommend