Side Channels and Covert Channels

SLIDE 1

Side Channels Covert Channels References

Side Channels and Covert Channels

Daniel Bosk

Department of Information and Communication Systems (ICS), Mid Sweden University, Sundsvall.

1st May 2017

Daniel Bosk MIUN ICS Side Channels and Covert Channels 1

SLIDE 2

1 Side Channels

  • What are side-channels?
  • Timing Attacks
  • Traffic Analysis
  • Acoustic Attacks
  • Physical Attacks
  • Electromagnetic Attacks

2 Covert Channels

  • Definition
  • Bell-LaPadula
  • Page Faults and LEDs
  • Cheating on the Exam

SLIDE 3

What are side-channels?

Definition (Side Channel) A side channel is an unintended channel emitting information which is due to physical implementation flaws and not theoretical weaknesses or forcing attempts.

Example Using the standard algorithms for addition and multiplication (using the binary number system) we can easily see that the time to perform 3 × 25 and 7 × 25 will be different.

SLIDE 4

What are side-channels?

Looking at the numbers, we see that $3_{10} = 11_2$, $7_{10} = 111_2$ and $25_{10} = 11001_2$. Assume each step in the algorithm takes one time unit. Then for 11001 × 11 we get:

  • 5 time units for multiplying the last 1 in 11 with each digit in 11001,
  • another 5 time units for the next digit in 11,
  • an additional 1 time unit for shifting the second result one step,
  • finally, 6 time units for adding the numbers.

For 11001 × 111 we get:

  • 5 time units for each digit, hence 15 in total,
  • two shifts, thus 2 time units more,
  • finally, 7 time units for adding.

SLIDE 5

What are side-channels?

Hence, the first multiplication takes 17 time units to perform whereas the second takes 24 time units. This is called a timing attack and is one example of why constant-time operations are desirable.

However, in this example we cannot see the difference between multiplication of $2_{10} = 10_2$ and $3_{10} = 11_2$. But in more complex situations this might not even be necessary.
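The counting above, as an added example that is not part of the original slides: a cost model for the schoolbook multiplication, the set of multipliers consistent with an observed time, and a fixed-width variant whose cost no longer depends on the operand. The function names, and the rule that the addition costs as many units as the widest shifted partial product (inferred from the 6 and 7 on the slide), are assumptions.

```python
# Cost model from the slides: every elementary step costs one time unit.
def mul_time_units(multiplicand: int, multiplier: int) -> int:
    """Time units for schoolbook binary multiplication, counted as on the slides."""
    n = multiplicand.bit_length()   # digits in the multiplicand (25 -> 11001 -> 5)
    m = multiplier.bit_length()     # digits in the multiplier   (3 -> 11 -> 2)
    digit_products = n * m          # one pass over the multiplicand per multiplier digit
    shifts = m - 1                  # each partial product after the first: one shift step
    addition = n + m - 1            # assumed: width of the widest shifted partial product
    return digit_products + shifts + addition


def candidates_for(observed: int, multiplicand: int, max_bits: int = 8) -> list[int]:
    """Multipliers below 2**max_bits whose modelled cost equals an observed timing."""
    return [k for k in range(1, 2 ** max_bits)
            if mul_time_units(multiplicand, k) == observed]


def fixed_width_time_units(multiplicand: int, multiplier: int, width: int = 8) -> int:
    """Same model, but the multiplier is always processed as `width` digits,
    so the cost depends only on public sizes and not on the multiplier's value."""
    if multiplier.bit_length() > width:
        raise ValueError("multiplier does not fit in the fixed width")
    n = multiplicand.bit_length()
    return n * width + (width - 1) + (n + width - 1)


if __name__ == "__main__":
    for k in (2, 3, 7):
        print(k, mul_time_units(25, k), fixed_width_time_units(25, k))
    # An observer who measures 24 units learns only the multiplier's bit length.
    print(candidates_for(24, 25))
```

In this model the leak is exactly the bit length of the multiplier, which is why 2 and 3 are indistinguishable while 3 and 7 are not.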

SLIDE 6

Timing Attacks

The first example was a timing attack. We can measure the time for different operations. Depending on the time it takes, we can figure out something about the operands.

SLIDE 7

Timing Attacks

Example (SSH password guessing) In [SWT01] a timing attack on passwords sent over encrypted SSH sessions was shown. As each keystroke in the password is sent in a separate packet, the attacker can observe the delay between keystrokes. They found that this gave a factor of 50 advantage for guessing the password.

SLIDE 8

Timing Attacks

Anonymized traffic with onion routing: Alice sends a message encrypted in three layers to Bob. Bob removes the outermost layer and sends to Carol. Carol removes the (next) outermost layer and sends to David. David removes the final layer and sends to the destination.

Example (De-anonymize traffic) We can also perform time-correlation attacks against anonymity systems. Measure how long it takes from something going in until something comes out. Then we can figure out who is sending where.

SLIDE 10

Traffic Analysis

SLIDE 11

Acoustic Attacks

Some authors¹ showed an attack to extract a 4096-bit RSA private key from a laptop PC (GnuPG implementation of RSA). Computers emit high-pitched noise during operation due to some of their electronic components. This was used to derive the key used for decryption of some chosen ciphertexts within an hour! Their results show that this attack can be accomplished by placing a mobile phone (microphone) next to the target laptop.

¹ Daniel Genkin, Adi Shamir and Eran Tromer. RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis. Tech. rep. Cryptology ePrint Archive, Report 2013/857, 2013. URL: http://eprint.iacr.org/2013/857.

SLIDE 12

Acoustic Attacks

SLIDE 13

Acoustic Attacks

The acoustic signals are picked up from components in the power supply. Individual CPU operations are too fast for a microphone to pick up. But long operations such as modular exponentiation (as in RSA) can create a characteristic acoustic spectral signature which can be detected using a microphone.

SLIDE 14

Acoustic Attacks

SLIDE 15

Physical Attacks

SLIDE 16

Physical Attacks

SLIDE 17

Physical Attacks

SLIDE 18

Physical Attacks

SLIDE 19

Electromagnetic Attacks

SLIDE 20

Electromagnetic Attacks

SLIDE 21

Electromagnetic Attacks

SLIDE 22

Electromagnetic Attacks

[Kuh04]

SLIDE 24

Definition

Definition (Covert Channel) A covert channel is a mechanism that was not designed for communication but which can nonetheless be abused to allow information to flow in a way which is not allowed in the security policy.

Definition (Side Channel) A side channel is an unintended channel emitting information which is due to physical implementation flaws and not theoretical weaknesses or forcing attempts.

SLIDE 25

Definition

The definitions do overlap. Usually one talks of side-channels in cryptography and covert-channels in larger systems.

SLIDE 26

Bell-LaPadula

BLP says “no read up” and “no write down”. What happens if I try to “write up” but something already exists? Using this you can create a covert channel. Each denied operation is one bit of information (entropy) revealed by the security mechanisms.
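The "write up to a name that already exists" channel, as an added example that is not part of the original slides: a toy two-level store in which the denial reveals one bit per probe, next to a variant that scopes names per level (polyinstantiation, chosen here as one possible mitigation) so the low subject's result no longer depends on high state. All class and function names are hypothetical.

```python
# Toy multilevel store, constructed for illustration; not a real MLS API.
LOW, HIGH = 0, 1


class SharedNamespaceStore:
    """BLP-style store with one namespace shared by all levels."""

    def __init__(self):
        self.objects = {}                      # name -> classification level

    def create(self, subject_level: int, name: str, object_level: int) -> bool:
        if object_level < subject_level:       # "no write down"
            return False
        if name in self.objects:               # the name clash is reported to the caller
            return False
        self.objects[name] = object_level
        return True


class PolyinstantiatedStore(SharedNamespaceStore):
    """Same policy, but names are scoped by the creator's level, so a LOW
    subject never observes whether a HIGH subject already used the name."""

    def create(self, subject_level: int, name: str, object_level: int) -> bool:
        if object_level < subject_level:
            return False
        key = (subject_level, name)
        if key in self.objects:
            return False
        self.objects[key] = object_level
        return True


def transfer(store, secret_bits: list[int]) -> list[int]:
    """HIGH encodes each bit by creating (1) or not creating (0) a slot name;
    LOW then writes up to the same names and records every denial as a 1."""
    for i, bit in enumerate(secret_bits):
        if bit:
            store.create(HIGH, f"slot{i}", HIGH)
    return [0 if store.create(LOW, f"slot{i}", HIGH) else 1
            for i in range(len(secret_bits))]


if __name__ == "__main__":
    bits = [1, 0, 1, 1]                        # constructed sample secret
    print(transfer(SharedNamespaceStore(), bits))    # denials mirror the secret
    print(transfer(PolyinstantiatedStore(), bits))   # LOW sees no denials
```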

SLIDE 27

Bell-LaPadula

The Naval Research Laboratory invented the NRL-Pump. This is a device used to limit the bandwidth of possible covert channels. The pump allows flow upwards. But we need some flow downwards too, e.g. acknowledgement that data was received correctly. The bandwidth of possible covert channels is limited using buffers and randomised timing of acknowledgements, among other things.

SLIDE 28

Bell-LaPadula

Example (Logistics system) A military warehouse holds classified equipment, but the warehouse itself is not classified. A person in the logistics department doesn’t have sufficient clearance. What happens when this person wants to use the space for other things? Make some things up and put in there so it looks occupied. What if this person needs some of the items in the cover story?

SLIDE 29

Page Faults and LEDs

Another example of how a covert channel might be constructed is page faults. What if we manage to place things in memory in such a way that it extends into another page? What if that page is not in memory? Then we know from either measuring time (we notice if a page fault occurs) or observing the disk activity.

SLIDE 30

Page Faults and LEDs

Yet another example is the LEDs indicating disk activity. If this LED is connected to the serial lines, indicating when data is sent, then information about the data is leaked. Further, the electronic components in computer displays leak radio signals caused by the states of pixels etc. It has been shown that you can pick up the picture of the screen from these signals two rooms away.

SLIDE 31

Cheating on the Exam

  • Which times someone goes to the toilet: if it is an even minute it’s a one, if odd it’s a zero.
  • The rhythm someone clicks their pen against the desk: a change in rhythm is a one. However, this needs some synchronisation.
  • Drum Morse code on the table.
  • ...

SLIDE 32

References

[GST13] Daniel Genkin, Adi Shamir and Eran Tromer. RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis. Tech. rep. Cryptology ePrint Archive, Report 2013/857, 2013. URL: http://eprint.iacr.org/2013/857.

[Kuh04] Markus G Kuhn. “Electromagnetic eavesdropping risks of flat-panel displays”. In: Privacy Enhancing Technologies. Springer. 2004, pp. 88–107.

[SWT01] Dawn Xiaodong Song, David Wagner and Xuqing Tian. “Timing Analysis of Keystrokes and Timing Attacks on SSH.” In: USENIX Security Symposium. Vol. 2001. 2001.
