statistical ineffective fault attacks on masked aes with
play

Statistical Ineffective Fault Attacks on Masked AES with Fault - PowerPoint PPT Presentation

Feb 22, 2023 •223 likes •1.01k views

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Stefan Mangard, Florian Mendel, Robert Primas ASIACRYPT 2018 IAIK - Graz University of Technology www.tugraz.at

  1. Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Stefan Mangard, Florian Mendel, Robert Primas ASIACRYPT 2018 IAIK - Graz University of Technology

  2. www.tugraz.at Motivation Building cryptographic implementations is challenging: 1 Robert Primas — IAIK - Graz University of Technology

  3. www.tugraz.at Motivation Building cryptographic implementations is challenging: • Requires usage of proper cryptographic primitives 1 Robert Primas — IAIK - Graz University of Technology

  4. www.tugraz.at Motivation Building cryptographic implementations is challenging: • Requires usage of proper cryptographic primitives • But often also the usage of additional defenses ... • Microcontroller • FPGAs • ASICs 1 Robert Primas — IAIK - Graz University of Technology

  5. www.tugraz.at Motivation Building cryptographic implementations is challenging: • Requires usage of proper cryptographic primitives • But often also the usage of additional defenses ... • Microcontroller • FPGAs • ASICs • ... because of implementation attacks 1 Robert Primas — IAIK - Graz University of Technology

  6. www.tugraz.at Motivation • Proper cryptography does not mean practical security 2 Robert Primas — IAIK - Graz University of Technology

  7. www.tugraz.at Motivation • Proper cryptography does not mean practical security • Every cryptographic implementation stores a secret 2 Robert Primas — IAIK - Graz University of Technology

  8. www.tugraz.at Motivation • Proper cryptography does not mean practical security • Every cryptographic implementation stores a secret • Secrets can be extracted by: Power Analysis Fault Attacks 2 Robert Primas — IAIK - Graz University of Technology

  9. Fault Attacks 3 Robert Primas — IAIK - Graz University of Technology

  10. www.tugraz.at Fault Attacks • Get physical access to target device: P • Set plaintexts • Observe ciphertexts ENC C 4 Robert Primas — IAIK - Graz University of Technology

  11. www.tugraz.at Fault Attacks • Get physical access to target device: P • Set plaintexts • Observe ciphertexts • Cause erroneous computations via: • Clock glitches ENC • Voltage glitches • Lasers C 4 Robert Primas — IAIK - Graz University of Technology

  12. www.tugraz.at Fault Attacks • Get physical access to target device: P • Set plaintexts • Observe ciphertexts • Cause erroneous computations via: • Clock glitches ENC ENC • Voltage glitches • Lasers • Observe faulty and correct ciphertext C C 4 Robert Primas — IAIK - Graz University of Technology

  13. www.tugraz.at Fault Attacks • Get physical access to target device: P • Set plaintexts • Observe ciphertexts • Cause erroneous computations via: • Clock glitches ENC ENC • Voltage glitches • Lasers • Observe faulty and correct ciphertext • Recover key C C 4 Robert Primas — IAIK - Graz University of Technology

  14. www.tugraz.at Fault Attacks • Get physical access to target device: P • Set plaintexts • Observe ciphertexts • Cause erroneous computations via: • Clock glitches ENC ENC • Voltage glitches • Lasers • Observe faulty and correct ciphertext • Recover key C C ⇒ Differential Fault Attack (DFA) 4 Robert Primas — IAIK - Graz University of Technology

  15. www.tugraz.at Fault Countermeasures - Detection P P ENC ENC • Use redundancy to detect faults ENC-DETECT ENC ENC C C C C C 5 Robert Primas — IAIK - Graz University of Technology

  16. www.tugraz.at Fault Countermeasures - Detection P P ENC ENC • Use redundancy to detect faults ENC-DETECT ENC ENC • Fault detected → No ciphertext C C C C ... 5 Robert Primas — IAIK - Graz University of Technology

  17. www.tugraz.at Fault Countermeasures - Detection P P ENC ENC • Use redundancy to detect faults ENC-DETECT ENC ENC • Fault detected → No ciphertext • 2 identical faults necessary for attack C C C C C 5 Robert Primas — IAIK - Graz University of Technology

  18. www.tugraz.at Fault Countermeasures - Detection P P ENC ENC • Use redundancy to detect faults ENC-DETECT ENC ENC • Fault detected → No ciphertext • 2 identical faults necessary for attack C C → More redundancy, Enc-Dec, etc... C C C 5 Robert Primas — IAIK - Graz University of Technology

  19. www.tugraz.at Statistical Ineffective Fault Attacks (SIFA) • We presented SIFA at CHES 2018: • Breaks detection countermeasures (any degree of redundancy) • Breaks infection countermeasures • Requires just a single fault injection per encryption • Require no precise knowledge about location and effect of the fault 6 Robert Primas — IAIK - Graz University of Technology

  20. www.tugraz.at Statistical Ineffective Fault Attacks (SIFA) • We presented SIFA at CHES 2018: • Breaks detection countermeasures (any degree of redundancy) • Breaks infection countermeasures • Requires just a single fault injection per encryption • Require no precise knowledge about location and effect of the fault • We demonstrated applicability to AE schemes at SAC 2018 6 Robert Primas — IAIK - Graz University of Technology

  21. www.tugraz.at Statistical Ineffective Fault Attacks (SIFA) • We presented SIFA at CHES 2018: • Breaks detection countermeasures (any degree of redundancy) • Breaks infection countermeasures • Requires just a single fault injection per encryption • Require no precise knowledge about location and effect of the fault • We demonstrated applicability to AE schemes at SAC 2018 • What about power analysis countermeasures? 6 Robert Primas — IAIK - Graz University of Technology

  22. www.tugraz.at SIFA on AES in Pictures P P 1...N P 1...N P 1...N P 1...N P 1...N P 1...N P 1...N P 1...N : : : : : : : : ROUND 10 ROUND 9 ROUND 8 ROUND 10 ROUND 9 ROUND 8 ROUND 10 ROUND 9 ROUND 8 ROUND 10 ROUND 9 ROUND 8 ROUND 10 ROUND 9 ROUND 8 ROUND 10 ROUND 9 ROUND 8 ROUND 10 ROUND 9 ROUND 8 ROUND 10 ROUND 9 ROUND 8 SHIFT ROWS SHIFT ROWS SHIFT ROWS SHIFT ROWS SHIFT ROWS SHIFT ROWS SHIFT ROWS SHIFT ROWS MIX COLUMNS MIX COLUMNS MIX COLUMNS MIX COLUMNS MIX COLUMNS MIX COLUMNS MIX COLUMNS MIX COLUMNS KEY ADD 8 KEY ADD 8 KEY ADD 8 KEY ADD 8 KEY ADD 8 KEY ADD 8 KEY ADD 8 KEY ADD 8 SUB BYTES SUB BYTES SUB BYTES SUB BYTES SUB BYTES SUB BYTES SUB BYTES SUB BYTES ? SHIFT ROWS SHIFT ROWS SHIFT ROWS SHIFT ROWS SHIFT ROWS SHIFT ROWS SHIFT ROWS SHIFT ROWS MIX COLUMNS MIX COLUMNS MIX COLUMNS MIX COLUMNS MIX COLUMNS MIX COLUMNS MIX COLUMNS MIX COLUMNS KEY ADD 9 KEY ADD 9 KEY ADD 9 KEY ADD 9 KEY ADD 9 KEY ADD 9 KEY ADD 9 KEY ADD 9 SUB BYTES SUB BYTES SUB BYTES SUB BYTES SUB BYTES SUB BYTES SUB BYTES SUB BYTES SHIFT ROWS SHIFT ROWS SHIFT ROWS SHIFT ROWS SHIFT ROWS SHIFT ROWS SHIFT ROWS SHIFT ROWS KEY ADD 10 KEY ADD 10 KEY ADD 10 KEY ADD 10 KEY ADD 10 KEY ADD 10 KEY ADD 10 KEY ADD 10 C C C C C C N C N C N C C C C C N C N C N C 2 C C C C C N C N C N C C C C C N C N C N C N C N C N C N C N C N C N C N 7 Robert Primas — IAIK - Graz University of Technology

  23. www.tugraz.at SIFA on AES in Pictures P P 1...N P 1...N P 1...N P 1...N : : : : ROUND 10 ROUND 9 ROUND 8 ROUND 10 ROUND 9 ROUND 8 ROUND 10 ROUND 9 ROUND 8 ROUND 10 ROUND 9 ROUND 8 SHIFT ROWS SHIFT ROWS SHIFT ROWS SHIFT ROWS MIX COLUMNS MIX COLUMNS MIX COLUMNS MIX COLUMNS KEY ADD 8 KEY ADD 8 KEY ADD 8 KEY ADD 8 SUB BYTES SUB BYTES SUB BYTES SUB BYTES ? SHIFT ROWS SHIFT ROWS SHIFT ROWS SHIFT ROWS MIX COLUMNS MIX COLUMNS MIX COLUMNS MIX COLUMNS KEY ADD 9 KEY ADD 9 KEY ADD 9 KEY ADD 9 SUB BYTES SUB BYTES SUB BYTES SUB BYTES SHIFT ROWS SHIFT ROWS SHIFT ROWS SHIFT ROWS KEY ADD 10 KEY ADD 10 KEY ADD 10 KEY ADD 10 C C C C C C C C C C C C C C C C C C N C N C N C N 7 Robert Primas — IAIK - Graz University of Technology

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria

Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria

Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Florian Mendel and Robert Primas CHES 2020 Motivation www.tugraz.at Using crypto in the wild requires:

964 views • 64 slides
SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of:

SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of:

SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of: Christoph Dobraunig, Maria Eichlseder, Hannes Gro, Thomas Korak, Stefan Mangard, Florian Mendel, Robert Primas Are Protected Implementations Hard to

413 views • 17 slides
Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M.

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M.

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M. Eichlseder, T. Korak, V. Lomn e, F. Mendel ASK 2016 The research leading to these results has received funding from the European Unions Horizon

551 views • 26 slides
Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M. Eichlseder 1 , T. Korak 1 , V. Lomn e 2 , F. Mendel 1 AsiaCrypt 2016 1 Graz University of Technology, Austria 2 ANSSI, Paris, France

602 views • 27 slides
SIFA: Exploiting Ineffective Fault Inductions on Symmetric Cryptography Christoph Dobraunig 1 ,

SIFA: Exploiting Ineffective Fault Inductions on Symmetric Cryptography Christoph Dobraunig 1 ,

SIFA: Exploiting Ineffective Fault Inductions on Symmetric Cryptography Christoph Dobraunig 1 , Maria Eichlseder 1 , Thomas Korak 2 , Stefan Mangard 1 , Florian Mendel 2 , Robert Primas 1 1 Graz University of Technology, Austria

730 views • 54 slides
Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia Laguna, Sardinia (Italy) 19 October 2015 Introduction to Fault Attacks 19 October 2015 What are fault attacks? Active attacks against

571 views • 27 slides
Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption Robert Primas, Peter Pessl,

Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption Robert Primas, Peter Pessl,

S C I E N C E P A S S I O N T E C H N O L O G Y Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption Robert Primas, Peter Pessl, Stefan Mangard IAIK, Graz University of Technology, Austria CHES 2017,

753 views • 58 slides
Findings Port Security is ineffective at preventing 3 different MAC Spoofing attacks in

Findings Port Security is ineffective at preventing 3 different MAC Spoofing attacks in

M EDIA A CCESS C ONTROL (MAC) A DDRESS S POOFING A TTACKS AGAINST P ORT S ECURITY Andrew Buhr, Dale Lindskog, Pavol Zavarsky, Ron Ruhl Concordia University College of Alberta Findings Port Security is ineffective at preventing 3 different

455 views • 24 slides
Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis Antoine Wurcker

Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis Antoine Wurcker

Introduction Scope of the Attack Attack Steps Conclusion Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis Antoine Wurcker Christophe Clavier antoine.wurcker@xlim.fr christophe.clavier@unilim.fr Universit e

535 views • 51 slides
Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France November 16, 2017 Cryptacus Workshop, Nijmegen, Netherlands the attacker only needs unprivileged execution on the victims machine

1.99k views • 164 slides
Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland PQCrypto 2017, 26th of June 1/15 Outline 1 Preliminaries Introduction Supersingular isogenies SSI cryptosystems 2 Fault attack

378 views • 33 slides
Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier, Xiaolu Hou and Yang Liu 10 September 2018 1 / 25 Table of Contents Background and Motivation 1 Overview of DATAC DFA Automation Tool for

727 views • 25 slides
Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Introduction Threats Setups Attacks Countermeasures Conclusion 1 / 31 Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of Cryptographic Algorithms and Devices for Real-World Applications Sibenik,

849 views • 31 slides
Defeating TLS client authentication using fault attacks Who are we ? R&D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&D dept. @ Security Evaluation Kudelski Security Lab @ Kudelski IoT Embedded systems Hardware attacks security research Glitch / EM Reverse

889 views • 51 slides
Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs marc.joye@thomson.net CryptoPuces 2009 Porquerolles, June 26, 2009 Outline Elliptic Curve Cryptography Inducing Faults Fault Attacks Countermeasures

363 views • 24 slides
Its Not My Fault 1915: rotor machines: (electro-)mechanical - On Fault Attacks on

Its Not My Fault 1915: rotor machines: (electro-)mechanical - On Fault Attacks on

Its Not My Fault Bart Preneel FDTC12 9 September 2011 Symmetric crypto history 101 http://www.ecrypt.eu.org pre-1915: manual encryption or simple devices Its Not My Fault 1915: rotor machines: (electro-)mechanical - On

296 views • 6 slides
Fault-Tolerant Subgraph For Single-Source Reachability: General and Optimal Surender Baswana,

Fault-Tolerant Subgraph For Single-Source Reachability: General and Optimal Surender Baswana,

FMC-Properties Main Tools Construction of 2-FTRS Reference Fault-Tolerant Subgraph For Single-Source Reachability: General and Optimal Surender Baswana, Keerti Choudhary, Liam Roditty Presented by: Santhini K A and Sampriti Roy CS18D013

1.46k views • 91 slides
Fault Tolerance via the State Machine Replication Approach Favian Contreras Implementing

Fault Tolerance via the State Machine Replication Approach Favian Contreras Implementing

Fault Tolerance via the State Machine Replication Approach Favian Contreras Implementing Fault-Tolerant Services Using the State Machine Approach: A Tutorial Written by Fred Schneider Why a Tutorial? The State Machine Approach was

743 views • 52 slides
Wonderful Counselor Wonderful Counselor He made us. Wonderful Counselor He made us.

Wonderful Counselor Wonderful Counselor He made us. Wonderful Counselor He made us.

Wonderful Counselor Wonderful Counselor He made us. Wonderful Counselor He made us. He knows everything about us. Wonderful Counselor He made us. He knows everything about us. He can relate to us. Mighty God

200 views • 15 slides
What is DNA? D eoxyribo n ucleic A cid A molecule composed of two chains that wrap

What is DNA? D eoxyribo n ucleic A cid A molecule composed of two chains that wrap

What is DNA? D eoxyribo n ucleic A cid A molecule composed of two chains that wrap around each other consisting of sugars, phosphates, and nucleotide bases (adenine, guanine, thyamine, and cytosine) Acts as the store of genetic

397 views • 3 slides
MPLS TP Ring Fault Detection and Localization draft-jiang-mpls-tp-ring-fd Authors Albert

MPLS TP Ring Fault Detection and Localization draft-jiang-mpls-tp-ring-fd Authors Albert

MPLS TP Ring Fault Detection and Localization draft-jiang-mpls-tp-ring-fd Authors Albert Jiang Guoman Liu Xuehui Dai (ZTE) Purpose & Overview MPLS TP Ring Optimized Node/Link Fault Detection & Localization Mechanism 1)

405 views • 21 slides
VLSI Testing Sequential ATPG Virendra Singh Associate Professor C omputer A rchitecture and D

VLSI Testing Sequential ATPG Virendra Singh Associate Professor C omputer A rchitecture and D

VLSI Testing Sequential ATPG Virendra Singh Associate Professor C omputer A rchitecture and D ependable S ystems L ab Department of Electrical Engineering Indian Institute of Technology Bombay http://www.ee.iitb.ac.in/~viren/ E-mail:

1.05k views • 15 slides
Nonlinear Autoregressive with Exogenous Wathiq R Abed #UDT2019 Outline Aim of Fault

Nonlinear Autoregressive with Exogenous Wathiq R Abed #UDT2019 Outline Aim of Fault

Unmanned Marine Vehicles Motor Fault Classifier Based on Nonlinear Autoregressive with Exogenous Wathiq R Abed #UDT2019 Outline Aim of Fault diagnosis and condition monitoring Task Major Faults in electrical Machines Fault

274 views • 9 slides
Machine Learning for monitoring the condition of critical systems Ross W Dickie MacTaggart Scott

Machine Learning for monitoring the condition of critical systems Ross W Dickie MacTaggart Scott

Machine Learning for monitoring the condition of critical systems Ross W Dickie MacTaggart Scott | Heriot Watt University rwd2@hw.ac.uk, Ross.Dickie@mactag.com #UDT2019 Stand: A19 Project Outline Industry & Academic partnership

476 views • 24 slides

More recommend