Side Channel Analysis: Practice and a Bit of Theory

Post on 12-May-2015


Side channel analysis: Practice and a bit of theory

Ilya Kizhvatov

2

About myself

• Senior security analyst at Riscure, Delft

• PhD, University of Luxembourg

• Diploma in IT security, ФЗИ РГГУ, Moscow

3

Side channel analysis in 3 minutes

4

http://insidenanabreadshead.com/

5

6

Simple power analysis

https://www.icmag.com/ic/showthread.php?t=217895

7

Countermeasure

Cost-effective: saves 150M euro yearly in NL

http://www.deweblogvanhelmond.nl

8

Differential power analysis

[Figure: households (+ + + …) compared with the substation: ∆ ≠ 0?]

9

10

In the remaining 45 minutes: Side channel attacks on embedded devices

• When and where are they applicable?

• How do they work?

• What complicates them?

11

Embedded devices

How many out of all computing devices are embedded?

A. 78%   B. 92%   C. 98%

Absolute numbers for 2015: 15 billion connected devices [2]

7 billion people in the world [1]

1. G. Borriello and R. Want. Embedded Computation meets the World Wide Web. Commun. ACM, May 2000

2. John Gantz. The Embedded Internet: Methodology and Findings. IDC, January 2009

12

Examples with secure context

code execution

keys

PayTV

Smart grid

Mobile payment

http://en.wikipedia.org/wiki/File:Mobile_payment_01.jpg

13

How to protect keys?

Pure software (whitebox crypto)

Go hardware

Recent overview: Dmitry Khovratovich @ 30C3

14

When SW exploitation is not enough

flash

DDR

CPU secure core (crypto)

secure storage (keys)

internal ROM

password protection / lock

JTAG, I2C, …

encryption

Ethernet, USB, UART

15

Secure boot

ROM loader code in flash

public key

signature

verify signature

Fault injection to skip. But when exactly?

20 Ways to Bypass Secure Boot: Job de Haas @ HITB KL 2013

16

Power analysis of secure boot

Boot with valid flash image

Boot with invalid flash image

time to glitch

17

Other examples

• Side Channel Analysis Reverse Engineering

• Interpretation of SW fuzzing effects

• JTAG password check (or PIN verification)

18

Key recovery with SCA

Part 1: Basics

19

A simple measurement setup

20

21

Zoom-in

22

Experiment: Look-up table

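ldi ZH, high(S<<1)   ; high byte of the table's byte address (immediate load, so ldi rather than mov)
mov ZL, R0           ; low byte of Z = table index a
lpm R0, Z            ; R0 = S(a), read from program memory

.ORG $800
S: .db $63,$7c,$77,…

a → S → S(a)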

23

Hamming weight leakage of S(a)

24

AES-128

a ⊕ k → S → S(a ⊕ k)

25

Step 1: Acquire power traces

[Figure: random input bytes a1, a2, …, aN; 1, 2, 3]

26

Step 2: Predict leakage of guesses for

[Figure: a1, a2, …, aN; 0, 1, …, 255]

27

Step 3: Distinguish the right guess

[Figure: inputs a1, a2, …, aN; guesses 0, 1, …, 255; 1, 2, 3, …; correlation]
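Steps 1 to 3 run end to end on constructed data, as an added example that is not from the original slides. The one-sample simulated "traces" (Hamming weight of S(a ⊕ k) plus Gaussian noise), the key byte 0x2B, the noise level and the masked variant are assumptions; the masked run shows that the same first-order analysis finds nothing once only a randomized share leaks.

```python
import random

def gmul(a, b):  # multiply in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def make_sbox():  # AES S-box: field inverse followed by the affine map
    inv = [0] + [next(y for y in range(1, 256) if gmul(x, y) == 1) for x in range(1, 256)]
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return [v ^ rotl(v, 1) ^ rotl(v, 2) ^ rotl(v, 3) ^ rotl(v, 4) ^ 0x63 for v in inv]

SBOX = make_sbox()
HW = [bin(v).count("1") for v in range(256)]  # Hamming weight table

def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0

def simulate(key, n, sigma, rng, masked=False):
    """Step 1 stand-in: constructed one-sample traces HW(S(a ^ k)) + noise."""
    inputs = [rng.randrange(256) for _ in range(n)]
    leak = []
    for a in inputs:
        v = SBOX[a ^ key]
        if masked:  # assumed first-order Boolean masking: only one share leaks
            v ^= rng.randrange(256)
        leak.append(HW[v] + rng.gauss(0, sigma))
    return inputs, leak

def cpa(inputs, leak):
    """Steps 2 and 3: predict HW for all 256 guesses, rank by |correlation|."""
    scores = [abs(pearson([HW[SBOX[a ^ g]] for a in inputs], leak)) for g in range(256)]
    return max(range(256), key=scores.__getitem__), scores

if __name__ == "__main__":
    rng = random.Random(1)
    for masked in (False, True):
        guess, scores = cpa(*simulate(0x2B, 500, 1.0, rng, masked))
        print(f"masked={masked}: top guess {guess:#04x}, score {max(scores):.3f}")
```

In the masked run the top-ranked guess is arbitrary and its score stays at the noise floor, which is the behaviour an evaluator looks for when checking a masking countermeasure.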

36

37

Key recovery with SCA

Part 2: Complications

38

Choice of side channel

http://www.dailymail.co.uk/news/article-2606972

39

http://www.dailymail.co.uk/news/article-2606972

40

http://news.bbc.co.uk/2/hi/uk_news/england/leicestershire/8447110.stm

41

EM leakage: where to measure?

42

EM leakage: where to measure?

Spectral intensity around 32 MHz

43

EM leakage: where to measure?

Spectral intensity around 64 MHz

Distance between right and wrong key guesses

44

How to trigger?

• If dedicated trigger pin: easy

• Else if there is a pattern:
  – align online (special FPGA solution for triggering on a pattern)
  – or align offline (processing complexity)

• Else attack as is (more traces needed)

45

Misalignment: Spot a pattern

46

Effect of misalignment on DPA

[Figure panels: well aligned traces; misaligned traces]

Leakage spread across k samples → k² times more traces

47

Which target variable?

• SW AES (ATmega): S-box output

• Simple HW AES (ATXmega, 8-bit datapath): S-box_i in XOR S-box_{i+1} in

• Full-blown HW AES (128-bit datapath): state_{n-1} XOR state_n (requires known inputs!)

48

Which leakage model?

• Hamming weight (distance) often works

• More precise model → faster attack

• Tools for leakage modelling:
  – Template attacks (profiling)
  – Linear regression

49

Fitting a leakage model

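$$
\begin{cases}
164 = \beta_{const} + \beta_0 \cdot 0 \\
150 = \beta_{const} + \beta_0 \cdot 1 \\
\quad\vdots \\
180 = \beta_{const} + \beta_0 \cdot 1
\end{cases}
$$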

measured leakage

target variable

predictions

Solution using OLS:

50

Effect of a precise leakage model

[Figure panels: Hamming weight model; model fit using linear regression]
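Fitting a leakage model by OLS and comparing it with the Hamming weight model, as an added example that is not from the original slides. It extends the one-coefficient system shown above to one coefficient per bit of the target variable; that extension, the ground-truth weights, the offset of 150 and the noise level are constructed assumptions, not measured data.

```python
import random

def bits(v):  # bits of an 8-bit target variable, bit 0 first
    return [(v >> i) & 1 for i in range(8)]

def ols(X, y):
    """Solve the normal equations (X^T X) beta = X^T y by Gauss-Jordan elimination."""
    p = len(X[0])
    A = [[sum(r[i] * r[j] for r in X) for j in range(p)]
         + [sum(r[i] * t for r, t in zip(X, y))] for i in range(p)]
    for c in range(p):
        piv = max(range(c, p), key=lambda r: abs(A[r][c]))  # partial pivoting
        A[c], A[piv] = A[piv], A[c]
        for r in range(p):
            if r != c:
                f = A[r][c] / A[c][c]
                A[r] = [u - f * w for u, w in zip(A[r], A[c])]
    return [A[i][p] / A[i][i] for i in range(p)]

def mse(X, y, beta):  # mean squared residual of the fitted model
    return sum((t - sum(b * x for b, x in zip(beta, r))) ** 2
               for r, t in zip(X, y)) / len(y)

# Constructed ground truth: offset plus unequal per-bit weights (assumption)
TRUE_CONST, TRUE_BITS = 150.0, [1.6, 0.4, 1.2, 0.9, 0.2, 1.5, 0.7, 1.1]

def experiment(n=2000, sigma=0.5, seed=3):
    rng = random.Random(seed)
    values = [rng.randrange(256) for _ in range(n)]
    y = [TRUE_CONST + sum(w * b for w, b in zip(TRUE_BITS, bits(v)))
         + rng.gauss(0, sigma) for v in values]          # "measured leakage"
    X_bits = [[1] + bits(v) for v in values]             # beta_const + one beta per bit
    X_hw = [[1, sum(bits(v))] for v in values]           # Hamming weight: one shared beta
    b_bits, b_hw = ols(X_bits, y), ols(X_hw, y)
    return b_bits, mse(X_bits, y, b_bits), mse(X_hw, y, b_hw)

if __name__ == "__main__":
    beta, err_bits, err_hw = experiment()
    print("fitted:", [round(b, 2) for b in beta])
    print(f"residual MSE: per-bit {err_bits:.3f}, Hamming weight {err_hw:.3f}")
```

The per-bit fit leaves only the noise variance as residual, while the Hamming weight model also leaves the spread between the bit weights unexplained; that unexplained part is what costs extra traces.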

51

How to brute force DPA output?

[Figure: ranked values for the candidates of each key byte k1, k2, k3, k4, …, k15, k16]

52

How to brute force DPA output?


• 5-6 candidates per byte full keys (1 day on a desktop PC)

• Solution: key enumeration (e.g. Veyrat-Charvillon et al. @ SAC2012)

• Challenge: memory consumption and therefore speed keys needs 70 GB of RAM and 9 days on a desktop PC


53

Countermeasures

• desynchronize

• shuffle with dummy crypto operations

• masking (split sensitive variables into many)

• limit the number of crypto operations
  smartcards: 65K operations only

• frequent key update

Most patented by CRI

54

55

What makes an attack?

• Factors (according to JHAS*):
  – Time
  – Expertise
  – Equipment
  – Knowledge about the target
  – Number of device samples
  – Samples with known or chosen keys

• Identification ≠ exploitation

* Joint Interpretation Library Hardware Attacks Subgroup

56

Complexity indicators

| Target | Identification | Exploitation |
|---|---|---|
| General-purpose microcontroller | < day | < hour (< thousand traces) |
| SoC without SCA countermeasures | < month | < week (millions of traces) |
| SoC with SCA countermeasures | > month, + advanced SCA skills, + high-end DSO | > month (billions of traces) |

57

Special thanks to my colleagues at Riscure: Job de Haas, Jing Pan, Eloi Sanfèlix, Albert Spruit

Contact: ilya@riscure.com