Lejla Ba na - · PDF fileLejla Ba"na# # Digital*Security*Group* ... channel*security*before*...
56
Introduc)on to physical a2acks: Tamper resistance & Sidechannel analysis basics Lejla Bana Digital Security Group Ins)tute for Compu)ng and Informa)on Sciences (ICIS) Radboud University Nijmegen The Netherlands Hardware Security Zagreb, Croa)a May 23, 2014
Transcript of Lejla Ba na - · PDF fileLejla Ba"na# # Digital*Security*Group* ... channel*security*before*...
Introduc)on to physical a2acks: Tamper resistance &
Side-‐channel analysis basics Lejla Batina
Digital Security Group
Ins)tute for Compu)ng and Informa)on Sciences (ICIS) Radboud University Nijmegen
The Netherlands
Hardware Security Zagreb, Croa)a May 23, 2014
Crypto: theory vs physical reality
power
&ming
sound Algorithms are (supposed to be)
theoretically secure
fault injec&on
Implementations leak in physical world
2
Side-‐channels
R. Anderson and M. Kuhn, P. Kocher, 1996
Outline • RU Nijmegen • Intro: Implementa)on of security vs secure implementa)ons
– Embedded cryptographic devices – Tamper resistance is “problema)c”
• Side-‐channel analysis basics • Power analysis a2acks
– SPA vs DPA – Direct and 2-‐step a2acks
• Other side-‐channels • Countermeasures • A few words about SCA prac)cum
3
Digital Security group
• A part of ICIS – Ins)tute for Compu)ng and Informa)on Sciences
• Research topics: – Applied cryptography – Privacy and iden)ty management – User-‐centric aspects of security – SoYware verifica)on – Quantum logic
My group
Research topics
• Hardware security – Side-‐channel analysis and countermeasures – Fault a2acks
• Machine learning for crypto • Lightweight cryptography
– Protocols – Implementa)ons – Privacy issues
Our network and research partners
COST project TRUDEVICE (2012-2016)
Research projects
" STW project SIDES " NWO project ProFil
NoE
ECRYPT(II) theory
prac*ce
Our lab
!
Introduction
9
Embedded cryptographic devices
Embedded security: -‐ resource limita)on -‐ physical accessibility
10
What do attackers want to achieve?
(In)security for Embedded Systems “Researchers have extracted information from nothing more than the reflection of a computer monitor off an eyeball or the sounds emanating from a printer.” Scientific American, May 2009.
11
More Insecurity for Embedded Systems “Devices That Tell On You: The Nike+iPod Sport Kit” T. Saponas, J. Lester, C. Hartung, T. Kohno h2p://www.cs.washington.edu/research/systems/privacy.html Dec. 2006 -‐ Tracks up to 60 feet = 20 meter (even without iPod) -‐ No privacy measures included
[www.apple.com: nike+ipod]
12
The goals of a2ackers • Secret keys/data • Unauthorized access • IP/piracy • (Loca)on) privacy • (Theore)cal) cryptanalysis [RS01] • Reverse engineering (h2p://www.flylogic.net/blog/) • Finding backdoors in chips [SW12] • …
13
Our scope: Implementa)on A2acks
“Remote keyless entry system for cars and buildings is hacked” March 31, 2008, [EK+08]
-‐ KeeLoq: eavesdropping from up to 100 m -‐ 2 mesages are enough
Even SPA is possible, July 19, 2009, [KK+09] www.crypto.rub.de/keeloq
PS3 hack -‐ ECDSA implementa)on failed -‐ resulted in PS3 master key recovery
Contactless Smartcards with Mifare Classic [KS+10], DESFire, Atmel CryptoMemory [BG+12], etc.
14
Embedded Security We NEED BOTH
• Efficient Implementa)on – Within power, area, )ming budgets – Public-‐key: 1024 bits RSA on 8 bit μC and
100 mW
– Public key: ECC on a passive RFID tag
• Secure (trustworthy) implementa)on – Resistant to a2acks – Ac)ve a2acks: probing, (power) glitches,
JTAG scan chain, cold-‐boot, … – Passive a2acks: power consump)on,
electromagne)c emana)on, sound, temperature, etc.
15
Side-‐channel informa)on: Experiment
• Put 28 EUR in one pot, and 10 EUR in the other
• Mul)ply the content of the blue pot by 10 and the red pot by 7
• Add the results in both pots • Tell me if the sum is odd or even
• Is the answer sufficient to reveal the ini)al content of each pot?
[D. Naccache, A. Shamir]
Experiment (cont‘d) • Normally not
– 28 x 7 + 10 x 10 = 296 (even) – 10 x 7 + 28 x 10 = 350 (even)
• However, compu)ng the first case takes more )me
[D. Naccache, A. Shamir]
Side-‐channel security before • Tempest – known since early 1960s that computers
generate EM radia)on that leaks info about the data being processed – First evidence came out in 1943: an engineer using a Bell
Telephone 131-‐B2 no)ced that a digital oscilloscope spiked for every encrypted le2er
– Declassified in 2008 • In 1965, MI5 put a microphone near the rotor-‐cipher
machine used by the Egyp)an Embassy, the click-‐sound the machine produced was analyzed to deduce the core posi)on of the machines rotors
• First academic publica)ons by Paul Kocher: 1996 ()ming, Koc96) and 1999 (power, KJJ99)
18
Side-‐channel security today
• As a research area took off in the 90’s • First academic publica)ons by Paul Kocher: 1996 ()ming) and 1999 (power), [Koc96, KJJ99]
• Many successful a2acks published on various playorms and real products e.g. KeeLoq [EK+08], CryptoMemory [BG+12], (numerous) contactless cards
• A good business model for security evalua)on labs e.g. Riscure and Brightsight
19
Concepts of side-‐channel leakage
• Side-‐channel leakage is based on (non-‐inten)onal) physical informa)on
• Can enable new kind of a2ack • OYen, op)miza)ons enable leakages
o Cache: faster memory access o Fixed computa)on pa2erns (rounds) o Square vs mul)ply (for RSA)
20
Basic idea
“Breaking into a safe is hard, because one has to solve a single, very hard problem...”
… b r e a k i n g d o w n a problem into two or more sub-problems that are simple enough to be solved directly
21
Side-channel attacks basics
22
Concept: Black box model
Standardized algor)hms are secure
Cryptographic device Plain text Cipher text
23
Side-‐Channel Leakage
• Physical a2acks ≠ Cryptanalysis (gray box, physics) (black box, math) • Does not tackle the algorithm's mathema)cal security
• Timing, Power, EM, Light, Sound, Temperature,… • Observe physical quan))es in the device's vicinity and use
addi)onal informa)on during cryptanalysis • Uninten)onal signals to reconstruct data
Input Output
Leakage
Sources of side-‐channel informa)on • Timing (Kocher 1996), Power (KJJ 1999), EM (UCL & Gemplus
2001, QS01, GMO01) • Temperature (BK+09, Naccache et al.)
– informa)on about the device's malfunc)on leaked-‐out via its temperature
• Light (Markus Kuhn) – Reading CRT-‐displays at a distance – Observing high-‐frequency varia)ons of the light emi2ed
• Sound (Acous)c cryptanalysis Shamir and Tromer) – Dis)nguishing an idle from a busy CPU – Dis)nguish various pa2erns of CPU opera)ons and memory access (RSA
signatures)
• Photonic emissions (SN+13, TU Berlin)
25
Leakage is explorable
• Due to the (dependency of leakages on) sequences of instruc)ons executed
• Due to the data (even sensi)ve!) being processed • Due to other physical effects • …
• And remember:
26
A2ack categories
• Side-‐channel a2acks – use some physical (analog) characteris)c and assume access to it
• Faults – use abnormal condi)ons causing malfunc)ons in the system
• Micro-‐probing – accessing the chip surface directly in order to observe, learn and manipulate the device
• Reverse engineering
27
Taxonomy of Implementa)on A2acks
• Ac)ve versus passive – Ac)ve
• The key is recovered by exploi)ng some abnormal behavior e.g. power glitches or laser pulses
• Inser)on of signals – Passive
• The device operates within its specifica)on • Reading hidden signals
28
Taxonomy of Implementa)on A2acks
• Invasive versus non-‐invasive – Invasive aka expensive: the strongest type e.g. bus
probing – Semi-‐invasive: the device is de-‐packaged but no contact
to the chip e.g. op)cal a2acks that read out memory cells (or faults/glitches by voltage, power supply, clock, EM, etc.)
– Non-‐invasive aka low-‐cost: power/EM measurements – Non-‐invasive: data remanence in memories – cooling
down is increasing the reten)on )me • Side-‐channel a2acks: passive and non-‐invasive
29
Analysis capabili)es
• “Simple” a2acks: one or a few measurements -‐ visual inspec)on
• Differen)al a2acks: mul)ple measurements – Use of sta)s)cs, signal processing, etc.
• Higher order a2acks: n-‐th order is using n different samples
• Combining two or more side-‐channels • Combining side-‐channel a2ack with theore)cal cryptanalysis
30
Devices under a2ack • Smart card • FPGA, ASIC • RFID, PDAs • Phones, USBs • Actual smartcard products
Clock
Meas. VDD
Meas. GND
RS 232 ASIC Trigger
31
Measurement setup
oscilloscope
analyzing device
FPGA
32
Measurement setup -‐ details
• Cryptographic device under a2ack • Power measurement circuit or EM
probe • Power supply and clock generator • Control and analysis soYware • Oscilloscope • PC
Input Crypto
33
Power Analysis: Measurement setup@RU
34
Prac)cal Issues
• Quality of measurements – Noise issues
• Sources: power supply, clock generator • Algorithmic, sampling, external, intrinsic, quan)za)on • Averaging mul)ple observa)ons helps
• Aligning the measurements – Due to )me randomiza)on, permu)ng execu)on or hardware countermeasures
35
Misalignment
36
Power Analysis
• Direct a2acks • Simple Power Analysis (1999) • Differen)al Power Analysis (1999) • Correla)on Power Analysis (2004) • Collision A2acks (2003)
• Two-‐stage a2acks • Template A2acks (2002) • Stochas)c Models (2005) • Linear Regression Analysis (LRA)
• Advanced a2acks: Mutual Informa)on Analysis -‐ MIA (2008), Diff. cluster analysis (2009), PCA (2011), ...
37
Simple Power Analysis (SPA)
38
Simple Power Analysis (SPA)
• Based on one or a few measurements • Mostly discovery of data-‐(in)dependent but instruc)on-‐
dependent proper)es e.g. – Symmetric:
• Number of rounds (resp. key length) • Memory accesses (usually higher power consump)on)
– Asymmetric: • The key (if badly implemented, e.g. RSA / ECC) • Key length • Implementa)on details: for example RSA w/wo CRT
• Search for repe))ve pa2erns
conditional operation
39
Simple Power Analysis (AES)
• What is the key length of this AES implementa)on?
Time axis
40
Simple Power Analysis (AES) • AES is an iterated block cipher 10 rounds => AES-‐128
Time axis
41
Insecure RSA implementa)on
RSA modular exponentiation In: message m,key e(l bits) Output: me mod n
A = 1
for j = l – 1 to 0
A = A2 mod n /* square */ if (bit j of k) is 1 then A = A x m mod n /* multiply */
Return A
j < 0
Loop Init
bit j of k = 1?
A = A x m
j = j - 1
Return A A = A2
Side-Channel
42
• What is the private RSA exponent?
[courtesy: C. Clavier]
Simple Power Analysis (RSA)
43
Simple Power Analysis (RSA)
[courtesy: C. Clavier] 44
Simple Power Analysis
time axis
45
Using SPA to find a good place to a2ack
46
SPA examples -‐ PK
47
ECC Example: Double and Add
Conditional operation: Side Channel
point doubling
point addition
How to prevent this type of leakage?
48
Intro to Sta)c CMOS
• Most popular circuit style! • A power analysis a2ack explores the fact that the instantaneous power cons. depends on the data and instruc)ons being processed
• Power consumed when an output signal switches is much higher
0-‐>0: sta)c (low) 0-‐>1: sta)c + dynamic (high) 1-‐>0: sta)c + dynamic (high) 1-‐>1: sta)c (low)
49
“We don’t understand electricity. We use it.”
-‐ Maya Angelou
Power Models • Hamming distance model
– Counts number of 0-‐>1 and 1-‐>0 transi)ons – Assuming same power consumed for both – Typically for register outputs in ASIC’s – HD(v0, v1)=HW(v0 xor v1) – Requires knowledge of preceding or succeeding v
• Hamming weight model – Typically for pre-‐charged busses
• Weighted Hamming weight/distance model • Signed Hamming distance (0-‐>1 neq 1-‐>0) • Dedicated models for combina)onal circuits
50
Some new directions
51
Conclusions and open problems
• Physical access allows many a2ack paths • Trade-‐offs between assump)ons and computa)onal complexity
• Requires knowledge in many different areas • Combining SCA with theore)cal cryptanalysis
52
SCA: Recent developments
• Theory – Framework for side-‐channel analysis – Leakage resilient crypto
• Prac)ce – Even more advances in a2acks: algorithm specific (combined with cryptanalysis)
– Machine learning methods – Similar techniques apply to traffic analysis – New countermeasures – New models (going sub-‐micron)
53
References and further reading (1/2) • [AK96] R. Anderson and M. Kuhn. “Tamper resistance – a cau)onary
note”. USENIX 1996, h2p://www.cl.cam.ac.uk/~rja14/tamper.html • [Koc96] P. Kocher. “Timing A2acks on Implementa)ons of Diffie-‐Hellman,
RSA, DSS, and Other Systems”. CRYPTO 1996 • [RS01] T. Romer and J.-‐P. Seifert. “Informa)on Leakage A2acks against
Smart Card Implementa)ons of the Ellip)c Curve Digital Signature Algorithm”. E=Smart 2001
• [SW12] Skorobogatov and Woods. “Breakthrough silicon scanning discovers backdoor in military chip” h2p://www.cl.cam.ac.uk/~sps32/ches2012-‐backdoor.pdf CHES 2012.
• [EK+08] T. Eisenbarth et al. “On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoqCode Hopping Scheme”. CRYPTO 2008.
• [KK+09] M. Kasper et al. “Breaking KeeLoq in a Flash: On Extrac)ng Keys at Lightning Speed.” AFRICACRYPT 2009.
References and further reading (2/2) • [KS+10] T. Kasper et al. “All You Can Eat or Breaking a Real-‐World
Contactless Payment System.” Financial Cryptography 2010. • [BG+12] J. Balasch et al. “Power Analysis of Atmel CryptoMemory -‐
Recovering Keys from Secure EEPROMs.” CT-‐RSA 2012. • [KJJ99] P. Kocher, J. Jaffe, B. Jun. “Differen)al Power Analysis”. CRYPTO
1999. • [QS01] J. -‐J. Quisquater and D. Samyde. “ElectroMagne)c Analysis (EMA):
Measures and Counter-‐Measures for Smart Cards”mart 2001. • [GMO01] K. Gandolfi et al. “Electromagne)c Analysis: Concrete Results”.
CHES 2001. • [BK+09] J. Brouchier et al. “Temperature A2acks”. IEEE Security & Privacy
7(2): 79-‐82 (2009) • [SN+13] A. Schlösser et al. “Simple photonic emission analysis of AES. J.
Cryptogra-‐phic Engineering 3(1): 3-‐15 (2013)
Questions?
56
