1300 david oswald id and ip theft with side-channel attacks

Published in: Technology
  • 2008: Nokia plant closed, approx. 3000 employees gone.
    2015: Opel, with the remaining approx. 5000 employees (of 20,000 back then)

    University is like a ship
  • At this point, opportunity for the blackboard: draw a CMOS inverter (with load capacitance) and explain charging and discharging -> Hamming distance
    HW: Pre-charge buses etc.
  • Experience from case studies: It is not like that...
  • End: Now let's go to the steps required in reality
  • Now, to put the analysis work I did in context -> core of IT security!
  • Typical login form
    Give focus to yubikey field -> press button
  • Constant public ID
    Appended ACTUAL OTP

    Unique, secret ID
    Use Counter, non-volatile, incremented at first OTP generation after power-up
    Timestamp, 8Hz clock, random initialization
    Session Counter, init 0, incremented each OTP
    Random
    CRC16 checksum
  • Modhex encoding -> substitution for hex character

    How can the attacker get the key?
  • We were curious which microcontroller is in it.
    We know the pcb from Youtube video about production
    Opened the case with fuming nitric acid
    Low cost Sunplus IT 8-bit microcontroller
  • To measure you need a reliable trigger -> LED off
    Clear patterns occur 10 times

    Low-pass characteristic

    Peaks start of frame
  • Final round since we only know the ciphertext
    First round input is partially constant -> parts cannot be attacked
    Key candidate
  • Improved by a factor of 10
  • Experience from case studies: It is not like that...
  • 1300 david oswald id and ip theft with side-channel attacks

    1. ID and IP Theft with Side-Channel Attacks. David Oswald, Ruhr-Uni Bochum, david.oswald@rub.de. Breaking One-Time Password Tokens and FPGA Bitstream Encryption
    2. http://fb.com/WorldBeatClubTanzenUndHelfen
    3. No, I did not do all this stuff alone: Christof Paar, Timo Kasper, Amir Moradi, Pawel Swierczynski, Bastian Richter
    5. Sabre: Madboy74
    6. Ruhr-University Bochum: beautiful.
    7. Chameleon Mini https://github.com/emsec/ChameleonMini
    9. Embedded systems everywhere
    10. (The life of) a typical pirate: Pegleg, Eye patch, Pirate hat, Pirate laughter
    15. Report flaws, Improve
    16. Implementation Attacks: …
    17. Based on Skorobogatov
    18. Implementation Attacks: A Short History
        • Known for many decades (e.g. TEMPEST)
        • Poor understanding prior to 1996 (at least outside intelligence agencies)
        • End 1990s: „golden era“
          – Fault attacks (RSA CRT), 1996
          – Timing attacks, 1996
          – SPA, DPA, 1998
        • Since 1999: hundreds of research papers
    19. Side-Channel Attacks: In a nutshell
    20. Principle of Side-Channel Analysis (here: listen to sound): A Bank Robbery
    21. Principle of Side-Channel Analysis: The world is changing…
    22. Principle of Side-Channel Analysis (Now: measure the power consumption / EM): The world is changing … … the tools are, too.
    23. Side-Channel Analysis: Leakage. Power consumption / EM depends on processed data (Data = 1111, Data = 0000, Data = 1010)
    24. Evaluation Methods: SPA. Simple Power Analysis: Directly analyze (few) traces, for example RSA:
    25. Evaluation Methods: DPA / CPA. Differential Power Analysis
        • Detect statistical dependency: Key guess ⟺ Side-channel
        • Idea: Brute-force w/ additional information
        • Use a statistical test...
    26. Implementation Attacks: From Theory to Practice
    27. Theory versus Practice
        • Academia: 8-bit µC; interfaces and implementation known / controlled; ideal setup; white-box attack
        • Real World: HW / SW impl.; interfaces and implementation unknown; many unknown factors; black-box attack
    28. Case Studies: Yubikey 2, Altera Stratix II
    29. Home Port Bochum
    30. FPGA 2013
    31. Case Studies: Yubikey 2, Altera Stratix II
    32. FPGAs
        • FPGAs widely used in: Routers, Consumer products, Cars, Military
        • Problem: FPGA design (bitstream) can be easily copied
    33. FPGA Power-Up (diagram labels: FPGA 1, Flash, Bitstream)
    34. Problem: IP Theft (diagram labels: FPGA 1, Flash, Bitstream, FPGA 2, Clone)
    35. Industry‘s Solution (diagram labels: FPGA 1, Flash, Encrypted bitstream)
    36. Industry‘s Solution (diagram labels: FPGA 1, Flash, Encrypted bitstream, = ?)
    37. Related Work
        • Bitstream encryption scheme of several Xilinx product lines broken
          – Virtex 2 (3DES)
          – Virtex 4 & 5 (AES256)
          – Spartan 6 (AES256)
        • Method: Side-Channel Analysis (SCA)
    38. What about Altera?
        • Target: Stratix II
        • Bitstream encryption („design security“) uses AES w/ 128-bit key
        • Side-Channel Analysis possible?
        • Problem: Proprietary and undocumented mechanisms for key derivation and for encryption
    39. Reverse-Engineering
        • Reverse-engineer proprietary mechanisms from Quartus II software
        • IDA Pro (disassembler / debugger)
    40. KEY1 / KEY2 file for FPGA
    41. Key derivation: real key = f(KEY1, KEY2). KEY1 / KEY2 file for FPGA
    42. Why this key derivation?
        • Real key cannot be set directly
        • Key derivation is performed once when programming the FPGA
        • Idea: When real key is extracted, KEY1 and KEY2 cannot be found
        • Prevent cloning: real key of blank FPGA cannot be set
    43. Is f(KEY1, KEY2) „good“? „real key“ = $\mathrm{AES}_{\mathrm{KEY1}}(\mathrm{KEY2})$
    44. Good idea?
        • In principle: Yes
        • But: AES (in this form) is not one-way:
          – Pick any KEY1*
          – KEY2* = $\mathrm{AES}^{-1}_{\mathrm{KEY1}^*}(\text{real key})$
          – This (KEY1*, KEY2*) leads to same real key
    45. real key = $\mathrm{AES}_{\mathrm{KEY1}}(\mathrm{KEY2})$. KEY1 / KEY2 file for FPGA
    46. real key = $\mathrm{AES}_{\mathrm{KEY1}}(\mathrm{KEY2})$, $\mathrm{enc}_{\text{real key}}(\ldots)$. KEY1 / KEY2 file for FPGA
    47. Encryption method: AES in Counter mode. Encrypted block $i$ = $\mathrm{AES128}_{\text{real key}}(IV_i) \oplus$ plain block $i$
    48. Reverse-Engineering: Summary
        • All „obscurity features“ reverse-engineered
        • Further details: file format, coding, ...
        • Black-box → white box
        • Side-channel analysis possible (target: 128-bit real key)
    49. Side-Channel Attack on Stratix II
    51. Average trace: unencrypted vs. encrypted
    52. Average trace: unencrypted vs. encrypted
    53. With further experiments and signal processing ...
    54. Key Recovery: ... we recovered the 128-bit AES key with 30,000 traces (~ 3 hours of measurement)
    55. Architecture Recovery: ... and came up with a hypothetical architecture of the AES engine
    56. Management Summary
        • Full 128-bit AES key of Stratix II can be extracted using 30,000 traces (3 hours)
        • Key derivation does not prevent cloning
        • Proprietary security mechanisms can be reverse-engineered from software
        • Software reverse-engineering enables hardware attack
    57. Secure Bitstream Encryption? Virtex 2; Virtex 4 and 5; Spartan 6; Altera Stratix II and III; Microsemi ProASIC3 (Skorobogatov et al.)
    58. By Eva K.
    61. RAID 2013
    63. Case Studies: Yubikey 2, Altera Stratix II
    64. Two-Factor Authentication
        • Past: One factor: Password/PIN
        • Today: Two factors: Password/PIN and additionally
    65. Yubikey 2: Overview
        • Simulates USB keyboard
        • Generates and enters One-Time Password (OTP) on button press
        • Based on AES w/ 128-bit key
    66. Yubikey OTP Generation (1)
        ...
        dhbgnhfhjcrl rgukndgttlehvhetuunugglkfetdegjd
        dhbgnhfhjcrl trjddibkbugfhnevdebrddvhhhlluhgh
        dhbgnhfhjcrl judbdifkcchgjkitgvgvvbinebdigdfd
        ...
    67. Yubikey OTP Generation (2) (diagram labels: AES-128 Encryption, Modhex Encoding, ?)
    68. Yubikey Hardware
    69. Measurement Setup
        • Resistor in USB ground for power measurement
        • EM measurement with near-field probe
        • Connecting (capacitive) button to ground triggers the Yubikey
    70. Power vs. EM Measurements
        • Trigger on falling edge (Yubikey's LED off)
        • EM yields better signal
        • AES rounds clearly visible (labelled 1 to 10 in the trace)
    71. Key Recovery (Power)
        • Attacking final AES round
        • Power model $h_i = \mathrm{HW}(\mathrm{SBOX}^{-1}(C_i \oplus rk))$
        • ~ 7000 traces needed
        • ~ 10.5 hours for data acquisition
        • Plots: Byte 1, Byte 2, Byte 8, Byte 9
    72. Key Recovery (EM)
        • Attacking final AES round
        • Power model $h_i = \mathrm{HW}(\mathrm{SBOX}^{-1}(C_i \oplus rk))$
        • ~ 700 traces needed
        • ~ 1 hour for data acquisition
        • Plots: Byte 1, Byte 2, Byte 8, Byte 9
    73. Implications
        • 128-bit AES key of the Yubikey 2 can be recovered (700 EM measurements = 1 hour physical access)
        • Attacker can compute OTPs w/o Yubikey
        • Impersonate user: Username and password still needed
        • Denial-of-Service: Send an OTP with highly increased useCtr
        • → Improved FW version 2.4 for Yubikey 2
    74. Responsible Disclosure: When pirates do good ...
    75. By RedAndr, Wikimedia Commons
    77. Responsible Disclosure
        • Altera:
          – Informed ~ 6 months before
          – Acknowledged our results
        • Yubikey:
          – Informed ~ 9 months before
          – Improved firmware version 2.4
        • More examples ...
    78. Countermeasures
    79. Countermeasures
        • Implementation attacks: Practical threat, but:
        • First line of defense: Classical countermeasures
          – Secure hardware (certified devices)
          – Algorithmic level
        • Second line of defense: System level
          – Detect: Shadow accounts, logging
          – Minimize impact (where possible): Key diversification
    80. Different Scenarios, different threats
        • Yubikey 2: Time per key: 1 h; Diversified keys (?); Each token: One ID; → Attack does not scale
        • FPGA: Time per key: 3 h; One key: All IP; Attack one FPGA; → Attack scales
    81. Thanks for your attention. Questions now? or later: david.oswald@rub.de http://fb.com/WorldBeatClubTanzenUndHelfen
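Added example (not from the talk and not Yubico's code): server-side handling of a decrypted OTP block in the field order given in the notes, with a system-level check that holds an OTP whose useCtr jumps implausibly far instead of advancing the stored counters. The field widths, the CRC residue check, the `MAX_USE_CTR_JUMP` threshold and the hold policy are assumptions; AES decryption is left out and the plaintext blocks are constructed.

```python
import struct

MODHEX = "cbdefghijklnrtuv"   # position in this string = hex digit value

def modhex_decode(s):
    """Undo the Modhex substitution (one Modhex character per hex digit)."""
    return bytes.fromhex("".join("%x" % MODHEX.index(ch) for ch in s))

def split_otp(otp):
    """Constant public ID prefix, then 32 characters carrying the AES block."""
    return modhex_decode(otp[:-32]), modhex_decode(otp[-32:])

def crc16(data):
    """CRC-16 (ISO 13239): a block with an intact checksum gives 0xF0B8."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ (0x8408 if crc & 1 else 0)
    return crc

def parse_block(plain):
    """Decrypted 16 bytes: secret ID, use counter, timestamp, session counter,
    random, CRC16 (field widths are assumed, little-endian)."""
    uid, use_ctr, ts_lo, ts_hi, sess_ctr, _rnd, _crc = struct.unpack("<6sHHBBHH", plain)
    return {"uid": uid, "use_ctr": use_ctr, "sess_ctr": sess_ctr,
            "timestamp": ts_hi << 16 | ts_lo, "crc_ok": crc16(plain) == 0xF0B8}

MAX_USE_CTR_JUMP = 50   # assumed policy: power-ups plausible between two logins

def validate(state, plain):
    """state = {'uid': bytes, 'last': (use_ctr, sess_ctr)} stored per token."""
    f = parse_block(plain)
    if not f["crc_ok"] or f["uid"] != state["uid"]:
        return "reject"
    now = (f["use_ctr"], f["sess_ctr"])
    if now <= state["last"]:
        return "replay"
    if f["use_ctr"] - state["last"][0] > MAX_USE_CTR_JUMP:
        return "hold"        # log and review; stored counters are NOT advanced
    state["last"] = now
    return "accept"

def make_block(uid, use_ctr, ts, sess_ctr, rnd):
    """Build a constructed plaintext block with a valid checksum (sample input)."""
    body = struct.pack("<6sHHBBH", uid, use_ctr, ts & 0xFFFF, ts >> 16, sess_ctr, rnd)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)
```

Because a held OTP leaves the stored counters untouched, the genuine token's next OTP is still accepted while the jump is reviewed.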
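Added example, not code from the talk: a simulation of the power model h_i = HW(SBOX^-1(C_i xor rk)) from the Key Recovery slides, run on constructed traces with and without a fresh random mask per execution, to show how the correlation a leakage assessment looks for disappears under masking. Masking is assumed here as one algorithmic-level countermeasure; the key byte, noise level and trace count are made up.

```python
import random

def build_inv_sbox():
    """Generate the AES S-box algebraically and return its inverse table."""
    rotl = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    sbox, p, q = [0x63] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p * 3 in GF(2^8)
        for s in (1, 2, 4):                                      # q / 3 in GF(2^8)
            q ^= q << s
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    inv = [0] * 256
    for i, s in enumerate(sbox):
        inv[s] = i
    return inv

INV_SBOX = build_inv_sbox()
HW = [bin(x).count("1") for x in range(256)]       # Hamming weight table

def simulate(rk, n, sigma, masked, rng):
    """Constructed traces: (ciphertext byte, one noisy leakage sample) pairs."""
    out = []
    for _ in range(n):
        c = rng.randrange(256)
        v = INV_SBOX[c ^ rk]                       # final-round S-box input
        if masked:
            v ^= rng.randrange(256)                # fresh mask every execution
        out.append((c, HW[v] + rng.gauss(0, sigma)))
    return out

def pearson(xs, ys):
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5

def cpa(traces):
    """Correlate every key-byte guess with the leakage; return (best, all)."""
    leak = [l for _, l in traces]
    corr = {g: pearson([HW[INV_SBOX[c ^ g]] for c, _ in traces], leak)
            for g in range(256)}
    return max(corr, key=lambda g: abs(corr[g])), corr
```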
