1300 David Oswald: ID and IP Theft with Side-Channel Attacks
Notes
  • 2008: Nokia plant closed, approx. 3000 employees gone.
    2015: Opel with the remaining (of the former 20,000) approx. 5000 employees

    University is like a ship
  • At this point, opportunity for the blackboard: draw a CMOS inverter (with load capacitance) and explain the recharging -> Hamming distance
    HW: pre-charge buses etc.
  • Experience from the case studies: it is not like that...
  • End: Now let's go to the steps required in reality
  • Now, to put the analysis work I did in context -> core of IT security!
  • Typical login form
    Give focus to yubikey field -> press button
  • Constant public ID
    Appended ACTUAL OTP

    Unique, secret ID
    Use Counter, non-volatile, incremented at first OTP generation after power-up
    Timestamp, 8Hz clock, random initialization
    Session Counter, init 0, incremented each OTP
    Random
    CRC16 checksum
  • Modhex encoding -> substitution for hex characters

    How can the attacker get the key?
  • We were curious which microcontroller is in it.
    We know the pcb from Youtube video about production
    Opened the case with fuming nitric acid
    Low cost Sunplus IT 8-bit microcontroller
  • To measure you need a reliable trigger -> LED off
    Clear patterns occur 10 times

    Low-pass characteristic

    Peaks start of frame
  • Final round since we only know the ciphertext
    First round input is partially constant -> parts cannot be attacked
    Key candidate
  • Improved by a factor of 10
  • Transcript

    • 1. ID and IP Theft with Side-Channel Attacks David Oswald, Ruhr-Uni Bochum david.oswald@rub.de Breaking One-Time Password Tokens and FPGA Bitstream Encryption
    • 2. 2http://fb.com/WorldBeatClubTanzenUndHelfen
    • 3. 3 No, I did not do all this stuff alone • Christof Paar • Timo Kasper • Amir Moradi • Pawel Swierczynski • Bastian Richter
    • 4. 4
    • 5. 5 Sabre: Madboy74
    • 6. 6 Ruhr-University Bochum: beautiful.
    • 7. 7 Chameleon Mini https://github.com/emsec/ChameleonMini
    • 8. 8
    • 9. Embedded systems everywhere
    • 10. 10 (The life of) a typical pirate Pegleg Eye patch Pirate hat Pirate laughter
    • 11. 11
    • 12. 12
    • 13. 13
    • 14. 14
    • 15. 15 Report flaws Improve
    • 16. Implementation Attacks: …
    • 17. 17 Based on Skorobogatov
    • 18. 18 Implementation Attacks: A Short History • Known for many decades (e.g. TEMPEST) • Poor understanding prior to 1996 (at least outside intelligence agencies) • End 1990s: „golden era“ – Fault attacks (RSA CRT), 1996 – Timing attacks, 1996 – SPA, DPA, 1998 • Since 1999: hundreds of research papers
    • 19. 19 Side-Channel Attacks: In a nutshell
    • 20. 20 Principle of Side-Channel Analysis (here: listen to sound) A Bank Robbery
    • 21. 21 Principle of Side-Channel Analysis The world is changing…
    • 22. 22 Principle of Side-Channel Analysis (Now: measure the power consumption / EM) The world is changing … … the tools are, too.
    • 23. 23 Side-Channel Analysis: Leakage Power consumption / EM depends on processed data Data = 1111 Data = 0000 Data = 1010
    • 24. 24 Evaluation Methods: SPA Simple Power Analysis: Directly analyze (few) traces, for example RSA:
    • 25. 25 Evaluation Methods: DPA / CPA Differential Power Analysis • Detect statistical dependency: Key guess ⟺ Side-channel • Idea: Brute-force w/ additional information • Use a statistical test...
    • 26. Implementation Attacks: From Theory to Practice
    • 27. 28 Theory versus Practice Academia • 8-bit µC • Interfaces and implementation known / controlled • Ideal setup White-box attack Real World • HW / SW impl. • Interfaces and implementation unknown • Many unknown factors Black-box attack
    • 28. 29 Case Studies Yubikey 2 • Altera Stratix II
    • 29. 30 Home Port Bochum
    • 30. 31 FPGA 2013
    • 31. 32 Case Studies Yubikey 2 • Altera Stratix II
    • 32. 33 FPGAs widely used in • Routers • Consumer products • Cars • Military Problem: FPGA design (bitstream) can be easily copied FPGAs
    • 33. 34 FPGA 1 Flash Bitstream FPGA Power-Up
    • 34. 35 FPGA 1 Flash Bitstream FPGA 2 Clone Problem: IP Theft
    • 35. 36 FPGA 1 Flash Encrypted bitstream Industry‘s Solution
    • 36. 37 FPGA 1 Flash Encrypted bitstream = ? Industry‘s Solution
    • 37. 38 Related Work • Bitstream encryption scheme of several Xilinx product lines broken – Virtex 2 (3DES) – Virtex 4 & 5 (AES256) – Spartan 6 (AES256) • Method: Side-Channel Analysis (SCA)
    • 38. 39 What about Altera? • Target: Stratix II • Bitstream encryption („design security“) uses AES w/ 128-bit key • Side-Channel Analysis possible? • Problem: Proprietary and undocumented mechanisms for key derivation and for encryption
    • 39. 40 Reverse-Engineering • Reverse-engineer proprietary mechanisms from Quartus II software • IDA Pro (disassembler / debugger)
    • 40. 41 KEY1 / KEY2 file for FPGA
    • 41. 42 Key derivation real key = f(KEY1,KEY2) KEY1 / KEY2 file for FPGA
    • 42. 43 Why this key derivation? • Real key cannot be set directly • Key derivation is performed once when programming the FPGA • Idea: When real key is extracted, KEY1 and KEY2 cannot be found • Prevent cloning: real key of blank FPGA cannot be set
    • 43. 44 „real key“ = AES_KEY1(KEY2) Is f(KEY1,KEY2) „good“?
    • 44. 45 Good idea? • In principle: Yes • But: AES (in this form) is not one-way: • Pick any KEY1* • KEY2* = AES^-1_KEY1*(real key) • This (KEY1*, KEY2*) leads to same real key
    • 45. 46 real key = AES_KEY1(KEY2) KEY1 / KEY2 file for FPGA
    • 46. 47 real key = AES_KEY1(KEY2) enc_real key(...) KEY1 / KEY2 file for FPGA
    • 47. 48 Encrypted block i = AES128_real key(IV_i) ⊕ plain block i Encryption method: AES in Counter mode
    • 48. 49 Reverse-Engineering: Summary • All „obscurity features“ reverse-engineered • Further details: file format, coding, ... • Black-box → white-box • Side-channel analysis possible (target: 128-bit real key)
    • 49. 50 Side-Channel Attack on Stratix II
    • 50. 51
    • 51. 52 Average trace: unencrypted vs. encrypted
    • 52. 53 Average trace: unencrypted vs. encrypted
    • 53. 55 With further experiments and signal processing ...
    • 54. 56 ... we recovered the 128-bit AES key with 30,000 traces (~ 3 hours of measurement) Key Recovery
    • 55. 57 ... and came up with a hypothetical architecture of the AES engine Architecture Recovery
    • 56. 58 Management Summary • Full 128-bit AES key of Stratix II can be extracted using 30,000 traces (3 hours) • Key derivation does not prevent cloning • Proprietary security mechanisms can be reverse-engineered from software • Software reverse-engineering enables hardware attack
    • 57. 59 Secure Bitstream Encryption? Virtex 2 Virtex 4 and 5 Spartan 6 Altera Stratix II and III Microsemi ProASIC3 (Skorobogatov et al.)
    • 58. 60 By Eva K.
    • 59. 61
    • 60. 62
    • 61. 63 RAID 2013
    • 62. 64
    • 63. 65 Case Studies Yubikey 2 • Altera Stratix II
    • 64. 66 Two-Factor Authentication Past: One factor: Password/PIN Today: Two factors: Password/PIN and additionally
    • 65. 67 Yubikey 2: Overview • Simulates USB keyboard • Generates and enters One-Time Password (OTP) on button press • Based on AES w/ 128-bit key
    • 66. 68 Yubikey OTP Generation (1) ... dhbgnhfhjcrl rgukndgttlehvhetuunugglkfetdegjd dhbgnhfhjcrl trjddibkbugfhnevdebrddvhhhlluhgh dhbgnhfhjcrl judbdifkcchgjkitgvgvvbinebdigdfd ...
    • 67. 69 Yubikey OTP Generation (2) AES-128 Encryption Modhex Encoding ?
    • 68. 70 Yubikey Hardware
    • 69. 71 Measurement Setup • Resistor in USB ground for power measurement • EM measurement with near-field probe • Connecting (capacitive) button to ground triggers the Yubikey
    • 70. 72 Power vs. EM Measurements • Trigger on falling edge (Yubikey's LED off) • EM yields better signal • AES rounds clearly visible 1 2 3 4 5 6 7 8 9 10
    • 71. 73 Key Recovery (Power) • Attacking final AES round • Power model h_i = HW(SBOX^-1(C_i ⊕ rk)) • ~ 7000 traces needed • ~ 10.5 hours for data acquisition Byte 1 Byte 2 Byte 8 Byte 9
    • 72. 74 Key Recovery (EM) • Attacking final AES round • Power model h_i = HW(SBOX^-1(C_i ⊕ rk)) • ~ 700 traces needed • ~ 1 hour for data acquisition Byte 1 Byte 2 Byte 8 Byte 9
    • 73. 75 Implications • 128-bit AES key of the Yubikey 2 can be recovered (700 EM measurements = 1 hour physical access) • Attacker can compute OTPs w/o Yubikey • Impersonate user: Username and password still needed • Denial-of-Service: Send an OTP with highly increased useCtr → Improved FW version 2.4 for Yubikey 2
    • 74. Responsible Disclosure When pirates do good ...
    • 75. 77 By RedAndr, Wikimedia Commons
    • 76. 78
    • 77. 79 Responsible Disclosure • Altera: – Informed ~ 6 months before – Acknowledged our results • Yubikey: – Informed ~ 9 months before – Improved firmware version 2.4 • More examples ...
    • 78. Countermeasures
    • 79. 81 Countermeasures • Implementation attacks: Practical threat, but: • First line of defense: Classical countermeasures – Secure hardware (certified devices) – Algorithmic level • Second line of defense: System level – Detect: Shadow accounts, logging – Minimize impact (where possible): Key diversification
    • 80. 82 Different Scenarios, different threats Yubikey 2 • Time per key: 1 h • Diversified keys (?) • Each token: One ID → Attack does not scale FPGA • Time per key: 3 h • One key: All IP • Attack one FPGA → Attack scales
    • 81. 83
    • 82. Thanks for your attention Questions now? or later: david.oswald@rub.de http://fb.com/WorldBeatClubTanzenUndHelfen
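The argument of slides 44 and 45 worked through in code, as an added example that is not part of the talk: the Stratix II derivation real key = AES_KEY1(KEY2) is a block-cipher encryption, so whoever holds the extracted real key can choose an arbitrary KEY1* and decrypt to obtain a KEY2* that derives the same real key. The derivation therefore provides no one-wayness and does not stop a blank FPGA from being programmed with the same key; a one-way function would have been needed for that. Function names are mine and all key values are constructed samples.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// DeriveRealKey models the derivation from slide 44: real key = AES_KEY1(KEY2),
// a single AES-128 block encryption of KEY2 under KEY1.
func DeriveRealKey(key1, key2 []byte) []byte {
	c, err := aes.NewCipher(key1)
	if err != nil {
		panic(err) // inputs in this example are always 16 bytes
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, key2)
	return out
}

// SecondPreimage is the observation of slide 45: given the real key, pick ANY key1Star
// and compute key2Star = AES^-1_key1Star(real key). The pair (key1Star, key2Star) then
// derives the very same real key, so the derivation hides nothing once the real key leaks.
func SecondPreimage(realKey, key1Star []byte) []byte {
	c, err := aes.NewCipher(key1Star)
	if err != nil {
		panic(err)
	}
	key2Star := make([]byte, aes.BlockSize)
	c.Decrypt(key2Star, realKey)
	return key2Star
}

func main() {
	// Constructed sample values, not real Altera key material.
	key1 := bytes.Repeat([]byte{0x11}, 16)
	key2 := bytes.Repeat([]byte{0x22}, 16)
	realKey := DeriveRealKey(key1, key2)

	key1Star := bytes.Repeat([]byte{0xAB}, 16) // arbitrary choice by whoever holds realKey
	key2Star := SecondPreimage(realKey, key1Star)
	fmt.Printf("real key        : %x\n", realKey)
	fmt.Printf("(KEY1*, KEY2*)  : %x, %x\n", key1Star, key2Star)
	fmt.Printf("same real key   : %v\n", bytes.Equal(DeriveRealKey(key1Star, key2Star), realKey)) // true
}
```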

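Server-side validation of the OTP structure described in the notes and on slides 66 to 69, as an added example that is neither the talk's nor Yubico's code: decrypt one OTP block with the token's AES-128 key, check the CRC16 and the secret ID, and reject any OTP whose use counter / session counter does not exceed the last accepted pair. The slides list the fields but not their sizes; the 16-byte little-endian layout and the CRC parameters are taken from Yubico's public reference implementation and are an assumption of this example, and the key, UID and counter values are constructed.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)
// crc16 is the CRC-16 of the Yubico reference code (reflected poly 0x8408, init 0xffff, as in RFC 1662):
// run over all 16 token bytes, CRC field included, an intact token leaves the constant residue 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, x := range b {
		crc ^= uint16(x)
		for j := 0; j < 8; j++ { crc = crc>>1 ^ (0x8408 & -(crc & 1)) } // shift; XOR the polynomial in if the LSB was set
	}
	return crc
}

// Validate decrypts one OTP block with the token's AES-128 key, checks CRC and secret ID, and rejects any OTP
// whose (useCtr, sessionCtr) does not exceed the last accepted value (replayed or stale). Layout assumed from the
// Yubico reference code: uid[0:6] useCtr[6:8] tstamp[8:11] sessCtr[11] rnd[12:14] crc[14:16], little-endian.
func Validate(c cipher.Block, otp []byte, uid [6]byte, last uint32) (uint32, error) {
	pt := make([]byte, 16)
	c.Decrypt(pt, otp)
	if crc16(pt) != 0xf0b8 || string(pt[:6]) != string(uid[:]) {
		return 0, fmt.Errorf("bad CRC or secret ID: wrong key or corrupted OTP")
	}
	seq := uint32(binary.LittleEndian.Uint16(pt[6:8]))<<8 | uint32(pt[11]) // useCtr is the high-order part
	if seq <= last {
		return 0, fmt.Errorf("counter not increasing (%d <= %d): replay or stale OTP", seq, last)
	}
	return seq, nil
}

// MakeOTP builds and encrypts a token the way the Yubikey does on button press (sample input only).
func MakeOTP(c cipher.Block, uid [6]byte, useCtr uint16, sess uint8) []byte {
	pt := append(uid[:], make([]byte, 10)...) // exceeds cap 6, so a fresh 16-byte buffer starting with the uid
	binary.LittleEndian.PutUint16(pt[6:], useCtr)
	pt[11] = sess
	binary.LittleEndian.PutUint16(pt[14:], ^crc16(pt[:14])) // CRC stored inverted, like an HDLC FCS
	c.Encrypt(pt, pt) // in place: dst and src overlap entirely, which cipher.Block permits
	return pt
}

func main() {
	c, _ := aes.NewCipher([]byte("constructed-key!")) // constructed 16-byte sample key, not a real token key
	uid := [6]byte{1, 2, 3, 4, 5, 6}
	fmt.Println(Validate(c, MakeOTP(c, uid, 7, 1), uid, 6<<8))   // 1793 <nil>: fresh OTP (useCtr 7, sessionCtr 1) accepted
	fmt.Println(Validate(c, MakeOTP(c, uid, 7, 1), uid, 7<<8|1)) // the same OTP presented again: rejected
}
```

The same high-water-mark comparison is what the denial of service on slide 75 turns against the user: one forged OTP with a very high useCtr moves the stored mark, and every genuine OTP after it fails this check.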