Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
ID and IP Theft with
Side-Channel Attacks
David Oswald, Ruhr-Uni Bochum
david.oswald@rub.de
Breaking One-Time Password Tok...
2http://fb.com/WorldBeatClubTanzenUndHelfen
3
No, I did not do all this stuff alone
 Christof Paar
 Timo Kasper
 Amir Moradi
 Pawel Swierczynski
 Bastian Richter
4
5
Sabre: Madboy74
6
Ruhr-University Bochum: beautiful.
7
Chameleon Mini
https://github.com/emsec/ChameleonMini
8
Embedded systems
everywhere
10
(The life of) a typical pirate
Pegleg
Eye patch
Pirate hat
Pirate laughter
11
12
13
14
15
Report
flaws
Improve
Implementation Attacks:
…
17Based on Skoborogatov
18
Implementation Attacks: A Short History
 Known for many decades (e.g. TEMPEST)
 Poor understanding prior to 1996
(at ...
19
Side-Channel Attacks:
In a nutshell
20
Principle of Side-Channel Analysis
(here: listen to sound)
A Bank Robbery
21
Principle of Side-Channel Analysis
The world is changing…
22
Principle of Side-Channel Analysis
(Now: measure the power consumption / EM)
The world is changing …
… the tools are, t...
23
Side-Channel Analysis: Leakage
Power consumption / EM depends on
processed data
Data = 1111
Data = 0000
Data = 1010
24
Evaluation Methods: SPA
Simple Power Analysis: Directly analyze (few)
traces, for example RSA:
25
Evaluation Methods: DPA / CPA
Differential Power Analysis
 Detect statistical dependency:
Key guess ⟺ Side-channel
 I...
Implementation Attacks:
From Theory to Practice
28
Theory versus Practice
Academia
 8-bit µC
 Interfaces and
implementation
known / controlled
 Ideal setup
White-box a...
29
Case Studies
Yubikey 2Altera Stratix II
30
Home Port
Bochum
31
FPGA
2013
32
Case Studies
Yubikey 2Altera Stratix II
33
FPGAs widely used in
• Routers
• Consumer products
• Cars
• Military
Problem:
FPGA design (bitstream)
can be easily cop...
34
FPGA 1
Flash
Bitstream
FPGA Power-Up
35
FPGA 1
Flash
Bitstream
FPGA 2
Clone
Problem: IP Theft
36
FPGA 1
Flash
Encrypted
bitstream
Industry‘s Solution
37
FPGA 1
Flash
Encrypted
bitstream
= ?
Industry‘s Solution
38
Related Work
 Bitstream encryption scheme of
several Xilinx product lines broken
– Virtex 2 (3DES)
– Virtex 4 & 5 (AES...
39
What about Altera?
 Target: Stratix II
 Bitstream encryption („design security“)
uses AES w/ 128-bit key
 Side-Chann...
40
Reverse-Engineering
 Reverse-engineer proprietary mechanisms from
Quartus II software
 IDA Pro (disassembler / debugg...
41
KEY1 / KEY2 file
for FPGA
42
Key derivation
real key =
f(KEY1,KEY2)
KEY1 / KEY2 file
for FPGA
43
Why this key derivation?
 Real key cannot be set directly
 Key derivation is performed once when
programming the FPGA...
44
„real key“ = AESKEY1(KEY2)
Is f (KEY1,KEY2) „good“?
45
Good idea?
 In principle: Yes
 But: AES (in this form) is not one-way:
 Pick any KEY1*
 KEY2* = AES-1
KEY1*(real ke...
46
real key =
AESKEY1(KEY2)
KEY1 / KEY2 file
for FPGA
47
real key =
AESKEY1(KEY2) encreal key(...)
KEY1 / KEY2 file
for FPGA
48
Encrypted block i =
AES128real key(IVi)  plain block i
Encryption method:
AES in Counter mode
49
Reverse-Engineering: Summary
 All „obscurity features“ reverse-engineered
 Further details: file format, coding, ...
...
50
Side-Channel
Attack on Stratix II
51
52
Average trace: unencrypted vs. encrypted
53
Average trace: unencrypted vs. encrypted
55
With further experiments
and signal processing ...
56
... we recovered the 128-bit AES key with 30,000
traces (~ 3 hours of measurement)
Key Recovery
57
... and came up with a hypothetical architecture
of the AES engine
Architecture Recovery
58
Management Summary
 Full 128-bit AES key of Stratix II can be
extracted using 30,000 traces (3 hours)
 Key derivation...
59
Secure Bitstream Encryption?
Virtex 2
Virtex 4 and 5
Spartan 6
Altera Stratix II and III
Microsemi ProASIC3
(Skorobogat...
60
By Eva K.
61
62
63
RAID
2013
64
65
Case Studies
Yubikey 2Altera Stratix II
66
Two-Factor Authentication
Past: One factor: Password/PIN
Today: Two factors: Password/PIN and additionally
67
Yubikey 2: Overview
 Simulates USB keyboard
 Generates and enters One-Time
Password (OTP) on button press
 Based on ...
68
Yubikey OTP Generation (1)
...
dhbgnhfhjcrl rgukndgttlehvhetuunugglkfetdegjd
dhbgnhfhjcrl trjddibkbugfhnevdebrddvhhhllu...
69
Yubikey OTP Generation (2)
AES-128
Encryption
Modhex Encoding
?
70
Yubikey Hardware
71
Measurement Setup
 Resistor in USB ground for power measurement
 EM measurement with near-field probe
 Connecting (c...
72
Power vs. EM Measurements
 Trigger on falling edge (Yubikey's LED off)
 EM yields better signal
 AES rounds clearly ...
73
Key Recovery (Power)
 Attacking final AES round
 Power model hi = HW(SBOX-1(Ci  rk))
 ~ 7000 traces needed
 ~ 10.5...
74
Key Recovery (EM)
 Attacking final AES round
 Power model hi = HW(SBOX-1(Ci  rk))
 ~ 700 traces needed
 ~ 1 hour f...
75
Implications
 128-bit AES key of the Yubikey 2 can be recovered
(700 EM measurements = 1 hour physical access)
 Attac...
Responsible Disclosure
When pirates do good ...
77
By RedAndr, Wikimedia Commons
78
79
Responsible Disclosure
 Altera:
– Informed ~ 6 months before
– Acknowledged our results
 Yubikey:
– Informed ~ 9 mont...
Countermeasures
81
Countermeasures
 Implementation attacks: Practical threat, but:
 First line of defense: Classical countermeasures
– S...
82
Different Scenarios, different threats
Yubikey 2
 Time per key: 1 h
 Diversified keys (?)
 Each token: One ID
→ Atta...
83
Thanks for your attention
Questions now?
or later: david.oswald@rub.de
http://fb.com/WorldBeatClubTanzenUndHelfen
Upcoming SlideShare
Loading in …5
×

1300 david oswald id and ip theft with side-channel attacks

1,528 views

Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

1300 david oswald id and ip theft with side-channel attacks

  1. 1. ID and IP Theft with Side-Channel Attacks David Oswald, Ruhr-Uni Bochum david.oswald@rub.de Breaking One-Time Password Tokens and FPGA Bitstream Encryption
  2. 2. 2http://fb.com/WorldBeatClubTanzenUndHelfen
  3. 3. 3 No, I did not do all this stuff alone  Christof Paar  Timo Kasper  Amir Moradi  Pawel Swierczynski  Bastian Richter
  4. 4. 4
  5. 5. 5 Sabre: Madboy74
  6. 6. 6 Ruhr-University Bochum: beautiful.
  7. 7. 7 Chameleon Mini https://github.com/emsec/ChameleonMini
  8. 8. 8
  9. 9. Embedded systems everywhere
  10. 10. 10 (The life of) a typical pirate Pegleg Eye patch Pirate hat Pirate laughter
  11. 11. 11
  12. 12. 12
  13. 13. 13
  14. 14. 14
  15. 15. 15 Report flaws Improve
  16. 16. Implementation Attacks: …
  17. 17. 17Based on Skoborogatov
  18. 18. 18 Implementation Attacks: A Short History  Known for many decades (e.g. TEMPEST)  Poor understanding prior to 1996 (at least outside intelligence agencies)  End 1990s: „golden era“ – Fault attacks (RSA CRT), 1996 – Timing attacks, 1996 – SPA, DPA, 1998  Since 1999: hundreds of research papers
  19. 19. 19 Side-Channel Attacks: In a nutshell
  20. 20. 20 Principle of Side-Channel Analysis (here: listen to sound) A Bank Robbery
  21. 21. 21 Principle of Side-Channel Analysis The world is changing…
  22. 22. 22 Principle of Side-Channel Analysis (Now: measure the power consumption / EM) The world is changing … … the tools are, too.
  23. 23. 23 Side-Channel Analysis: Leakage Power consumption / EM depends on processed data Data = 1111 Data = 0000 Data = 1010
  24. 24. 24 Evaluation Methods: SPA Simple Power Analysis: Directly analyze (few) traces, for example RSA:
  25. 25. 25 Evaluation Methods: DPA / CPA Differential Power Analysis  Detect statistical dependency: Key guess ⟺ Side-channel  Idea: Brute-force w/ additional information  Use a statistical test...
  26. 26. Implementation Attacks: From Theory to Practice
  27. 27. 28 Theory versus Practice Academia  8-bit µC  Interfaces and implementation known / controlled  Ideal setup White-box attack Real World  HW / SW impl.  Interfaces and implementation unknown  Many unknown factors Black-box attack
  28. 28. 29 Case Studies Yubikey 2Altera Stratix II
  29. 29. 30 Home Port Bochum
  30. 30. 31 FPGA 2013
  31. 31. 32 Case Studies Yubikey 2Altera Stratix II
  32. 32. 33 FPGAs widely used in • Routers • Consumer products • Cars • Military Problem: FPGA design (bitstream) can be easily copied FPGAs
  33. 33. 34 FPGA 1 Flash Bitstream FPGA Power-Up
  34. 34. 35 FPGA 1 Flash Bitstream FPGA 2 Clone Problem: IP Theft
  35. 35. 36 FPGA 1 Flash Encrypted bitstream Industry‘s Solution
  36. 36. 37 FPGA 1 Flash Encrypted bitstream = ? Industry‘s Solution
  37. 37. 38 Related Work  Bitstream encryption scheme of several Xilinx product lines broken – Virtex 2 (3DES) – Virtex 4 & 5 (AES256) – Spartan 6 (AES256)  Method: Side-Channel Analysis (SCA)
  38. 38. 39 What about Altera?  Target: Stratix II  Bitstream encryption („design security“) uses AES w/ 128-bit key  Side-Channel Analysis possible?  Problem: Proprietary and undocumented mechanisms for key derivation and for encryption
  39. 39. 40 Reverse-Engineering  Reverse-engineer proprietary mechanisms from Quartus II software  IDA Pro (disassembler / debugger)
  40. 40. 41 KEY1 / KEY2 file for FPGA
  41. 41. 42 Key derivation real key = f(KEY1,KEY2) KEY1 / KEY2 file for FPGA
  42. 42. 43 Why this key derivation?  Real key cannot be set directly  Key derivation is performed once when programming the FPGA  Idea: When real key is extracted, KEY1 and KEY2 cannot be found  Prevent cloning: real key of blank FPGA cannot be set
  43. 43. 44 „real key“ = AESKEY1(KEY2) Is f (KEY1,KEY2) „good“?
  44. 44. 45 Good idea?  In principle: Yes  But: AES (in this form) is not one-way:  Pick any KEY1*  KEY2* = AES-1 KEY1*(real key)  This (KEY1*, KEY2*) leads to same real key
  45. 45. 46 real key = AESKEY1(KEY2) KEY1 / KEY2 file for FPGA
  46. 46. 47 real key = AESKEY1(KEY2) encreal key(...) KEY1 / KEY2 file for FPGA
  47. 47. 48 Encrypted block i = AES128real key(IVi)  plain block i Encryption method: AES in Counter mode
  48. 48. 49 Reverse-Engineering: Summary  All „obscurity features“ reverse-engineered  Further details: file format, coding, ...  Black-box  white box  Side-channel analysis possible (target: 128-bit real key)
  49. 49. 50 Side-Channel Attack on Stratix II
  50. 50. 51
  51. 51. 52 Average trace: unencrypted vs. encrypted
  52. 52. 53 Average trace: unencrypted vs. encrypted
  53. 53. 55 With further experiments and signal processing ...
  54. 54. 56 ... we recovered the 128-bit AES key with 30,000 traces (~ 3 hours of measurement) Key Recovery
  55. 55. 57 ... and came up with a hypothetical architecture of the AES engine Architecture Recovery
  56. 56. 58 Management Summary  Full 128-bit AES key of Stratix II can be extracted using 30,000 traces (3 hours)  Key derivation does not prevent cloning  Proprietary security mechanisms can be reverse-engineered from software  Software reverse-engineering enables hardware attack
  57. 57. 59 Secure Bitstream Encryption? Virtex 2 Virtex 4 and 5 Spartan 6 Altera Stratix II and III Microsemi ProASIC3 (Skorobogatov et al.)
  58. 58. 60 By Eva K.
  59. 59. 61
  60. 60. 62
  61. 61. 63 RAID 2013
  62. 62. 64
  63. 63. 65 Case Studies Yubikey 2Altera Stratix II
  64. 64. 66 Two-Factor Authentication Past: One factor: Password/PIN Today: Two factors: Password/PIN and additionally
  65. 65. 67 Yubikey 2: Overview  Simulates USB keyboard  Generates and enters One-Time Password (OTP) on button press  Based on AES w/ 128-bit key
  66. 66. 68 Yubikey OTP Generation (1) ... dhbgnhfhjcrl rgukndgttlehvhetuunugglkfetdegjd dhbgnhfhjcrl trjddibkbugfhnevdebrddvhhhlluhgh dhbgnhfhjcrl judbdifkcchgjkitgvgvvbinebdigdfd ...
  67. 67. 69 Yubikey OTP Generation (2) AES-128 Encryption Modhex Encoding ?
  68. 68. 70 Yubikey Hardware
  69. 69. 71 Measurement Setup  Resistor in USB ground for power measurement  EM measurement with near-field probe  Connecting (capacitive) button to ground triggers the Yubikey
  70. 70. 72 Power vs. EM Measurements  Trigger on falling edge (Yubikey's LED off)  EM yields better signal  AES rounds clearly visible 1 2 3 4 5 6 7 8 9 10
  71. 71. 73 Key Recovery (Power)  Attacking final AES round  Power model hi = HW(SBOX-1(Ci  rk))  ~ 7000 traces needed  ~ 10.5 hours for data acquisition Byte 1 Byte 2 Byte 8 Byte 9
  72. 72. 74 Key Recovery (EM)  Attacking final AES round  Power model hi = HW(SBOX-1(Ci  rk))  ~ 700 traces needed  ~ 1 hour for data acquisition Byte 1 Byte 2 Byte 8 Byte 9
  73. 73. 75 Implications  128-bit AES key of the Yubikey 2 can be recovered (700 EM measurements = 1 hour physical access)  Attacker can compute OTPs w/o Yubikey  Impersonate user: Username and password still needed  Denial-of-Service: Send an OTP with highly increased useCtr → Improved FW version 2.4 for Yubikey 2
  74. 74. Responsible Disclosure When pirates do good ...
  75. 75. 77 By RedAndr, Wikimedia Commons
  76. 76. 78
  77. 77. 79 Responsible Disclosure  Altera: – Informed ~ 6 months before – Acknowledged our results  Yubikey: – Informed ~ 9 months before – Improved firmware version 2.4  More examples ...
  78. 78. Countermeasures
  79. 79. 81 Countermeasures  Implementation attacks: Practical threat, but:  First line of defense: Classical countermeasures – Secure hardware (certified devices) – Algorithmic level  Second line of defense: System level – Detect: Shadow accounts, logging – Minimize impact (where possible): Key diversification
  80. 80. 82 Different Scenarios, different threats Yubikey 2  Time per key: 1 h  Diversified keys (?)  Each token: One ID → Attack does not scale FPGA  Time per key: 3 h  One key: All IP  Attack one FPGA → Attack scales
  81. 81. 83
  82. 82. Thanks for your attention Questions now? or later: david.oswald@rub.de http://fb.com/WorldBeatClubTanzenUndHelfen

×