
Side Channel Analysis: Practice and a Bit of Theory


  1. Side channel analysis: Practice and a bit of theory. Ilya Kizhvatov
  2. About myself • Senior security analyst at Riscure, Delft • PhD, University of Luxembourg • Diploma in IT security, ФЗИ РГГУ, Moscow
  3. Side channel analysis in 3 minutes
  4. http://insidenanabreadshead.com/
  6. Simple power analysis https://www.icmag.com/ic/showthread.php?t=217895
  7. Countermeasure. Cost-effective: saves 150M euro yearly in NL. http://www.deweblogvanhelmond.nl
  8. Differential power analysis (diagram: substation; households + + + …; difference ∆ ≠ 0?)
  10. In the remaining 45 minutes: Side channel attacks on embedded devices • When and where are they applicable? • How do they work? • What complicates them?
  11. Embedded devices. How many out of all computing devices are embedded? A. 78% B. 92% C. 98%. Absolute numbers for 2015: 15 billion connected devices [2], 7 billion people in the world [1]. References: [1] G. Borriello and R. Want. Embedded Computation meets the World Wide Web. Commun. ACM, May 2000. [2] John Gantz. The Embedded Internet: Methodology and Findings. IDC, January 2009.
  12. Examples with secure context (code execution, keys): PayTV, Smart grid, Mobile payment. http://en.wikipedia.org/wiki/File:Mobile_payment_01.jpg
  13. How to protect keys? Pure software (whitebox crypto); go hardware. Recent overview: Dmitry Khovratovich @ 30C3
  14. When SW exploitation is not enough. Diagram labels: flash; DDR; CPU; secure core (crypto); secure storage (keys); internal ROM; password protection / lock; JTAG, I2C, …; encryption; Ethernet, USB, UART
  15. Secure boot. Diagram labels: ROM loader; code in flash; public key; signature. Fault injection to skip. But when exactly? Reference: 20 Ways to Bypass Secure Boot, Job de Haas @ HITB KL 2013
  16. Power analysis of secure boot. Figure labels: boot with valid flash image; boot with invalid flash image; time to glitch
  17. Other examples • Side Channel Analysis Reverse Engineering • Interpretation of SW fuzzing effects • JTAG password check (or PIN verification)
  18. Key recovery with SCA. Part 1: Basics
  19. A simple measurement setup
  21. Zoom-in
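  22. Experiment: Look-up table ($a \to S \to S(a)$)
        ldi ZH, high(S<<1)   ; high byte of Z = byte address of table S (ldi: mov cannot load a constant)
        mov ZL, R0           ; low byte of Z = table index a
        lpm R0, Z            ; R0 = S(a), read from program memory
        .ORG $800
        S: .db $63,$7c,$77,…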
  23. Hamming weight leakage of $S(a)$
  24. AES-128: $a \oplus k \to S \to S(a \oplus k)$
  25. Step 1: Acquire power traces 1, 2, 3, … for random input bytes $a_1, a_2, \dots, a_N$
  26. Step 2: Predict leakage of $S(a \oplus k)$ for inputs $a_1, a_2, \dots, a_N$ and guesses for $k$: 0, 1, …, 255
  27. Step 3: Distinguish the right guess (diagram: inputs $a_1, a_2, \dots, a_N$; guesses 0, 1, …, 255; traces 1, 2, 3, …)
  28–35. Step 3: Distinguish the right guess (diagram: inputs $a_1, a_2, \dots, a_N$; guesses 0, 1, …, 255; traces 1, 2, 3, …; correlation)
  37. Key recovery with SCA. Part 2: Complications
  38. Choice of side channel http://www.dailymail.co.uk/news/article-2606972
  39. http://www.dailymail.co.uk/news/article-2606972
  40. http://news.bbc.co.uk/2/hi/uk_news/england/leicestershire/8447110.stm
  41. EM leakage: where to measure?
  42. EM leakage: where to measure? Spectral intensity around 32 MHz
  43. EM leakage: where to measure? Spectral intensity around 64 MHz. Distance between right and wrong key guesses
  44. How to trigger? • If dedicated trigger pin: easy • Else if there is a pattern: – align online (special FPGA solution for triggering on a pattern) – or align offline (processing complexity) • Else attack as is (more traces needed)
  45. Misalignment: Spot a pattern
  46. Effect of misalignment on DPA (figure: well aligned traces; misaligned traces). Leakage spread across $k$ samples → $k^2$ times more traces
  47. Which target variable? • SW AES (ATmega): S-box output • Simple HW AES (ATXmega, 8-bit datapath): S-box$_i$ in XOR S-box$_{i+1}$ in • Full-blown HW AES (128-bit datapath): state$_{n-1}$ XOR state$_n$ (requires known inputs!)
  48. Which leakage model? • Hamming weight (distance) often works • More precise model → faster attack • Tools for leakage modelling: – Template attacks (profiling) – Linear regression
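  49. Fitting a leakage model: $l(z) = \beta_{\mathrm{const}} + \beta_0 z_0$. Measured leakage on the left, target variable predictions on the right: $164 = \beta_{\mathrm{const}} + \beta_0 \cdot 0$, $150 = \beta_{\mathrm{const}} + \beta_0 \cdot 1$, …, $180 = \beta_{\mathrm{const}} + \beta_0 \cdot 1$. Solution using OLS: $\beta_{\mathrm{const}} = 160.3$, $\beta_0 = 6.3$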
  50. Effect of a precise leakage model (figure panels: Hamming weight model; model fit using linear regression)
  51. How to brute force DPA output? (figure: ranked candidate scores for each key byte $k_1, k_2, k_3, k_4, \dots, k_{15}, k_{16}$)
  52. How to brute force DPA output? (figure: ranked candidate scores for each key byte $k_1, k_2, k_3, k_4, \dots, k_{15}, k_{16}$) • 5-6 candidates per byte → $2^{40}$ full keys (1 day on a desktop PC) • Solution: key enumeration (e.g. Veyrat-Charvillon et al. @ SAC2012) • Challenge: memory consumption and therefore speed: $2^{40}$ keys need 70 GB of RAM and 9 days on a desktop PC
  53. Countermeasures • desynchronize • shuffle with dummy crypto operations • masking (split sensitive variables into many) • limit the number of crypto operations (smartcards: 65K operations only) • frequent key update. Most patented by CRI
  55. What makes an attack? • Factors (according to JHAS*): – Time – Expertise – Equipment – Knowledge about the target – Number of device samples – Samples with known or chosen keys • Identification ≠ exploitation. * Joint Interpretation Library Hardware Attacks Subgroup
  56. Complexity indicators (identification / exploitation) • General-purpose microcontroller: identification < day; exploitation < hour (< thousand traces) • SoC without SCA countermeasures: identification < month; exploitation < week (millions of traces) • SoC with SCA countermeasures: identification > month + advanced SCA skills + high-end DSO; exploitation > month (billions of traces)
  57. Special thanks to my colleagues at Riscure: Job de Haas, Jing Pan, Eloi Sanfèlix, Albert Spruit. Contact: ilya@riscure.com
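
Steps 1 to 3 of the key-recovery slides and the masking countermeasure from the countermeasures slide, worked through on simulated data as an added example (not code from the slides or from Riscure). Assumptions: each constructed trace is a single sample equal to the Hamming weight of the S-box output plus Gaussian noise, the key byte 0x2B and all function names are illustrative, and the masked run samples only the masked value.

```python
import random

def aes_sbox():
    """Build the AES S-box: inverse in GF(2^8) followed by the affine map."""
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    box, p, q = [0x63] + [0] * 255, 1, 1
    while True:
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)  # p *= 3
        q ^= q << 1                                            # q /= 3
        q ^= q << 2
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        box[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            return box

SBOX = aes_sbox()
HW = [bin(v).count("1") for v in range(256)]  # Hamming weight table

def pearson(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    var = sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y)
    return cov / var ** 0.5

def acquire(key, n, masked, rng, noise=1.0):
    """Step 1, simulated: one constructed leakage sample per random input byte."""
    inputs = [rng.randrange(256) for _ in range(n)]
    traces = []
    for a in inputs:
        mask = rng.randrange(256) if masked else 0  # fresh random mask per run
        traces.append(HW[SBOX[a ^ key] ^ mask] + rng.gauss(0, noise))
    return inputs, traces

def cpa(inputs, traces):
    """Steps 2 and 3: predict HW(S(a ^ k)) per guess, rank by |correlation|."""
    scores = [abs(pearson([HW[SBOX[a ^ k]] for a in inputs], traces))
              for k in range(256)]
    return max(range(256), key=scores.__getitem__), scores

def evaluate(key=0x2B, n=400, seed=1):
    """Return (best guess, correlation of true key, peak correlation when masked)."""
    rng = random.Random(seed)
    best, scores = cpa(*acquire(key, n, False, rng))
    _, masked_scores = cpa(*acquire(key, n, True, rng))
    return best, scores[key], max(masked_scores)

if __name__ == "__main__":
    print(evaluate())
```

With the unmasked leakage the correct guess stands far above the other 255; with a fresh mask per operation no guess rises above the noise floor of this first-order test.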
