
Runtime control:

shut down the infrastructure

implant malware -> run botnet

Keys:

- resell content

fuzzing: distinguish between the freezes

JTAG password check: divide and conquer attack

- 1. Side channel analysis: Practice and a bit of theory. Ilya Kizhvatov
- 2. About myself
  - Senior security analyst at Riscure, Delft
  - PhD, University of Luxembourg
  - Diploma in IT security, ФЗИ РГГУ, Moscow
- 3. Side channel analysis in 3 minutes
- 4. http://insidenanabreadshead.com/
- 5. (no text)
- 6. Simple power analysis. https://www.icmag.com/ic/showthread.php?t=217895
- 7. Countermeasure. Cost-effective: saves 150M euro yearly in NL. http://www.deweblogvanhelmond.nl
- 8. Differential power analysis. (Diagram labels: households + + + …, substation, −, Δ ≠ 0?)
- 9. (no text)
- 10. In the remaining 45 minutes: side channel attacks on embedded devices
  - When and where are they applicable?
  - How do they work?
  - What complicates them?
- 11. Embedded devices. How many out of all computing devices are embedded? [1] A. 78% B. 92% C. 98%. Absolute numbers for 2015: 15 billion connected devices [2], 7 billion people in the world.
  - [1] G. Borriello and R. Want. Embedded Computation meets the World Wide Web. Commun. ACM, May 2000
  - [2] John Gantz. The Embedded Internet: Methodology and Findings. IDC, January 2009
- 12. Examples with secure context (code execution, keys): PayTV, smart grid, mobile payment. http://en.wikipedia.org/wiki/File:Mobile_payment_01.jpg
- 13. How to protect keys? Pure software (whitebox crypto). Go hardware. Recent overview: Dmitry Khovratovich @ 30C3
- 14. When SW exploitation is not enough. (Diagram labels: flash; DDR; CPU; secure core (crypto); secure storage (keys); internal ROM; password protection / lock; JTAG, I2C, …; encryption; Ethernet, USB, UART)
- 15. Secure boot: ROM loader, code in flash, public key, signature. Fault injection to skip. But when exactly? Reference: 20 Ways to Bypass Secure Boot: Job de Haas @ HITB KL 2013
- 16. Power analysis of secure boot. (Figure labels: boot with valid flash image; boot with invalid flash image; time to glitch)
- 17. Other examples
  - Side Channel Analysis Reverse Engineering
  - Interpretation of SW fuzzing effects
  - JTAG password check (or PIN verification)
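- 18. Key recovery with SCA. Part 1: Basics
- 19. A simple measurement setup
- 20. (no text)
- 21. Zoom-in
- 22. Experiment: look-up table, $a \to S \to S(a)$

  ```
  ldi ZH, high(S<<1)    ; high byte of the table's byte address (ldi: mov only takes two registers)
  mov ZL, R0            ; low byte of Z = input byte a, held in R0
  lpm R0, Z             ; R0 = S(a), loaded from program memory
  .ORG $800
  S: .db $63,$7c,$77,…
  ```
- 23. Hamming weight leakage of $S(a)$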
- 24. AES-128: $a \oplus k \to S \to S(a \oplus k)$
- 25. Step 1: Acquire power traces 1, 2, 3, … for random input bytes $a_1, a_2, \dots, a_N$
- 26. Step 2: Predict leakage of $S(a \oplus k)$ for inputs $a_1, a_2, \dots, a_N$ under each of the guesses $0, 1, \dots, 255$ for $k$
- 27. Step 3: Distinguish the right guess (predictions for guesses $0, 1, \dots, 255$ and inputs $a_1, a_2, \dots, a_N$ against traces 1, 2, 3, …)
- 28–35. Step 3: Distinguish the right guess (same labels as slide 27, plus: correlation)
- 36. (no text)
- 37. Key recovery with SCA. Part 2: Complications
- 38. Choice of side channel. http://www.dailymail.co.uk/news/article-2606972
- 39. http://www.dailymail.co.uk/news/article-2606972
- 40. http://news.bbc.co.uk/2/hi/uk_news/england/leicestershire/8447110.stm
- 41. EM leakage: where to measure?
- 42. EM leakage: where to measure? Spectral intensity around 32 MHz
- 43. EM leakage: where to measure? Spectral intensity around 64 MHz. Distance between right and wrong key guesses
- 44. How to trigger?
  - If dedicated trigger pin: easy
  - Else if there is a pattern:
    - align online (special FPGA solution for triggering on a pattern)
    - or align offline (processing complexity)
  - Else attack as is (more traces needed)
- 45. Misalignment: spot a pattern
- 46. Effect of misalignment on DPA (well aligned traces vs. misaligned traces). Leakage spread across $k$ samples → $k^2$ times more traces
- 47. Which target variable?
  - SW AES (ATmega): S-box output
  - Simple HW AES (ATXmega, 8-bit datapath): S-box$_i$ input XOR S-box$_{i+1}$ input
  - Full-blown HW AES (128-bit datapath): state$_{n-1}$ XOR state$_n$ (requires known inputs!)
- 48. Which leakage model?
  - Hamming weight (distance) often works
  - More precise model → faster attack
  - Tools for leakage modelling:
    - Template attacks (profiling)
    - Linear regression
- 49. Fitting a leakage model: $l(z) = \beta_{const} + \beta_0 z_0$. Measured leakage on the left, target variable predictions on the right:
  - $164 = \beta_{const} + \beta_0 \cdot 0$
  - $150 = \beta_{const} + \beta_0 \cdot 1$
  - …
  - $180 = \beta_{const} + \beta_0 \cdot 1$

  Solution using OLS: $\beta_{const} = 160.3$, $\beta_0 = 6.3$
- 50. Effect of a precise leakage model (Hamming weight model vs. model fit using linear regression)
- 51. How to brute force DPA output? (Figure: columns of ranked candidate scores for the key bytes $k_1, k_2, k_3, k_4, \dots, k_{15}, k_{16}$)
- 52. How to brute force DPA output?
  - 5-6 candidates per byte → $2^{40}$ full keys (1 day on a desktop PC)
  - Solution: key enumeration (e.g. Veyrat-Charvillon et al. @ SAC2012)
  - Challenge: memory consumption and therefore speed. $2^{40}$ keys need 70 GB of RAM and 9 days on a desktop PC
- 53. Countermeasures
  - desynchronize
  - shuffle with dummy crypto operations
  - masking (split sensitive variables into many)
  - limit the number of crypto operations (smartcards: 65K operations only)
  - frequent key update

  Most patented by CRI
- 54. (no text)
- 55. What makes an attack?
  - Factors (according to JHAS*):
    - Time
    - Expertise
    - Equipment
    - Knowledge about the target
    - Number of device samples
    - Samples with known or chosen keys
  - Identification ≠ exploitation

  \* Joint Interpretation Library Hardware Attacks Subgroup
- 56. Complexity indicators (identification / exploitation)
  - General-purpose microcontroller: identification < day; exploitation < hour (< thousand traces)
  - SoC without SCA countermeasures: identification < month; exploitation < week (millions of traces)
  - SoC with SCA countermeasures: identification > month + advanced SCA skills + high-end DSO; exploitation > month (billions of traces)
- 57. Special thanks to my colleagues at Riscure: Job de Haas, Jing Pan, Eloi Sanfèlix, Albert Spruit. Contact: ilya@riscure.com
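
Steps 1-3 (slides 25-35) and the masking countermeasure (slide 53), as an added example that is not part of the original slides: correlation against Hamming weight predictions of S(a XOR k), run on simulated single-sample traces. The key byte 0x2B, the noise level, the trace count and all function names are assumptions of the example, and the masked target is simplified to leak only the masked S-box output.

```python
import random

def aes_sbox():
    """AES S-box: inverse in GF(2^8), then the affine map (begins 0x63, 0x7c, 0x77)."""
    def mul(x, y):  # multiply modulo x^8 + x^4 + x^3 + x + 1
        r = 0
        while y:
            r ^= x if y & 1 else 0
            x = (x << 1) ^ (0x11B if x & 0x80 else 0)
            y >>= 1
        return r
    box = []
    for a in range(256):
        inv = next((b for b in range(1, 256) if mul(a, b) == 1), 0)
        s = inv ^ 0x63
        for i in range(1, 5):  # XOR in the four left-rotations of inv
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s)
    return box

SBOX = aes_sbox()
HW = [bin(v).count("1") for v in range(256)]  # Hamming weight leakage model

def pearson(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    var = sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y)
    return cov / var ** 0.5 if var else 0.0

def simulate(key, n, masked, rng):
    """Step 1 stand-in (constructed data): one noisy leakage sample per random input."""
    inputs = [rng.randrange(256) for _ in range(n)]
    masks = [rng.randrange(256) if masked else 0 for _ in inputs]  # fresh Boolean mask
    traces = [HW[SBOX[a ^ key] ^ m] + rng.gauss(0, 1.0) for a, m in zip(inputs, masks)]
    return inputs, traces

def cpa(inputs, traces):
    """Steps 2-3: predict HW(S(a XOR k)) for every guess k, rank by |correlation|."""
    scores = [abs(pearson([HW[SBOX[a ^ k]] for a in inputs], traces)) for k in range(256)]
    return sorted(range(256), key=lambda k: -scores[k]), scores

def demo(key=0x2B, n=500, seed=1):  # {label: (rank of true key, its |correlation|)}
    rng, out = random.Random(seed), {}
    for label, masked in (("unprotected", False), ("masked", True)):
        ranking, scores = cpa(*simulate(key, n, masked, rng))
        out[label] = (ranking.index(key), scores[key])
    return out

if __name__ == "__main__":
    print(demo())
```

On the unprotected target the true key byte ranks first; with a fresh mask per operation its first-order correlation falls to the level of the wrong guesses.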
