Side Channel Analysis: Practice and a Bit of Theory

  • PayTV – Conditional Access
    Runtime control:
    - shut down the infrastructure
    - implant malware -> run botnet
    Keys:
    - resell content
  • side channel disassembler
    fuzzing: distinguish between the freezes
    JTAG password check: divide and conquer attack
  • 9 (nine) different traces, 9!
  • - lack harmonics
  • R2 – coefficient of determination
  • 7 times fewer traces! Week -> day.

    1. Side channel analysis: Practice and a bit of theory. Ilya Kizhvatov
    2. About myself
        • Senior security analyst at Riscure, Delft
        • PhD, University of Luxembourg
        • Diploma in IT security, ФЗИ РГГУ, Moscow
    3. Side channel analysis in 3 minutes
    4. http://insidenanabreadshead.com/
    6. Simple power analysis. https://www.icmag.com/ic/showthread.php?t=217895
    7. Countermeasure. Cost-effective: saves 150M euro yearly in NL. http://www.deweblogvanhelmond.nl
    8. Differential power analysis: substation – (households + + + …): ∆ ≠ 0?
    10. In the remaining 45 minutes: side channel attacks on embedded devices
        • When and where are they applicable?
        • How do they work?
        • What complicates them?
    11. Embedded devices. How many out of all computing devices are embedded? [1] A. 78% B. 92% C. 98%. Absolute numbers for 2015: 15 billion connected devices [2], 7 billion people in the world.
        [1] G. Borriello and R. Want. Embedded Computation meets the World Wide Web. Commun. ACM, May 2000.
        [2] John Gantz. The Embedded Internet: Methodology and Findings. IDC, January 2009.
    12. Examples with secure context: code execution, keys. PayTV; smart grid; mobile payment. http://en.wikipedia.org/wiki/File:Mobile_payment_01.jpg
    13. How to protect keys? Pure software (whitebox crypto). Go hardware. Recent overview: Dmitry Khovratovich @ 30C3
    14. When SW exploitation is not enough. [Diagram labels: flash; DDR; CPU; secure core (crypto); secure storage (keys); internal ROM; password protection / lock; JTAG, I2C, …; encryption; Ethernet, USB, UART]
    15. Secure boot. [Diagram labels: ROM loader; code in flash; public key; signature] Fault injection to skip. But when exactly? See "20 Ways to Bypass Secure Boot", Job de Haas @ HITB KL 2013
    16. Power analysis of secure boot. [Plots: boot with valid flash image; boot with invalid flash image; time to glitch]
    17. Other examples
        • Side Channel Analysis Reverse Engineering
        • Interpretation of SW fuzzing effects
        • JTAG password check (or PIN verification)
    18. Key recovery with SCA. Part 1: Basics
    19. A simple measurement setup
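    21. Zoom-in
    22. Experiment: Look-up table, $a \rightarrow S \rightarrow S(a)$

            ldi ZH, high(S<<1)   ; ZH = high byte of the table's byte address (immediate load)
            mov ZL, R0           ; ZL = input byte a, held in R0
            lpm R0, Z            ; R0 = S(a), read from program memory
            .ORG $800
            S: .db $63,$7c,$77,…

    23. Hamming weight leakage of $S(a)$
    24. AES-128: $a, k \rightarrow S \rightarrow S(a \oplus k)$
    25. Step 1: Acquire power traces 1, 2, 3, … for random input bytes $a_1, a_2, \ldots, a_N$
    26. Step 2: Predict leakage of $S(a \oplus k)$ for inputs $a_1, a_2, \ldots, a_N$ and guesses for $k$: 0, 1, …, 255
    27. Step 3: Distinguish the right guess. [Figure: predictions for guesses 0, 1, …, 255 on inputs $a_1, a_2, \ldots, a_N$ beside traces 1, 2, 3, …]
    28. Step 3: Distinguish the right guess. [Figure: as on slide 27, with correlation]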
    37. Key recovery with SCA. Part 2: Complications
    38. Choice of side channel. http://www.dailymail.co.uk/news/article-2606972
    39. http://www.dailymail.co.uk/news/article-2606972
    40. http://news.bbc.co.uk/2/hi/uk_news/england/leicestershire/8447110.stm
    41. EM leakage: where to measure?
    42. EM leakage: where to measure? Spectral intensity around 32 MHz
    43. EM leakage: where to measure? Spectral intensity around 64 MHz. Distance between right and wrong key guesses
    44. How to trigger?
        • If dedicated trigger pin: easy
        • Else if there is a pattern:
            – align online (special FPGA solution for triggering on a pattern)
            – or align offline (processing complexity)
        • Else attack as is (more traces needed)
    45. Misalignment: Spot a pattern
    46. Effect of misalignment on DPA. [Plots: well aligned traces; misaligned traces] Leakage spread across $k$ samples → $k^2$ times more traces
    47. Which target variable?
        • SW AES (ATmega): S-box output
        • Simple HW AES (ATXmega, 8-bit datapath): S-box$_i$ in XOR S-box$_{i+1}$ in
        • Full-blown HW AES (128-bit datapath): state$_{n-1}$ XOR state$_n$ (requires known inputs!)
    48. Which leakage model?
        • Hamming weight (distance) often works
        • More precise model → faster attack
        • Tools for leakage modelling:
            – Template attacks (profiling)
            – Linear regression
    49. Fitting a leakage model: $l(z) = \beta_{const} + \beta_0 z_0$
        Left-hand side: measured leakage. Right-hand side: target variable predictions.
        $164 = \beta_{const} + \beta_0 \cdot 0$
        $150 = \beta_{const} + \beta_0 \cdot 1$
        …
        $180 = \beta_{const} + \beta_0 \cdot 1$
        Solution using OLS: $\beta_{const} = 160.3$, $\beta_0 = 6.3$
    50. Effect of a precise leakage model. [Plots: Hamming weight model; model fit using linear regression]
    51. How to brute force DPA output? [Figure: ranked candidate scores for key bytes $k_1, k_2, k_3, k_4, \ldots, k_{15}, k_{16}$]
    52. How to brute force DPA output? [Figure as on slide 51]
        • 5-6 candidates per byte → $2^{40}$ full keys (1 day on a desktop PC)
        • Solution: key enumeration (e.g. Veyrat-Charvillon et al. @ SAC2012)
        • Challenge: memory consumption and therefore speed; $2^{40}$ keys need 70 GB of RAM and 9 days on a desktop PC
    53. Countermeasures
        • desynchronize
        • shuffle with dummy crypto operations
        • masking (split sensitive variables into many)
        • limit the number of crypto operations (smartcards: 65K operations only)
        • frequent key update
        Most patented by CRI
    55. What makes an attack?
        • Factors (according to JHAS*):
            – Time
            – Expertise
            – Equipment
            – Knowledge about the target
            – Number of device samples
            – Samples with known or chosen keys
        • Identification ≠ exploitation
        * Joint Interpretation Library Hardware Attacks Subgroup
    56. Complexity indicators

        | Target                          | Identification                                  | Exploitation                |
        |---------------------------------|-------------------------------------------------|-----------------------------|
        | General-purpose microcontroller | < day                                           | < hour (< thousand traces)  |
        | SoC without SCA countermeasures | < month                                         | < week (millions of traces) |
        | SoC with SCA countermeasures    | > month + advanced SCA skills + high-end DSO    | > month (billions of traces)|

    57. Special thanks to my colleagues at Riscure: Job de Haas, Jing Pan, Eloi Sanfèlix, Albert Spruit. Contact: ilya@riscure.com
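
The three steps on slides 25 to 28, together with the masking countermeasure from slide 53, as an added example run on simulated traces (it is not code from the talk or from Riscure). Assumptions: the device leaks the Hamming weight of S(a ⊕ k) plus Gaussian noise at a single sample, masking is modelled as XOR with a fresh random byte per run, and all function names and the key value used to exercise it are constructed.

```python
import random

def build_sbox():
    """AES S-box from its definition: GF(2^8) inverse, then the affine map."""
    def gmul(a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            a = (a << 1) ^ (0x11B if a & 0x80 else 0)
            b >>= 1
        return r
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = build_sbox()
HW = [bin(v).count("1") for v in range(256)]

def simulate_traces(key, n, noise, rng, masked=False):
    """Step 1 (simulated): one leakage sample per random input byte a."""
    inputs = [rng.randrange(256) for _ in range(n)]
    leaks = []
    for a in inputs:
        v = SBOX[a ^ key]
        if masked:                      # first-order masking: fresh mask each run
            v ^= rng.randrange(256)
        leaks.append(HW[v] + rng.gauss(0, noise))
    return inputs, leaks

def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return cov / (vx * vy) ** 0.5

def cpa(inputs, leaks):
    """Steps 2-3: predict HW(S(a^k)) for all 256 guesses, rank by |correlation|."""
    scores = [abs(pearson([HW[SBOX[a ^ k]] for a in inputs], leaks))
              for k in range(256)]
    return max(range(256), key=scores.__getitem__), scores
```

On unmasked simulated traces the correct guess stands out clearly; with `masked=True` its score falls into the noise floor of the wrong guesses, which is the effect the masking countermeasure is designed to produce at first order.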
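
The leakage-model fit from slides 48 to 50, as an added example that is not from the talk: it generalises the single-bit equation on slide 49 to all eight bits of z and compares the coefficient of determination R² against a Hamming-weight model. The simulated device is an assumption: 160.3 and 6.3 reuse the slide's fitted values as ground truth, while the other per-bit weights, the noise level and all function names are constructed.

```python
import random

def ols(rows, y):
    """Ordinary least squares via the normal equations; returns (beta, R^2)."""
    p = len(rows[0])
    # Augmented system [X^T X | X^T y]
    A = [[sum(r[i] * r[j] for r in rows) for j in range(p)]
         + [sum(r[i] * t for r, t in zip(rows, y))] for i in range(p)]
    for c in range(p):                      # Gauss-Jordan, partial pivoting
        piv = max(range(c, p), key=lambda r: abs(A[r][c]))
        A[c], A[piv] = A[piv], A[c]
        A[c] = [v / A[c][c] for v in A[c]]
        for r in range(p):
            if r != c:
                A[r] = [vr - A[r][c] * vc for vr, vc in zip(A[r], A[c])]
    beta = [A[i][p] for i in range(p)]
    mean = sum(y) / len(y)
    ss_res = sum((t - sum(b * v for b, v in zip(beta, r))) ** 2
                 for r, t in zip(rows, y))
    ss_tot = sum((t - mean) ** 2 for t in y)
    return beta, 1 - ss_res / ss_tot

def bits(z):
    return [(z >> i) & 1 for i in range(8)]

# Constructed ground truth: constant and bit-0 weight taken from slide 49,
# remaining weights made up and deliberately unequal.
TRUE_CONST, TRUE_W = 160.3, [6.3, 0.5, 4.0, 1.0, 5.5, 0.2, 3.0, 2.0]

def simulate_leakage(n, rng, noise=2.0):
    """Simulated measured leakage l for n random target-variable values z."""
    zs = [rng.randrange(256) for _ in range(n)]
    ls = [TRUE_CONST + sum(w * b for w, b in zip(TRUE_W, bits(z)))
          + rng.gauss(0, noise) for z in zs]
    return zs, ls

def compare_models(zs, ls):
    """R^2 of l = b_c + b*HW(z) versus l = b_c + sum_i b_i*z_i."""
    _, hw_r2 = ols([[1, sum(bits(z))] for z in zs], ls)
    beta, bit_r2 = ols([[1] + bits(z) for z in zs], ls)
    return hw_r2, bit_r2, beta
```

When the bits leak unequally, the per-bit fit explains noticeably more of the measured variance than the Hamming-weight model, which is why a device evaluation that only tests the Hamming-weight model can underestimate how quickly a device leaks.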
