Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]

4,208 views

Published on

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
4,208
On SlideShare
0
From Embeds
0
Number of Embeds
1,175
Actions
Shares
0
Downloads
268
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]

  1. 1. Hardware Security: Side Channel Attacks<br />Eloi Sanfelix<br />eloi@riscure.com<br />
  2. 2. Protecting your device<br />Tips for developers<br />Introduction: Secure hardware and attacks<br />Side Channel Analysis<br />Conclusion<br />Perturbation attacks<br />Agenda<br />
  3. 3. Protecting your device<br />Tips for developers<br />Introduction: Secure hardware and attacks<br />Side Channel Analysis<br />Conclusion<br />Perturbation Attacks<br />Agenda<br />
  4. 4. Secure Devices<br />Crypto<br />CPU<br />Main<br />CPU<br />Secure Storage<br />Tamper-proof enclosure<br />
  5. 5. Example: smart cards<br />ISO 7816<br />Image source: dhgate.com<br />
  6. 6. Secure device attack types<br />Logical<br />Invasive<br />Side <br />Channel<br />
  7. 7. Agenda<br />Protecting your device<br />Tips for developers<br />Introduction: Secure hardware and attacks<br />Conclusion<br />Perturbation Attacks<br />Side Channel Analysis<br />
  8. 8. Side Channels IRL<br />8<br />Iraq invades Kuwait...<br />
  9. 9. A different threat model<br />But we also need to<br />Beware of leakage<br />Protect run-time integrity<br />Common paradigm<br />Do not trust input<br />Preserve confidentiality and integrity in output<br />Local: at input / output<br />Pervasive: throughout code<br />Code<br />Code<br />▼<br />
  10. 10. Side channel attacks<br />Passive (SCA): Read ‘hidden’ signals<br />timing<br />power consumption<br />electromagnetic emission<br />Active (FI): Signal injection<br />power glitches<br />electromagnetic pulses<br />10<br />
  11. 11. SCA Measurement setup<br />
  12. 12. 12<br />Smart card power reader<br />
  13. 13. Power / EM traces<br /><ul><li>Signal leakage from busses, registers, ALUs, etc</li></ul> PIN verification attempts<br />
  14. 14. 'Simple' Power Analysis<br /><ul><li>Analyse few traces (vs statistical analysis)
  15. 15. Example: COMP128-1 crypto algorithm
  16. 16. C code: x = table_512[k+d]</li></ul>k+d < 256<br />k+d ≥ 256<br />
  17. 17. Data influence<br /><ul><li>Example trace of software DES on smart card
  18. 18. Leaks hamming weight of data</li></ul>Profit! (data)<br />noise<br />
  19. 19. Statistical data detection<br /><ul><li>Where is data processed in presence of noise?</li></li></ul><li>Statistical data detection<br />0<br />0<br />0<br />0<br />1<br />1<br />1<br />1<br /><ul><li>Where is data processed in presence of noise?
  20. 20. Collect many traces with different data (n > 1000)
  21. 21. Use known uniformly random input/output data
  22. 22. We focus on one bit of one variable in the process</li></ul>Group by known data<br />Average trace<br />Subtract<br />Differential trace<br />
  23. 23. Differential trace<br /><ul><li>Input: n traces with known variable (e.g. input or output)
  24. 24. Output: 1 trace with indication where bit causes trace differences</li></li></ul><li>But…you promised keys !?<br /><ul><li>Keys are used in small chunks
  25. 25. Mixed with input data</li></ul>  Use hypothesis testing!<br />H0<br />H1<br />H2<br />H3<br />
  26. 26. Hypothesis incorrect<br /><ul><li>Group traces according to hypothesis
  27. 27. If the actual data does not match the hypothesis:
  28. 28. We group the wrong traces
  29. 29. Statistically, the averages will be similar
  30. 30. Result: noise</li></ul>Average trace<br />0<br />Subtract<br />1<br />0<br />1<br />0<br />1<br />1<br />0<br />Group by wrong data<br />
  31. 31. Hypothesis correct<br /><ul><li>Group traces according to hypothesis
  32. 32. If the actual data does match the hypothesis:
  33. 33. Only differences in measurement caused by different data between averages
  34. 34. Result: peaks!</li></ul>Average trace<br />0<br />Subtract<br />0<br />0<br />0<br />1<br />1<br />1<br />1<br />Group by right data<br />
  35. 35. Tricky...<br />
  36. 36. DPA on (3)DES <br />K1<br />K2<br />K15<br />K16<br />?<br />!<br />
  37. 37. Use hypothesis testing<br /><ul><li>Hypothesis testing; each 6-bit subkey value leads to different hypothesis for the sbox output</li></ul>Sbox output<br />H0<br />H1<br />...<br />H63<br />Traces<br />n<br />
  38. 38. Calculate differential traces<br />Sbox output<br />H0<br />H1<br />H56<br />H63<br />n<br />64 differential traces<br />
  39. 39. Find best candidate<br />64 differential traces<br />Repeat for other sboxes and rounds for full key<br />
  40. 40. DEMOs<br />
  41. 41. Reality check<br /><ul><li>Smart card manufacturers know about DPA
  42. 42. Often difficult finding correct filtering and alignment
  43. 43. Advanced preprocessing necessary
  44. 44. Countermeasures in hard- and software
  45. 45. On embedded systems, not so much...</li></li></ul><li>Agenda<br />Protecting your device<br />Tips for developers<br />Side Channel Analysis<br />Conclusion<br />Perturbation attacks<br />Introduction: Secure hardware and attacks<br />
  46. 46. Fault Injection<br />Chip/Hardware operating conditions<br />Temperature<br />Frequency<br />Power supply (input voltage)<br />Localized energy increase (Laser, EM, others?)<br />Fault injection modifies operating conditions<br />Bring chip outside normal situation to make it fail<br />
  47. 47. Fault Injection Setup<br />
  48. 48. Voltage glitching<br />1<br />0<br />A power dip at the moment of reading a memory cell<br />
  49. 49. Fault Injection Effects<br />Laser/voltage<br />glitch<br />Data/Memory manipulation<br />
  50. 50. Fault Injection Effects<br />Laser/voltage<br />glitch<br />Program flow manipulation<br />
  51. 51. Differential Fault Analysis<br />Correct result<br />Correct result<br />Correct result<br />Correct result<br />DFA<br />Faulty result<br />Faulty result<br />Faulty result<br />Faulty result<br />
  52. 52. RSA and RSA-CRT<br />RSA works with modular exponentiations<br />RSA-CRT splits big exponentiation in two smaller ones<br />S = Md(mod n)<br />dp = d mod (p-1)<br />dq = d mod (q-1)<br />K = p-1 mod q<br />Sp = Mdp mod p<br />Sq = Mdq mod q<br />S = ( ( (Sq - Sp)*K ) mod q ) * p + Sp<br />
  53. 53. Bellcore attack on RSA-CRT<br />Suppose single fault into one exponentiation<br />Now, subtract S’ from S<br />Now take gcd(s-s’,n)<br />gcd(x*p,p*q) = p<br />Compute q=n/p and you’re done!<br />An attack variant exists that only requires S’ and M<br />S’ = ( ( (S’q - Sp)*K ) mod q ) * p + Sp<br />S - S’ = (((Sq - Sp)*K) mod q)*p - (((S’q - Sp)*K) mod q)*p<br /> = (x1-x2)*p mod N<br />
  54. 54. Demo: Bellcore’s attack<br />
  55. 55. Agenda<br />Protecting your device<br />Tips for developers<br />Side Channel Analysis<br />Conclusion<br />Perturbation Attacks<br />Introduction: Secure hardware and attacks<br />
  56. 56. SCA Countermeasures<br />Application level<br />NEVER brew your own crypto<br />Introduce random delays between critical functions<br />Avoid branches related to secret data<br />See helpful patterns in reference [1]<br />Operating System level<br />Masking and hiding countermeasures. See e.g. [2],[3]<br />Have your systems tested<br />Side channel vulnerabilities can be very subtle!<br />
  57. 57. Fault Injection countermeasures<br />Double check critical results<br />Encrypt-Decrypt-Compare<br />Two comparisons in authentication checks<br />Add a random wait between the two checks<br />Protect code flow integrity<br />Introduce ‘shadow program counters’<br />Never output wrong results<br />Most DFA attacks are based on this!<br />See more at [1]<br />
  58. 58. Protecting your device<br />Tips for developers<br />Side Channel Analysis<br />Perturbation Attacks<br />Introduction: Secure hardware and attacks<br />Conclusion<br />Agenda<br />
  59. 59. Conclusion<br />Devices under attacker’s control<br />Physical threats need to be considered<br />Complete protection very difficult<br />Countermeasures based on increasing attack effort<br />Side channel problems are difficult to spot<br />Compiler and hardware behavior could break your code!<br />Impossible to know without testing<br />
  60. 60. Thank you!!<br />eloi@riscure.com<br />
  61. 61. References<br />[1] Secure Application Programming in the Presence of Side Channel Attacks – Download link<br />[2] Power Analysis Attacks – http://www.dpabook.org<br />[3] Cryptography Research Inc. – DPA Countermeasures<br />[4] Riscure – Publications<br />[5] E. Bhiam, A.Shamir – Differential Fault Analysis of Secret Key Cryptosystems<br />

×