Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]

4,682 views

Published on

  • Be the first to comment

Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]

  1. 1. Hardware Security: Side Channel Attacks<br />Eloi Sanfelix<br />eloi@riscure.com<br />
  2. 2. Protecting your device<br />Tips for developers<br />Introduction: Secure hardware and attacks<br />Side Channel Analysis<br />Conclusion<br />Perturbation attacks<br />Agenda<br />
  3. 3. Protecting your device<br />Tips for developers<br />Introduction: Secure hardware and attacks<br />Side Channel Analysis<br />Conclusion<br />Perturbation Attacks<br />Agenda<br />
  4. 4. Secure Devices<br />Crypto<br />CPU<br />Main<br />CPU<br />Secure Storage<br />Tamper-proof enclosure<br />
  5. 5. Example: smart cards<br />ISO 7816<br />Image source: dhgate.com<br />
  6. 6. Secure device attack types<br />Logical<br />Invasive<br />Side <br />Channel<br />
  7. 7. Agenda<br />Protecting your device<br />Tips for developers<br />Introduction: Secure hardware and attacks<br />Conclusion<br />Perturbation Attacks<br />Side Channel Analysis<br />
  8. 8. Side Channels IRL<br />8<br />Iraq invades Kuwait...<br />
  9. 9. A different threat model<br />But we also need to<br />Beware of leakage<br />Protect run-time integrity<br />Common paradigm<br />Do not trust input<br />Preserve confidentiality and integrity in output<br />Local: at input / output<br />Pervasive: throughout code<br />Code<br />Code<br />▼<br />
  10. 10. Side channel attacks<br />Passive (SCA): Read ‘hidden’ signals<br />timing<br />power consumption<br />electromagnetic emission<br />Active (FI): Signal injection<br />power glitches<br />electromagnetic pulses<br />10<br />
  11. 11. SCA Measurement setup<br />
  12. 12. 12<br />Smart card power reader<br />
  13. 13. Power / EM traces<br /><ul><li>Signal leakage from busses, registers, ALUs, etc</li></ul> PIN verification attempts<br />
  14. 14. 'Simple' Power Analysis<br /><ul><li>Analyse few traces (vs statistical analysis)
  15. 15. Example: COMP128-1 crypto algorithm
  16. 16. C code: x = table_512[k+d]</li></ul>k+d < 256<br />k+d ≥ 256<br />
  17. 17. Data influence<br /><ul><li>Example trace of software DES on smart card
  18. 18. Leaks hamming weight of data</li></ul>Profit! (data)<br />noise<br />
  19. 19. Statistical data detection<br /><ul><li>Where is data processed in presence of noise?</li></li></ul><li>Statistical data detection<br />0<br />0<br />0<br />0<br />1<br />1<br />1<br />1<br /><ul><li>Where is data processed in presence of noise?
  20. 20. Collect many traces with different data (n > 1000)
  21. 21. Use known uniformly random input/output data
  22. 22. We focus on one bit of one variable in the process</li></ul>Group by known data<br />Average trace<br />Subtract<br />Differential trace<br />
  23. 23. Differential trace<br /><ul><li>Input: n traces with known variable (e.g. input or output)
  24. 24. Output: 1 trace with indication where bit causes trace differences</li></li></ul><li>But…you promised keys !?<br /><ul><li>Keys are used in small chunks
  25. 25. Mixed with input data</li></ul>  Use hypothesis testing!<br />H0<br />H1<br />H2<br />H3<br />
  26. 26. Hypothesis incorrect<br /><ul><li>Group traces according to hypothesis
  27. 27. If the actual data does not match the hypothesis:
  28. 28. We group the wrong traces
  29. 29. Statistically, the averages will be similar
  30. 30. Result: noise</li></ul>Average trace<br />0<br />Subtract<br />1<br />0<br />1<br />0<br />1<br />1<br />0<br />Group by wrong data<br />
  31. 31. Hypothesis correct<br /><ul><li>Group traces according to hypothesis
  32. 32. If the actual data does match the hypothesis:
  33. 33. Only differences in measurement caused by different data between averages
  34. 34. Result: peaks!</li></ul>Average trace<br />0<br />Subtract<br />0<br />0<br />0<br />1<br />1<br />1<br />1<br />Group by right data<br />
  35. 35. Tricky...<br />
  36. 36. DPA on (3)DES <br />K1<br />K2<br />K15<br />K16<br />?<br />!<br />
  37. 37. Use hypothesis testing<br /><ul><li>Hypothesis testing; each 6-bit subkey value leads to different hypothesis for the sbox output</li></ul>Sbox output<br />H0<br />H1<br />...<br />H63<br />Traces<br />n<br />
  38. 38. Calculate differential traces<br />Sbox output<br />H0<br />H1<br />H56<br />H63<br />n<br />64 differential traces<br />
  39. 39. Find best candidate<br />64 differential traces<br />Repeat for other sboxes and rounds for full key<br />
  40. 40. DEMOs<br />
  41. 41. Reality check<br /><ul><li>Smart card manufacturers know about DPA
  42. 42. Often difficult finding correct filtering and alignment
  43. 43. Advanced preprocessing necessary
  44. 44. Countermeasures in hard- and software
  45. 45. On embedded systems, not so much...</li></li></ul><li>Agenda<br />Protecting your device<br />Tips for developers<br />Side Channel Analysis<br />Conclusion<br />Perturbation attacks<br />Introduction: Secure hardware and attacks<br />
  46. 46. Fault Injection<br />Chip/Hardware operating conditions<br />Temperature<br />Frequency<br />Power supply (input voltage)<br />Localized energy increase (Laser, EM, others?)<br />Fault injection modifies operating conditions<br />Bring chip outside normal situation to make it fail<br />
  47. 47. Fault Injection Setup<br />
  48. 48. Voltage glitching<br />1<br />0<br />A power dip at the moment of reading a memory cell<br />
  49. 49. Fault Injection Effects<br />Laser/voltage<br />glitch<br />Data/Memory manipulation<br />
  50. 50. Fault Injection Effects<br />Laser/voltage<br />glitch<br />Program flow manipulation<br />
  51. 51. Differential Fault Analysis<br />Correct result<br />Correct result<br />Correct result<br />Correct result<br />DFA<br />Faulty result<br />Faulty result<br />Faulty result<br />Faulty result<br />
  52. 52. RSA and RSA-CRT<br />RSA works with modular exponentiations<br />RSA-CRT splits big exponentiation in two smaller ones<br />S = Md(mod n)<br />dp = d mod (p-1)<br />dq = d mod (q-1)<br />K = p-1 mod q<br />Sp = Mdp mod p<br />Sq = Mdq mod q<br />S = ( ( (Sq - Sp)*K ) mod q ) * p + Sp<br />
  53. 53. Bellcore attack on RSA-CRT<br />Suppose single fault into one exponentiation<br />Now, subtract S’ from S<br />Now take gcd(s-s’,n)<br />gcd(x*p,p*q) = p<br />Compute q=n/p and you’re done!<br />An attack variant exists that only requires S’ and M<br />S’ = ( ( (S’q - Sp)*K ) mod q ) * p + Sp<br />S - S’ = (((Sq - Sp)*K) mod q)*p - (((S’q - Sp)*K) mod q)*p<br /> = (x1-x2)*p mod N<br />
  54. 54. Demo: Bellcore’s attack<br />
  55. 55. Agenda<br />Protecting your device<br />Tips for developers<br />Side Channel Analysis<br />Conclusion<br />Perturbation Attacks<br />Introduction: Secure hardware and attacks<br />
  56. 56. SCA Countermeasures<br />Application level<br />NEVER brew your own crypto<br />Introduce random delays between critical functions<br />Avoid branches related to secret data<br />See helpful patterns in reference [1]<br />Operating System level<br />Masking and hiding countermeasures. See e.g. [2],[3]<br />Have your systems tested<br />Side channel vulnerabilities can be very subtle!<br />
  57. 57. Fault Injection countermeasures<br />Double check critical results<br />Encrypt-Decrypt-Compare<br />Two comparisons in authentication checks<br />Add a random wait between the two checks<br />Protect code flow integrity<br />Introduce ‘shadow program counters’<br />Never output wrong results<br />Most DFA attacks are based on this!<br />See more at [1]<br />
  58. 58. Protecting your device<br />Tips for developers<br />Side Channel Analysis<br />Perturbation Attacks<br />Introduction: Secure hardware and attacks<br />Conclusion<br />Agenda<br />
  59. 59. Conclusion<br />Devices under attacker’s control<br />Physical threats need to be considered<br />Complete protection very difficult<br />Countermeasures based on increasing attack effort<br />Side channel problems are difficult to spot<br />Compiler and hardware behavior could break your code!<br />Impossible to know without testing<br />
  60. 60. Thank you!!<br />eloi@riscure.com<br />
  61. 61. References<br />[1] Secure Application Programming in the Presence of Side Channel Attacks – Download link<br />[2] Power Analysis Attacks – http://www.dpabook.org<br />[3] Cryptography Research Inc. – DPA Countermeasures<br />[4] Riscure – Publications<br />[5] E. Bhiam, A.Shamir – Differential Fault Analysis of Secret Key Cryptosystems<br />

×