Scan Based Side Channel Attack on
Data Encryption Standard
IACR’04
Bo Yang, Kaijie Wu, Ramesh Karri
ECE Dept., Polytechnic University, Brooklyn. (Currently NYU Tandon)
Outline
• Introduction
• Assumptions
• Methodology
• Discussion
• Conclusions
Introduction
• Cryptographic algorithms are implemented in hardware as
– Application-Specific Integrated Circuits (ASICs)
– Cryptographic coprocessors
• Scan-based tests
– Validate the function of a hardware system at fabrication time and in the field.
– Give high fault coverage; test pattern generation and signature analysis need no additional on-chip hardware (compare built-in self test, BIST).
Introduction
• Scan-based tests
– Construct several scan chains (SCs) in a chip by tying internal registers and flip-flops together into shift registers and connecting them to the JTAG test access port.
– During test synthesis: SCs are inserted by the synthesis tool.
– During chip packaging: SCs are either connected to external JTAG interface pins, to provide on-chip debugging and maintenance in the field, or left unbonded.
Introduction
• Scan-based tests
– However, unbonded scan chains can still be accessed by breaking the package open.
Introduction
• Data Encryption Standard
– DES is a symmetric encryption algorithm developed in the 1970s by IBM.
– Encrypts 64-bit data blocks under the control of a 56-bit user key.
– DES decryption is the inverse of DES encryption and uses the same user key (with the round keys applied in reverse order).
Introduction
• Data Encryption Standard
– [Figure on this slide; not captured in the text extraction.]
Introduction
• Contributions
– Show that scan chains can be used to discover the secret keys stored in a cryptographic device.
– The approach is simple yet general and powerful, and can be adapted to any cryptographic implementation on ASICs, FPGAs or general-purpose microprocessors.
Assumptions
• The attacker knows the DES algorithm.
• The attacker has access to high-level timing diagrams.
• The attacker does not know the exact number of registers used.
• Round keys are stored in a secure RAM/ROM.
• Round key registers are not included in the scan chain.
• The attacker does not know the structure of the scan chain.
Methodology
• Step 1. Determine Scan Chain Structure
• Step 2. Recover DES Round Key
• Step 3. Recover DES User Key
Methodology
Step 1. Determine Scan Chain Structure
• Switch the DES circuit between normal mode and test mode:
1. Reset to normal mode -> load a known plaintext into the input register.
2. Switch to test mode -> scan out the bit stream, pattern 1.
3. Switch to normal mode -> let the plaintext move into the L or R registers.
4. Switch to test mode -> scan out the bit stream, pattern 2.
5. Repeat steps 1 to 4 with a plaintext that differs from the first plaintext in only one bit position; save pattern 3 and pattern 4.
• Comparing pattern 1 with pattern 3 reveals which flip-flop of the input register holds the flipped bit; comparing pattern 2 with pattern 4 reveals where that bit lands in L or R.
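The Step 1 procedure above as an added, runnable example. This is editor-supplied code, not the authors' implementation: it models a stand-in device whose 64-bit input register, 64-bit L0||R0 register (loaded with IP(input) one cycle after the input register) and five control flip-flops are stitched into one scan chain in a secret, seeded-random order. That circuit model, the two-cycle loading timing and the behaviour of the control bits are assumptions standing in for the real chip's timing diagrams; the attacker code sees only scan-out patterns. Locating L1/R1 after a third normal cycle uses the same single-bit differencing and is left out here.

```python
"""Step 1 of the attack on a simulated DES front end: find which scan-chain positions
hold the input register and the L0/R0 registers by differencing scan-out patterns."""
import random

# DES initial permutation IP (1-based input bit positions, FIPS 46-3).
IP = [58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7]


def to_bits(n, width):
    """Integer -> list of bits, most significant first (bit 1 of the DES spec at index 0)."""
    return [(n >> (width - 1 - i)) & 1 for i in range(width)]


class ScanChainDevice:
    """Constructed stand-in for the victim chip (an assumption, not a real design): a 64-FF
    input register, a 64-FF L0||R0 register that receives IP(input) one cycle later, and a
    few control FFs, all stitched into a single scan chain whose order is secret."""

    N_CTRL = 5                                   # e.g. round counter / FSM bits

    def __init__(self, seed):
        self.n_ff = 64 + 64 + self.N_CTRL
        self.chain = list(range(self.n_ff))      # chain position -> FF id
        random.Random(seed).shuffle(self.chain)  # 0..63 = IN, 64..127 = L0R0, 128.. = control
        self.clock = 0                           # clock cycles the attacker has spent so far

    def scan_out(self, plaintext, normal_cycles):
        """Reset, apply the plaintext, run `normal_cycles` clocks in normal mode, then switch
        to test mode and shift the whole chain out (one cycle per flip-flop)."""
        ff = [0] * self.n_ff
        for cyc in range(1, normal_cycles + 1):
            if cyc == 1:
                ff[0:64] = to_bits(plaintext, 64)            # load the input register
            if cyc == 2:
                ff[64:128] = [ff[i - 1] for i in IP]         # L0||R0 <- IP(input)
            ff[128:] = to_bits(cyc, self.N_CTRL)             # control state moves every cycle
        self.clock += normal_cycles + self.n_ff
        return [ff[i] for i in self.chain]


def diff_positions(p, q):
    """Chain positions at which two scan-out patterns differ."""
    return {i for i, (x, y) in enumerate(zip(p, q)) if x != y}


def locate_registers(dev, base=0x0123456789ABCDEF):
    """For every plaintext bit, compare patterns 1/3 (after one normal cycle) and 2/4 (after
    two). Returns chain positions of IN[1..64], L0[1..32] and R0[1..32]."""
    pat1, pat2 = dev.scan_out(base, 1), dev.scan_out(base, 2)
    input_pos, lr_pos = [None] * 64, [None] * 64
    ip_inv = {src: dst for dst, src in enumerate(IP)}   # plaintext bit (1-based) -> L0R0 index
    for bit in range(64):
        flipped = base ^ (1 << (63 - bit))
        pat3, pat4 = dev.scan_out(flipped, 1), dev.scan_out(flipped, 2)
        (pos1,) = diff_positions(pat1, pat3)             # exactly one FF differs: IN[bit]
        (pos2,) = diff_positions(pat2, pat4) - {pos1}    # IN still differs; the other is L0R0
        input_pos[bit] = pos1
        lr_pos[ip_inv[bit + 1]] = pos2                   # IP is public, so L vs R is known
    return input_pos, lr_pos[:32], lr_pos[32:]


if __name__ == "__main__":
    dev = ScanChainDevice(seed=7)
    inp, l0, r0 = locate_registers(dev)
    print("input register at chain positions", inp)
    print("L0 at", l0)
    print("R0 at", r0)
    print("clock cycles spent:", dev.clock)
```

Each scan_out costs one cycle per normal clock plus one per flip-flop in the chain, which is the accounting the complexity slides use (1 normal + 197 scan cycles per pattern on the authors' chain; 2 + 133 here). The pattern 2 / pattern 4 comparison deserves attention: the input register still holds the plaintext after the second cycle, so two chain positions differ, and the one already attributed to the input register is discarded before the L0/R0 position is read off.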
Methodology
Step 2. Recover DES Round Key
• Knowing the location of the L and R registers in the scan chain → break the DES algorithm!
• Round 1 of DES (figure on the slide), with r = R0:
1. L1 = R0
2. R1 = L0 ⊕ d
3. d = permutation(c) (the P permutation, 32 bits)
4. a = Expand(r) (the E expansion, 32 → 48 bits)
5. b = a ⊕ K1
6. c = S_box(b) (48 → 32 bits)
• R0, L0, R1 and L1 are read from the scan chain, so a and d (hence c) are known; only the S-box step has to be inverted to obtain b, and then K1 = a ⊕ b.
Methodology
Step 2. Recover DES Round Key
• Reverse the S-box (Substitution Box)
– Each S-box compresses its 6-bit input into a 4-bit output, so each output value has four possible inputs b, and therefore four candidates for the six round-key bits K1 = a ⊕ b that feed that S-box.
– A second plaintext that differs in one bit gives a second set of four candidates; intersecting the candidate sets narrows the key bits down.
– [Figure: worked example for one S-box. Candidate inputs (000110)2, (001111)2, (100010)2 or (101101)2 for the first plaintext and (001110)2, (000111)2, (101010)2 or (100101)2 for the second, annotated with S-box outputs c2 = 8, 8, 4, 6 and c3 = 11, 5 and inputs (010111)2, (111100)2, resolving round-key bits K1,43 … K1,48.]
Methodology
Step 3. Recover DES User Key
• Each round key contains 48 of the 56 user-key bits.
• By analysis of the DES round-key generation algorithm, recovering round keys K1, K2 and K3 is enough to derive the user key.
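Step 3 as an added example (editor-supplied, not the paper's code). The forward key schedule plays the device; recover_user_key undoes PC-2 and the cumulative left rotations so that every bit of a recovered round key pins one bit of C0||D0, then undoes PC-1 and regenerates the odd parity bits to give the 64-bit key. It accepts any subset of round keys and reports which of the 56 effective key bits remain uncovered, so it also checks the slide's claim that K1, K2 and K3 suffice. The test key is a constructed value.

```python
"""Step 3 of the attack: rebuild the 56-bit DES user key from recovered round keys by
undoing PC-2 and the key-schedule rotations, and report which key bits stay unknown."""

# DES key-schedule tables (FIPS 46-3), 1-based bit positions.
PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]   # left rotation of C and D per round


def to_bits(n, width):
    return [(n >> (width - 1 - i)) & 1 for i in range(width)]


def to_int(bits):
    return int("".join(map(str, bits)), 2)


def permute(bits, table):
    return [bits[i - 1] for i in table]


def rotl(half, s):
    return half[s:] + half[:s]


def key_schedule(key64):
    """Forward key schedule (the device side): the 16 round keys of a 64-bit key.
    PC-1 drops the eight parity bits, so only 56 key bits ever reach a round key."""
    cd = permute(to_bits(key64, 64), PC1)
    c, d = cd[:28], cd[28:]
    keys = []
    for s in SHIFTS:
        c, d = rotl(c, s), rotl(d, s)
        keys.append(permute(c + d, PC2))
    return keys


def recover_user_key(round_keys):
    """round_keys: {round number (1-based): 48-bit list}. Round key i is PC-2 of C_i||D_i and
    C_i is C_0 rotated left by the cumulative shift count, so each round-key bit pins one bit
    of C_0||D_0. Returns (64-bit key as int with odd parity bits regenerated, list of 1-based
    C_0||D_0 positions that none of the supplied round keys covers)."""
    cd0 = [None] * 56
    for rnd, k in round_keys.items():
        total = sum(SHIFTS[:rnd]) % 28
        for out_pos, cd_pos in enumerate(PC2):
            p = cd_pos - 1
            base = 0 if p < 28 else 28                      # C half or D half
            src = base + ((p - base) + total) % 28          # bit of C_0||D_0 that ended up here
            if cd0[src] is None:
                cd0[src] = k[out_pos]
            elif cd0[src] != k[out_pos]:
                raise ValueError("round keys disagree: wrong FF locations or a scan-out error")
    unknown = [i + 1 for i, b in enumerate(cd0) if b is None]
    key = [0] * 64
    for cd_pos, key_pos in enumerate(PC1):                  # PC-1 is injective: undo it bitwise
        if cd0[cd_pos] is not None:
            key[key_pos - 1] = cd0[cd_pos]
    for byte in range(8):                                   # DES keys carry odd parity per byte
        key[8 * byte + 7] = (sum(key[8 * byte:8 * byte + 7]) + 1) % 2
    return to_int(key), unknown


if __name__ == "__main__":
    KEY = 0x133457799BBCDFF1                                # constructed test key (odd parity)
    rk = key_schedule(KEY)
    for rounds in ([1], [1, 2], [1, 2, 3]):
        key, unknown = recover_user_key({r: rk[r - 1] for r in rounds})
        print(rounds, hex(key), "unknown C0||D0 bits:", unknown)
```

With K1 alone, eight C0||D0 positions stay unknown, because PC-2 drops eight of the 56 bits; each round's rotation moves those eight dropped positions, so K1 and K2 together already cover every bit, and K3 then serves as a consistency check that the flip-flops were located correctly (a disagreement raises ValueError).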
Discussion
• Attack Complexity Analysis
– 198 clock cycles to scan out the first bit stream: 1 cycle of normal operation + 197 cycles of scan operation.
– 198 clock cycles to locate one flip-flop in the input register.
• Total 38016 (= 192 × 198) cycles to determine the entire scan chain.
– 397 clock cycles for every input plaintext to reach R0, L0, R1 and L1: 2 cycles of normal operation + 197 cycles of scan operation + 1 cycle of normal operation + 197 cycles of scan operation.
• 1191 cycles (= 397 × 3) to discover round key K1.
• 1185 cycles to discover round keys K2 and K3.
• Total 3561 cycles to discover round keys K1, K2 and K3.
– Overall, 41775 clock cycles are required to discover the user key.
Discussion
• Extension to a pipelined DES architecture
– A 16-stage pipeline has 17 register pairs: (L0, R0) … (L16, R16).
– L0 and R0 are located first, as above.
– L1 and R1 are located by using L1 = R0 and R1 = L0 ⊕ f(R0, K1): if only the lowest bit of L0 is changed, L1 is unchanged and exactly the lowest bit of R1 flips, because f(R0, K1) is unchanged.
– The same argument locates the flip-flops of every later pair.
– Hence round keys K1, K2 and K3 can be recovered as before.
Discussion
• Characteristics of crypto algorithms in hardware that the attack relies on
– Data-driven: whatever the plaintext, the control logic performs the same sequence of actions, so only data flip-flops differ between two runs.
– Avalanche effect: a one-bit difference in one round turns into several bit differences in the next round.
• Together these determine the clock cycle in which the plaintext is loaded into the input plaintext register and into the L, R registers: a one-bit input difference appears as a one-bit difference in the scanned-out pattern until the first round spreads it over several bits.
Conclusions
• Several side-channel attacks have been proposed before.
• This work shows that scan chains and scan-based tests are a potent side channel.
• It proposes an attack that uses only 3 plaintexts to break DES.
