securizarea avansata a sistemelor de calcul · a sistemelor de calcul marios choudary upb...

Securizarea avansata a sistemelor de calcul

Marios Choudary UPB

Side-channel attacks

Smartcards used in many applications (e.g. banking)

Other examples: Pay-TV, transport

2

Microcontroller in smartcards

microcontroller

3

Microcontrollers “leak” information via physical side-channel

example of leakage: EM, power

4

Microcontrollers “leak” information via physical side-channel

• We may target:

• cryptographic algorithms (secret keys)

• instructions (reverse engineering)

• data (bus eavesdropping)

5

CMOS leakage

A

B

A

B

VDDIDD

ZCL

Pull upNetwork

Pull downNetwork

Typical NAND gateA = 0 or B = 0:

CL charges => current flows out

CMOS leakage

A

B

A

B

VDDIDD

ZCL

Pull upNetwork

Pull downNetwork

Typical NAND gateA = B = 1:

CL discharges => current flows in

CMOS leakage

A

B

A

B

VDDIDD

ZCL

Pull upNetwork

Pull downNetwork

Typical NAND gateA = B = 1:

CL discharges => current flows in

CL may be input of next gate or bus lines (large capacitance)

Use an oscilloscope to measure power consumption of a microcontroller

Trigger signal

USB to PC

Clock signal

Atmel XMEGA

Power supply Active probe

Transition of all CMOS gates affect overall power consumption

1125 1126 1127 1128 1129 1130 1131 11325

5.5

6

6.5

Sample index

mA

k=0k=255

(loading a value into a register, when the previous value on the bus was 0)

Power consumption of loading one byte with different values

k = 0, 1, …, 9

3.2 3.4 3.6 3.8 4 4.2 4.4 4.6 4.8 50

0.5

1

1.5

2

2.5

Milliamps

0123456789

Leakage for one sample

11

Beginnings of power analysisPaul Kocher, 1997

(see “Differential Power Analysis”, Kocher et al., CRYPTO ’98)

Differential power analysis

13

1. Select target computation: typically the S-box lookup in a block cipher (DES, AES)

CHAPTER 2. OBTAINING SIDE-CHANNEL LEAKAGE TRACES 29

k �

p

S-box

u

v

Figure 2.3: A general S-box scenario, where k is a part of the secret key of a block cipher.

the task of finding the full master key into smaller tasks of attacking only small parts k

of the entire key.

2.1.3 Side-channel attacks

I now briefly describe the most common side-channel attacks evaluated in the academic

community.

Simple Power Analysis (SPA)

Kocher et al. [58] showed that, by simply observing a single power trace of a microcon-

troller, it is possible to reveal the sequence of instructions being executed. This may be

used to extract the secret key of a cryptographic algorithm by targetting the key schedule

if this involves conditional branching, by targetting comparison operations, or by target-

ting the exponentiators needed in public-key cryptographic algorithms such as RSA [88].

Simple and e�cient countermeasures for SPA rely on preventing the use of secret data

for conditional branching operations. Furthermore, Kocher et al. mentioned that SPA

will probably fail on most hardware implementations of block ciphers due to their small

power consumption variation. As a result SPA is not considered a major security threat

if simple precautions are taken, but the following attacks are.

Di↵erential Power Analysis (DPA)

Kocher et al. [58] also showed a much more powerful attack against DES (which also

works very well against AES), known as Di↵erential Power Analysis (DPA). It exploits

a known2 relation (such as the input-output relationship of the S-box in Figure 2.3),

2This assumes knowledge of the target algorithm.

Differential power analysis

14

CHAPTER 2. OBTAINING SIDE-CHANNEL LEAKAGE TRACES 29

k �

p

S-box

u

v

Figure 2.3: A general S-box scenario, where k is a part of the secret key of a block cipher.

the task of finding the full master key into smaller tasks of attacking only small parts k

of the entire key.

2.1.3 Side-channel attacks

I now briefly describe the most common side-channel attacks evaluated in the academic

community.

Simple Power Analysis (SPA)

Kocher et al. [58] showed that, by simply observing a single power trace of a microcon-

troller, it is possible to reveal the sequence of instructions being executed. This may be

used to extract the secret key of a cryptographic algorithm by targetting the key schedule

if this involves conditional branching, by targetting comparison operations, or by target-

ting the exponentiators needed in public-key cryptographic algorithms such as RSA [88].

Simple and e�cient countermeasures for SPA rely on preventing the use of secret data

for conditional branching operations. Furthermore, Kocher et al. mentioned that SPA

will probably fail on most hardware implementations of block ciphers due to their small

power consumption variation. As a result SPA is not considered a major security threat

if simple precautions are taken, but the following attacks are.

Di↵erential Power Analysis (DPA)

Kocher et al. [58] also showed a much more powerful attack against DES (which also

works very well against AES), known as Di↵erential Power Analysis (DPA). It exploits

a known2 relation (such as the input-output relationship of the S-box in Figure 2.3),

2This assumes knowledge of the target algorithm.

2. Apply “divide et impera”:

a good block cipher cannot be brute-forced due to large key size:

=> we target one byte at a time: reduce brute-force from 2128 to 16*28 (in best case)

(AES ≥128 bits)

Differential power analysis

15

3. Take a large number (thousands, millions) of leakage traces 0 2 4 6 8 10

0

2

4

6

8

Time [µs]

Current

[mA]

Typically interested in a single sample

0 2 4 6 8 100

2

4

6

8

Time [µs]

Current

[mA]

0 2 4 6 8 100

2

4

6

8

Time [µs]

Current

[mA]

ti

x1

x2

xN

…

Differential power analysis

16

4. Split samples based on the value of some bit b that is a function of k and p

CHAPTER 2. OBTAINING SIDE-CHANNEL LEAKAGE TRACES 29

k �

p

S-box

u

v

Figure 2.3: A general S-box scenario, where k is a part of the secret key of a block cipher.

the task of finding the full master key into smaller tasks of attacking only small parts k

of the entire key.

2.1.3 Side-channel attacks

I now briefly describe the most common side-channel attacks evaluated in the academic

community.

Simple Power Analysis (SPA)

Kocher et al. [58] showed that, by simply observing a single power trace of a microcon-

troller, it is possible to reveal the sequence of instructions being executed. This may be

used to extract the secret key of a cryptographic algorithm by targetting the key schedule

if this involves conditional branching, by targetting comparison operations, or by target-

ting the exponentiators needed in public-key cryptographic algorithms such as RSA [88].

Simple and e�cient countermeasures for SPA rely on preventing the use of secret data

for conditional branching operations. Furthermore, Kocher et al. mentioned that SPA

will probably fail on most hardware implementations of block ciphers due to their small

power consumption variation. As a result SPA is not considered a major security threat

if simple precautions are taken, but the following attacks are.

Di↵erential Power Analysis (DPA)

Kocher et al. [58] also showed a much more powerful attack against DES (which also

works very well against AES), known as Di↵erential Power Analysis (DPA). It exploits

a known2 relation (such as the input-output relationship of the S-box in Figure 2.3),

2This assumes knowledge of the target algorithm.

b = f (k, p)e.g. b = MSB(S-box(p k)) for AES

Dan$Boneh$

AES$is$a$Subs\Perm$network$(not$Feistel)$

inpu

t$

⨁$

S1$S2$S3$

S8$

�

output$

subs.$layer$

perm.$layer$ inversion$

k1$

⨁$

S1$S2$S3$

S8$

�

k2$S1$S2$S3$

S8$

�

⨁$

�$

kn$

5. Find k for which difference between average power consumption in the two groups is largest:

Differential power analysis

17

�k = (powerb=0 � powerb=1)

1

CHAPTER 2. OBTAINING SIDE-CHANNEL LEAKAGE TRACES 29

k �

p

S-box

u

v

Figure 2.3: A general S-box scenario, where k is a part of the secret key of a block cipher.

the task of finding the full master key into smaller tasks of attacking only small parts k

of the entire key.

2.1.3 Side-channel attacks

I now briefly describe the most common side-channel attacks evaluated in the academic

community.

Simple Power Analysis (SPA)

Kocher et al. [58] showed that, by simply observing a single power trace of a microcon-

troller, it is possible to reveal the sequence of instructions being executed. This may be

used to extract the secret key of a cryptographic algorithm by targetting the key schedule

if this involves conditional branching, by targetting comparison operations, or by target-

ting the exponentiators needed in public-key cryptographic algorithms such as RSA [88].

Simple and e�cient countermeasures for SPA rely on preventing the use of secret data

for conditional branching operations. Furthermore, Kocher et al. mentioned that SPA

will probably fail on most hardware implementations of block ciphers due to their small

power consumption variation. As a result SPA is not considered a major security threat

if simple precautions are taken, but the following attacks are.

Di↵erential Power Analysis (DPA)

Kocher et al. [58] also showed a much more powerful attack against DES (which also

works very well against AES), known as Di↵erential Power Analysis (DPA). It exploits

a known2 relation (such as the input-output relationship of the S-box in Figure 2.3),

2This assumes knowledge of the target algorithm.

Differential power analysis

18

current [mA]0

k=0

b==0b==1

avg( ) - avg( ) 0 ≈

5. Find k for which difference between average power consumption in the two groups is largest:

�k = (powerb=0 � powerb=1)

1

b = f (k, p)

Differential power analysis

19

current [mA]0

k=1

b==0b==1

avg( ) - avg( ) 0 ≈

5. Find k for which difference between average power consumption in the two groups is largest:

�k = (powerb=0 � powerb=1)

1

b = f (k, p)

Differential power analysis

20

current [mA]0

k=42 (correct)

b==0b==1

avg( ) - avg( ) max=�k = (powerb=0 � powerb=1)

1

5. Find k for which difference between average power consumption in the two groups is largest:

b = f (k, p)

Differential power analysis

21

393Differential Power Analysis

[Kocher et al. ’99]

Correlation Power Analysis

• Test correlation between actual leakage samples (e.g. obtained with an oscilloscope) and hypothetical leakage (e.g. with Hamming Weight model and key candidate)

• Most common candidate: HW(S-box(p k))

Correlation Power Analysis• Pearson’s correlation for 2 variables X, Y:

• When X, Y are correlated, then is high

• Idea for side-channel attacks:

• Use actual leakage for X

• Use expected leakage from HW model with candidate k for Y:Y = HW(S-box(p k))

• Compute for all possible byte values k and choose k with highest

⇢XY =

PNi=1(xi � x)(yi � y)

qPNi=1 (xi � x)2 ·

qPNi=1 (yi � y)2

1

⇢XY =

PNi=1(xi � x)(yi � y)

qPNi=1 (xi � x)2 ·

qPNi=1 (yi � y)2

1

⇢XY =

PNi=1(xi � x)(yi � y)

qPNi=1 (xi � x)2 ·

qPNi=1 (yi � y)2

1

⇢XY =

PNi=1(xi � x)(yi � y)

qPNi=1 (xi � x)2 ·

qPNi=1 (yi � y)2

1

Correlation Power AnalysisExample from attack on real cryptographic ASIC

Left: correlation with good key as function of number of traces (N) Right: correlation as a function of key candidate for fixed N

Figure from https://iis-people.ee.ethz.ch/~kgf/acacia/c3.html

Defences andSecure IC industry

Countermeasures

26

• Noise generation: try to keep the data-dependent signal below the noise floor

• Randomise computations: make it hard to align traces

• Masking: split data into several shares and compute on those such that leakage does not depend on key/data but on random values

• Dual rail and other special hardware architectures

Industrial impact• Development of countermeasures (hardware,

software) - see Infineon, Gemalto, NXP, etc.

• Common Criteria evaluation

• Evaluation and certification laboratories

• National security evaluations

• One evaluation may cost > 100.000 EUR