josh benaloh brian lamacchia winter 2011. side-channel attacks breaking a cryptosystem is a frontal...
TRANSCRIPT
- Slide 1
- Josh Benaloh Brian LaMacchia Winter 2011
- Slide 2
- Side-Channel Attacks Breaking a cryptosystem is a frontal attack, but there may be easier access though a side or back door especially on embedded cryptographic devices such as SmartCards and RFIDs. January 27, 2011Practical Aspects of Modern Cryptography2
- Slide 3
- Side-Channel Attacks Some attack vectors January 27, 2011Practical Aspects of Modern Cryptography3
- Slide 4
- Side-Channel Attacks Some attack vectors Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography4
- Slide 5
- Side-Channel Attacks Some attack vectors Fault Attacks Timing Attacks January 27, 2011Practical Aspects of Modern Cryptography5
- Slide 6
- Side-Channel Attacks Some attack vectors Fault Attacks Timing Attacks Cache Attacks January 27, 2011Practical Aspects of Modern Cryptography6
- Slide 7
- Side-Channel Attacks Some attack vectors Fault Attacks Timing Attacks Cache Attacks Power Analysis January 27, 2011Practical Aspects of Modern Cryptography7
- Slide 8
- Side-Channel Attacks Some attack vectors Fault Attacks Timing Attacks Cache Attacks Power Analysis Electromagnetic Emissions January 27, 2011Practical Aspects of Modern Cryptography8
- Slide 9
- Side-Channel Attacks Some attack vectors Fault Attacks Timing Attacks Cache Attacks Power Analysis Electromagnetic Emissions Acoustic Emissions January 27, 2011Practical Aspects of Modern Cryptography9
- Slide 10
- Side-Channel Attacks Some attack vectors Fault Attacks Timing Attacks Cache Attacks Power Analysis Electromagnetic Emissions Acoustic Emissions Information Disclosure January 27, 2011Practical Aspects of Modern Cryptography10
- Slide 11
- Side-Channel Attacks Some attack vectors Fault Attacks Timing Attacks Cache Attacks Power Analysis Electromagnetic Emissions Acoustic Emissions Information Disclosure others? January 27, 2011Practical Aspects of Modern Cryptography11
- Slide 12
- Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography12
- Slide 13
- Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography13
- Slide 14
- Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography14
- Slide 15
- Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography15
- Slide 16
- Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography16
- Slide 17
- Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography17
- Slide 18
- Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography18
- Slide 19
- Timing Attacks How long does it take to perform a decryption? January 27, 2011Practical Aspects of Modern Cryptography19
- Slide 20
- Timing Attacks How long does it take to perform a decryption? The answer may be data-dependent. January 27, 2011Practical Aspects of Modern Cryptography20
- Slide 21
- Timing Attacks How long does it take to perform a decryption? The answer may be data-dependent. For instance January 27, 2011Practical Aspects of Modern Cryptography21
- Slide 22
- Timing Attacks January 27, 2011Practical Aspects of Modern Cryptography22
- Slide 23
- Timing Attacks January 27, 2011Practical Aspects of Modern Cryptography23
- Slide 24
- Timing Attacks January 27, 2011Practical Aspects of Modern Cryptography24
- Slide 25
- Cache Attacks If you can run code on the same device where a decryption is being performed, you may be able to selectively force certain cache lines to be flushed. January 27, 2011Practical Aspects of Modern Cryptography25
- Slide 26
- Cache Attacks If you can run code on the same device where a decryption is being performed, you may be able to selectively force certain cache lines to be flushed. Decryption times may vary in a key-dependent manner based upon which lines have been flushed. January 27, 2011Practical Aspects of Modern Cryptography26
- Slide 27
- Power Analysis Power usage of a device may vary in a key- dependent manner. January 27, 2011Practical Aspects of Modern Cryptography27
- Slide 28
- Power Analysis Power usage of a device may vary in a key- dependent manner. Careful measurement and analysis of power consumption can be used to determine the key. January 27, 2011Practical Aspects of Modern Cryptography28
- Slide 29
- Electromagnetic Emissions One can record electromagnetic emissions of a device often at a distance. January 27, 2011Practical Aspects of Modern Cryptography29
- Slide 30
- Electromagnetic Emissions One can record electromagnetic emissions of a device often at a distance. Careful analysis of the emissions may reveal a secret key. January 27, 2011Practical Aspects of Modern Cryptography30
- Slide 31
- Acoustic Emissions Modular exponentiation is using done with repeated squaring and conditional side multiplications. January 27, 2011Practical Aspects of Modern Cryptography31
- Slide 32
- Acoustic Emissions Modular exponentiation is using done with repeated squaring and conditional side multiplications. It can actually be possible to hear whether or not these conditional multiplications are performed. January 27, 2011Practical Aspects of Modern Cryptography32
- Slide 33
- Information Disclosures (N.B. Bleichenbacher Attack) January 27, 2011Practical Aspects of Modern Cryptography33
- Slide 34
- Information Disclosures (N.B. Bleichenbacher Attack) A protocol may respond differently to properly and improperly formed data. January 27, 2011Practical Aspects of Modern Cryptography34
- Slide 35
- Information Disclosures (N.B. Bleichenbacher Attack) A protocol may respond differently to properly and improperly formed data. Careful manipulation of data may elicit responses which disclose information about a desired key or decryption value. January 27, 2011Practical Aspects of Modern Cryptography35
- Slide 36
- Certificate Revocation January 27, 2011Practical Aspects of Modern Cryptography36
- Slide 37
- Certificate Revocation Every reasonable certification should include an expiration. January 27, 2011Practical Aspects of Modern Cryptography37
- Slide 38
- Certificate Revocation Every reasonable certification should include an expiration. It is sometimes necessary to revoke a certificate before it expires. January 27, 2011Practical Aspects of Modern Cryptography38
- Slide 39
- Certificate Revocation Reasons for revocation January 27, 2011Practical Aspects of Modern Cryptography39
- Slide 40
- Certificate Revocation Reasons for revocation Key Compromise January 27, 2011Practical Aspects of Modern Cryptography40
- Slide 41
- Certificate Revocation Reasons for revocation Key Compromise False Issuance January 27, 2011Practical Aspects of Modern Cryptography41
- Slide 42
- Certificate Revocation Reasons for revocation Key Compromise False Issuance Role Modification January 27, 2011Practical Aspects of Modern Cryptography42
- Slide 43
- Certificate Revocation Two primary mechanisms January 27, 2011Practical Aspects of Modern Cryptography43
- Slide 44
- Certificate Revocation Two primary mechanisms Certificate Revocation Lists (CRLs) January 27, 2011Practical Aspects of Modern Cryptography44
- Slide 45
- Certificate Revocation Two primary mechanisms Certificate Revocation Lists (CRLs) Online Certificate Status Protocol (OCSP) January 27, 2011Practical Aspects of Modern Cryptography45
- Slide 46
- Certificate Revocation Lists A CA revokes a certificate by placing the its identifying serial number on its Certificate Revocation List (CRL) Every CA issues CRLs to cancel out issued certs A CRL is like anti-matter when it comes into contact with a certificate it lists it cancels out the certificate Think 1970s-style credit-card blacklist Relying parties are expected to check the most recent CRLs before they rely on a certificate The cert is valid unless you hear something telling you otherwise January 27, 2011Practical Aspects of Modern Cryptography46
- Slide 47
- The Problem with CRLs Blacklists have numerous problems They can grow very large because certs cannot be removed until they expire. They are not issued frequently enough to be effective against a serious attack. Their size can make them expensive to distribute (especially on low-bandwidth channels). They are vulnerable to simple DOS attacks. (What do you do if you cant get the current CRL?) January 27, 2011Practical Aspects of Modern Cryptography47
- Slide 48
- More Problems with CRLs January 27, 2011Practical Aspects of Modern Cryptography48
- Slide 49
- Yet More Problems with CRLs Revoking a cert used by a CA to issue other certs is even harder since this may invalidate an entire set of certs. Self-signed certificates are often used as a syntactic convenience. Is it meaningful for a cert to revoke itself? January 27, 2011Practical Aspects of Modern Cryptography49
- Slide 50
- Even More Problems with CRLs CRLs cant be revoked. If a cert has been mistakenly revoked, the revocation cant be reversed. CRLs cant be updated. Theres no mechanism to issue a new CRL to relying parties early even if theres an urgent need to issue new revocations. January 27, 2011Practical Aspects of Modern Cryptography50
- Slide 51
- Short-Lived Certificates If you need to go to a CA to get a fresh CRL, why not just go to a CA to get a fresh cert? January 27, 2011Practical Aspects of Modern Cryptography51
- Slide 52
- CRLs vs. OCSP Responses Aggregation vs. Freshness CRLs combine revocation information for many certs into one long-lived object OCSP Responses designed for real-time responses to queries about the status of a single certificate Both CRLs & OCSP Responses are generated by the issuing CA or its designate. (Generally this is not the relying party.) January 27, 2011Practical Aspects of Modern Cryptography52
- Slide 53
- Online Status Checking OCSP: Online Certificate Status Protocol A way to ask is this certificate good right now? Get back a signed response from the OCSP server saying, Yes, cert C is good at time t Response is like a freshness certificate OCSP response is like a selective CRL Client indicates the certs for which he wants status information OCSP responder dynamically creates a lightweight CRL-like response for those certs January 27, 2011Practical Aspects of Modern Cryptography53
- Slide 54
- January 27, 2011Practical Aspects of Modern Cryptography54 OCSP in Action End-entity CA Relying Party Cert CertRequest OCSP Request OCSPForCert OCSP Response Transaction Response Cert + Transaction
- Slide 55
- Final thoughts on Revocation From a financial standpoint, its the revocation data that is valuable, not the issued certificate itself. For high-valued financial transactions, seller wants to know your cert is good right now. This is similar to credit cards, where the merchant wants the card authorized right now at the point-of-sale. Card authorizations transfer risk from merchant to bank thus theyre worth $$$. January 27, 2011Practical Aspects of Modern Cryptography55
- Slide 56
- Design Charrette How would you design a transit fare card system? January 27, 2011Practical Aspects of Modern Cryptography56
- Slide 57
- Fare Card System Elements An RFID card for each rider Readers on each vehicle and/or transit station (Internet connected?) Card purchase/payment machines A web portal for riders to manage and/or enrich their cards January 27, 2011Practical Aspects of Modern Cryptography57