Skip to content
This repository has been archived by the owner on Jan 6, 2019. It is now read-only.

Latest commit

 

History

History
173 lines (159 loc) · 7.73 KB

part1.md

File metadata and controls

173 lines (159 loc) · 7.73 KB

Part 1

Side Channel Attack

Power Analysis Attack (Power Cryptanalysis Attack)

  • Attack allows to retrieve a secret
  • Trace power consumption of device
  • Trace: Measurement of consumption during a single execution
    • Depends on the secret and input
  • Simple Power Analysis (SPA) uses a single trace
  • Differential Power Analysis (DPA):
    • Statistical analysis of multiple traces
    • similar to timing cryptanalysis
    • Assumption: power consumption depends not only on instruction but also the value of the operands
      • storing 1 vs. 0 in a register/memory
      • shifts and rotations depend on number of positions
      • logical and arithmetic
    • ... TODO ...
  • High-Order Differential Power Analysis uses complex statistical methods, again multiple traces
  • Primary Targets: Smartcards, RFID chips, Sensor nodes, etc. Basically embedded devices
  • Physical access to device needed

Technical Details

  • Power describes the consumed energy per unit time
  • Dynamic power consumption
    • Power to charge transistor gate
    • State changes
    • Discharge (e.g. from 1 to 0) is free => if state changes \(f\) times only \(\frac{f}{2}\) times a charge happens which adds up to the dynamic power consumption.
  • Static power consumption
    • Power consumed while no states changes happen (i.e. no gates need charging)
  • CMOS gates
    • \(0 \to 0, 1 \to 1\) nearly no power needed
    • \(0 \to 1, 1 \to 0\) high power consumption
  • While measuring use average to reduce noise

Practice

  • Create trace containing instructions depending on the key
  • Interesting instruction sets
    • rounds in DES
    • square vs. multiply in RSA exponentiation (see exercise)
    • hamming weights of words

SPA on RSA (Exercise)

  • Attack on top-down square and multiply exponentiation
    • done during signing and decryption
  • Observation
    • Squaring followed by squaring \(\Rightarrow\) bit of the exponent is zero
    • Squaring followed by multiplication \(\Rightarrow\) bit of the exponent is one
  • On slides: Square has higher power consumption than multiplication
  • In Exercise: ... TODO ...

Protections

  • Desynchronization: change power consumption randomly
    • e.g. insert dummy instructions
    • Dummy instructions can be recognised by SPA
  • Noise generator: piece of hardware to randomise consumption
    • Using larger set of traces can counter this. Noise can be filtered out.
  • Filter at power input & physical shielding
    • In case of physical access, can be removed/deactivated
  • Software balancing
    • Results in significant overhead to the computation (not very practical)
  • Hardware balancing
    • Processor needs the same amount of power for all instructions, operand's values
    • Costly and hard to design
  • TODO: Shamir's countermeasure

Side Channel Attack: Cache-timing Attack on AES

  • Differential attack
  • ... TODO ... read paper
  • Can recover the secret key by measuring the time
  • Attacker sends specific plaintext (known-plaintext attack) to server and receives the ciphertext. Measures the time the server needs.
  • Attack possible due to AES Design: Very hard to write constant time high performance AES software for general-purpose computers.
  • Vulnerability exists because implementations use lookup tables for internal operations, such as S-Boxes.
    • Time to access a specific table depends on the address of the position
    • Data will be in cache or in memory, different access times
      • L1 and L2 caches, RAM, Disk
    • Attack can learn about the address being accessed by looking at the time needed for access
  • In AES table lookup, i.e. memory addresses, are derived from the secret key and plaintext
  • ... TODO ... after reading paper slides 41ff
  • Lessons learned
    • General: write constant time security software
    • Cache-timing attacks countermeasures:
      • avoid memory access
      • alternative lookup tables
      • data-oblivious memory access patterns
      • application specific masking
      • static or disabled caches
      • dynamic table storage
      • hiding the timing
    • Most countermeasures are expensive in regard to money (e.g. redesign cipher, redesign hardware) or in regard to performance

TEMPEST: Transmitted Elector-Magnetic Pulse / Energy Standards & Testing

  • Compromise emanation generated by electrical equipment
  • May be sensed and transmitted over air, water, electrical lines, etc.
  • Examples of such electrical equipment: Display, Keyboard, Cable, Processor

Computer Screen

Attack 1: Cable Emissions

  • Emissions by cables connecting a computer to the computer's display
  • Impulses in the wiring generates emissions
  • Emissions can be recoded by a receiver and processed
  • Screen content can be easily read

Attack 2: Reflections

  • Use telescope to see reflections and read what is on the screen
  • Many surfaces work: Spoon, Eye, Glasses, Tea pots, etc.

Keyboard

  • Wired and wireless keyboards vulnerable

Tamper Resilience

  • Tamper Resistant: Bank vault approach; make sure no one can break-in
  • Tamper Responding: Burglar alarm approach; real-time detection of intrusion and prevention of access to sensitive data
  • Tamper Evident: Evidence of break-in is left by the break-in; design system in a way that a break-in leaves evidence

Smart Cards

  • Basic Properties
    • hold secret keys
    • can perform crypto operations
    • access protection using PIN
    • limited tamper resistance
  • Possible to do invasive attack
    • remove everything around the smart card chip (depackaging chip)
    • read out content of memory by initiating the usual protocol, read data on bus and record it
  • Memory Read-Out Protection
    • authentication that card talks to a trusted entity before reading/using secret stored on card
    • Use of multiple algorithm and key variations. Switching between them every few weeks using a signed message send to the card. Attacker can't read out secret before card switches to it
    • Still possible to counter these protections
  • Invasive Attack Protections:
    • Use a sensor mesh in the top metal layer, if broken or shortened card destroys itself
    • Hide lower layer's structure by chemical and mechanical polishing
    • These protections can be circumvented
      • Focused Ion Beam (FIB): Possible to drill small holes to attach equipment to circuit lines the attacker is interested in, without breaking any possible sensor meshes
  • Glitch Attack
    • Replace critical machine instruction with an other one
    • Also possible to corrupt data values while in transfer
    • Possible ways to introduce a glitch:
      • clock signal (e.g. increase clock frequency for one or more half cycles, flipflops sample input before it's ready)
      • power supply
      • external electrical fields
  • Most Smart Cards include hardware countermeasures against such attacks
    • Low/High voltage sensor
    • Frequency sensor and filters
    • Light sensor
    • Glitch sensor
    • Temperature sensor
    • Life test function for sensor
  • Software countermeasures also used

Crypto-Processors

  • Basic Properties
    • hold secret keys
    • perform crypto operations
    • TPM functionality
    • access protected with master key
    • advanced tamper resistance
  • Typical attacks
    • Cryptanalysis: exploit design flaws in crypto primitives
    • Protocol analysis
      • Protocol attack: flaws in protocol in which crypto primitives are used
      • API attack: extends protocol attacks/analysis to APIs

Protocol-level / API Attacks (example on Crypto-Processor)

  • «Security API»
    • top-level software component of a cryptoprocessor
    • extends cryptographic API by enforcing policy on the interactions
  • ... TODO ... Lecture 3 slides 35ff
  • Such attacks computationally simple and fast
  • Attacker needs access to devices or the network connecting them
  • Countermeasures:
    • Access Control
    • Only enable what is required, disable access/functionality of everything else
  • Physical security of device not important for this attack
  • API analysis seems to be similar to analyzing authentication/key exchange protocols