- Attack allows an attacker to retrieve a secret
- Trace power consumption of device
- Trace: Measurement of consumption during a single execution
- Depends on the secret and input
- Simple Power Analysis (SPA) uses a single trace
- Differential Power Analysis (DPA):
- Statistical analysis of multiple traces
- similar to timing cryptanalysis
- Assumption: power consumption depends not only on instruction but also the value of the operands
- storing 1 vs. 0 in a register/memory
- shifts and rotations depend on number of positions
- logical and arithmetic
- ... TODO ...
- High-Order Differential Power Analysis uses complex statistical methods, again multiple traces
- Primary Targets: Smartcards, RFID chips, Sensor nodes, etc. Basically embedded devices
- Physical access to device needed
- Power describes the consumed energy per unit time
- Dynamic power consumption
- Power to charge transistor gate
- State changes
- Discharge (e.g. from 1 to 0) is free \(\Rightarrow\) if the state changes \(f\) times, a charge happens only \(\frac{f}{2}\) times, and only those charges add to the dynamic power consumption.
- Static power consumption
- Power consumed while no state changes happen (i.e. no gates need charging)
- CMOS gates
- \(0 \to 0, 1 \to 1\) nearly no power needed
- \(0 \to 1, 1 \to 0\) high power consumption
- While measuring, use averaging to reduce noise
- Create trace containing instructions depending on the key
- Interesting instruction sets
- rounds in DES
- square vs. multiply in RSA exponentiation (see exercise)
- Hamming weights of words
- Attack on top-down square and multiply exponentiation
- done during signing and decryption
- Observation
- Squaring followed by squaring \(\Rightarrow\) bit of the exponent is zero
- Squaring followed by multiplication \(\Rightarrow\) bit of the exponent is one
- On slides: Square has higher power consumption than multiplication
- In Exercise: ... TODO ...
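
The observation above as an added example, not part of the original notes: a model of top-down square-and-multiply that records its operation sequence, a reader that recovers the exponent from that sequence, and a Montgomery ladder (a standard balanced technique the notes do not name) whose sequence is identical for every exponent of the same length. The letters `S`/`M` stand in for patterns that would be distinguishable in a real trace; all function names and the toy values are constructed.

```python
def square_and_multiply(base, exponent, modulus):
    """Top-down square-and-multiply; returns (result, operation sequence)."""
    result, ops = 1, []
    for bit in bin(exponent)[2:]:          # most significant bit first
        result = (result * result) % modulus
        ops.append("S")
        if bit == "1":                     # key-dependent extra operation
            result = (result * base) % modulus
            ops.append("M")
    return result, "".join(ops)


def exponent_from_ops(ops):
    """Apply the notes' rule: S then M -> bit 1, S then S (or end) -> bit 0."""
    bits, i = [], 0
    while i < len(ops):
        if ops[i] != "S":
            raise ValueError("every exponent bit starts with a squaring")
        if i + 1 < len(ops) and ops[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)


def montgomery_ladder(base, exponent, modulus):
    """One multiply and one square per bit, whatever the bit value."""
    r0, r1, ops = 1, base % modulus, []
    for bit in bin(exponent)[2:]:
        if bit == "1":
            r0, r1 = (r0 * r1) % modulus, (r1 * r1) % modulus
        else:
            r0, r1 = (r0 * r0) % modulus, (r0 * r1) % modulus
        ops.append("MS")
    # Only the operation sequence is modelled; real code must also avoid
    # key-dependent branches and memory addresses.
    return r0, "".join(ops)


if __name__ == "__main__":
    n, d, c = 3233, 0b1011001, 65          # constructed toy values
    _, ops = square_and_multiply(c, d, n)
    print(ops, bin(exponent_from_ops(ops)))
    print(montgomery_ladder(c, d, n)[1])
```

The ladder still reveals the bit length of the exponent through the number of iterations.
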
- Desynchronization: change power consumption randomly
- e.g. insert dummy instructions
- Dummy instructions can be recognised by SPA
- Noise generator: piece of hardware to randomise consumption
- Using larger set of traces can counter this. Noise can be filtered out.
- Filter at power input & physical shielding
- In case of physical access, can be removed/deactivated
- Software balancing
- Results in significant overhead to the computation (not very practical)
- Hardware balancing
- Processor needs the same amount of power for all instructions and operand values
- Costly and hard to design
- TODO: Shamir's countermeasure
- Differential attack
- ... TODO ... read paper
- Can recover the secret key by measuring the time
- Attacker sends specific plaintext (known-plaintext attack) to server and receives the ciphertext. Measures the time the server needs.
- Attack possible due to AES Design: Very hard to write constant time high performance AES software for general-purpose computers.
- Vulnerability exists because implementations use lookup tables for internal operations, such as S-Boxes.
- Time to access a specific table entry depends on its address
- Data will be in cache or in memory, different access times
- L1 and L2 caches, RAM, Disk
- Attacker can learn about the address being accessed by looking at the time needed for access
- In AES, table lookup indices, i.e. memory addresses, are derived from the secret key and plaintext
- ... TODO ... after reading paper slides 41ff
- Lessons learned
- General: write constant time security software
- Cache-timing attacks countermeasures:
- avoid memory access
- alternative lookup tables
- data-oblivious memory access patterns
- application specific masking
- static or disabled caches
- dynamic table storage
- hiding the timing
- Most countermeasures are expensive in regard to money (e.g. redesign cipher, redesign hardware) or in regard to performance
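
A model of the lookup leak and of the "data-oblivious memory access patterns" countermeasure, as an added example that is not part of the original notes. It tracks which cache lines a lookup touches rather than real timing; the 4-byte entry size, 64-byte line size, stand-in table and all function names are assumptions made for the illustration.

```python
ENTRY_BYTES = 4                        # assumption: 32-bit table entries
LINE_BYTES = 64                        # assumption: 64-byte cache lines
PER_LINE = LINE_BYTES // ENTRY_BYTES   # 16 entries share one cache line
# Constructed stand-in table; the real AES tables are not reproduced here.
TABLE = [(i * 0x9E3779B1) & 0xFFFFFFFF for i in range(256)]


def direct_lookup(plain_byte, key_byte):
    """First-round style lookup: the index is plaintext XOR key."""
    idx = plain_byte ^ key_byte
    return TABLE[idx], {idx // PER_LINE}      # one key-dependent line


def oblivious_lookup(plain_byte, key_byte):
    """Read every entry and keep the wanted one with a mask, no branch."""
    idx = plain_byte ^ key_byte
    value, touched = 0, set()
    for i, entry in enumerate(TABLE):
        touched.add(i // PER_LINE)
        # all-ones when i == idx, zero otherwise
        mask = (((i ^ idx) - 1) >> 8) & 0xFFFFFFFF
        value |= entry & mask
    return value, touched


def key_nibble_candidates(plain_byte, touched_lines):
    """Upper key nibbles consistent with the lines seen for a known plaintext."""
    return {line ^ (plain_byte >> 4) for line in touched_lines}


if __name__ == "__main__":
    p, k = 0x3C, 0xA7                         # constructed sample bytes
    _, lines = direct_lookup(p, k)
    print("direct:   ", sorted(key_nibble_candidates(p, lines)))
    _, lines = oblivious_lookup(p, k)
    print("oblivious:", len(key_nibble_candidates(p, lines)), "candidates")
```

The direct lookup narrows the upper key nibble to a single value, while the full scan leaves all 16 candidates open at the cost of 256 reads per lookup, which is the performance price the notes mention.
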
- Compromising emanations generated by electrical equipment
- May be sensed and transmitted over air, water, electrical lines, etc.
- Examples of such electrical equipment: Display, Keyboard, Cable, Processor
- Emissions by cables connecting a computer to the computer's display
- Impulses in the wiring generate emissions
- Emissions can be recorded by a receiver and processed
- Screen content can be easily read
- Use telescope to see reflections and read what is on the screen
- Many surfaces work: Spoon, Eye, Glasses, Tea pots, etc.
- Wired and wireless keyboards vulnerable
- Tamper Resistant: Bank vault approach; make sure no one can break-in
- Tamper Responding: Burglar alarm approach; real-time detection of intrusion and prevention of access to sensitive data
- Tamper Evident: Evidence of break-in is left by the break-in; design system in a way that a break-in leaves evidence
- Basic Properties
- hold secret keys
- can perform crypto operations
- access protection using PIN
- limited tamper resistance
- Possible to do invasive attack
- remove everything around the smart card chip (depackaging chip)
- read out content of memory by initiating the usual protocol, read data on bus and record it
- Memory Read-Out Protection
- authentication that card talks to a trusted entity before reading/using secret stored on card
- Use of multiple algorithm and key variations. Switching between them every few weeks using a signed message sent to the card. Attacker can't read out secret before card switches to it
- Still possible to counter these protections
- Invasive Attack Protections:
- Use a sensor mesh in the top metal layer; if it is broken or shorted, the card destroys itself
- Hide lower layer's structure by chemical and mechanical polishing
- These protections can be circumvented
- Focused Ion Beam (FIB): Possible to drill small holes to attach equipment to circuit lines the attacker is interested in, without breaking any possible sensor meshes
- Glitch Attack
- Replace critical machine instruction with another one
- Also possible to corrupt data values while in transfer
- Possible ways to introduce a glitch:
- clock signal (e.g. increase clock frequency for one or more half cycles, so flip-flops sample their input before it's ready)
- power supply
- external electrical fields
- Most Smart Cards include hardware countermeasures against such attacks
- Low/High voltage sensor
- Frequency sensor and filters
- Light sensor
- Glitch sensor
- Temperature sensor
- Life test function for sensor
- Software countermeasures also used
- Basic Properties
- hold secret keys
- perform crypto operations
- TPM functionality
- access protected with master key
- advanced tamper resistance
- Typical attacks
- Cryptanalysis: exploit design flaws in crypto primitives
- Protocol analysis
- Protocol attack: flaws in protocol in which crypto primitives are used
- API attack: extends protocol attacks/analysis to APIs
- «Security API»
- top-level software component of a cryptoprocessor
- extends cryptographic API by enforcing policy on the interactions
- ... TODO ... Lecture 3 slides 35ff
- Such attacks are computationally simple and fast
- Attacker needs access to devices or the network connecting them
- Countermeasures:
- Access Control
- Only enable what is required, disable access/functionality of everything else
- Physical security of device not important for this attack
- API analysis seems to be similar to analyzing authentication/key exchange protocols