© UCL Crypto group – October 2004 – I0
Low Cost Security for Internet-0? Frontiers and Limits
Jean-Jacques Quisquater
(visiting scientist at MIT)
(research director CNRS, France)
Université catholique de Louvain
Louvain-la-Neuve, Belgium
UCL Crypto Group
http://uclcrypto.org
Questions
• security?
• existence of secure objects?
• low cost security?
• state of the art?
Goal of security for I-0
• Accidental access by neighbors
• Malicious access by others
• Cloning?
• Security from Internet-1? Many solutions: ssh, TLS, https, IPsec, …
• Many crypto algorithms are not designed for low power or for small implementations (compression?)
• Similar situation: smart card (contact or contactless) versus card reader
Cost of security?
• Implementation (not the losses)
• Comms
• Silicon area
• Programs (protocols)
• Detectors (intrusion) and firewalls
• Physical security (tamper resistance)
• Update: the third version syndrome
Internet-0
• Low cost object
• Slow and close communication
• « serial » communication
• …
Cost of security? Smart cards
• Implementation (not the risk)
• Comms: 9600 b/s – 100 kb/s – …
• Silicon area: 3 mm² – 0.1 …
• Programs (protocols): 2 kBytes – …
• Detectors (intrusion) and firewalls: %
• Physical security (tamper resistance): !!!???
• Update: Java applets
Security is a dynamic process
• Best at the beginning of the system life, if static
• Initialisation (keys, names, …): here we need some physical security (context)
• Uses: new applications and contexts
• Update, new attacks (algo, hardware, …)
• End of life
Short Story of Smart Cards
• René Barjavel (1966) « La nuit des temps » (the Gondas)
• several inventors in USA (IBM - 1968), Japan, Germany, France
• Roland Moreno (F) pushed the right version (1974)
• Michel Ugon and Louis Guillou were the technical inventors (~1977)
• SPOM: single chip (security): 1981: first crypto algorithm and protocol (secret key): tests in France
• first DES: 1985 (TRASEC, Belgium, TB100 -> Proton)
• first RSA: CORSAIR (Philips): 1989 (coprocessor)
• first RISC 32 bits: 1997 (CASCADE -> GemExpresso)
• first Java smart card: 1997 (Schlumberger, software)
• ...
The chip (a complete computer)
• CPU
• security logic and sensors
• ROM: OS, including self-test procedures
• RAM (mainly static)
• (E)EPROM and/or flash memory:
  – cryptographic keys
  – PIN
  – biometric profiles
  – applications
• serial I/O
• internal bus(ses)
• accelerators for crypto algorithms DES, RSA, ... (coprocessors)
The chip (IC)
[Block diagram of the IC: ROM, EEPROM / flash memory, CPU, I/O, coprocessor (DES – RSA – ECC), security logic, RAM, sensors and firewall; external contacts: Reset, Ground, Volt, Clock]
Standards for (secure) chips
• ISO-7816
• GSM 11.*
• EMV
• FIPS 140-1,-2
• …
• Do you need it?
Lesson learned from smart cards
• Design for: access for pay-TV, phone coins, banking cards; common property: easy to trace or small loss.
• Security is « easy »: avoiding intrusion
• But used for many applications with high-value targets (SWIFT, …)
• Problems of side channels (1996)
identification
[Figure: the three factors of identification: possession (passport, smart card, I-0 device), knowledge (PIN, password) and (biological) characteristics (biometry); source: IEEE Spectrum, Feb. 94. For each factor the open question is: proof?]
(Physical) naming process
• By an authority (TTP)
• Self-nomination (using some random process)
• Distributed // election of a leader in a group
transform or add redundancy: cryptography
[Figure: SENDER (Alice) sends the message 10010100111 to RECEIVER (Bob), who has to trust it]
authentication
[Figure: a PROVER claims an identity to a VERIFIER. Examples of provers: password, user, person, driver, switch; of verifiers: computer, warden, car, lamp, switch. Threats: spy (on line), fake prover (copy or fake identity), fake verifier]
Authentication today
[Figure: exchange between PROVER and VERIFIER: contract, commitment, surprise (the challenge), answer]
Solutions
• proof: specific protocol; theory invented in 1984, called "zero-knowledge"
• new proof (fresh): the verifier must be convinced it is not a replay
• tamper-resistant object: "smart card", a secure and powerful microprocessor; important subject of research
Alice                                          Bob

q ← getRandomCorner();
send(q);            Query: (d-bit string)   →
                                               q ← receive();
                                               r ← f(q);
                    Response: (t-bit string) ← send(r);
r ← receive();
if (abs(r - f(q)) < tol)
    accept;
else
    reject;
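The exchange above, simulated end to end as an added example (this is not code from the talk). The "physical" function f, its measurement noise, the tolerance value, the enrolment of challenge/response pairs at initialisation and the one-time use of each query are all constructed assumptions for the simulation; the slide itself only fixes the shape of the protocol.

```python
"""Added example: the challenge-response of the slide above, simulated with
a constructed 'physical' response function, an enrolled table on the
verifier side and one-time queries so that a recorded answer is useless."""
import hashlib
import hmac
import random

D_BITS = 16   # query length (the slide's d-bit string)
T_BITS = 16   # response length (the slide's t-bit string)
TOL = 8       # accept when |r - f(q)| < TOL; assumed value, not from the slide
NOISE = 3     # maximal measurement noise of the constructed device


class Device:
    """Prover (Bob). A per-device secret seed stands in for the physical
    structure that cannot be copied, and HMAC for the unpredictable
    physical function f. Both are constructed stand-ins for this example."""

    def __init__(self, physical_seed: bytes, noise_rng: random.Random):
        self._seed = physical_seed
        self._rng = noise_rng

    def f(self, q: int) -> int:
        mac = hmac.new(self._seed, q.to_bytes(2, "big"), hashlib.sha256).digest()
        ideal = int.from_bytes(mac[:2], "big")            # t-bit ideal answer
        noisy = ideal + self._rng.randint(-NOISE, NOISE)  # measurement noise
        return max(0, min((1 << T_BITS) - 1, noisy))

    def respond(self, q: int) -> int:   # Bob's side: q <- receive(); send(f(q))
        return self.f(q)


class Verifier:
    """Alice. At initialisation (a trusted context, as the talk notes) she
    measures the genuine device on random queries and stores the pairs.
    Every stored query is used at most once, so a replayed answer fails."""

    def __init__(self, genuine: Device, n_pairs: int, rng: random.Random):
        self._rng = rng
        self._table = {}
        while len(self._table) < n_pairs:
            q = rng.getrandbits(D_BITS)
            self._table[q] = genuine.f(q)

    def getRandomCorner(self) -> int:   # the slide's getRandomCorner()
        return self._rng.choice(sorted(self._table))

    def verify(self, prover) -> bool:
        if not self._table:
            raise RuntimeError("no fresh queries left: re-enrol the device")
        q = self.getRandomCorner()
        expected = self._table.pop(q)   # one-time use: a recorded answer cannot be replayed
        r = prover.respond(q)           # send(q); r <- receive()
        return abs(r - expected) < TOL  # accept or reject


class ReplayingProver:
    """Attacker who recorded one genuine answer and repeats it for any query."""

    def __init__(self, recorded_response: int):
        self._r = recorded_response

    def respond(self, q: int) -> int:
        return self._r


def accepted_sessions(verifier: Verifier, prover, n: int) -> int:
    """Runs n authentication sessions and returns how many were accepted."""
    return sum(verifier.verify(prover) for _ in range(n))


if __name__ == "__main__":
    genuine = Device(b"device 42: its physical structure", random.Random(1))
    clone = Device(b"attacker's copy: a different structure", random.Random(2))
    alice = Verifier(genuine, n_pairs=200, rng=random.Random(3))
    print("genuine device:", accepted_sessions(alice, genuine, 20), "/ 20 accepted")
    print("cloned device :", accepted_sessions(alice, clone, 20), "/ 20 accepted")
    replay = ReplayingProver(genuine.f(12345))
    print("replay        :", accepted_sessions(alice, replay, 20), "/ 20 accepted")
```

The tolerance is what makes a noisy physical measurement usable as an answer; the price is that the verifier must hold enough enrolled pairs for the lifetime of the object, and must never reuse one, which is exactly the freshness requirement stated on the "Solutions" slide.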
Generic model of card for passive attacks
[Figure: the chip with its contacts CLK, GRD, VCC, RST and I/O; passive attacks: 1. timing, 2. SPA-DPA, 3. probing, 4. measures of radiations]
Side Story of Side Channel Analysis
• 1986: PIN code of smart card broken by timing attack …
• 1992: TNO discovers a relation between smart card power consumption and program code
• 1992: Philips did the same …
• 1994: TNO develops software to visualise program structure
• 1995: Bellcore invents the "Microwave Attack" and Differential Fault Analysis (DFA)
• 1995: Paul Kocher invents the timing attack
• 1997: Paul Kocher invents Differential Power Analysis (DPA)
• 1998: TNO implements DPA
• 1998: Gemplus invents Voltage Manipulation (VM)
• 1999: TNO implements VM for Single Fault Injection (SFI)
• 2000: Quisquater and Samyde implement Electromagnetic Analysis (EMA)
TNO©
Analysis of a simple model (Vernam)
c_i = m_i XOR k_i   (input m_i, secret key k_i, output c_i)

  m_i  k_i  c_i
   0    0    0
   0    1    1
   1    0    1
   1    1    0

If for some reason the two zeroes (0 XOR 0 and 1 XOR 1) are not the same (SPA ...), this perfect system is completely broken.
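A simulation of that break, added here as an example (not code from the talk). The leakage model is a constructed one: each XOR leaks the Hamming weight of its two operand bits, so 0 XOR 0 and 1 XOR 1 give different power samples although both output 0; the message and key are random bits generated for the demonstration.

```python
"""Added example: single-trace SPA against the bitwise one-time pad of the
slide above, under a constructed leakage model in which 0 XOR 0 and
1 XOR 1 consume different power."""
import random


def operand_weight_leak(m_bit: int, k_bit: int) -> int:
    """Constructed leakage model: the power sample is the Hamming weight of
    the two operand bits loaded into the XOR. (0,0) leaks 0 and (1,1) leaks
    2, so the 'two zeroes' of the slide are no longer the same; (0,1) and
    (1,0) both leak 1 and stay indistinguishable."""
    return m_bit + k_bit


def constant_leak(m_bit: int, k_bit: int) -> int:
    """Ideal, data-independent power consumption (no side channel)."""
    return 1


def encrypt_with_trace(m, k, leak):
    """Vernam encryption of bit list m under key bit list k; also returns
    the power trace, one sample per bit, as an attacker would record it."""
    c, trace = [], []
    for mi, ki in zip(m, k):
        c.append(mi ^ ki)
        trace.append(leak(mi, ki))
    return c, trace


def recover_key_bits(c, trace):
    """Attacker: knows only the ciphertext and the trace. Returns {i: k_i}
    for every position the trace determines; where c_i = 0 the plaintext
    bit m_i equals k_i, so those plaintext bits are recovered as well."""
    known = {}
    for i, (ci, li) in enumerate(zip(c, trace)):
        if ci == 0:            # m_i == k_i: both 0 or both 1
            if li == 0:
                known[i] = 0
            elif li == 2:
                known[i] = 1
            # any other sample value: the trace did not separate the cases
    return known


def attack_summary(n_bits=64, seed=7, leak=operand_weight_leak):
    """Encrypts a random message under a random key, runs the attack and
    returns (number of key bits recovered, number recovered correctly)."""
    rng = random.Random(seed)
    m = [rng.getrandbits(1) for _ in range(n_bits)]
    k = [rng.getrandbits(1) for _ in range(n_bits)]
    c, trace = encrypt_with_trace(m, k, leak)
    known = recover_key_bits(c, trace)
    correct = sum(1 for i, b in known.items() if k[i] == b)
    return len(known), correct


if __name__ == "__main__":
    print("leaky XOR     (found, correct):", attack_summary(leak=operand_weight_leak))
    print("constant leak (found, correct):", attack_summary(leak=constant_leak))
```

Under this model about half of the key bits (every position where the ciphertext bit is 0) come out of a single trace with no statistics at all, and with them the corresponding plaintext bits; with data-independent consumption the same attack recovers nothing.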
Timing attacks
[Figure: the chip with its contacts CLK, GRD, VCC, RST and I/O; attack 1: timing]
• The measurement of the timing and (some) knowledge of the implementation of the cryptographic algorithm in use, together with many well-chosen inputs/outputs and some statistical treatment, give the secret key (works well for RSA-like algorithms).
• Countermeasure: timing and I/O not related to the key at all (constant run time, for instance).
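An added example of the simplest form of this attack, in the spirit of the PIN timing attack of 1986 listed on the next slide (this is not code from the talk): a PIN check that stops at the first wrong digit leaks, through its run time, how many leading digits were right. An operation counter stands in for the stopwatch so the result is deterministic; the PIN and the digit alphabet are made up.

```python
"""Added example: timing attack on an early-exit PIN comparison, with an
operation counter standing in for the stopwatch so the result is
deterministic. The PIN and digit set are constructed for the demo."""


class PinChecker:
    """The verifier. `ops` counts the comparisons the last check performed,
    which is what an attacker measures as time on the I/O line."""

    def __init__(self, pin: str, constant_time: bool):
        self._pin = pin
        self._constant_time = constant_time
        self.ops = 0
        self.queries = 0

    def check(self, candidate: str) -> bool:
        self.queries += 1
        self.ops = 0
        if len(candidate) != len(self._pin):
            return False
        if self._constant_time:
            # Countermeasure: the run time does not depend on the secret.
            diff = 0
            for a, b in zip(candidate, self._pin):
                self.ops += 1
                diff |= ord(a) ^ ord(b)
            return diff == 0
        # Vulnerable: stops at the first wrong digit, so the time taken
        # reveals how long the correct prefix is.
        for a, b in zip(candidate, self._pin):
            self.ops += 1
            if a != b:
                return False
        return True


def timing_attack(oracle: PinChecker, length: int, digits: str = "0123456789") -> str:
    """Attacker: recovers the PIN one digit at a time by keeping the digit
    that made the check run longest; a successful check ends the attack."""
    prefix = ""
    for pos in range(length):
        best_digit, best_ops = digits[0], -1
        for d in digits:
            candidate = prefix + d + digits[0] * (length - pos - 1)
            if oracle.check(candidate):
                return candidate
            if oracle.ops > best_ops:
                best_digit, best_ops = d, oracle.ops
        prefix += best_digit
    return prefix


def run(pin: str, constant_time: bool):
    """Returns (PIN recovered by the attacker, number of queries used)."""
    oracle = PinChecker(pin, constant_time)
    guess = timing_attack(oracle, len(pin))
    return guess, oracle.queries


if __name__ == "__main__":
    print("early-exit compare   :", run("4271", constant_time=False))
    print("constant-time compare:", run("4271", constant_time=True))
```

Against the early-exit check the four digits fall in a few dozen queries instead of up to 10,000; against the constant-time check every candidate takes the same time, the attacker is left with a random guess, and only the accept/reject bit remains.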
Implementation problems (Joye, Lenstra, Q.)
• Optimisation: minimisation of the number of multiplications and squares. Error or attack? Pentium bug …
• Chinese Remainder Theorem:
[Figure: m is exponentiated mod p and mod q separately and the two halves are combined; an error in one half means p and q are in danger!]
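The danger in the figure, worked through as an added example with toy-size primes (not code from the talk): a single error in the mod-p half of an RSA-CRT signature lets anyone factor the modulus, either from the faulty and a correct signature of the same message, or, in the single-signature variant of Joye, Lenstra and Quisquater, from the faulty signature and the public key alone. The key, the message and the way the fault is injected (one flipped bit) are constructed for the demonstration.

```python
"""Added example: the RSA-CRT fault attack sketched on the slide above, on
toy 20-bit primes; the fault is simulated by flipping one bit of the
mod-p half. Not code from the talk."""
from math import gcd

# Constructed toy key; real keys use 1024-bit or larger primes.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse (Python >= 3.8)


def rsa_crt_sign(m: int, d: int, p: int, q: int, fault_in_p: bool = False) -> int:
    """Signs m with the CRT speed-up: two half-size exponentiations that are
    then combined (Garner). `fault_in_p` simulates one induced error in the
    mod-p half, as a glitch or a light pulse would."""
    dp, dq = d % (p - 1), d % (q - 1)
    sp = pow(m, dp, p)
    sq = pow(m, dq, q)
    if fault_in_p:
        sp ^= 1                       # single-bit error in one half only
    h = ((sq - sp) * pow(p, -1, q)) % q
    return (sp + p * h) % (p * q)


def factor_from_two_signatures(s_good: int, s_bad: int, n: int) -> int:
    """Bellcore attack: a correct and a faulty signature of the same message
    agree mod q and differ mod p, so their difference is a multiple of q."""
    return gcd(s_good - s_bad, n)


def factor_from_one_signature(s_bad: int, m: int, e: int, n: int) -> int:
    """Lenstra's variant: one faulty signature and the public key suffice,
    because s_bad^e == m holds mod q but not mod p."""
    return gcd(pow(s_bad, e, n) - m, n)


def sign_with_check(m: int, fault_in_p: bool = False):
    """Countermeasure named on the closing slides: verify the result before
    output. Returns the signature, or None when it does not verify."""
    s = rsa_crt_sign(m, D, P, Q, fault_in_p)
    return s if pow(s, E, N) == m else None


if __name__ == "__main__":
    m = 123456789
    s_good = rsa_crt_sign(m, D, P, Q)
    s_bad = rsa_crt_sign(m, D, P, Q, fault_in_p=True)
    print("q from gcd(s - s', N)   :", factor_from_two_signatures(s_good, s_bad, N))
    print("q from gcd(s'^e - m, N) :", factor_from_one_signature(s_bad, m, E, N))
    print("output under fault with verification:", sign_with_check(m, fault_in_p=True))
```

Note that the error in the mod-p half reveals q, the other prime: the faulty signature is still correct modulo q. Verifying with the public exponent before releasing the signature costs one small exponentiation and turns the attack into a denial of service, which is why the closing slides list "verify the result before output" among the countermeasures.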
ElectroMagnetic Analysis
• Similar processing as PA (power analysis); the sensing and the leakage are different.
• Use a different probe (one that does not interfere with the chip):
  – hand-made (Gemplus)
  – RF receiver (IBM)
  – flat inductor and MEMS (UCL)
[Figure: probe photographs, 3 mm and 0.5 mm]
Spatial positioning
• Horizontal cartography (XY plane):
  – to pinpoint instruction-related areas
  – better if automated
[Figure: 4.5 mm × 5.5 mm chip layout showing the CPU, EEPROM, ROM, RAM and CRYPTO blocks and the probe position; Gemplus©]
Side Channel Conclusion
• Direct and serious threat to the security of crypto systems
• Applicable to all algorithms
• (mostly) a non-destructive class of attacks
• Can be developed in order of weeks, repeated in order of hours
• Can be prevented or discouraged by (combinations of) countermeasures
Faults insertion
• Aim: cryptanalysis of an algorithm using fault(s)
• Means of insertion:
  – glitch attack (clock)
  – local heating
  – optical attack (CHES 2002)
  – eddy currents (E-smart 2002)
  – local ionisation (RADS 2003)
  – UV light applied to a certain location
  – X-rays
Countermeasures
• Scramble the memory structure
• Dedicated sensors
• Opaque passivation layer or top-layer shielding
• Self-timed circuit & Dual-rail logic
• CRC
• Software countermeasures
Countermeasures
• Software:
  – check each bit before setting/resetting it
  – test the integrity of everything (data, crypto, …)
• Hardware:
  – scramble the memory structure
  – implement a CRC (well chosen)
  – build new architectures for error detection/correction
  – asynchronous processors (www.g3card.org)
  – dedicated sensors; avoid static sensors
If there is a CRC check, there is somewhere a transistor that gives the right/wrong value… It could then be possible to lock that value (FPGA, …).
UCL©
Countermeasures
• A lot: new hardware design, new technology, …
• Randomize carefully!
• No difference between square and multiply (add and doubling): subtle solutions
• Verify the result before output
• …
• Very mathematical, very cryptographic
• Another story (see the recent thesis of Mathieu Ciet, UCL, June 2003, about ECC, and so on).
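An added example of the "no difference between square and multiply" point (not code from the talk): the sequence of squarings and multiplications of a naive modular exponentiation is recorded as a trace, the exponent is read straight off it, and a Montgomery ladder is shown beside it, whose operation sequence is the same for every exponent of a given length. The modulus, base and exponents are toy values constructed for the demonstration.

```python
"""Added example: the operation sequence of a naive modular exponentiation
read off as an SPA trace, beside a Montgomery ladder whose sequence does
not depend on the exponent. Constructed toy parameters."""


def square_and_multiply(base: int, exp: int, n: int, trace: list) -> int:
    """Left-to-right binary exponentiation. Appends 'S' for each squaring
    and 'M' for each multiplication; a multiply happens only for a 1 bit."""
    r = 1
    for bit in bin(exp)[2:]:
        r = r * r % n
        trace.append("S")
        if bit == "1":
            r = r * base % n
            trace.append("M")
    return r


def montgomery_ladder(base: int, exp: int, n: int, trace: list) -> int:
    """Regular exponentiation: one multiply and one square per bit whatever
    the bit's value, so the trace carries no information about exp.
    Invariant: r1 == r0 * base (mod n)."""
    r0, r1 = 1, base % n
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0, r1 = r0 * r1 % n, r1 * r1 % n
        else:
            r1, r0 = r0 * r1 % n, r0 * r0 % n
        trace.append("M")
        trace.append("S")
    return r0


def spa_read_exponent(trace: list):
    """Attacker: parses the trace as groups 'S M' (bit 1) and lone 'S'
    (bit 0). Returns None when the trace does not have that shape."""
    bits = []
    i = 0
    while i < len(trace):
        if trace[i] != "S":
            return None
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2) if bits else None


if __name__ == "__main__":
    n, base, secret = 1000003 * 1000033, 12345, 0b101101101001
    t = []
    ok = square_and_multiply(base, secret, n, t) == pow(base, secret, n)
    print("square-and-multiply correct:", ok, "trace:", "".join(t))
    print("  exponent read from trace:", bin(spa_read_exponent(t)))
    t = []
    ok = montgomery_ladder(base, secret, n, t) == pow(base, secret, n)
    print("Montgomery ladder correct  :", ok, "trace:", "".join(t))
    print("  exponent read from trace:", spa_read_exponent(t))
```

The ladder removes the key-dependent branch in the operation sequence, which is what SPA reads; it does nothing against the data-dependent leakage that DPA exploits, which is why the slide adds "randomize carefully" as a separate item.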