lejla ba na - cosic · crypto:&theory&vs&physical&reality& power &ming...
TRANSCRIPT
Intro to side-‐channel analysis
Lejla Batina
Digital Security Group Ins7tute for Compu7ng and Informa7on Sciences (ICIS)
Radboud University Nijmegen The Netherlands
and KU Leuven, Belgium
Summer school on Design and Security of Cryptographic Func6ons, Algorithms and Devices
Albena, July 2, 2013
Crypto: theory vs physical reality
power
&ming
sound Algorithms are (supposed to be)
theoretically secure
fault injec&on
Implementations leak in physical world
2
Side-‐channels
Outline
• Implementa7on of security vs secure implementa7ons – Embedded cryptographic devices – Embedded security
• Side-‐channel analysis basics • Power analysis aSacks • Other side-‐channels • Countermeasures • Recent advances • Conclusions
3
Introduction
4
Embedded cryptographic devices
Embedded security: -‐ resource limita7on -‐ physical accessibility
5
RFID tags and alikes • Supply chain management • Product authen7ca7on • Vehicles tracking • Medical care • RFID passports • Mobile credit card payment systems • Transporta7on payment systems • Spor7ng events (7ming / tracing) • Animal iden7fica7on
Source:http://www.flickr.com
6
(In)security for Embedded Systems “Researchers have extracted information from nothing more than the reflection of a computer monitor off an eyeball or the sounds emanating from a printer.” Scientific American, May 2009. “Secustick gives false sense of security” April 12, 2007 http://tweakers.net/reviews/683 Security completely broken “You can no longer rely on encryption to protect a BlackBerry.” InfoWorld, October 1, 2010. The data is passed from the device to the computer in a plain, unencrypted form, so it takes 3 days to brute-force the password.
7
Our scope: Implementa7on ASacks
“Remote keyless entry system for cars and buildings is hacked” March 31, 2008 -‐ KeeLoq: eavesdropping from up to 100 m -‐ 2 mesages are enough -‐ Even SPA is possible, July 19, 2009 www.crypto.rub.de/keeloq
PS3 hack -‐ ECDSA implementa7on failed -‐ resulted in PS3 master key recovery
Contactless Smartcards with Mifare Classic, DESFire, Atmel CryptoMemory,…
8
Embedded Security We NEED BOTH
• Efficient Implementa7on – Within power, area, 7ming budgets – Public key: 1024 bits RSA on 8 bit μC and
100 mW
– Public key: ECC on a passive RFID tag
• Secure (trustworthy) implementa7on – Resistant to aSacks – Ac7ve aSacks: probing, (power) glitches,
JTAG scan chain, cold-‐boot, … – Passive aSacks: power consump7on,
electromagne7c emana7on, sound, temperature, …
9
Slide credit: I. Verbauwhede
Side-‐channel security: before and today • Tempest – known since early 1960s that computers generate
EM radia7on that leaks info about the data being processed • In 1965, MI5: microphone near the rotor-‐cipher machine
used by the Egyp7an Embassy the click-‐sound the machine produced was analyzed to deduce the core posi7on of the machines rotors
• First academic publica7ons by Paul Kocher: 1996 (7ming) and 1999 (power)
• Many successful aSacks published on various plahorms and real products e.g. KeeLoq, CryptoMemory, (numerous) contactless cards
• Models, theory, leakage resilient crypto i.e. provable physical security
10
Concepts of side-‐channel leakage
• Side-‐channel leakage is based on (non-‐inten7onal) physical informa7on
• Can enable new kind of aSack • Oien, op7miza7ons enable leakages
o Cache: faster memory access o Fixed computa7on paSerns o Square vs mul7ply (for PK)
11
Basic idea
“Breaking into a safe is hard, because one has to solve a single, very hard problem...”
… b r e a k i n g d o w n a problem into two or more sub-problems that are simple enough to be solved directly
12
Side-channel attacks basics
13
Concept: Black box model
Standardized algor7hms are secure
Cryptographic device Plain text Cipher text
14
Sources of side-‐channel informa7on • Timing (Kocher 1996), Power (KJJ 1999), EM (UCL & Gemplus
2001) • Temperature (Naccache et al.)
– informa7on about the device's malfunc7on leaked-‐out via its temperature
• Light (Kuhn) – Reading CRT-‐displays at a distance – Observing high-‐frequency varia7ons of the light emiSed
• Sound (Shamir and Tromer) – Dis7nguishing an idle from a busy CPU – Dis7nguish various paSerns of CPU opera7ons and memory access (RSA
signatures)
• Photonic emissions (TU Berlin)
15
Leakage is explorable
• Due to the (dependency of leakages on) sequences of instruc7ons executed
• Due to the data (even sensi7ve!) being processed • Due to other physical effects • …
• And remember:
16
ASack categories
• Side-‐channel aSacks – this talk – use some physical (analog) characteris7c and assume access to it
• Faults – see the talk of J.-‐ M. Schmidt – use abnormal condi7ons causing malfunc7ons in the system
• Microprobing – accessing the chip surface directly in order to observe, learn and manipulate the device
17
Taxonomy of Implementa7on ASacks • Ac7ve versus passive
– Ac7ve • The key is recovered by exploi7ng some abnormal behavior e.g.
power glitches or laser pulses • Inser7on of signals
– Passive • The device operates within its specifica7on • Reading hidden signals
• Invasive versus non-‐invasive – Invasive aka expensive: the strongest type e.g. bus probing – Semi-‐invasive: the device is de-‐packaged but no contact to the chip e.g.
op7cal aSacks that read out memory cells – Non-‐invasive aka low-‐cost: power/EM measurements
• Side-‐channel aSacks: passive and non-‐invasive
18
Analysis capabili7es
• “Simple” aSacks: one or a few measurements -‐ visual inspec7on
• Differen7al aSacks: mul7ple measurements – Use of sta7s7cs, signal processing, etc.
• Higher order aSacks: n-‐th order is using n different samples
• Combining two or more side-‐channels • Combining side-‐channel aSack with theore7cal cryptanalysis
19
Devices under aSack • Smart card • FPGA, ASIC • RFID, PDAs • Phones, USBs, ... • Actual products
Clock
Meas. VDD
Meas. GND
RS 232 ASIC Trigger
20
Measurement setup
oscilloscope
analyzing device
FPGA
21
Prac7cal Issues
• Quality of measurements – Noise issues
• Sources: power supply, clock gen. • Algorithmic, sampling, external, intrinsic, quan7za7on • Averaging mul7ple observa7ons helps
• Aligning the measurements – Due to 7me randomiza7on, permu7ng execu7on or hardware countermeasures
22
Misalignment
23
Power Analysis
• Direct aSacks • Simple Power Analysis (1999) • Differen7al Power Analysis (1999) • Correla7on Power Analysis (2004) • Collision ASacks (2003)
• Two-‐stage aSacks • Template ASacks (2002) • Stochas7c Models (2005) • Linear Regression Analysis (LRA)
• Advanced aSacks: Mutual Informa7on Analysis -‐ MIA (2008), Diff. cluster analysis (2009), PCA (2011), ...
24
Simple Power Analysis (SPA)
25
Simple Power Analysis (SPA)
• Based on one or a few measurements • Mostly discovery of data-‐(in)dependent but instruc7on-‐
dependent proper7es e.g. – Symmetric:
• Number of rounds (resp. key length) • Memory accesses (usually higher power consump7on)
– Asymmetric: • The key (if badly implemented, e.g. RSA / ECC) • Key length • Implementa7on details: for example RSA w/wo CRT
• Search for repe77ve paSerns
conditional operation
26
Simple Power Analysis
time axis
27
Using SPA to find a good place to aSack
28
Insecure RSA implementa7on
RSA modular exponentiation In: message m,key e(l bits) Output: me mod n
A = 1
for j = l – 1 to 0
A = A2 mod n /* square */ if (bit j of k) is 1 then A = A x m mod n /* multiply */
Return A
j < 0
Loop Init
bit j of k = 1?
A = A x m
j = j - 1
Return A A = A2
Side-Channel
29
SPA examples -‐ PK
30
Intro to Sta7c CMOS
• Consumes power when output makes a 0 to 1 transi7on
• Most popular circuit style! • A power analysis aSack explores the fact that the instantaneous power cons. depends on the data and instruc7ons being processed
0-‐>0: sta7c (low) 0-‐>1: sta7c + dynamic (high) 1-‐>0: sta7c + dynamic (high) 1-‐>1: sta7c (low)
31
Correla7on DPA (CPA)
Model of side-channel
Real key Key hypothesis Real side-channel
Input
Real output Hypothetical output
Statistical analysis
Hypothesis correct? [Brier et al.]
32
CPA Example: AES, soiware • Take highest correla7on value achieved by each key hypothesis (0...255)
• The correct key leads to the highest value
33
Ins&tute for Compu&ng and Informa&on Sciences Radboud University Nijmegen, The Netherlands
*[email protected] 8www.cs.ru.nl/B.Ege
Prac7cal aSacks: plahorms & dis7nguishers
• Plahorms: – 4-‐bit, 8-‐bit, 32-‐bit, contactless Java cards, … – ASICs, FPGAs
• All algorithms: secret-‐key, public-‐key, stream ciphers, MACs,…
• Side-‐channel dis7nguishers: – Used as the selec7on func7on but also to assist other aSacks e.g. to find “interes7ng points” in 7me
– DoM with single-‐bit or mul7-‐bit, Pearson correla7on coefficient
35
Power Models
• Bit model: two bins or mul7ple bins • Hamming weight model
– Typically for pre-‐charged busses • Hamming distance model
– Typically for register outputs in ASIC’s • Weighted Hamming weight/distance model • Dedicated models for combina7onal circuits
36
Power consump7on of smartcard µC
37 37
Other side-channels
38
EM – side-‐channel
• EM field is propor7onal to current • Probe acts as a coil:
– a small magne7c coil is used allowing precise posi7oning
• The near field distance is oien more convenient • However, EMA is usually more difficult than PA – the issue of antenna posi7oning, etc.
39
DEMA -‐ posi7oning
40
DEMA – spectrum informa7on
41
Also possible for contactless smartcards
42
Countermeasures
43
Countermeasures
Purpose: destroy the link between intermediate values and power consump7on – Masking
• A random mask concealing every intermediate value • Can be on all levels (arithme7c -‐> gate level)
– Hiding • Making power consump7on independent of the intermediate values and of the opera7ons
• Special logic styles, randomizing in 7me domain, lowering SNR ra7o
44
Soiware Countermeasures • Time randomiza7on: the opera7ons are randomly shiied in 7me – use of NOP opera7ons – add random delays – use of dummy variables and instruc7ons (sequence scrambling)
– data balancing (a data element is represented redundantly to make H.w. constant)
• Permuted execu7on – rearranged instruc7ons e.g. S-‐boxes
• Masking techniques
45
Hardware countermeasures • Noise genera7on
– hw noise generator would include the use of RNG – total power is increased (problem for handheld devices)
• Power signal filtering – ex.: RLC filter (R-‐resistor, C-‐capacitor, L-‐inductor) smoothing the pow. cons. signal by removing high frequency components
– one should use ac7ve comp. (transistors) in order to keep pow. cons. rela7vely constant -‐ problem for mob. phones
– detached power supplies -‐ Shamir • Novel circuit designs
– special logic styles
46
Masking
• Random masks used to hide the correla7on between the power consump7on and the secret data
• Two types of masking – Boolean masking-‐ use ⊕, – Arithme7c masking -‐ use addi7on and subtrac7on modulo 2w (where w is the digit size), e.g.
– The conversion from one type to another • Costs for an example plahorm (Motorola card, T. Messerges) – cycle count: factor 1.96 – RAM: 6.27, ROM: 1.36
xrxx ⊕=ʹ′
wxrxx 2mod)( −=ʹ′
47
Masking AES
• A masking func7on: – * addi7ve or mul7plica7ve masking
• AES includes all linear transforma7ons except S-‐boxes
• several solu7ons: – Re-‐computa7on of masked S-‐box s.t. – Mul7plica7ve masking – Masking in tower fields
f (x,m) = x∗m
S(x +m) = S(x)+ !m ≠ S(x)+ S(m)
Masked S(x +m) = S(x)+mS(x) = A× x−1 + b
48
Issues with masking
• A TRNG is required • Masked implementa7on leak due to glitches
– More in the talk of Svetla
• Masking public-‐key algorithms – Many algorithmic/arithme7c op7ons
49
Hardware countermeasures – details in the talk of Ingrid
• Dynamic and differen7al logic (pre-‐charged dual rail) • Duplicate logic • Bits are encoded as pairs, e.g. 0 = (1,0) and 1 = (0,1)
• Circuit is pre-‐charged, e.g. to all zero (0,0) • Each DRP gate toggles exactly once per evalua7on
– The number of bit flips is constant and data independent
50
STD CELL WDDL
51
secure WDDL insecure
STD
Doesn’t work for small devices!
CMOS vs. WDDL (Tiri, Verbauwhede 2004)
Some new directions
52
Can we do more to protect against SCA? • Besides more conven7onal methods i.e. hiding and masking schemes can we add some addi7onal but intrinsic protec7on against DPA?
• In block algorithms S-‐boxes are the main source of confusion
• In 2005, E. Prouff introduced new property of S-‐boxes: transparency order that is related to the resistance of S-‐boxes to DPA aSacks
Evolu7onary computa7on • Evolu7onary computa7on techniques draw inspira7on from the process of natural evolu7on
• Used in the past for: – evolving Boolean func7ons (op7mizing on nonlinearity and autocorrela7on)
– evolving S-‐boxes • Preserving bijec7vity
– can we also use it to improve transparency order?
In short • Finding balanced S-‐boxes with high nonlinearity and low transparency order is hard problem
• There exist no algebraic methods for solving this problem
• For example, AES S-‐box has transparency order of 7.86 (the worst possible value is 8)
55
Conclusions and open problems
• Physical access allows many aSack paths • Trade-‐offs between assump7ons and computa7onal complexity
• Requires knowledge in many different areas • Combining SCA with theore7cal cryptanalysis
56
SCA: Recent developments
• Theory – Framework for side-‐channel analysis – Leakage resilient crypto
• Prac7ce – Even more advances in aSacks: algorithm specific (combined with cryptanalysis)
– Machine learning methods – Similar techniques apply to traffic analysis – New countermeasures – New models (going sub-‐micron)
57
Questions?
58