AdiShamir SCA

A Top View of Side Channel Attacks Adi Shamir Computer Science Dept The Weizmann Institute Israel

Transcript of AdiShamir SCA

Page 1: AdiShamir SCA

7/28/2019 AdiShamir SCA

http://slidepdf.com/reader/full/adishamir-sca 1/50

A Top View of Side Channel Attacks

Adi Shamir
Computer Science Dept, The Weizmann Institute
Israel

Page 2: AdiShamir SCA


Page 3: AdiShamir SCA


The SCA FAQ

In this part of the talk I will address some broad questions related to side channel attacks:

Power (simple, differential, …)
EM (wires in chips, whole PC’s, …)
Timing (in programs, across networks, …)
Fault (power glitch, time jitter, …)
Visual (CRT’s, router LED’s, …)
Acoustic (PC’s, keyboards, …)
Cache (on RSA, AES, …)
…

Page 4: AdiShamir SCA


Are side channel attacks new?

Academic researchers started working on SCA between 1996 and 1999

Crypto as a war between cryptographers and cryptanalysts

Sun Tzu, The Art of War: In war, avoid what is strong and attack what is weak

Page 5: AdiShamir SCA


Page 6: AdiShamir SCA


Are side channel attacks new?

Foreign embassies vs smart cards: common themes

Externally supplied power and communication links

Vulnerable to probing with microwave radiation

EM and acoustic eavesdropping attacks

Vulnerable to fault attacks (bribes, blackmail)

Many SCA’s were invented and perfected in this environment

Page 7: AdiShamir SCA


Are side channel attacks new?

A few weeks ago, the NSA released the table of contents of its top secret internal technical journal from the years 1956-1980

It covers many topics related to the design and analysis of cryptosystems

Side channel attacks (especially TEMPEST) are extensively covered

Surprisingly, there is absolutely no mention of public key cryptography in any of the titles

Page 8: AdiShamir SCA


First page of the released document:

Page 9: AdiShamir SCA


A typical collection of papers on cryptanalysis:

Page 10: AdiShamir SCA


Did SCA’s have any impact on the theoretical foundations of crypto?

The “standard model” of cryptography:

A cryptosystem is a mathematical function

Its security is a mathematical theorem

Protocols are interacting Turing Machines

A dishonest party can do anything, but an honest party does ONLY what it is supposed to do

Page 11: AdiShamir SCA


The difference between theory and practice:

Page 12: AdiShamir SCA


Is this model still relevant?

The standard model of cryptography is increasingly problematic due to the existence of SCA’s

Many scenarios today do not fit our assumptions

However, there is little theoretical analysis of SCA’s in academic research papers

Page 13: AdiShamir SCA


How did SCA’s affect RSA?

A personal perspective

For 20 years I have studied the provable properties of the RSA function: bit security, relationship to factoring, reductions, RSA vs Rabin, provably secure applications

RSA seemed to be very robust and well understood

In 1996, Boneh, DeMillo and Lipton proved that in RSA-CRT, making any single computational mistake completely breaks the scheme by factoring the public key

This exposes the incredible fragility of cryptosystems
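A toy illustration of the Boneh, DeMillo and Lipton observation and of the standard countermeasure, added here as an example that is not part of the talk: one wrong value in the mod-p half of an RSA-CRT signature leaves a result that is still correct modulo q only, so the gcd of the verification residual with N exposes a factor, while checking the signature with the public exponent before releasing it keeps the faulty value inside the device. The parameters (p = 61, q = 53, e = 17) and the single-bit fault model are constructed for illustration.

```python
from math import gcd

# Constructed toy RSA parameters (far too small for real use).
P, Q = 61, 53
N = P * Q                             # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent, 2753
DP, DQ = D % (P - 1), D % (Q - 1)     # CRT exponents
Q_INV = pow(Q, -1, P)                 # Garner recombination coefficient


def rsa_crt_sign(m: int, fault_in_p: bool = False) -> int:
    """RSA-CRT signature of m. fault_in_p models one computational error
    (a glitch, say) in the mod-p half; the mod-q half stays correct."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp ^= 1                       # any single wrong value suffices
    h = (Q_INV * (sp - sq)) % P
    return (sq + h * Q) % N


def factor_from_faulty_signature(m: int, s_bad: int) -> int:
    """Bellcore observation: s_bad^e == m still holds mod q but not mod p,
    so gcd(s_bad^e - m, N) is exactly q."""
    return gcd((pow(s_bad, E, N) - m) % N, N)


def sign_checked(m: int, fault_in_p: bool = False):
    """Countermeasure: verify with the public exponent before releasing the
    signature; a faulty one is withheld, so nothing usable leaves the device."""
    s = rsa_crt_sign(m, fault_in_p)
    return s if pow(s, E, N) == m else None
```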

Page 14: AdiShamir SCA


Is there a systematic approach to SCA’s?

Unfortunately, the situation is similar to airport security:

Each attack utilizes a completely different approach

Each countermeasure works only against a specific attack

We have no way to predict the next attack, and protecting against all conceivable attacks is impossible

Page 15: AdiShamir SCA


Is there a systematic approach to SCA’s?

This is very different from the classical cryptanalytic problem of block ciphers, in which:

We do not know all the possible attacks, but the number of completely different ideas seems to be very limited

New attacks are often only of theoretical interest

Most of the attacks can be overcome in principle by the common strategy of having sufficiently many rounds, and having large margins of safety against known attacks

Page 16: AdiShamir SCA


Page 17: AdiShamir SCA


Page 18: AdiShamir SCA


Should we change the way we design new cryptosystems?

SCA’s even put in doubt our main construction tool:

To build a strong block cipher, compose a large number of weak steps.

This ignores the fact that intermediate values may leak out, and weak steps are easy to analyze

Page 19: AdiShamir SCA


Should we change the way we design new cryptosystems?

Perhaps we should:

Use only large chunks of key and data (e.g., 64 bits) to make it harder to exploit Hamming weight info and to exhaustively search for explanations for partially exposed intermediate values

Make better use of the inherent parallelism of modern microprocessors

Ask Intel to add a dedicated security coprocessor to implement AES/RSA in its future microprocessors

Page 20: AdiShamir SCA


Which SCA has a lot of untapped potential?

Timing attacks provide only a few bits of data, and are the easiest to avoid

Probing attacks on smart cards typically record few wires

Differential power analysis ignores most of the data, looking just for differences in behavior between averages

Simple power analysis provides a huge amount of data, but we do not currently know how to exploit it. I expect a lot of progress in this area in the next few years

Page 21: AdiShamir SCA


Which area is likely to be least affected by SCA’s?

Hash functions have no secrets

Collisions are not likely to be known by anyone

Page 22: AdiShamir SCA


Which area is likely to be most affected by SCA’s?

Quantum cryptography

Its main claim to fame is its perfect provable security

At least two attacks have been described so far, and others are likely:
– Acoustic attack
– Light pulse attack

If found, they can make this expensive and cumbersome solution unattractive

Page 23: AdiShamir SCA


What are the latest trends in SCA’s?

The original SCA attacks concentrated on small systems such as smart cards or peripherals

There is new emphasis now on larger systems such as PC’s

There is some initial interest in tiny systems such as RFID tags

Page 24: AdiShamir SCA


Example: How can we apply a lunchtime power analysis attack to desktop PC’s?

The attacker cannot easily cut the power cord or open the box

A possible solution: the USB connector

It supplies both power and data to external devices

Many security programs control the USB connection

Page 25: AdiShamir SCA


Page 26: AdiShamir SCA


The spectrum of USB power with power cutoff

Page 27: AdiShamir SCA


The real-time signal of USB power at 294 kHz during OpenSSL decryption

Page 28: AdiShamir SCA


Cache Attacks:

A new family of side-channel attacks, developed simultaneously in 2005/6 by:

Bernstein (basic idea, partial AES key recovery)

Percival (attack on RSA)

Osvik, Shamir and Tromer (full attack on AES)

Page 29: AdiShamir SCA


Cache Attacks:

Pure software attacks

Very efficient (e.g., full AES key extraction from a Linux encrypted file system in 65 ms; require only the ability to run code in parallel on the target machine)

Compromise otherwise well-secured systems (e.g., VPN’s using AES)

Can be used to attack virtualized machines (e.g., jail(), Xen, UML, Virtual PC, VMware) using untrusted code (e.g., ActiveX, Java applets, managed .NET, JavaScript)

NSA US Patent 6,922,774

Page 30: AdiShamir SCA


Basic cache technology

Figure: CPU core (60% speed increase per year) with CPU cache memory, typical latency 0.3 ns; main memory (7-9% latency decrease per year), typical latency 50-150 ns

Page 31: AdiShamir SCA


Figure: DRAM memory blocks (64 bytes) map to cache lines (64 bytes); a cache set holds 4 cache lines

Page 32: AdiShamir SCA


Page 33: AdiShamir SCA

Measuring the effect of the encryption on the cache:

Figure: DRAM holding the AES table T0 and the attacker’s memory, both mapped into the cache

Page 34: AdiShamir SCA


Programs compete for cache locations:

Figure: the AES table T0 and the attacker’s memory map to the same cache sets

Page 35: AdiShamir SCA

Measurement via effect of encryption on cache

Figure: DRAM (table T0 and attacker memory) mapped into the cache

1. Completely evict tables from cache

Page 36: AdiShamir SCA

Measurement via effect of encryption on cache

Figure: DRAM (table T0 and attacker memory) mapped into the cache

1. Completely evict tables from cache

2. Trigger a single encryption

Page 37: AdiShamir SCA

Measurement via effect of encryption on cache

Figure: DRAM (table T0 and attacker memory) mapped into the cache

1. Completely evict tables from cache

2. Trigger a single encryption

3. Access attacker memory again and see which cache sets are slow

Page 38: AdiShamir SCA


Experimental example

Measuring a Linux 2.6.11 dm-crypt encrypted filesystem with ECB AES on Athlon 64, using 30,000 samples.

Horizontal axis: evicted cache set
Vertical axis: p[0]
Brightness: encryption time (normalized)

Left: raw. Right: after subtracting cache set average.
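A simulation of the measurement on this slide and of the evict, trigger, probe steps on the preceding ones, added here as an example that is neither the talk’s nor the Osvik, Shamir and Tromer code: the only leak modelled is that a cache set the encryption needs costs one miss when it has been evicted, and the round-1 lookup T0[p[0] ^ k[0]] lands in line (p[0] ^ k[0]) / 16. The cache geometry (32 sets, T0 starting at set 5), the key and the plaintexts are constructed; subtracting each set’s average, as the right-hand plot does, is what makes the high nibble of k[0] readable.

```python
import random

LINE_BYTES, ENTRY_BYTES = 64, 4                # 64-byte lines, 4-byte T-table entries
ENTRIES_PER_LINE = LINE_BYTES // ENTRY_BYTES   # 16 entries per line
NUM_SETS = 32                                  # constructed toy cache
T0_BASE_SET = 5                                # constructed: set where table T0 begins


def round1_t0_sets(plaintext: bytes, key: bytes) -> set:
    """Cache sets touched by the round-1 T0 lookups, whose index is p[i] ^ k[i].
    T0 serves bytes 0, 4, 8, 12; the other tables are taken to live elsewhere."""
    return {T0_BASE_SET + (plaintext[i] ^ key[i]) // ENTRIES_PER_LINE
            for i in (0, 4, 8, 12)}


def measure(key: bytes, samples: int, rng: random.Random) -> list:
    """Model of the slide's experiment: for each evicted set and each p[0],
    trigger encryptions of otherwise random plaintexts and record the
    normalized extra time (1.0 = the evicted set was needed and refetched)."""
    timing = [[0.0] * 256 for _ in range(NUM_SETS)]
    for evicted in range(NUM_SETS):
        for p0 in range(256):
            for _ in range(samples):
                pt = bytes([p0]) + bytes(rng.randrange(256) for _ in range(15))
                if evicted in round1_t0_sets(pt, key):
                    timing[evicted][p0] += 1.0 / samples
    return timing


def recover_k0_high_nibble(timing: list) -> int:
    """The set that is slow for plaintext byte p0 is T0_BASE_SET + (p0 ^ k0) // 16.
    Subtracting each set's average (the slide's right-hand plot) removes the
    uniform background left by the other three T0 lookups."""
    centred = [[t - sum(row) / 256 for t in row] for row in timing]
    scores = []
    for nib in range(16):
        diag = (centred[T0_BASE_SET + (p0 ^ (nib << 4)) // ENTRIES_PER_LINE][p0]
                for p0 in range(256))
        scores.append(sum(diag))
    return max(range(16), key=scores.__getitem__)


def demo(seed: int = 1, samples: int = 2) -> int:
    """Run the model on a constructed key (k[0] = 0xA7) and return the nibble read off."""
    key = bytes(range(0xA7, 0xA7 + 16))
    return recover_k0_high_nibble(measure(key, samples, random.Random(seed)))
```

Only the high four bits of k[0] are visible this way because one cache line holds 16 table entries; the slide’s full key extraction needs the further rounds of the paper.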

Page 39: AdiShamir SCA


Power Analysis of RFID Tags

An RFID tag is a very simple computer, usually associated with a physical object

Tags communicate with a powerful reader over a wireless link

EPC tags: passive tags, radiatively coupled, 900MHz, read/write memory

Page 40: AdiShamir SCA


Components of the EPC RFID System

Figure: reader and tag

The reader has a powerful antenna and an external power supply

The reader surrounds itself with an electromagnetic field

The tag is illuminated by this field

Page 41: AdiShamir SCA


Reader ↔ Tag Data Exchange

Figure: reader and tag

The reader sends commands to the tag via pulse amplitude modulation

The tag sends responses to the reader via backscatter modulation

Page 42: AdiShamir SCA


The lab setup

Page 43: AdiShamir SCA


Summary of the attack:

The RF power reflected by an RFID tag is dependent on its internal power consumption

This property allows power analysis attacks to be performed over a distance in a completely passive way

In the short term, it can be used to extract the kill or access passwords of EPC tags

Page 44: AdiShamir SCA

Cracking passwords with power analysis

We send the password to a secure device bit by bit

The first wrong bit is very “exciting”

Allows the password to be recovered in linear time
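A model of the bit-serial password check these slides describe, beside a check that processes every bit, added here as an example that is not from the talk: the leak is reduced to what the trace shows, the position of the first wrong bit, and counting trials shows why that turns a 2^32 search into a linear one and why the hardened check gives an observer nothing. The 32-bit width, the secret value and the leak-as-return-value model are constructed.

```python
PASSWORD_BITS = 32   # constructed width for the model


def bit_serial_check(stored: int, candidate: int) -> tuple:
    """Model of a tag that compares the password bit by bit (MSB first, the
    order the bits arrive) and stops at the first mismatch. Returns
    (accepted, leak): leak is the position of the first wrong bit, the event
    the slides call 'exciting' in the power trace, or None if none occurred."""
    for pos in range(PASSWORD_BITS):
        shift = PASSWORD_BITS - 1 - pos
        if ((stored >> shift) & 1) != ((candidate >> shift) & 1):
            return False, pos
    return True, None


def constant_time_check(stored: int, candidate: int) -> tuple:
    """Hardened model: every bit is processed and mismatches are OR-ed
    together, so there is no data-dependent early exit to show up in the
    trace. The leak is always None."""
    diff = 0
    for shift in range(PASSWORD_BITS):
        diff |= ((stored >> shift) ^ (candidate >> shift)) & 1
    return diff == 0, None


def trials_observing_leak(check, secret: int) -> tuple:
    """What an observer of the 'first wrong bit' event gains: each rejected
    guess pins down one more bit, so at most PASSWORD_BITS + 1 trials are
    needed instead of 2**PASSWORD_BITS. Returns (recovered_or_None, trials).
    The model device holds `secret`; the observer only sees check's output."""
    guess = 0
    for trials in range(1, PASSWORD_BITS + 2):
        accepted, leak = check(secret, guess)
        if accepted:
            return guess, trials
        if leak is None:              # hardened device: the trace says nothing
            return None, trials
        guess ^= 1 << (PASSWORD_BITS - 1 - leak)   # fix the first wrong bit
    return None, PASSWORD_BITS + 1
```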

Page 45: AdiShamir SCA

Existence of parasitic backscatter

(1) Trace shows the signal reflected from a Generation 1 tag during a kill command

Tag is supposed to be completely silent

Is it? Let’s zoom in…

Figure axes: Power vs Time

Page 46: AdiShamir SCA


Page 47: AdiShamir SCA


Extracting one password bit

Here, the tag is expecting “1111 1111”

Here, it is expecting “0000 0001”

In both cases, the tag gets “0000 0000”

Figure axes: Power vs Time

Page 48: AdiShamir SCA


Page 49: AdiShamir SCA


Page 50: AdiShamir SCA
