Introduction to Software Countermeasures For Embedded Cryptography
David Vigilant
UPMC Master, 30th November, 2018
Outline
1 Context and Motivations
2 Basic Rules and Countermeasures Examples
  Regarding Timing Attacks
  Regarding SPA-SEMA
  Regarding Statistical Side-Channel Attacks
  Regarding Fault Attacks
3 Application Examples for some Cryptographic Algorithms
  Application examples for RSA-CRT
  Application examples for AES-128
4 Conclusion
30th November, 2018 Introduction to Software Countermeasures For Embedded Cryptography 2 / 89
Resistance of Embedded Implementations
Given a key size, the cryptographic algorithm has an inherent theoretical resistance to cryptanalysis
But
One implementation on one machine has its own resistance regarding implementation attacks
Attacks on Embedded Implementations
Different techniques may be used to infer sensitive data of a cryptographic implementation:
Timing Attacks (TA)
Simple Side-Channel Attacks (SSCA)
Statistical Side-Channel Attacks (DSCA)
Fault Attacks (FA)
⇒ The attack set-up may be easier to put in place on an embedded implementation, since the attacker has the device in hand
Attacks on Embedded Implementations
Timing Attacks (TA):
Measure the crypto process timing for several input values
⇒ From timing exploitation, sensitive data may be inferred
Attacks on Embedded Implementations
Simple Side-Channel Attacks (SSCA):
Simple Power Analysis (SPA): Measure the power consumption of devices
Simple ElectroMagnetic Analysis (SEMA): Measure the electromagnetic field emanated from devices
⇒ From the exploitation of a trace of one execution, sensitive data may be inferred
Attacks on Embedded Implementations
Statistical Side-Channel Attacks (DSCA):
Differential Power Analysis (DPA/DEMA)
Correlation Power Analysis (CPA/CEMA)
Linear Regression Analysis (LRA)
Template Analysis (TPA) / Deep Learning Attacks (DLA)
⇒ From traces of several executions, statistics may be exploited to deduce information about sensitive data
Attacks on Embedded Implementations
Fault Attacks (FA): Disturb the computation (program flow or data) by different means:
Temperature
Voltage/Clock glitch
EM injection
Laser
...
⇒ From the exploitation of faulty (and correct) results or behaviors, sensitive data may be inferred
Hardware Limitations
It seems difficult to implement all protections in hardware (HW):
Surface limitation:
⇒ Implementing insecure crypto algorithms entirely in HW can even be too costly
HW imperfection (increased under extreme conditions):
⇒ The combination of HW and software (SW) countermeasures (CMs) may give more confidence
Remark: A lot of very efficient HW countermeasures exist; they are not discussed here
Embedded Crypto - Hardware Architecture
Example of architecture in embedded devices: (architecture diagram, not reproduced in the transcript)
⇒ The coprocessor may implement arithmetic operations (e.g. modular multiplication)
⇒ The coprocessor may implement block ciphers with some CMs
Embedded Crypto - Hardware Architecture
Embedded devices typically have limited resources:
CPU: 8-, 16-, or 32-bit instructions
Frequency: several dozens of megahertz
RAM: 1 or 2 Kbytes at most for the crypto implementation
NVM reserved for constants and program: several dozens of Kbytes
⇒ The overhead added by the countermeasures must be monitored carefully
Certification and Resistance Assessment
In the context of the certification (Common Criteria, EMVCo, ...) of a product:
Source code may be audited to detect weaknesses
Implementation attacks may be tested in practice by mandated labs
Vulnerabilities may lead to the failure of certification
Countermeasures and Intellectual Property
Innovative countermeasures may be patented:
It may protect from counterfeiting
Its usage may be licensed
Out of scope
Definition: White Box Crypto (WBC) is the name for embedded crypto running in an environment totally controllable by the attacker. In particular, the attacker has access to and has control of:
Every processor register (including the Program Counter)
Every memory cell
Code execution (i.e. complete debugging capability)
⇒ WBC implementations need dedicated countermeasures
⇒ WBC countermeasures are out of the scope of this presentation
Avoid Vulnerabilities regarding TA
Rule: Avoid any timing difference linked to input data and/or internal sensitive data that could lead to the secret recovery
Countermeasure - Balanced Branches: Balance sensitive "if ... then ..." branches by injecting events
Countermeasure - No Branch: Eliminate branches and design programs with constant timing
Avoid Vulnerabilities regarding TA
Example:
A user must be authenticated by entering an 8-byte key
The program grants access to the user only if the key value is the expected one
The program runs on an 8-bit CPU
Remark: The expected security strength is 2^64

Example (continued):
Entered Key:  x0 x1 x2 x3 x4 x5 x6 x7
Expected Key: k0 k1 k2 k3 k4 k5 k6 k7
Naive program:
  if x0 = k0 then
    if x1 = k1 then
      if x2 = k2 then
        if x3 = k3 then
          if x4 = k4 then
            if x5 = k5 then
              if x6 = k6 then
                if x7 = k7 then
                  "user granted"
  else "failure"
Each byte is compared one by one by the program
The attacker tries the 2^8 possible values for the i-th byte, i starting from 0
The attacker measures the process timing
If the guess is incorrect, the program ends after the comparison: shorter timing
If the guess is correct, the program executes the next comparison: longer timing
⇒ The security strength can be decreased to 8 × 2^8 = 2^11 !!
Avoid Vulnerabilities regarding TA
Countermeasure - Balanced Branches: Balance sensitive "if ... then ..." branches by injecting events
  Equal = 0, Difference = 1, Status = 0
  for (i from 0 to 7) do {
    if xi = ki then
      Status |= Equal
    else
      Status |= Difference
  }
  if Status = Equal then
    "user granted"
  else
    "failure"
(Timing balance to be verified practically)
Avoid Vulnerabilities regarding TA
Countermeasure - No Branch: Eliminate branches and design programs with constant timing
  Status = 0
  for (i from 0 to 7) do
    Status = Status | (xi ⊕ ki)
  if Status = 0 then
    "user granted"
  else
    "failure"
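The three key checks of these slides in C, added here as an illustration and not code from the slides: the naive early-exit comparison is instrumented with a counter that plays the role of the attacker's stopwatch, next to the Balanced Branches and No Branch versions. The key bytes inside naive_compares_for_prefix are constructed sample values, and check_all_variants is a helper of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define KEY_LEN 8

/* Number of byte comparisons executed by the last naive check. It stands in
 * for the attacker's stopwatch: the naive check stops at the first mismatch,
 * so this count (and the run time) tells how many leading bytes were right. */
static int g_naive_compares;

/* Naive check from the slides: "if xi = ki then ..." nested, early exit. */
int key_check_naive(const uint8_t x[KEY_LEN], const uint8_t k[KEY_LEN])
{
    g_naive_compares = 0;
    for (size_t i = 0; i < KEY_LEN; i++) {
        g_naive_compares++;
        if (x[i] != k[i])
            return 0;               /* "failure": leaves after this comparison */
    }
    return 1;                       /* "user granted" */
}

/* Balanced Branches: both branches of the sensitive test do the same kind of
 * work (one OR into Status) and the loop always runs 8 times. Whether the two
 * branches really take the same time must still be checked on the target. */
int key_check_balanced(const uint8_t x[KEY_LEN], const uint8_t k[KEY_LEN])
{
    const uint8_t EQUAL = 0, DIFFERENCE = 1;
    uint8_t status = 0;
    for (size_t i = 0; i < KEY_LEN; i++) {
        if (x[i] == k[i])
            status |= EQUAL;
        else
            status |= DIFFERENCE;
    }
    return status == EQUAL;
}

/* No Branch: Status = Status | (xi XOR ki). The final "Status = 0" decision is
 * also computed with arithmetic, so no conditional jump depends on the data. */
int key_check_nobranch(const uint8_t x[KEY_LEN], const uint8_t k[KEY_LEN])
{
    uint8_t status = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        status |= (uint8_t)(x[i] ^ k[i]);
    /* (status - 1) borrows into bit 8 exactly when status == 0 */
    return (int)((((unsigned)status - 1u) >> 8) & 1u);
}

/* Bit mask of the three verdicts (naive | balanced << 1 | nobranch << 2). */
int check_all_variants(const uint8_t x[KEY_LEN], const uint8_t k[KEY_LEN])
{
    return key_check_naive(x, k) | (key_check_balanced(x, k) << 1)
         | (key_check_nobranch(x, k) << 2);
}

/* How many comparisons the naive check needs for a guess whose first
 * `correct_prefix` bytes match the (constructed) key: the timing leak. */
int naive_compares_for_prefix(size_t correct_prefix)
{
    const uint8_t key[KEY_LEN] = { 0x3a, 0x91, 0x55, 0xf0, 0x12, 0x7c, 0xde, 0x08 };
    uint8_t guess[KEY_LEN];
    memset(guess, 0x00, sizeof guess);
    memcpy(guess, key, correct_prefix);          /* correct prefix ... */
    if (correct_prefix < KEY_LEN)
        guess[correct_prefix] ^= 0xffu;          /* ... then a sure mismatch */
    key_check_naive(guess, key);
    return g_naive_compares;
}
```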
Avoid Vulnerabilities regarding SPA-SEMA
Rule: Avoid any flow difference (leading to a difference in the trace) linked to input data and/or internal sensitive data that could lead to the secret recovery
Countermeasure - Balanced Branches: Introduce or modify events to remove differences in the flow
Countermeasure - No Branch: Eliminate branches and design programs with constant flow
Avoid Vulnerabilities regarding SPA-SEMA
Example: Implementation of a binary exponentiation algorithm
Compute S = m^d mod N, d = (d0, d1, ..., d_{L−1})_2
Naive Binary Algorithm:
  A = 1
  for (i from 0 to L−1) do {
    A = A × A mod N
    if di = 1 then
      A = A × m mod N
  }
  return(A)
Naive Binary Algorithm Trace: (trace figure, not reproduced in the transcript)
Avoid Vulnerabilities regarding SPA-SEMA
Example (continued):
Countermeasure - Balanced Branches: Introduce events to remove differences in the flow
Square and Multiply Always Algorithm:
  A = 1
  for (i from 0 to L−1) do {
    A = A × A mod N
    if di = 1 then
      A = A × m mod N
    else
      B = A × m mod N      (Dummy Multiplication)
  }
  return(A)
≈ +33% process timing compared to the naive method
(Flow balance to be verified practically)
Avoid Vulnerabilities regarding SPA-SEMA
Example (continued):
Countermeasure - No Branch: Design programs with constant flow
Montgomery Ladder Algorithm:
  A0 = 1, A1 = m
  for (i from 0 to L−1) do {
    A[1−di] = A[1−di] × A[di] mod N
    A[di] = A[di]^2 mod N
  }
  return(A0)
≈ +33% process timing compared to the naive method
(Flow balance to be verified practically)
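The three exponentiation variants of these slides side by side, as an added C example that is not code from the slides. Each variant appends one character per modular multiplication to a caller-supplied trace string (initialised to ""), so the operation sequence an SPA/SEMA trace would show can be compared directly; the names exp_naive, exp_always, exp_ladder and the 32-bit modulus restriction are this example's own.

```c
#include <stdint.h>
#include <string.h>

/* (a * b) mod n for n < 2^32, so the 64-bit product cannot overflow. */
static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t n)
{
    return (uint32_t)(((uint64_t)a * b) % n);
}

/* Bit d_i of an L-bit exponent read from the most significant bit, to match
 * the slides' d = (d0, d1, ..., d_{L-1})_2 processed from i = 0. */
static unsigned bit_msb_first(uint32_t d, unsigned L, unsigned i)
{
    return (d >> (L - 1 - i)) & 1u;
}

/* Trace letters: 'S' = squaring, 'M' = multiplication by m (real or dummy). */

/* Naive binary algorithm: the 'M' appears only when d_i = 1, so the trace
 * spells out the exponent bit by bit. */
uint32_t exp_naive(uint32_t m, uint32_t d, unsigned L, uint32_t N, char *trace)
{
    uint32_t A = 1;
    for (unsigned i = 0; i < L; i++) {
        A = mulmod(A, A, N);               strcat(trace, "S");
        if (bit_msb_first(d, L, i)) {
            A = mulmod(A, m, N);           strcat(trace, "M");
        }
    }
    return A;
}

/* Square and multiply always: a dummy multiplication into B fills the
 * d_i = 0 case, so every iteration shows "SM" (2L operations instead of
 * about 1.5L on average, the slides' +33%). */
uint32_t exp_always(uint32_t m, uint32_t d, unsigned L, uint32_t N, char *trace)
{
    uint32_t A = 1, B = 0;
    for (unsigned i = 0; i < L; i++) {
        A = mulmod(A, A, N);               strcat(trace, "S");
        if (bit_msb_first(d, L, i)) {
            A = mulmod(A, m, N);           strcat(trace, "M");
        } else {
            B = mulmod(A, m, N);           strcat(trace, "M");   /* dummy */
        }
    }
    (void)B;   /* B is never used; a fault on this multiply leaves A intact */
    return A;
}

/* Montgomery ladder: A[1-di] = A[1-di] * A[di], then A[di] = A[di]^2, with the
 * invariant A[1] = A[0] * m. Same "MS" pair every iteration, no dummy value.
 * Caveat: on real hardware the array index itself depends on d_i; a
 * constant-time swap of the two registers is the usual way to hide it. */
uint32_t exp_ladder(uint32_t m, uint32_t d, unsigned L, uint32_t N, char *trace)
{
    uint32_t A[2] = { 1, m };
    for (unsigned i = 0; i < L; i++) {
        unsigned b = bit_msb_first(d, L, i);
        A[1 - b] = mulmod(A[1 - b], A[b], N);   strcat(trace, "M");
        A[b]     = mulmod(A[b], A[b], N);       strcat(trace, "S");
    }
    return A[0];
}
```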
Avoid Vulnerabilities regarding DSCA
Rule: Given the power of an attacker, detect and remove the appearance of all intermediate sensitive values that could lead to the secret recovery
Avoid Vulnerabilities regarding DSCA
Example:
The attacker is able to exploit a Hamming weight leakage by CPA
The attacker can choose the value of a byte X
In the algorithm, X should be XORed with a sensitive byte Y
1 The attacker acquires power traces for different input values
2 The attacker localizes the targeted XOR, and synchronizes the curves on this operation
3 For each of the 2^8 guesses, the attacker calculates the correlation coefficient between the Hamming weight of the XOR result and the samples of the power traces acquired
4 The attacker can reduce the space of possible values for Y, if the correct guess gives one of the best scores
Avoid Vulnerabilities regarding DSCA
Countermeasure - Secret Sharing:
If the attacker has the power to realize a DSCA of order n−1
If a sensitive value X is targeted
The sensitive value X can be split into n random shares X0, X1, ..., X_{n−1}
Example: Additive sharing
X = X1 + X2, where X1 and X2 are random values
Only X1 and X2 are manipulated in the implementation
Example: Boolean sharing
X = X1 ⊕ X2 ⊕ X3, where X1, X2 and X3 are random values
Only X1, X2 and X3 are manipulated in the implementation
Avoid Vulnerabilities regarding DSCA
Example:
The attacker is able to exploit a Hamming weight leakage by CPA
The attacker can choose the value of a byte X
In the algorithm, X should be XORed with a sensitive byte Y
Program using the secret sharing countermeasure:
  Generate a random byte Z0
  Z1 = Y ⊕ Z0
  Z1 = Z1 ⊕ X
  store Z0 in RAM
  store Z1 in RAM
  ...
⇒ The sensitive value Z is shared among Z0 and Z1
Avoid Vulnerabilities regarding DSCA
Example:
The attacker is able to exploit a Hamming distance (HD) leakage by CPA
The attacker can choose the value of a byte X
In the algorithm, X should be XORed with a sensitive byte Y
Program using the secret sharing countermeasure:
  Generate a random byte Z0
  Z1 = Y ⊕ Z0
  Z1 = Z1 ⊕ X
  store Z0 in RAM
  store Z1 in RAM
  Z0 and Z1 transit on the bus successively: the bus would pass from Z0 to Z1, HD = Z
  ...
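The shared XOR of the two slides above, as an added C example (not code from the slides), with two checks a reviewer would run on it: that under the Hamming weight model a single share is not a function of Z, and that under the Hamming distance model the Z0 to Z1 transition on one bus reveals HW(Z) for every mask. The helper names shared_xor, share_weight_varies and bus_transition_leaks_hw_of_z are this example's own.

```c
#include <stdint.h>

/* Hamming weight of a byte: the attacker's model for the leakage of one value. */
unsigned hw8(uint8_t v) { unsigned c = 0; for (; v; v >>= 1) c += v & 1u; return c; }

/* Hamming distance between two values driven successively on the same bus. */
unsigned hd8(uint8_t a, uint8_t b) { return hw8((uint8_t)(a ^ b)); }

/* The slides' program: Z0 random, Z1 = Y XOR Z0, Z1 = Z1 XOR X.
 * Z = X XOR Y itself is never formed; only the two shares are stored. */
void shared_xor(uint8_t x, uint8_t y, uint8_t z0_random, uint8_t shares[2])
{
    uint8_t z0 = z0_random;
    uint8_t z1 = (uint8_t)(y ^ z0);
    z1 = (uint8_t)(z1 ^ x);
    shares[0] = z0;                 /* store Z0 in RAM */
    shares[1] = z1;                 /* store Z1 in RAM */
}

/* Recombination for the legitimate consumer of the shares. */
uint8_t unshare(const uint8_t shares[2]) { return (uint8_t)(shares[0] ^ shares[1]); }

/* HW model: for a fixed Z = x XOR y, HW(Z1) changes with the random Z0, so a
 * CPA on HW(Z1) against guesses of Y has nothing stable to correlate with.
 * Returns 1 if at least two different weights occur over the 256 masks. */
int share_weight_varies(uint8_t x, uint8_t y)
{
    uint8_t sh[2];
    shared_xor(x, y, 0, sh);
    unsigned first = hw8(sh[1]);
    for (unsigned r = 1; r < 256; r++) {
        shared_xor(x, y, (uint8_t)r, sh);
        if (hw8(sh[1]) != first) return 1;
    }
    return 0;
}

/* HD model: if Z0 and then Z1 are driven over the same bus, the transition has
 * HD(Z0, Z1) = HW(Z0 XOR Z1) = HW(Z) whatever the mask, i.e. the sharing does
 * not protect against an attacker who models the bus transition. Returns 1 if
 * the equality holds for all 256 masks. (A common remedy, not in the slides,
 * is to drive an unrelated random value on the bus between the two shares.) */
int bus_transition_leaks_hw_of_z(uint8_t x, uint8_t y)
{
    uint8_t sh[2];
    unsigned target = hw8((uint8_t)(x ^ y));
    for (unsigned r = 0; r < 256; r++) {
        shared_xor(x, y, (uint8_t)r, sh);
        if (hd8(sh[0], sh[1]) != target) return 0;
    }
    return 1;
}
```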
Avoid Vulnerabilities regarding DSCA
Countermeasure - Blinding / Randomization (Mathematical Context): Randomize a variable X into a random data X' such that good mathematical properties are kept (the result can be recovered), and the targeted value does not appear.
Avoid Vulnerabilities regarding DSCA
Example: Group exponentiation in ((Z/NZ)*, ×), S = m^d mod N, d is sensitive
The attacker is able to choose values for m
The attacker is able to exploit a Hamming weight model leakage on successive powers of m mod N
The attacker performs a DPA for each bit of d, building 2 sets depending on the Hamming weight (high or small) of some bytes of the targeted intermediate powers of m
Program using the Blinding countermeasure:
  Generate R a random number
  N' = N × R
  S' = m^d mod N'
  S = S' mod N
Avoid Vulnerabilities regarding DSCA
Example:
We define a group G as follows:
E : { (x, y) ∈ (Fp × Fp) | y^2 = x^3 + ax + b mod p }, with p prime, and 4a^3 + 27b^2 mod p ≠ 0
We define an addition law over E : P + Q = R
  if P ≠ Q, −R is the intersection of the line passing through P and Q with E; R is the opposite of −R regarding the x axis
  if P = Q, −R is the intersection of the tangent of E in P with E; R is the opposite of −R regarding the x axis
We define ∞ such that P + ∞ = P, ∀P ∈ E. If the line passing through P and Q has no other intersection with E, then P + Q = ∞ (or P + P = ∞)
G ⊂ E, G = <g>, s.t. n.g = ∞, n large prime
These groups are commonly used in cryptography
Avoid Vulnerabilities regarding DSCA
Example (continued):
We consider the point multiplication S = d.M, M ∈ G, d ∈ N; d is a sensitive value
The attacker is able to choose values for the point M
The attacker is able to exploit a Hamming weight model leakage of the x-coordinate of successive multiples of M
The attacker performs a DPA for each bit of d, building 2 sets depending on the x-coordinate Hamming weight (high or small) of some bytes of the targeted intermediate multi­ples of M
Program using the Blinding countermeasure:
  Generate r a random number
  d' = d + (n × r)
  S = d'.M
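The two blinding programs of the last slides in C, as an added example that is not code from the slides: modulus blinding exactly as written for (Z/NZ)*, and exponent blinding d' = d + n × r carried over to the multiplicative group of a prime field, where n = p − 1 plays the role of the group order n of the point group (every g satisfies g^(p−1) = 1). Function names and the 32-bit modulus limit are this example's assumptions.

```c
#include <stdint.h>

/* (a * b) mod n, valid for n < 2^32 so the 64-bit product cannot overflow. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) { return (a % n) * (b % n) % n; }

/* Plain left-to-right square and multiply (the unprotected reference). */
static uint64_t powmod(uint64_t m, uint64_t d, uint64_t n)
{
    uint64_t A = 1;
    for (int i = 63; i >= 0; i--) {
        A = mulmod(A, A, n);
        if ((d >> i) & 1u) A = mulmod(A, m, n);
    }
    return A;
}

/* Modulus blinding from the slides: N' = N * R, S' = m^d mod N', S = S' mod N.
 * The intermediate powers are reduced modulo N', so they are not the values
 * m^i mod N that a DPA on (Z/NZ)* predicts from the chosen m. R must be
 * fresh for every execution, and the final reduction S' mod N is itself a
 * sensitive step to be protected (it outputs the real S). */
uint64_t powmod_modulus_blinded(uint64_t m, uint64_t d, uint64_t N, uint64_t R)
{
    uint64_t Nprime = N * R;
    uint64_t Sprime = powmod(m, d, Nprime);
    return Sprime % N;
}

/* Exponent blinding from the slides, in (Z/pZ)* with p prime: n = p - 1 is a
 * multiple of the order of every element, so g^(d + n*r) = g^d mod p while
 * the exponent actually processed (and its bit pattern) differs each run. */
uint64_t powmod_exponent_blinded(uint64_t g, uint64_t d, uint64_t p, uint64_t r)
{
    uint64_t n = p - 1;
    uint64_t dprime = d + n * r;         /* d' = d + n * r */
    return powmod(g, dprime, p);
}
```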
Avoid Vulnerabilities regarding DSCA
Coming back to the previous example:
1 The attacker acquires power traces for different input values
2 The attacker localizes the targeted XOR operation, and synchronizes the curves on this operation
3 For each of the 2^8 guesses, the attacker calculates the correlation coefficient between the Hamming weight of the XOR result and the power traces acquired
4 The attacker can reduce the space of possible values for Y, if the correct guess gives one of the best scores
⇒ One critical step for the attacker is the timing localization of a specific sensitive operation, and its synchronization over multiple traces
Avoid Vulnerabilities regarding DSCA
Rule: Remove the possibility for an attacker to find "easily" a sensitive manipulation. Remove also the possibility to synchronize "easily" this manipulation over multiple traces
Avoid Vulnerabilities regarding DSCA
Countermeasure - Desynchronization: Introduce dummy events of random duration, before and/or after the targeted manipulation.
Example: Program using the desynchronization (sensitive XOR X ⊕ Y):
  Generate a random R
  i = 0
  while ((++i) != R)
    "dummy operation"
  Z = X ⊕ Y
  ...
Avoid Vulnerabilities regarding DSCA
Countermeasure - Order Randomization of Operations: Perform operations in an unpredictable order, different each time, to avoid an easy synchronization on sensitive events
Example: Program using the Order Randomization of Operations (sensitive XORs Xi ⊕ Yi, i = 0 ... 7):
  for i from 0 to 7 in random order
    Zi = Xi ⊕ Yi
⇒ Harder for the attacker to locate the XOR for a specific index
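Both desynchronization programs of these slides in C, added here as an example that is not code from the slides. The random source rng_next is a deterministic xorshift placeholder standing in for the device's hardware RNG, rng_below avoids the modulo bias of "rng() % n", and the random order is a Fisher-Yates permutation; all names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>

/* Placeholder PRNG (xorshift32, constructed seed). A real implementation must
 * draw R and the permutation from the device's hardware random source. */
static uint32_t rng_state = 0x2545F491u;
uint32_t rng_next(void)
{
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Uniform value in [0, n) by rejection: "rng_next() % n" alone would favour
 * small values, which makes some orders and delays more likely than others. */
uint32_t rng_below(uint32_t n)
{
    uint32_t limit = UINT32_MAX - (UINT32_MAX % n);   /* largest multiple of n */
    uint32_t v;
    do { v = rng_next(); } while (v >= limit);
    return v % n;
}

/* Dummy operation with a visible side effect so the compiler keeps the loop. */
static volatile uint8_t dummy_sink;
static void dummy_op(void) { dummy_sink ^= 0x5au; }

/* Desynchronization: a random number of dummy operations, then the sensitive
 * XOR. Returns how many dummy operations ran (between 0 and max_delay - 1). */
uint32_t desync_then_xor(uint8_t x, uint8_t y, uint8_t *z, uint32_t max_delay)
{
    uint32_t R = 1 + rng_below(max_delay);     /* R in [1, max_delay] */
    uint32_t i = 0;
    while ((++i) != R)
        dummy_op();
    *z = (uint8_t)(x ^ y);
    return i - 1;
}

/* Order randomization: Zi = Xi XOR Yi for i = 0..7, visited in a fresh random
 * order. `order` receives the permutation used, so a test can inspect it. */
void shuffled_xor8(const uint8_t x[8], const uint8_t y[8], uint8_t z[8], uint8_t order[8])
{
    for (uint8_t i = 0; i < 8; i++) order[i] = i;
    for (uint32_t i = 7; i > 0; i--) {            /* Fisher-Yates shuffle */
        uint32_t j = rng_below(i + 1);
        uint8_t t = order[i]; order[i] = order[j]; order[j] = t;
    }
    volatile uint8_t *vz = z;   /* keep the 8 stores in the shuffled order */
    for (size_t k = 0; k < 8; k++) {
        uint8_t i = order[k];
        vz[i] = (uint8_t)(x[i] ^ y[i]);
    }
}

/* 1 if `order` contains each index 0..7 exactly once. */
int is_permutation8(const uint8_t order[8])
{
    unsigned seen = 0;
    for (size_t k = 0; k < 8; k++) seen |= 1u << (order[k] & 7u);
    return seen == 0xffu;
}
```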
Avoid Vulnerabilities regarding FA-DFA
Example: Program disturbance
Program for a PIN verification:
  if ENTERED_PIN = STORED_PIN then
    GrantAccess()
  else
    Mute()
Normal behavior: The user enters a wrong PIN
Faulty behavior: The user enters a wrong PIN, the program is disturbed
  if ENTERED_PIN = STORED_PIN then      ← Fault injected
    GrantAccess()
  else
    Mute()
Avoid Vulnerabilities regarding FA-DFA
Rule: Remove the possibility for an attacker to find "easily" the key timing in the program for an exploitable fault injection
See previous countermeasures
Avoid Vulnerabilities regarding FA-DFA
Rule: Beware of executing (or not) fake operations depending on the secret value
Avoid Vulnerabilities regarding FA-DFA
Example: Square and Multiply Always Algorithm:
  A = 1
  for (i from 0 to L−1) do {
    A = A × A mod N
    if di = 1 then
      A = A × m mod N
    else
      B = A × m mod N
  }
  return(A)
If the attacker introduces a fault in a real multiplication (A = A × m mod N), the result is faulty
If the attacker introduces a fault in a fake multiplication (B = A × m mod N), the result is safe
Avoid Vulnerabilities regarding FA-DFA
Rule: Put error detectors in the code to guarantee the correct execution of the program
Avoid Vulnerabilities regarding FA-DFA
Countermeasure - Consistency check: Use consistency verifications. Check that the program executes and ends as expected
Example: Program using a consistency check (inverse operation):
  C = AES-128_encrypt(P, K)
  X = AES-128_decrypt(C, K)
  if X ≠ P
    "Fault Detected"
There are many ways of checking consistency
RSA-CRT system
RSA-CRT parameters:
(N, e) Public key
(p, q, dp, dq, iq) Private key
such that
  N = p × q, (p, q large primes)
  gcd((p − 1), e) = 1
  gcd((q − 1), e) = 1
  dp = e^−1 mod (p − 1)
  dq = e^−1 mod (q − 1)
  iq = q^−1 mod p
Application examples for RSA-CRT
Process of a naive RSA-CRT signature
Input: m, p, q, dp, dq, iq, N
  mp = m mod p                ← Vulnerability to TA
  Sp = mp^dp mod p
  mq = m mod q                ← Vulnerability to TA
  Sq = mq^dq mod q
  S = Sq + q × (iq × (Sp − Sq) mod p)
  return S
An attacker could proceed by dichotomy to find min(p, q):
⇒ If m < min(p, q), no modular reduction
⇒ If m ≥ min(p, q), modular reduction
Application examples for RSA-CRT
Process of a naive RSA-CRT signature (+ Vulnerability Corrected)
Input: m, p, q, dp, dq, iq, N
  m = m + N
  mp = m mod p
  Sp = mp^dp mod p
  mq = m mod q
  Sq = mq^dq mod q
  S = Sq + q × (iq × (Sp − Sq) mod p)
  return S
⇒ Whatever m, a modular reduction occurs
Application examples for RSA-CRT
Process of a naive RSA-CRT signature
Input: m, p, q, dp, dq, iq, N
  mp = m mod p
  Sp = mp^dp mod p
  mq = m mod q
  Sq = mq^dq mod q
  δ = iq × (Sp − Sq) mod p
  S = Sq + q × δ              ← Let us consider sensitivity to DSCA
  RETURN(S)
Application examples for RSA-CRT
DSCA on the recombination in RSA-CRT
1 The attacker makes several acquisitions and collects the signature results
2 The attacker tries to discover q byte per byte from MSB to LSB (most to least significant)
3 The attacker makes a hypothesis for the i-th byte: b = 2^8 × b + hypothesis(qi) (starting from b = 0)
4 The attacker computes ω = S / b
5 The attacker tries to correlate ω with δ when it is manipulated in the recombination
6 If the guess for the byte is correct, the ω values are highly correlated with δ
Application examples for RSA-CRT
Process of a naive RSA-CRT signature (+ Vulnerability Corrected)
Input: m, p, q, dp, dq, iq, N, e
  mp = m mod p
  Sp = mp^dp mod p
  mq = m mod q
  Sq = mq^dq mod q
  ip = p^−1 mod q
  S = p × ip × Sq + q × iq × Sp mod N
  RETURN(S)
⇒ Remove the appearance of δ by using Gauss' formula for the recombination
Application examples for RSA-CRT
Process of a naive RSA-CRT signature (with FA effect)
Input: m ∈ Z_N, p, q, dp, dq, iq
  mp = m mod p
  Sp = mp^dp mod p            ← Fault Injection
  mq = m mod q
  Sq = mq^dq mod q
  S̃ = Sq + q × (iq × (Sp − Sq) mod p)
  return S̃
⇒ Vulnerability to FA: gcd(S − S̃ mod N, N) = q
Application examples for RSA-CRT
Process of a naive RSA-CRT signature (with FA effect)
Why gcd(S − S̃ mod N, N) = q ??
S̃ is s.t.
  S̃ ≡ S mod q
  S̃ ≠ S mod p
S − S̃ mod N is s.t.
  S − S̃ mod N ≡ 0 mod q
  S − S̃ mod N ≠ 0 mod p
⇒ S − S̃ mod N is a multiple of q
Application examples for RSA-CRT
Process of a naive RSA-CRT signature (+ Vulnerability Corrected)
Input: m, p, q, dp, dq, iq, N, e
  mp = m mod p
  Sp = mp^dp mod p
  mq = m mod q
  Sq = mq^dq mod q
  S = Sq + q × (iq × (Sp − Sq) mod p)
  if (S^e mod N = m)
    RETURN(S)
  else
    "Fault Detected"
Use a consistency check with the inverse operation
Application examples for RSA-CRT
Process of a naive RSA-CRT signature (+ Shamir CM against FA), e not available
Input: m, p, q, dp, dq, iq, N
  select t a small random
  Compute d s.t. d mod (p − 1) = dp and d mod (q − 1) = dq
  mp = m mod pt
  Spt = mp^d mod pt
  mq = m mod qt
  Sqt = mq^d mod qt
  Sp = Spt mod p, Sq = Sqt mod q
  S = Sq + q × (iq × (Sp − Sq) mod p)
  if (Spt mod t = Sqt mod t)
    RETURN(S)
  else
    "Fault Detected"
Use a consistency check with modulus extension
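The RSA-CRT signature of these slides with its protections, as an added C example that is not code from the slides, on a constructed toy key (P, Q, E below, chosen so that every product fits in 64-bit arithmetic): the TA fix m + N, Gauss recombination without δ, the consistency check with e, and Shamir's modulus extension with d rebuilt from dp and dq. The names toy_key, garner, combine_d and the fault argument that corrupts Sp are this example's own.

```c
#include <stdint.h>

/* Toy RSA-CRT key (constructed: 14-bit primes so every product fits in
 * 64 bits; real keys use primes of 1024 bits and more). */
#define P 10007u
#define Q 10009u
#define E 65537u

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) { return (a % n) * (b % n) % n; }
static uint64_t gcd64(uint64_t a, uint64_t b) { while (b) { uint64_t t = a % b; a = b; b = t; } return a; }

static uint64_t powmod(uint64_t b, uint64_t e, uint64_t n)
{
    uint64_t r = 1;
    for (b %= n; e; e >>= 1) { if (e & 1u) r = mulmod(r, b, n); b = mulmod(b, b, n); }
    return r;
}

/* a^-1 mod n by the extended Euclidean algorithm (gcd(a, n) = 1 assumed). */
static uint64_t invmod(uint64_t a, uint64_t n)
{
    int64_t t = 0, nt = 1, r = (int64_t)n, nr = (int64_t)(a % n);
    while (nr) {
        int64_t q = r / nr, tmp;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    return (uint64_t)(t < 0 ? t + (int64_t)n : t);
}

typedef struct { uint64_t p, q, dp, dq, iq, N; } rsa_crt_key;

rsa_crt_key toy_key(void)
{   /* dp = e^-1 mod (p-1), dq = e^-1 mod (q-1), iq = q^-1 mod p, N = p*q */
    rsa_crt_key k = { P, Q, invmod(E, P - 1), invmod(E, Q - 1), invmod(Q, P), (uint64_t)P * Q };
    return k;
}

/* Garner recombination: S = Sq + q * (iq * (Sp - Sq) mod p). */
static uint64_t garner(const rsa_crt_key *k, uint64_t Sp, uint64_t Sq)
{
    uint64_t delta = mulmod(k->iq, (Sp + k->p - Sq % k->p) % k->p, k->p);
    return Sq + k->q * delta;
}

/* Naive CRT signature with the slides' TA fix (m + N: the reductions modulo p
 * and q then always occur). fault != 0 corrupts Sp, simulating a fault injected
 * into the exponentiation modulo p. */
uint64_t crt_sign(const rsa_crt_key *k, uint64_t m, int fault)
{
    m += k->N;
    uint64_t Sp = powmod(m % k->p, k->dp, k->p);
    uint64_t Sq = powmod(m % k->q, k->dq, k->q);
    if (fault) Sp = (Sp + 1) % k->p;
    return garner(k, Sp, Sq);
}

/* Gauss recombination S = p*ip*Sq + q*iq*Sp mod N: delta = iq*(Sp - Sq) mod p is
 * never formed, so the value the recombination DSCA correlates with is gone. */
uint64_t crt_sign_gauss(const rsa_crt_key *k, uint64_t m)
{
    uint64_t Sp = powmod(m % k->p, k->dp, k->p);
    uint64_t Sq = powmod(m % k->q, k->dq, k->q);
    uint64_t ip = invmod(k->p, k->q);
    uint64_t a = mulmod(mulmod(k->p, ip, k->N), Sq, k->N);
    uint64_t b = mulmod(mulmod(k->q, k->iq, k->N), Sp, k->N);
    return (a + b) % k->N;
}

/* Consistency check with the public exponent: S leaves only if S^e = m mod N.
 * Without it a faulty S~ equals S modulo q only, and the slides' gcd(S - S~
 * mod N, N) would expose q to whoever receives both signatures. */
int crt_sign_checked(const rsa_crt_key *k, uint64_t m, int fault, uint64_t *S_out)
{
    *S_out = crt_sign(k, m, fault);
    return powmod(*S_out, E, k->N) == m;   /* 0 = "Fault Detected" */
}

/* d with d = dp mod (p-1) and d = dq mod (q-1): CRT on two even (non-coprime)
 * moduli, consistent because dp = dq mod gcd(p-1, q-1) for a valid key. */
static uint64_t combine_d(const rsa_crt_key *k)
{
    uint64_t a = k->p - 1, b = k->q - 1, g = gcd64(a, b), bg = b / g;
    uint64_t diff = (k->dq + b - k->dp % b) % b;                  /* (dq - dp) mod b */
    uint64_t x = mulmod(diff / g, invmod((a / g) % bg, bg), bg);  /* a*x = diff mod b */
    return k->dp + a * x;
}

/* Shamir's countermeasure (e not available): exponentiate modulo p*t and q*t
 * with a small random t and compare the two results modulo t. */
int crt_sign_shamir(const rsa_crt_key *k, uint64_t m, uint64_t t, int fault, uint64_t *S_out)
{
    uint64_t d = combine_d(k), pt = k->p * t, qt = k->q * t;
    uint64_t Spt = powmod(m % pt, d, pt);
    uint64_t Sqt = powmod(m % qt, d, qt);
    if (fault) Spt = (Spt + 1) % pt;
    *S_out = garner(k, Spt % k->p, Sqt % k->q);
    return Spt % t == Sqt % t;             /* 0 = "Fault Detected" */
}
```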
Application examples for AES-128
Process of a naive AES-128
Input: K = 16-byte Key, P = 16-byte Plaintext
  State ← P
  RoundKey ← K
  AddRoundKey(State, RoundKey)      ← Considering sensitivity to DSCA
  Round ← 0
  while (Round < 9) {
    SubBytes(State)
    ShiftRow(State)
    MixColumn(State)
    KeySchedule(RoundKey, Round)
    AddRoundKey(State, RoundKey)
    Round++
  }
  SubBytes(State)
  ShiftRow(State)
Application examples for AES-128
Secret sharing and AddRoundKey:
Split the state S = S0, S1, ..., S15 into 2 shares S1 and S2 s.t. S = S1 ⊕ S2
Thus the AddRoundKey operation on state S = S0, S1, ..., S15 can be performed on one of the 2 shares:
  e.g. S1 = S1 ⊕ K
The values of S1 and S2 before and after AddRoundKey are not predictable
Application examples for AES-128
Process of a naive AES-128
Input: K = 16-byte Key, P = 16-byte Plaintext
    State ← P
    RoundKey ← K
    AddRoundKey(State, RoundKey)
    Round ← 0
    while (Round < 9) {
        SubBytes(State)               ← Considering sensitivity to DSCA at round 0
        ShiftRow(State)
        MixColumn(State)
        KeySchedule(RoundKey, Round)
        AddRoundKey(State, RoundKey)
        Round++
    }
    SubBytes(State)
    ShiftRow(State)
Application examples for AES-128
The SubBytes operation:
Apply 16 times (once per byte) a non-linear operation: {0, 1}^8 → {0, 1}^8
Can be seen as an inversion composed with an affine transformation in GF(2^8)
Can be implemented as a Look Up Table (LUT) of 256 bytes
Application examples for AES-128
Secret sharing and SubBytes with LUT: the basic method
Split the 16-byte state S = S_0 || S_1 || ... || S_15 into 2 shares maskedS and T:
    S = maskedS ⊕ T
with 16-byte parameter T = X || X || ... || X, X ∈ [0, 255]
The SubBytes operation on state S = S_0, S_1, ..., S_15 can be performed on the share maskedS but with a modified Substitution Box (pre-computation):
    for y from 0 to 255
        Sbox'[y ⊕ X] = Sbox[y] ⊕ X
⇒ Requires 256 extra bytes in RAM
⇒ There are much more elaborate methods
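The two previous slides together (S-box as inversion plus affine map, then the masked LUT pre-computation Sbox'[y ⊕ X] = Sbox[y] ⊕ X), as an added example in C that is not the slides' own code. The self-check, the sample state and the mask value used with it are constructed for illustration.

```c
#include <stdint.h>

/* Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t r = 0;
    for (; b; b >>= 1) {
        if (b & 1) r ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0));
    }
    return r;
}

/* SubBytes on one byte, built as the slide describes: inversion in GF(2^8)
   (computed as x^254, which maps 0 to 0) followed by the AES affine map. */
uint8_t aes_sbox(uint8_t x) {
    uint8_t inv = 1, b = x;
    for (unsigned e = 254; e; e >>= 1) {
        if (e & 1) inv = gf_mul(inv, b);
        b = gf_mul(b, b);
    }
    uint8_t s = inv;
    for (int i = 1; i <= 4; i++)
        s ^= (uint8_t)((inv << i) | (inv >> (8 - i)));
    return s ^ 0x63;
}

/* Basic method from the slide: Sbox'[y ^ X] = Sbox[y] ^ X, so that looking up
   a masked byte returns the masked output. Costs 256 extra bytes of RAM. */
void masked_sbox_precompute(uint8_t X, uint8_t sbox_m[256]) {
    for (unsigned y = 0; y < 256; y++)
        sbox_m[(uint8_t)(y ^ X)] = aes_sbox((uint8_t)y) ^ X;
}

/* SubBytes applied to the share maskedS only; the mask share T = X||...||X is
   unchanged, and the real state S = maskedS ^ T is never materialised. */
void masked_subbytes(uint8_t maskedS[16], const uint8_t sbox_m[256]) {
    for (int i = 0; i < 16; i++) maskedS[i] = sbox_m[maskedS[i]];
}

/* Consistency check (constructed for this example): unmasking after the
   masked SubBytes must equal plain SubBytes on S. Returns 1 on success. */
int masked_subbytes_selfcheck(const uint8_t S[16], uint8_t X) {
    uint8_t sbox_m[256], maskedS[16];
    masked_sbox_precompute(X, sbox_m);
    for (int i = 0; i < 16; i++) maskedS[i] = S[i] ^ X;
    masked_subbytes(maskedS, sbox_m);
    for (int i = 0; i < 16; i++)
        if ((maskedS[i] ^ X) != aes_sbox(S[i])) return 0;
    return 1;
}
```

Note that this basic method reuses one mask X for all 16 bytes, which is exactly the simplification the slide flags before pointing to more elaborate schemes.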
Conclusion
It is not always easy to verify that a countermeasure is efficient
By Code Audit
    • But the compiler could remove countermeasures
    • But the cache could create vulnerabilities
Practical Realization of the Attacks
    • May be costly to realize all possible attacks
    • But if no vulnerability is found, was the attack set-up efficient?
Conclusion
It is not always easy to verify that a countermeasure is efficient
Hand Methods
    • List exhaustively all intermediate variables (regarding DSCA)
    • List exhaustively all fault effects (regarding FA)
    • How to be confident that the list is exhaustive?
Towards the usage of Formal Methods
    • Use trusted provers to prove the resistance
    • For now, mainly used for fault resistance assessment only
⇒ Difficult to guarantee that the abstraction level is correct
⇒ The proof is often correct only for a specific implementation (HW specific)
Conclusion
It is not always easy to identify the assets
Assets may be different depending on the application
    • RSA signature S = m^d mod N
    • RSA decipher S = m^d mod N
Conclusion
It is not always easy to identify the assets
Assets may be different depending on the application
    • RSA cipher m = S^e mod N
    • RSA verification m = S^e mod N      ← Comparison that comes after
Conclusion
It is not always easy to identify all attack paths
All existing attacks should be considered: the list is huge
Attacks are always in motion, new ones appear regularly
Some must references (not exhaustive)
    • On the Importance of Eliminating Errors in Cryptographic Computations, Boneh et al., BellCore Report, '96
    • Method and apparatus for protecting PK schemes from timing and fault attacks, Shamir, '97
    • DPA, Kocher et al., CHES '99
    • Timing Attacks on Implementations of DH, RSA, DSS, and Other Systems, Kocher et al., '99
    • DES and DPA: the "Duplication" Method, Goubin et al., CHES '99
    • Resistance against DPA for ECC, Coron et al., CHES '99
Some must references (not exhaustive)
    • PKCS#1: RSA Cryptographic Standard, RSA Laboratory
    • ANSI X9.63, Public Key Cryptography for the Financial Industry
    • FIPS 197: AES, NIST, '01
    • A Sound Method for Switching between Boolean and Arithmetic Masking, Goubin et al., CHES '01
    • The Montgomery Powering Ladder, Joye et al., CHES '02
    • DFA on AES, Dusart et al., '03
    • CPA with a leakage model, Brier et al., CHES '04
    • ...