Lecture7 –More on Attacks Rice ELEC 528/ COMP 538 Farinaz Koushanfar Spring 2009.
Outline
• More on side-channel attacks
• Fault injection attacks
• Generic attacks on cryptosystems
Slides are mostly courtesy of Michael [email protected]
Simple power analysis (SPA) - example
SPA example (cont’d)
SPA example (cont’d)
• Unprotected modular exponentiation – square and multiply algorithm
Possible counter measure – randomizing RSA exponentiation
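The two slides above, as an added example that is not part of the original lecture: the unprotected square-and-multiply loop emits an operation sequence that is a fixed function of the exponent, while a randomized variant gives the same result with a different sequence on every call. Exponent blinding (d + r·φ(n)) is assumed here as the randomization, since the slide's own method is not in this transcript; the toy primes and all function names are constructed for illustration.

```python
import secrets

def square_and_multiply(base, exponent, modulus):
    """Left-to-right binary exponentiation; also returns the operation sequence."""
    result, ops = 1, []
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        ops.append("S")
        if bit == "1":  # key-dependent branch: this is what SPA observes
            result = (result * base) % modulus
            ops.append("M")
    return result, "".join(ops)

def blinded_exponentiation(base, d, p, q, rand_bits=32):
    """Assumed countermeasure: exponentiate with d + r*phi(n), fresh r per call."""
    n, phi = p * q, (p - 1) * (q - 1)
    r = secrets.randbits(rand_bits) | 1  # non-zero random multiplier
    return square_and_multiply(base, d + r * phi, n)

# Constructed toy RSA parameters, far too small for real use.
P, Q, E = 1009, 1013, 65537
N, PHI = P * Q, (P - 1) * (Q - 1)
D = pow(E, -1, PHI)

def demo(message=123456):
    """Return the unprotected result and sequence plus four blinded runs."""
    plain_result, plain_ops = square_and_multiply(message, D, N)
    runs = [blinded_exponentiation(message, D, P, Q) for _ in range(4)]
    return plain_result, plain_ops, runs

if __name__ == "__main__":
    result, ops, runs = demo()
    print("unprotected:", ops)
    for blinded_result, blinded_ops in runs:
        print("blinded    :", blinded_ops, blinded_result == result)
```

Blinding changes which exponent the sequence encodes on each run; the branch itself is still key-dependent, so it is normally combined with a regular (branch-free) exponentiation.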
Statistical power analysis
• Two categories
  – Differential power analysis (DPA)
  – Correlation power analysis (CPA)
• Based on the relationship between power consumption and Hamming weight of the data
Modeling the power consumption
• Hamming weight model
  – Typically measured on a bus, Y = aH(X) + b
  – Y: power consumption; X: data value; H: Hamming weight
• The Hamming distance model
  – Y = aH(P ⊕ X) + b
  – Accounting for the previous value on the bus (P)
Differential power analysis (DPA)
• DPA can be performed on any algorithm that has operation =S(K), is known and K is the segment key
The waveforms are captured by a scope and sent to a computer for analysis
What is available after acquisition?
DPA (cont’d)
The bit will classify the wave wi
  – Hypothesis 1: bit is zero
  – Hypothesis 2: bit is one
  – A differential trace will be calculated for each bit!
DPA (cont’d)
DPA (cont’d)
DPA -- testing
DPA -- testing
DPA – the wrong guess
DPA (cont’d)
• The DPA waveform with the highest peak will validate the hypothesis
DPA curve example
DPA (cont’d)
Attacking a secret key algorithm
Typical DPA Target
Example -- DPA
Example – hypothesis testing
DPA (Cont’d)
DPA on DES algorithm
DPA on other algorithms
Correlation power analysis (CPA)
• The equation for generating differential waveforms is replaced with correlations
• Rather than attacking one bit, the attacker tries to predict the Hamming weight of a word (H)
• The correlation is computed by:
Statistical PA -- countermeasures
Anti-DPA countermeasures
Anti-DPA
• Internal clock phase shift
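An added simulation, not part of the original slides, of why a random clock phase shift weakens statistical power analysis: constructed traces leak a·H(X) + b at one sample (the Hamming weight model from earlier in the lecture), and the peak correlation with H(X) is compared with and without a random shift of that sample. Pearson correlation is assumed as the statistic because the slide's CPA equation is not in this transcript; all parameter values and function names are illustrative.

```python
import random

def hamming_weight(x):
    return bin(x).count("1")

def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0

def simulate_traces(n_traces, max_shift, rng, a=1.0, b=5.0, sigma=1.0,
                    n_samples=40, leak_at=10):
    """Constructed traces: baseline b plus Gaussian noise at every sample,
    with a*H(X) added at one sample. max_shift > 0 moves that sample by a
    random amount per trace, modelling an internal clock phase shift."""
    data, traces = [], []
    for _ in range(n_traces):
        x = rng.randrange(256)  # random 8-bit data value on the bus
        trace = [b + rng.gauss(0, sigma) for _ in range(n_samples)]
        trace[leak_at + rng.randint(0, max_shift)] += a * hamming_weight(x)
        data.append(x)
        traces.append(trace)
    return data, traces

def peak_correlation(data, traces):
    """Largest |correlation| between H(X) and any single sample position."""
    model = [hamming_weight(x) for x in data]
    return max(abs(pearson(model, [t[i] for t in traces]))
               for i in range(len(traces[0])))

def compare(n_traces=2000, max_shift=15, seed=1):
    """Return (peak with aligned clock, peak with random phase shift)."""
    rng = random.Random(seed)
    aligned = peak_correlation(*simulate_traces(n_traces, 0, rng))
    shifted = peak_correlation(*simulate_traces(n_traces, max_shift, rng))
    return aligned, shifted

if __name__ == "__main__":
    print("peak correlation aligned / shifted: %.3f / %.3f" % compare())
```

The shift spreads the leak over many sample positions rather than removing it, so it is a noise-raising measure that is normally combined with other countermeasures.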
DPA summary
Electromagnetic power analysis
EMA – probe design
EMA signal
Spatial positioning
Spatial positioning
Example: SEMA on RSA
EMA (cont’d)
Counter measures
Fault injection attacks
Fault attacks
Fault injection techniques
• Transient (provisional) and permanent (destructive) faults
  – Variations to supply voltage
  – Variations in the external clock
  – Temperature
  – White light
  – Laser light
  – X-rays and ion beams
  – Electromagnetic flux
Need some (maybe expensive) equipment – e.g., laser
Fault injection steps
Provisional faults
• Single event upsets
  – Temporary flips in a cell’s logical state to a complementary state
• Multiple event faults
  – Several simultaneous SEUs
• Dose rate faults
  – The individual effects are negligible, but cumulative effect causes fault
• Provisional faults are used more in fault injection
Permanent faults
• Single-event burnout faults
  – Caused by a parasitic thyristor being formed in the MOS power transistors
• Single-event snap back faults
  – Caused by self-sustained current by parasitic bipolar transistors in MOS
• Single-event latch-up faults
  – Creates a self sustained current in parasitics
• Total dose rate faults
  – Progressive degradation of the electronic circuit
Fault impacts (model)
• Resetting data
• Data randomization – could be misleading, no control over!
• Modifying op-code – implementation dependent
Fault attacks – counter measures
Fault attacks – counter measures
Attacks on systems using smart cards
Trusted path
• Normal key validation on a PC
Trusted path
• PIN code validation – can you come up with attacks?
Are smart cards good or bad?
Let’s go thru a few common scenarios
A few common scenarios…
A few common scenarios…
A few common scenarios…
A few common scenarios…
A few common scenarios…
A few common scenarios…
A few common scenarios…
A few common scenarios…
A few common scenarios…
A few common scenarios…
A few common scenarios…
Example – fault attack on DES
15-th round DPA
15-th round DPA
15-th round DES