Side Channel Attacks: A Primercse.iitkgp.ac.in/conf/IoT/SCASecIoT_DM.pdf · Strong cryptographic...

1

24/10/2016 SecIoT Workshop IIT

Kharagpur

Side Channel Attacks:

A Primer

Debdeep Mukhopadhyay

Department of Computer Science and Engineering

IIT [email protected]

THE BIRD’S EYE VIEW

“…Of Secrecy I am Silence…”

Bhagavad Gita, Vibhuti Yoga, Sloka 38

3


Kharagpur

Cryptographic Communication

Encrypt Decryptplaintext

KbKa

plaintext

ciphertext

A generic use of crypto

4


Kharagpur

Cryptographic Threat Model

Assumptions• Only Alice Knows Ka

• Only Bob Knows Kb

• Mallory has access to E, D and the Communication Channel but does not know the decryption key Kb

E

Ka

D

Kb

CommunicationChannel

Message Message

Mallory

Alice Bobleaked Information

Side Channels in the real worldThrough which a cryptographic module

leaks information to its environment

unintentionally

5


Kharagpur

Side Channel Attacks

6


Kharagpur

Power Attacks

7


Kharagpur

Power

consumption

Strong cryptographic algorithms are

just the beginning!

Data input

Data output

Terminal IC chip

Power supply

00111…

Measure power

consumptionGuess secret information

stored on IC chip memory

0 1 1 1Secret

information0 1

8


Kharagpur FPGA Board

Cu

rren

t

Pro

be

Vcc

Current

Amplifier

Digital

Oscilloscope

Controller Pin

Controller PC

DES/3-DES/AES

CORE LOGIC

(Implemented on

FPGA)

Experiment Set-up @ IIT KGP

1

2

3

http://images.google.com/imgres?imgurl=http://www.testmart.com/webdata/prodimg/TEK_TCPA300_lg.jpg&imgrefurl=http://www.testmart.com/sp.cfm/PROBES/TEK/TCPA300.html&h=220&w=178&sz=10&hl=en&start=3&sig2=kyd5kMiE5j8HEW6yE7d-sg&um=1&tbnid=jLepDPC1GfTN-M:&tbnh=107&tbnw=87&ei=outxR4PZOJGegQOUn6yCBw&prev=/images?q=tektronix+tcpa300&svnum=10&um=1&hl=en

http://images.google.com/imgres?imgurl=http://www.testmart.com/webdata/prodimg/TEK_TCPA300_lg.jpg&imgrefurl=http://www.testmart.com/sp.cfm/PROBES/TEK/TCPA300.html&h=220&w=178&sz=10&hl=en&start=3&sig2=kyd5kMiE5j8HEW6yE7d-sg&um=1&tbnid=jLepDPC1GfTN-M:&tbnh=107&tbnw=87&ei=outxR4PZOJGegQOUn6yCBw&prev=/images?q=tektronix+tcpa300&svnum=10&um=1&hl=en

9


Kharagpur

Power Attacks

SPA – Simple Power Analysis attacks

◦ Fact exploited - Power consumption at an

instant of time is a function of the operation

being carried out by the device

DPA – Differential Power Analysis

◦ Fact exploited - Power consumption of the

same operation at different instants of time

depends on the data being processed.

10


Kharagpur

Simple Power Analysis (SPA)

Directly interprets the power consumption

of the device

Looks for the operations taking place and

also the key!

Trace: A set of power consumptions

across a cryptographic process

1 millisecond operation sampled at 5MHz

yield a trace with 5000 points

11


Kharagpur

A Power Trace

Power Trace of a round of AES.

Observe the variation of power values.

The variations occur because of the operation dependence of power: leads to SPA.

The variations also occur because of data dependence of power: leads to DPA.

12


Kharagpur

Example of SPA- ECC Double

and Add Algorithm

13


Kharagpur

Correlation of Power with bits

Assume power leakage follows Hamming Weight.

Divide the HW(s) into two bins:

◦ 0 bin: when LSB is 0

◦ 1 bin: when LSB is 1

Difference-of-Mean (DoM)=20/8-12/8=1

14


Kharagpur

When the partitioning is done

wrt. an uncorrelated bit? Parititioning

done by bits simulated using rand function in C.

Observe the DoM is close to 0, as expected!

15


Kharagpur

A Toy DPA

Consider the operation z=yxmod 256

Assume attacker knows first 4 bits of the secret, x.

Probability of guessing the next bit of x is ½ (with no side channel information).

Now we assume, the attacker varies y and obtains several power traces.

◦ We simulate them through Hamming Weights.

16


Kharagpur

A Toy DPA

For a given y, the attacker now guesses the next bit and computes the probable s after the 3rd

iteration (note that square and multiply starts from bit 6 to bit 0).

Based on the LSB of y, the corresponding trace is put into the 0 bin or 1 bin.

For every guess (there are 2 guesses) the DoMis computed and plotted.

The correct guess is expected to provide large DoM.

17


Kharagpur

A Toy DPA

Correct Key is 0x8F

Next bit is thus 1.

DoM computed after 210 traces.

Significant difference: 0.9 vs 0.2!

18


Kharagpur

Key = 39Key = 20

Key = 41Key = 51

0

500

1000

1500

2000

2500

-0.1

0

0.1

Key Guess

Time (s)

DP

A B

ias (

mV

)

Distinguishable Spikes

SBOX – 3 BIT – 3 TRACE COUNT = 4,000

3D Differential Plot

Differential Power Analysis

Attacks on DES

19


KharagpurSBOX – 4 BIT – 2 TRACE COUNT = 10,000


Key = 39Key = 20

Key = 19Key = 51

0

500

1000

1500

2000

2500-0.2

-0.1

0

0.1

0.2

Key GuessTime (s)

DP

A B

ias (

mV

)



Attacks on 3-DES

20


Kharagpur

Key = 113

Key = 13

Key = 12

Key = 77

0

500

1000

1500

2000

2500

-0.1

0

0.1

Key GuessTime (s)

DP

A B

ias (

mV

)


SBOX – 11 BIT – 8 TRACE COUNT = 15,000



Attacks on AES

21


Kharagpur

Differential Power Analysis: A Summary

22


Kharagpur

Correlation Power Analysis: An Improved DPA technique

23


Kharagpur

Countering DPA

Two broad approaches are taken

◦ Make the power consumption of the device independent of the data processed

Detached power supplies

Logic styles with a data independent power consumption

Noise generators

Insertion of random delays

◦ Methods are costly and not in tune with normal CAD methodologies

24


Kharagpur

Countering DPA

(Second Approach)

◦ Second Approach is to randomize the

intermediate results

◦ Based on the principle that the power

consumption of the device processing

randomized data is uncorrelated to the actual

intermediate results

◦ Masking:Can be applied at the algorithm level

or at the gate level

25


Kharagpur

Gate Level Masking

No wire stores a value that is correlated

to an intermediate result of the algorithm.

Process of converting an unmasked digital

circuit to a masked version can be

automated

26


Kharagpur

Masked AND Gate

( , )

ˆ ( , , , , )

m a

m b

m q

m m a m b q

a a m

b b m

q q m

q f a b

q f a m b m m

27


Kharagpur

Masked AND Gate

m ).mm ))a(m ).mb .b(((a

m )m ).(bm (a

m b)(aq

qbambammm

qbmam

qm

28


Kharagpur

Masked AND Gate

There are 45=1024 possible input transmissions that can occur.

It turns out that the expected value of the energy required for the processing of q=0 and q=1 are identical.

Thus protected against DPA, under the assumption that the CMOS gates switch only once in one clock cycles.

But we know there are glitches, and so the output of gates swing a number of times before reaching a steady state. Hence... the argument continues.

29


Kharagpur

Masked Multiplier

Same Principle may be applied for multiplier circuits.

30


Kharagpur

Evaluating Side Channel

Security of Crypto-systems

31


Kharagpur

Machine Learning as a

Classifier

1k

||Kk

~

||Kk ~

.

.

.

.

.

.

Given a trace, find the key k used for the

encryption.

?k

32


Kharagpur

Develop Suitable Metrics to

Certify Chips Lt =Φt(Sk) + Nt

SNR: Var(E[Lt|Sk])/Var(Lt-E[Lt|Sk])

NICV/SR: Var(E[Lt|Sk])/Var(Lt)

Key Less Evaluation: From impulse response of linear filter which maximizes the leakage

33


Kharagpur

Test Vector Leakage

Assessment Pass-Fail test

It is similar to statistical t-test

T=

Safe criteria: C>|T|, C is a predefined safe value

34


Kharagpur

Success Rate and Signal Ratio

TVLA, though certifies a chip, it does not quantify how safe or unsafe the chip is

Success rate can be defined in the terms of number of power traces and Signal Ratio (SR)

Success Rate= F(q,SR) where F is the cumulative probability distribution of zero mean gaussian distribution and q is the number of power traces

35


Kharagpur

Frequency Dependence of Side

Channel Resistance The table denotes average key ranking

result obtained after executing CPA on AES at different frequency

36


Kharagpur

Frequency Dependence of Side

Channel Resistance Tis table denotes average key ranking

result obtained after executing CPA on noisy AES at different frequency

FAULT ATTACKS:

“WHEN A SECRET IS REVEALED, IT IS

THE FAULT OF THE MAN WHO CONFIDED

IT.”

38


KharagpurTaken from "The Sorcerer's Apprentice Guide to Fault Attacks”, FDTC 2006

39



40



41



42



43



44



45


Kharagpur

Fault Attacks : RSA Cipher

A generate keys:

◦ Select p,q large prime numbers (at least hundred digits) and denote N=pq

◦ Select a small odd integer e relatively prime (only common factor is 1) to

◦ Find integer d so that

◦ (e,N) – public key; (d,N) – private key

B wants to send A a message M

◦ B encrypts M using A's public key

M is restricted to 0 M N-1

◦ A decrypts using private key d -

)1)(1()( qpN

)(mod1 Nde

NMS e mod

MNMNS ded modmod

46


Kharagpur

Fault Attacks

Another attack – by injecting faults◦ Vary the supply voltage – generate a spike◦ Vary the clock frequency – generate a glitch◦ Overheat the device◦ Expose to intense light – camera flash or

precise laser beam◦ Faults injected into a byte or a few bits

47


Kharagpur

Fault Attacks on RSA

Only decryption is subject to attacks

Assume:

◦ 1. Attacker can flip a single bit in key d 2. S and corresponding message M known to attacker

◦ Decryption device generates satisfying

◦ If then

◦ If then

M̂

NS

S

M

M

i

i

i

i

d

d

modˆ

2

2

NSMMi

mod1ˆ 2

NSMMi

modˆ 20id

1id

48


Kharagpur

Fault Attacks on AES

PLAIN TEXT

ENCRYPTION ALGORITHM

FAULT FREECIPHER TEXT

PLAIN TEXT

ENCRYPTION ALGORITHM

FAULTY CIPHER TEXT

ANALYSIS

RANDOM

FAULTS

49


Kharagpur

Fault Attacks on RSA

◦ Assume that the attacker flips randomly a bit in d.

Example: (e,N)=(7,77), d=43

◦ Ciphertext=37 producing M=9 if no fault is injected and if a fault is injected

◦ Search for i such that i=3 since

2012345 101011dddddd

67ˆ M

77mod)3767(9 2i

977mod)5367(77mod)3767( 8

)1( 3 d

50


Kharagpur

Fault Models

M0: One Diagonal affected.

M1: Two Diagonals affected.

M2: Three Diagonals affected.

M3: Four Diagonals affected.

51


Kharagpur

Propagation of Fault Induced

f f’ f’ 2f’

f’

f’

3f’

F1

F2

F3

F4

F1

F2

F3

F4

8th Round

Byte Sub

8th round

ShiftRow

8th Round

MixColumn

9th Round

ByteSub

9th Round

ShiftRow

2F1 F4 F3 3F2

F1 F4 3F3 2F2

F1 3F4 2F3 F2

3F1 2F4 F3 F2

A1 A2 A3 A4

A5 A6 A7 A8

A9 A10 A11 A12

A13 A14 A15 A16

A1 A2 A3 A4

A5A6 A7 A8

A9 A10A11 A12

A16 A15A14A13

9th Round

MixColumn

10th Round

Byte Sub

10th Round

Shift Row

52


Kharagpur

Features of the proposed attack

The attack is the strongest of its class in the literature.

Needs just one byte random fault induction.

◦ Previous best attack reduced key space to 240.

◦ Our attack reduced to 232 (revealed in 400 sec on an Intel Xeon Server with 8 cores).

Debdeep Mukhopadhyay, An Improved Fault Based Attack of the Advanced

Encryption Standard. AFRICACRYPT 2009: LNCS 5580, pp 421-434

The work was developed as a project from NTT Laboratory, Japan.

53


Kharagpur

DFA with a single Fault!

Current research shows that the AES key size can be reduced from 232 to 28 for a single byte fault.

The small complexity of the attack makes it feasible on real life FPGA implementations of AES using less sophisticated techniques, like clock glitching.

Michael Tunstall and DebdeepMukhopadhyay, Differential Fault Analysis of the Advanced Encryption

Standard using a Single Fault, Cryptology ePrint Archive: Report 2009/575

54


Kharagpur

Fault Injection Setup

Tools Used:

◦ AES Core Implemented on Xilinx Spartan 3E.

◦ Agilent Wavefrom (80 MHz)Generator

◦ Xilinx Chipscope Pro Embedded Logic Analyzer.

55


Kharagpur

Experimental Results

ATTACK REGIONDhiman Saha, Debdeep Mukhopadhyay, Dipanwita Roy Chowdhury: A Diagonal Fault Attack on

the Advanced Encryption Standard. IACR Cryptology ePrint Archive 2009: 581 (2009)

56


Kharagpur

Bypassing the Counter-measures

Parity-1, Parity-16 (linear codes) and Robust Codes (nonlinear codes) all miss some faults!

The missed faults also can lie in the DFA-exploitable space.

•An attacker can operate at a region

where the faults are missed.

•Probability of faults getting missed

is much higher if the fault space is

not uniform.

•Can we have fault tolerance

techniques which have provable

100% security. w.r.t. all the DFA

exploitable faults?

Note that the DFA exploitable space

is quite small…

57


Kharagpur

Common Countermeasure

Against Power and Fault

Attack: DRECON

58


Kharagpur

Can Side Channels be Eliminated

by design?

59


Kharagpur

60


Kharagpur

Application of DRECON

61


Kharagpur

62


Kharagpur

63


Kharagpur

64


Kharagpur

65


Kharagpur

DRECON against Fault Attack

In each execution different S-Box is chosen depending upon tweak.

Differential fault analysis fails due to this different S-Box access

Secured against multiple fault injection also

66


Kharagpur

Is that the end?-- Side Channels with Process Scaling

Mathieu Renauld, François-Xavier Standaert, Nicolas Veyrat-Charvillon, Dina Kamel, Denis Flandre: A Formal Study of Power Variability Issues and Side-Channel Attacks for Nanoscale Devices. EUROCRYPT 2011: 109-128

67


Kharagpur

Process Scaling and Side

Channels Process variation is a central issue in deep-

submicron technology.

Research shows that the leakage models change: they become non-linear!

In the absence of variations, one can develop a power model, but due to variations one need to infer correct leakage for each chip.

Also, countermeasures assume independent leakage

◦ But below 65nm, there would be cross-talk!

68


Kharagpur

A Quick Look into Cache

Attacks

69


Kharagpur

Cache Memory Leaks Information

If there is a Cache Hit◦ Access time is less

◦ Power Consumption is less

Microprocessor

Main Memory

Cache Memory

If there is a Cache Miss◦ Access time is more

◦ Power Consumption is more

70


Kharagpur

Cache Attacks : The Principle

Power and Time for the second access depends on the previous sbox access.◦ If cache hit :

Since we know P0 and P1, we can determine

…but we need to differentiate between a cache hit and miss.

Sbox

XOR

P0

K0

Sbox

XOR

P1

K1

1010

1100

PPKK

KPKP

10 KK

71


Kharagpur

Classes of Cache Attacks

Three ways to identify cache behavior

Cache Trace Attacks

Cache Access Attacks

Cache Timing Attacks

72


Kharagpur

Cache Trace Attacks

The Power Profile of the system gives away

cache behavior.

Without Cache Miss

With Cache Miss

73


Kharagpur

Cache Access Attacks : Osvik’s Attack

Uses a spy program to determine cache behavior

Microprocessor

Spy

AES

Memory

Cache MemoryPart of the cache memory

occupied by tablesCache Miss

Cache Hit

74


Kharagpur

Cache Timing Attack

Based on measuring the total time for encryption.

Used to attack a remote server.

Server running Encryption Software

Remote Attacker

Network

Trigger Encryption &Measure time taken

K *T N *T NTime Execution mmhh

75


Kharagpur

Bernstein’s Cache Timing Experiment

AES

RandomP0 = 00 - FF

Cipher Text

Characteristic of Plaintext Byte P0

(Deviation from mean time)EncryptionforTimeObtain

EncryptionAESInvoke

randomlytextsplainremainingtheVary

iterationsFor

P

15

0

2

255to0For

76


Kharagpur

Bernstein’s Cache Timing Attack

Put key to all ZEROs and

perform experiment

76

Repeat experiment with

unknown key

Correlate the two results

77


Kharagpur

Why Cache Attacks Work on AES

The AES Structure

◦ Add initial Key

◦ Nine Rounds of

Byte Substitution

Shift Row

Mix Column

Add Round Key

◦ Final Round

Byte Substitution

Shift Row

Add Round Key

Substitute 16 bytes from a 256 byte lookup table

Chester Rebeiro, Mainack Mandal, Debdeep Mukhopadhyay, "Pinpointing Cache Timing Attacks on AES",

VLSID 2010,

78


Kharagpur

Software Implementations of AES

(OpenSSL) Merges all round operations into 4 lookups.

Uses 4 tables T0, T1, T2, T3 , each of size 1024 byte.

The Software Structure is

78

a0 =T0[b024] ^ T1[b116] ^ T2[b28] ^ T4[b30] ^ rk[4]

a1 =T0[b124] ^ T1[b216] ^ T2[b38] ^ T4[b00] ^ rk[5]

a2 =T0[b224] ^ T1[b316] ^ T2[b08] ^ T4[b10] ^ rk[6]

a3 =T0[b324] ^ T1[b016] ^ T2[b18] ^ T4[b20] ^ rk[7]

b0 =T0[a024] ^ T1[a116] ^ T2[a28] ^ T4[a30] ^ rk[8]

b1 =T0[a124] ^ T1[a216] ^ T2[a38] ^ T4[a00] ^ rk[9]

b2 =T0[a224] ^ T1[a316] ^ T2[a08] ^ T4[a10] ^ rk[10]

b3 =T0[a324] ^ T1[a016] ^ T2[a18] ^ T4[a20] ^ rk[11]

Round 1

Round 2

79


Kharagpur

AES Execution Time big and small

Tables

79

Cache Attack works because of

varying execution time.

Cache AttacksBelieved to be not possible

Big Tables

Small Tables

80


Kharagpur

Attack of Clefia: A Block cipher

with small tables

Clefia is a block cipher designed by Sony Corporations

It has small tables of 256 bytes.

It was designed specifically to be protected against cache timing attacks.

◦ Our project from NTT Lab, was to analyze cache timing attacks on a Clefia code written by Sony itself..

81


Kharagpur

Clefia Attack Results In around 226 Clefia encryptions

the cipher can be shown to break in the face of cache timing attacks

3 GHz Intel Core 2 Duo

32 kB L1 Cache

1 GB RAM

Linux (Ubuntu 8.04)

gcc -4.2.4 with O3 optimization.

Attack Time:◦ First Phase (with known key):

1300 sec

◦ Second Phase (with unknown key): 312.5 sec

Chester Rebeiro, Debdeep Mukhopadhyay, Junko Takahashi and Toshinori Fukunaga, "Cache Timing Attacks on Clefia", Indocrypt 2009.

The work was developed as a project from

NTT Laboratory, Japan.

The attack is mentioned in website of SONY.

82


Kharagpur

Correlation Results on CLEFIA

82

83


Kharagpur

Conclusions

Side Channel Analysis is an extremely important topic

We have studied some of the well known side channels in cryptography.

Need for development of formalisms:◦ Information Theory

◦ Side Channel Analysis is now not a topic for only engineers: theoreticians are also worried!

A suitable security metric can be used to compare counter-measures:◦ And thus help to develop more robust designs.

84


Kharagpur

Moral of the Story

85


Kharagpur

References

Dag Arne Osvik and Adi Shamir and Eran Tromer, “Cache attacks and Countermeasures: the Case of AES”, Cryptology ePrint Archive, 2005

Daniel J. Bernstein, “Cache-timing attacks on AES”, 2005, http://cr.yp.to/antiforgery/

Chester Rebeiro and Debdeep Mukhopadhyay, "Pinpointing Cache Timing Attacks on AES", VLSID 2010

Joan Daemen, Vincent Rijmen: The Design of Rijndael: AES - The Advanced Encryption Standard Springer 2002

Gilles Piret and Jean-Jacques Quisquater, A Differential Fault Attack Technique against SPNStructures, with Application to the AES and KHAZAD, CHES 2003

Dan Boneh, Richard A. DeMillo and Richard J. Lipton: On the importance of checking cryptographic protocols for faults, Journal of Cryptology 2001.

Chester Rebeiro, Debdeep Mukhopadhyay, Junko Takahashi and Toshinori Fukunaga, "Cache Timing Attacks on Clefia", To appear Indocrypt 2009.

AES and Combined Encryption/ Authenti-cation Modes, http://gladman.plushost.co. uk/oldsite/AES/index.php

86


Kharagpur

Eli Biham, Adi Shamir, “Differential Fault Analysis of Secret Key Cryptosystems”, Crypto 1997.

Oliver Kömmerling and Markus Kuhn “Design Principles for Tamper-Resistant Smartcard Processors”, USENIX 1999.

Sergei P. Skorobogatov and Ross J. Anderson “Optical Fault Induction Attacks”, CHES 2002.

Bar-El, H. Choukri, H. Naccache, D. Tunstall, M. Whelan, C. , “The Sorcerer's Apprentice Guide to Fault Attacks”, FDTC 2006

Debdeep Mukhopadhyay, "An Improved Fault Based Attack of the Advanced Encryption

Standard", Africacrypt 2009

Debdeep Mukhopadhyay, "A New Fault Attack on the Advanced Encryption Standard Hardware", ECCTD 2009, Antalya, Turkey ( Invited Paper ).

Benedikt Gierlichs, Lejla Batina, Pim Tuyls and Bart Preneel, “Mutual Information Analysis - A Generic Side-Channel Distinguisher”, CHES 2008

Stefan Dziembowski and Krzysztof Pietrzak, “Leakage-Resilient Cryptography”, FOCs,

2009

Shay Gueron, Geoffrey Strongin, Jean-Pierre Seifert, Derek Chiou, Resit Sendag, Joshua J.

Yi, “Where does Security Stand? New Vulnerabilities vs. Trusted Computing”, 2007,

IEEE Computer Society...

References

Side Channel Attacks: A Primercse.iitkgp.ac.in/conf/IoT/SCASecIoT_DM.pdf · Strong cryptographic...

Documents

Transcript of Side Channel Attacks: A Primercse.iitkgp.ac.in/conf/IoT/SCASecIoT_DM.pdf · Strong cryptographic...