UCL Crypto Group, Microelectronics Laboratory. Introduction to Side-Channel Attacks, June 2009
Introduction to Side-Channel Attacks
F.-X. Standaert
UCL Crypto Group, Universite catholique de Louvain
BCRYPT Course on Embedded Security, June 2009
Outline
◮ Introduction
◮ Basics of Side-Channel Attacks
  ◮ Origin of the leakages
  ◮ Measurement setups
  ◮ SPA, DPA
◮ Exemplary attack against the DES
◮ Improved attacks
◮ Countermeasures
◮ Further readings
Cryptographic devices
[Figure: cryptographic devices]
Attacks against cryptographic devices
◮ Classical (or black box) cryptanalysis: only uses the cryptographic primitive's inputs and outputs, e.g. the plaintexts and ciphertexts for block ciphers
◮ Physical attacks: additionally take advantage of physical specificities of the implementations
  ◮ Probing attacks
  ◮ Side-channel attacks
  ◮ Fault insertion attacks
  ◮ . . .
Physical attacks
[Figure: physical attacks]
Classification of physical attacks
◮ According to the type of attack
  Active vs. passive, e.g. fault insertion vs. timing attack
  Invasive vs. non-invasive, e.g. probing … EMA … power analysis
  Side-channel attacks (timing, EMA, power analysis) are the passive ones in this classification
◮ According to the strength of the adversary: Common Criteria, FIPS 140-2, IBM taxonomy, . . .
Side-channel attacks
◮ Take advantage of physical leakages such as timing information (1996), power consumption (1998), electromagnetic radiation (2001), cache hits/misses (2005), branch predictions (2006), . . .
◮ Continuous problem: there is a "certain" amount of information that is leaked ⇒ difficult to model
◮ By contrast, probing and fault attacks are discrete problems: a wire can/cannot be read, a fault can/cannot be inserted ⇒ easier to model
Origin of the leakages
◮ Dynamic power consumption in CMOS devices
[Figure: CMOS inverter driving a load capacitance C_L between V_DD and Gnd, with a measurement resistor R_meas inserted in the supply lines]
$$P_{dyn} = C_L \cdot V_{DD}^2 \cdot P_{0 \to 1} \cdot f$$
◮ P_{0→1} (the probability of a 0 → 1 output transition) ⇒ data dependent physical leakage
◮ But P_dyn is not the only source of information
Origin of the leakages
◮ EM radiation in CMOS devices
$$d\mathbf{B} = \frac{\mu I \, d\mathbf{l} \times \hat{\mathbf{r}}}{4\pi r^2}$$ (Biot-Savart law)
◮ Data dependent current intensity I
  ◮ As for the power consumption
◮ Field orientation depends on the current direction
Measurement setups
◮ Target device: smart card, ASIC, FPGA, . . .
◮ Measurement circuit: resistor inserted in supply circuit,small antenna (hand made coil), . . .
◮ Digital oscilloscope (1 Gsample/s)
[Figure: measurement setup]
SPA
◮ Operation dependent leakage variations
◮ Example: AES encryption, 10 rounds
[Figure: trace of an AES encryption in which the 10 rounds are visible]
◮ Not an attack in itself for block ciphers
  ◮ Preliminary step before other attacks
◮ May be very powerful (e.g. public key cryptography)
DPA
◮ Data dependent leakage variations
[Figure: voltage vs. time for 8, 6, 4, 2 and 0 bit transitions; the trace amplitude grows with the number of transitions]
◮ e.g. CMOS: power consumption dependent on the number of bit switches within the target device
Exemplary attack against the DES
◮ The Data Encryption Standard
◮ FPGA implementation, loop architecture
[Figure: (a) DES Feistel structure with L0, R0, round inputs L_i, R_i, round key K_i and round function f; (b) f function: expansion of R_i, XOR with K_i, S-boxes S0 … S7, permutation]
Exemplary attack against the DES
1. Input selection: random plaintexts
2. Internal values derivation: for one S-box (here S0), the 6 known bits of E(R_i) are XORed with the 6 key bits Key[0…5]; for every key candidate the 4-bit S-box output is computed (the table below shows it for 5 inputs R_i and 4 of the 64 candidates)
3. Leakage modeling (Hamming weights): each predicted S-box output is replaced by its Hamming weight

S-box output S0(E(R_i) ⊕ Key[0…5]):

  R_i \ Key[0…5]    0    1    2    3
  0                 5   12    7    2
  1                 9    0   12    6
  2                14    4    1   13
  3                 7    5    5    8
  4                 3   10   15    1

Modeled leakage (Hamming weight of the S-box output):

  R_i \ Key[0…5]    0    1    2    3
  0                 2    2    3    1
  1                 2    0    2    2
  2                 3    1    1    3
  3                 3    2    2    1
  4                 2    2    4    1

[Figure: f function showing, for one S-box, the 6 known bits of E(R_i), the 6 key bits of K_i that are guessed, and the 4 S-box output bits predicted from them]
Exemplary attack against the DES
4. Leakage measurement
5. Leakage reduction (select representative samples)
[Figure: measured leakage vs. time for one query; one representative sample R(L) is kept per trace]

Reduced leakage of the 5 queries (plaintext index P):

  P    R(L)
  0    1.675
  1    1.432
  2    1.221
  3    1.498
  4    1.937
Exemplary attack against the DES
◮ In practice, power consumption vs. EM radiation
[Figure: two measured traces of 400 time samples each; left: power consumption, right: EM radiation]
Exemplary attack against the DES
6. Statistical test
  ◮ e.g. correlation coefficient between the modeled leakages M (Hamming weights, one per query) and the measured leakages L (the reduced samples R(L), one per query), computed for each key candidate:

  Key[0…5]     0       1       2       3
  corr       -0.09    0.05    0.32   -0.11

$$\mathrm{corr}(M, L) = \frac{\sum_{m \in M,\, l \in L} (m - \bar{M})\,(l - \bar{L})}{\sqrt{\sum_{m \in M} (m - \bar{M})^2 \cdot \sum_{l \in L} (l - \bar{L})^2}}$$

with \bar{M} and \bar{L} the means of the modeled and measured leakages, the sums pairing the m and l of the same query. The candidate with the highest correlation (here 2) is selected.
[Figure: correlation of each key candidate vs. number of measurement queries (0 to 200); the correct key candidate separates from the others as queries accumulate]
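The six steps above run end to end on constructed data, as an added example that is not part of the original slides: a correlation attack on one DES S-box (S1 of FIPS 46-3, called S0 on the slides) using the Hamming-weight model of step 3 and the correlation coefficient of step 6. The reduced leakage of each query is simulated as HW(S1(x ⊕ k)) plus Gaussian noise; the secret key chunk, the noise level, the number of queries and all function names are assumptions of the example.

```python
# Added example (not from the original slides): correlation power analysis
# against one DES S-box, following steps 1 to 6 of the slides on constructed
# data. The S-box table is DES S1 (FIPS 46-3, called S0 on the slides);
# the key chunk, noise level and number of queries are assumptions.
import random

# DES S1: 4 rows x 16 columns (FIPS 46-3).
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox1(x):
    """6-bit input b1..b6 -> 4-bit output. Row = b1 b6, column = b2 b3 b4 b5."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return DES_S1[row][col]

def hamming_weight(v):
    return bin(v).count("1")

def pearson(a, b):
    """Sample correlation coefficient corr(M, L) of step 6."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return 0.0 if va == 0 or vb == 0 else cov / (va * vb) ** 0.5

def simulate_traces(key6, n, sigma, seed=1):
    """Steps 1, 4 and 5 on a simulated device: n random 6-bit S-box inputs
    (the 6 known bits of E(R_i)) and, per input, one reduced leakage sample
    R(L) = HW(S1(x xor key6)) + N(0, sigma^2). Constructed data."""
    rng = random.Random(seed)
    inputs = [rng.randrange(64) for _ in range(n)]
    leak = [hamming_weight(sbox1(x ^ key6)) + rng.gauss(0, sigma) for x in inputs]
    return inputs, leak

def cpa_attack(inputs, leak):
    """Steps 2, 3 and 6 for all 64 candidates of the 6 key bits entering S1:
    derive the S-box output, model it by its Hamming weight, correlate with
    the measurements. Returns (best candidate, list of 64 correlations)."""
    corrs = []
    for k in range(64):
        modeled = [hamming_weight(sbox1(x ^ k)) for x in inputs]
        corrs.append(pearson(modeled, leak))
    best = max(range(64), key=lambda k: corrs[k])
    return best, corrs

def correlation_vs_queries(inputs, leak, candidate, step=50):
    """Correlation of one candidate after step, 2*step, ... queries
    (the curve of the slide's figure)."""
    modeled = [hamming_weight(sbox1(x ^ candidate)) for x in inputs]
    return [pearson(modeled[:q], leak[:q]) for q in range(step, len(inputs) + 1, step)]

if __name__ == "__main__":
    secret = 0b101101
    inputs, leak = simulate_traces(secret, n=2000, sigma=1.0)
    best, corrs = cpa_attack(inputs, leak)
    print("recovered key bits:", format(best, "06b"), "corr:", round(corrs[best], 3))
    print("curve:", [round(c, 2) for c in correlation_vs_queries(inputs, leak, best, 500)])
```

Against a real device the only change is to replace simulate_traces with the oscilloscope traces reduced to one sample per query (step 5); the 63 wrong candidates stay close to zero while the right one converges to a value set by the signal-to-noise ratio of the leakage.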
Improved attacks
◮ Improved measurement setups
◮ Adaptive selection of the inputs
◮ Pre-processing of the traces (e.g. averaging, filtering)
◮ Improved leakage models by profiling, characterization
◮ Exploitation of multiple samples, multivariate statistics
  ◮ Higher-order attacks
  ◮ Template attacks
◮ Different statistical tests
  ◮ Difference of means
  ◮ Correlation analysis
  ◮ Bayesian classification
◮ Combine different channels (e.g. power, EM)
Improved attacks
◮ Example: univariate template attack
  ◮ Optimal statistical test
  ◮ Profiled leakage model
  ◮ Most powerful type of attack
  ◮ ≠ multivariate (one leakage sample per trace is exploited)
◮ Mainly identical to the previous attack
  ◮ Only 3 steps vary...
Improved attacks
0. Preparation of the leakage model
  ◮ Assume Gaussian noise:
$$\mathcal{N}\big(R(l_i) \mid \mu_s^i, \sigma_s^i\big) = \frac{1}{\sigma_s^i \sqrt{2\pi}} \exp\left(-\frac{\big(R(l_i) - \mu_s^i\big)^2}{2\,(\sigma_s^i)^2}\right)$$
  ◮ Estimate the means μ_s^i and variances (σ_s^i)^2 for each key class s from N_t leakage traces
3. Leakage modeling: use Pr[R(l_i) | s*] = N(R(l_i) | μ_{s*}^i, σ_{s*}^i)
  ◮ In place of Hamming weights
Improved attacks
6. Statistical test: L(s*) = Pr[s* | R(l_q)]
[Figure: likelihood of each key candidate vs. number of measurement queries (0 to 80); the correct key candidate converges to 1]
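Steps 0, 3 and 6 worked through as an added example, not code from the original slides: a univariate Gaussian template attack on a 4-bit S-box (the PRESENT S-box stands in for DES to keep the tables short). The "true" leakage of the device is assumed to weigh each bit of the S-box output differently, which is exactly the situation in which a profiled model beats the Hamming-weight model of the unprofiled attack; the bit weights, noise level, trace counts and all names are assumptions of the example.

```python
# Added example (not from the original slides): univariate Gaussian template
# attack on a 4-bit S-box, following steps 0, 3 and 6 of the slides. The
# PRESENT S-box stands in for DES; the per-bit leakage weights, the noise
# level, the trace counts and all names are assumptions of the example.
import math
import random

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

# Assumed "true" leakage of the device: each bit of the S-box output v
# contributes a different amount, so the Hamming weight is only an
# approximation and profiling pays off.
BIT_WEIGHTS = (0.7, 1.0, 1.3, 1.9)

def leakage(v, rng, sigma):
    """One constructed leakage sample R(l) for intermediate value v."""
    signal = sum(w for i, w in enumerate(BIT_WEIGHTS) if (v >> i) & 1)
    return signal + rng.gauss(0, sigma)

def build_templates(n_per_class, sigma, seed=2):
    """Step 0: on a profiling device with a known key, estimate the mean
    mu_s and variance sigma_s^2 of the leakage for each of the 16 classes
    (here one class per value of v = S(x xor k)) from N_t traces."""
    rng = random.Random(seed)
    templates = {}
    for v in range(16):
        samples = [leakage(v, rng, sigma) for _ in range(n_per_class)]
        mu = sum(samples) / n_per_class
        var = sum((s - mu) ** 2 for s in samples) / (n_per_class - 1)
        templates[v] = (mu, var)
    return templates

def gaussian_log_pdf(l, mu, var):
    """log N(l | mu, sigma): the leakage model of step 3."""
    return -0.5 * math.log(2 * math.pi * var) - (l - mu) ** 2 / (2 * var)

def template_attack(templates, inputs, leak):
    """Steps 3 and 6: for every candidate k, Pr[R(l) | v = S(x xor k)] from the
    templates, multiplied over the queries (summed in the log domain) and
    normalised to a posterior over the 16 candidates (uniform prior).
    Returns (best candidate, posterior list)."""
    log_like = []
    for k in range(16):
        ll = 0.0
        for x, l in zip(inputs, leak):
            mu, var = templates[SBOX[x ^ k]]
            ll += gaussian_log_pdf(l, mu, var)
        log_like.append(ll)
    m = max(log_like)                       # shift before exp for stability
    weights = [math.exp(ll - m) for ll in log_like]
    total = sum(weights)
    posterior = [w / total for w in weights]
    best = max(range(16), key=lambda k: posterior[k])
    return best, posterior

def attack_traces(key, n, sigma, seed=3):
    """Constructed attack-phase traces from the target with the unknown key."""
    rng = random.Random(seed)
    inputs = [rng.randrange(16) for _ in range(n)]
    leak = [leakage(SBOX[x ^ key], rng, sigma) for x in inputs]
    return inputs, leak

if __name__ == "__main__":
    templates = build_templates(n_per_class=200, sigma=0.4)
    inputs, leak = attack_traces(key=0xB, n=60, sigma=0.4)
    best, posterior = template_attack(templates, inputs, leak)
    print("recovered key:", hex(best), "posterior:", round(posterior[best], 4))
```

The templates are indexed by the intermediate value rather than directly by the key class s, which is equivalent here because x is known and S is a bijection; recording the posterior after each query gives the likelihood curve of the slide.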
Countermeasures
◮ Never perfect (only make the attack harder)
◮ Physical level
  ◮ Shields, conforming glues, PUFs, detectors
  ◮ Detachable power supplies
◮ Technological level
  ◮ Dynamic and differential logic styles
  ◮ Noise addition
◮ Algorithmic level
  ◮ Time randomization, encryption of the buses
  ◮ Hiding, masking
◮ Protocol level (e.g. key updates)
◮ vs. implementation cost!
Countermeasure 1: masking
◮ Goal: have data-independent leakage
◮ How: by "randomizing" the computation
◮ e.g. block cipher S-box
  Unprotected: S computes p ⊕ k ↦ S(p ⊕ k)
  Masked: S' computes p ⊕ k ⊕ m ↦ S(p ⊕ k) ⊕ q, with an input mask m and an output mask q drawn at random for each execution; S' is a masked S-box satisfying S'(x ⊕ m) = S(x) ⊕ q for all x, so the device never handles the unmasked value S(p ⊕ k)
Countermeasure 1: masking
◮ R1(L) ⊥⊥ k, R2(L) ⊥⊥ k: each leakage point, taken alone, is independent of the key
[Figure: leakage trace vs. time with two points of interest R1(L) and R2(L), annotated S(p ⊕ k) ⊕ q and S'(p, k, m) = q]
◮ But ∃ f such that f(R1(L), R2(L)) ∝ k: a function of both points depends on the key again
◮ Univariate → bivariate
  ◮ The rest of the attack remains unchanged
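The two observations above (each point alone is independent of k, but a function of both points is not) as an added example, not code from the original slides: first-order CPA against a Boolean-masked 4-bit S-box (PRESENT S-box), then the bivariate attack that combines R1(L) and R2(L) with a centred product before running the same correlation test. The leakage model (Hamming weight plus Gaussian noise), the choice of the two points of interest (the mask q and the masked S-box output), the trace count and all names are assumptions of the example.

```python
# Added example (not from the original slides): first-order CPA failing
# against a Boolean-masked 4-bit S-box, and the bivariate (second-order)
# attack that combines the two leakage points. S-box, leakage model and
# traces are constructed here; q is the output mask of the slides.
import random

# PRESENT S-box, a small stand-in for the DES S-boxes.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def hw(v):
    return bin(v).count("1")

def pearson(a, b):
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return 0.0 if va == 0 or vb == 0 else cov / (va * vb) ** 0.5

def masked_traces(key, n, sigma, seed=4):
    """Constructed traces of a masked implementation. Per query a fresh
    uniform output mask q is drawn; R1 leaks HW(q) when the mask is handled
    and R2 leaks HW(S(x ^ key) ^ q) when the masked S-box output is stored.
    Each point on its own is independent of the key."""
    rng = random.Random(seed)
    inputs, r1, r2 = [], [], []
    for _ in range(n):
        x, q = rng.randrange(16), rng.randrange(16)
        inputs.append(x)
        r1.append(hw(q) + rng.gauss(0, sigma))
        r2.append(hw(SBOX[x ^ key] ^ q) + rng.gauss(0, sigma))
    return inputs, r1, r2

def predictions(inputs, k):
    """Hamming-weight model of the unmasked S-box output for candidate k."""
    return [hw(SBOX[x ^ k]) for x in inputs]

def first_order_cpa(inputs, r):
    """Univariate attack on one point: all correlations stay at noise level."""
    corrs = [pearson(predictions(inputs, k), r) for k in range(16)]
    return max(range(16), key=lambda k: abs(corrs[k])), corrs

def second_order_cpa(inputs, r1, r2):
    """Bivariate attack: f(R1, R2) = (R1 - mean R1) * (R2 - mean R2). For
    Boolean masking of an n-bit value v, E[f | v] = n/4 - HW(v)/2, so f
    correlates (negatively) with the prediction of the right candidate."""
    m1, m2 = sum(r1) / len(r1), sum(r2) / len(r2)
    combined = [(a - m1) * (b - m2) for a, b in zip(r1, r2)]
    corrs = [pearson(predictions(inputs, k), combined) for k in range(16)]
    return max(range(16), key=lambda k: abs(corrs[k])), corrs

if __name__ == "__main__":
    inputs, r1, r2 = masked_traces(key=0x9, n=8000, sigma=0.25)
    best1, c1 = first_order_cpa(inputs, r2)
    best2, c2 = second_order_cpa(inputs, r1, r2)
    print("first order: max |corr| =", round(max(abs(c) for c in c1), 3))
    print("second order: key", hex(best2), "corr", round(c2[best2], 3))
```

The combination step is the only addition; prediction, model and statistical test are those of the unprotected attack. Because the product also multiplies the noise of the two points, the correlation of the right candidate is smaller than in the first-order case and more queries are needed, which is the price the countermeasure extracts from the attacker.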
Countermeasure 2: hiding
◮ Goal: have data-independent leakage
◮ How: by forcing constant leakage
◮ e.g. dual rail precharged logic (WDDL)
  CMOS S-box: input p ⊕ k → output S(p ⊕ k)
  WDDL S-box: inputs p ⊕ k and its complement ¬(p ⊕ k) → outputs S(p ⊕ k) and ¬S(p ⊕ k), so that in every cycle exactly one wire of each pair switches, whatever the data
Countermeasure 2: hiding
◮ Hamming weight/distance models seem meaningless
◮ But ∃ data dependent leakage variations
◮ ∃ f such that R(L) ∝ f(p, k)
◮ An efficient attack may require to
  ◮ Change the leakage model
    ◮ But possibly involves a different adversarial context
  ◮ Use device-independent attacks
Countermeasures: cost
[Figure: cost of the countermeasures]
Summary
◮ Practical attacks (against real world devices)
◮ Usually ad hoc attacks: statistics, leakage model, ...
◮ Usually ad hoc (and expensive) countermeasures
◮ Can be sophisticated, combined with other (classical, computational) cryptanalytic techniques
◮ Main issue: how to formally analyze the security of a leaking cryptographic implementation?
Further readings
◮ Recent results on side-channel attacks can be found in the proceedings of the CHES conference: http://www.sigmod.org/dblp/db/conf/ches/index.html
◮ e.g. correlation attacks, template attacks, collision attacks, masking schemes, higher-order attacks . . .
Thanks