Side-Channel Based Collision Attacks, Theory to Practice
3. December 2010
Amir Moradi
Embedded Security Group, Ruhr University Bochum, Germany
Slide 2: Outline
- Classical side-channel attacks
- What is a side-channel based collision attack?
- Implementation platforms and problems
- A newly introduced side-channel based correlation collision attack
- Some hints when implementing
WAC 2010 | Singapore | 3. December 2010
Slide 3: Classical Side-Channel Attacks
- Collecting the side-channel leakage
  – Using an oscilloscope for power analysis attacks
    • and an electromagnetic probe for electromagnetic analysis attacks
  – Using a timer for timing attacks
Slide 4: Classical Side-Channel Attacks
- Define the hypothetical power model
  – In differential power analysis
  – In correlation power analysis
- Define the distinguisher
  – In mutual information analysis
- Examine the relation between the (hypothetical) model and the real measurements using statistical tools
  – difference of means
  – correlation coefficient
  – entropy
Slide 5: What is a Side-Channel Based Collision Attack?
- Avoids any model to predict the power consumption
  – Independent of the leakage type
- Examines the similarity of the measurements for different processed values
  – When a collision is found, a relation between parts of the secret is revealed
Slide 6: Side-Channel Based Collision Attack [example 1]
- Implementation platform: a micro-controller
- Target algorithm: the AES encryption
- Strategy of the attack: looking at the similar power consumption traces for different Sbox outputs
  Sbox(P1+K1) = Sbox(P2+K2)  =>  P1+K1 = P2+K2  =>  K1+K2 = C
  (here + is the XOR of AddRoundKey, and C = P1+P2 is known from the two plaintexts)
Slide 7: Side-Channel Based Collision Attack [example 1]
- Presence of countermeasures
  – Masking: wait till a collision may occur on both masks and Sbox outputs; depends strongly on the masking order
  – Shuffling: extending the search area to consider all clock cycles may lead to false positive results
  – Masking and Shuffling: efficiency of the attack is drastically reduced!
Slide 8: Side-Channel Based Collision Attack [example 2]
- Implementation platform: an FPGA/ASIC
- Target algorithm: the AES encryption
- Strategy of the attack: cannot be decided without knowing the architecture
Slide 9: An Overview of the Architecture
Slide 10: What do the power traces look like?
- 8-bit architecture
- 32-bit architecture
Slide 11: Side-Channel Based Collision Attack [example 2]
- Implementation platform: an FPGA/ASIC
- Target algorithm: the AES encryption
- Strategy of the attack:
  – 8-bit architecture: roughly the same as the μC case
  – 32-bit architecture: not easy because of the low probability of collision
- The attack does not work efficiently in comparison to the μC
  – Switching noise is added
  – Power consumption depends also on the last processed values
- Worse situation in the presence of countermeasures
Slide 12: What can we do? [Usually a DPA/CPA using HD/HW model works + MIA]
- Before developing an attack
  – First, averaging based on plaintext bytes (32-bit arch.)
    • 256 mean traces for each plaintext byte
    • Variance over mean traces (each plaintext byte separately)
Slide 13: Designing an Attack
- Supposing a key byte is known, we get mean traces for the corresponding Sbox input byte
- For another plaintext byte (unknown key), we get mean traces
- How are these mean traces related to each other?
Slide 14: Designing an Attack
- The mean traces for the unknown key bytes can be generated for each key byte hypothesis
- The correct key byte can be found comparing the mean traces at each time instance
  – Correlation helps here!
    • Correlation of two sets of mean traces based on key hypothesis (is almost 1 for the right key (due to equal power consumption))
Slide 15: Extending the Attack
- If the first key byte (for the first mean traces) is not known, what we recover is the linear difference between two key bytes: k1+k2, because of AddRoundKey of AES
  – The same attack shown on μC but using all possible collisions!
Slide 16: Why does it work?
- There are four instances of the S-box in the 32-bit arch.
  – The power consumption characteristics of the same instance of the S-box are used in mean traces
  – Power consumption of an instance of the S-box is compared to itself in different clock cycles
- What does happen for a larger architecture?
  – The same netlist for the S-boxes, even the same placement and routing, but still process variations exist
    • Small differences in the power consumption characteristics of different instances of the S-box
  – The same instances of the S-box should be compared
Slide 17: The gain of the attack
- Relation between key bytes
  – 8-bit arch. → 15 relations, 2^8 candidates for the 128-bit key
  – 32-bit arch. → 12 relations, 2^32 candidates for the 128-bit key
- How to get the correct key?
  – A pair of plain-/ciphertext
  – Continue the attack on the second round of the AES for each key candidate
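Slides 12 to 17 describe the correlation collision attack as a procedure: average the traces per plaintext byte value, correlate the 256 mean traces of one byte against those of another under every hypothesis for the XOR difference of the two key bytes, compare only bytes processed by the same S-box instance, and count what remains of the key space. The Python program below is an added example written for this page, not code from the talk or from the Embedded Security Group; it runs that procedure against a constructed, simulated leakage (a bit-weighted Hamming weight of the S-box output plus Gaussian noise, with per-instance weight variation standing in for process variation), so the function names, the leakage model, the constructed key and the trace counts are all assumptions. The "+" of the slides is XOR, written ^ here.

```python
"""Correlation-collision attack on simulated AES S-box leakage (added example, constructed model)."""
import random

def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _build_sbox():
    """AES S-box: multiplicative inverse followed by the affine map (public constant)."""
    sbox = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(256) if _gf_mul(x, y) == 1)
        s, r = inv, inv
        for _ in range(4):
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def simulate_traces(key, n_traces, noise_sd, rng, instances=1, variation=0.0):
    """Constructed leakage model (an assumption, not measured data): plaintext byte i is
    processed by S-box instance i % instances at time sample i. Each instance leaks a
    bit-weighted Hamming weight of Sbox(p_i ^ k_i); the bit weights differ between
    instances by up to +/- variation (process variation), plus Gaussian noise."""
    tables = []
    for _ in range(instances):
        w = [1.0 + variation * rng.uniform(-1.0, 1.0) for _ in range(8)]
        tables.append([sum(w[b] for b in range(8) if v >> b & 1) for v in range(256)])
    pts, traces = [], []
    for _ in range(n_traces):
        p = [rng.randrange(256) for _ in range(16)]
        t = [tables[i % instances][SBOX[p[i] ^ key[i]]] + rng.gauss(0.0, noise_sd)
             for i in range(16)]
        pts.append(p)
        traces.append(t)
    return pts, traces

def mean_traces(pts, traces, byte_idx):
    """Slide 12 preprocessing: 256 mean values at time sample byte_idx, one per
    plaintext byte value, so no power model of the key is needed."""
    sums, counts = [0.0] * 256, [0] * 256
    for p, t in zip(pts, traces):
        sums[p[byte_idx]] += t[byte_idx]
        counts[p[byte_idx]] += 1
    return [sums[v] / counts[v] for v in range(256)]

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5

def recover_key_diff(m_i, m_j):
    """Slides 14-15: for the right delta = k_i ^ k_j, m_i[p] and m_j[p ^ delta] stem from
    equal S-box inputs, so their correlation is almost 1. Returns (delta, correlation)."""
    scores = [(pearson(m_i, [m_j[p ^ d] for p in range(256)]), d) for d in range(256)]
    corr, delta = max(scores)
    return delta, corr

def collision_attack(pts, traces, instances=1):
    """Slide 16: compare only bytes handled by the same S-box instance.
    Returns {(ref, i): (key[ref] ^ key[i], corr)} with 16 - instances relations."""
    relations = {}
    for ref in range(instances):
        m_ref = mean_traces(pts, traces, ref)
        for i in range(ref + instances, 16, instances):
            relations[(ref, i)] = recover_key_diff(m_ref, mean_traces(pts, traces, i))
    return relations

def remaining_candidates(relations):
    """Slide 17: one unresolved byte per instance, hence 2^8 (8-bit) or 2^32 (32-bit)."""
    return 256 ** len({ref for ref, _ in relations})

if __name__ == "__main__":
    rng = random.Random(2010)
    key = [0x3a, 0x91, 0xc7, 0x04, 0x5e, 0xff, 0x12, 0x88,
           0xb0, 0x6d, 0x27, 0xe3, 0x49, 0xca, 0x75, 0x1f]  # constructed key
    for inst in (1, 4):  # 8-bit (one shared S-box) and 32-bit (four instances) cases
        pts, traces = simulate_traces(key, 20000, 1.0, rng, inst, 0.3)
        rel = collision_attack(pts, traces, inst)
        ok = all(d == key[r] ^ key[i] for (r, i), (d, _) in rel.items())
        print(f"{inst} instance(s): {len(rel)} relations correct={ok}, "
              f"candidates={remaining_candidates(rel)}")
```

With one shared S-box the run yields the 15 XOR differences k_0 ^ k_i and 2^8 key candidates; with four instances it yields 12 differences (three per instance) and 2^32 candidates, as on slide 17. A designer evaluating an implementation can reuse the same harness on real traces to check whether the mean-trace correlation for the right difference stays close to 1 only for bytes processed by the same netlist, which is the similarity the "different netlists" hint on slide 25 is meant to remove.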
Slide 18: How about Shuffling?
- Shuffling is done on the order of Sbox runs
- Using combing [what's combing?]
Slide 19: How about Masking?
- Looking into the literature: smallest masked AES S-box by Canright and Batina
- 1st order leakage is obvious because of glitches
Slide 20: Results when masking is implemented
Slide 21: Masking combined with Shuffling?
- Using combing
Slide 22: First Hints
- The attack works when an instance of the Sbox is shared for a computation of a round
- Try to avoid Sbox [hardware] sharing
  – going through round-based implementation
    • 128-bit architectures
    • even unrolled architectures
Slide 23: Results on 128-bit arch. [unmasked]
- Not achieved for all key bytes
  – because of differences between the netlists of different instances of the Sbox
Slide 24: How about unrolled implementations?
- two rounds per clock cycle
- three rounds per clock cycle
Slide 25: Second Hints
- The attack still works on some key bytes even on unrolled implementations
- To avoid such an attack it is recommended to use different netlists for different instances of the Sbox
  – the result will avoid similarity of the power consumption of different instances of the Sbox
- The world still is not enough
  – at the end of the day, a statistical tool, e.g., MIA, will recover the secret!
Slide 26: Thanks! Any questions?
Thanks to my colleagues: Oliver Mischke, Thomas Eisenbarth
Embedded Security Group, Ruhr University Bochum, Germany