"The generation of random numbers is too important to be left to chance." -- Robert R. Coveyou, Oak Ridge National Laboratory


$n$ (modulus) = product of secret primes $p$ and $q$

$e$ (public key) = relatively prime to $(p-1)(q-1)$

$d$ (private key) = $e^{-1} \bmod ((p-1)(q-1))$

Encrypt $c = m^e \bmod n$

Decrypt $m = c^d \bmod n$

Eve gets ciphertext message $c$ from Alice, wants to read it

i.e., she wants to find $m = c^d$

Choose random $r < n$, and use Alice’s public key $e$

$x = r^e \bmod n$

$y = xc \bmod n$

$t = r^{-1} \bmod n$

Note if $x = r^e \bmod n$, then $r = x^d \bmod n$ !

Eve tricks Alice into encrypting (signing) $y$ with her $d$

Alice sends Eve $u = y^d \bmod n$

Eve then calculates

$tu \bmod n = r^{-1} y^d \bmod n = r^{-1} x^d c^d \bmod n = c^d \bmod n = m$

Chosen ciphertext attack against RSA -Schneier
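
The algebra above carried through with numbers, as an added example that is not part of the original slides. The primes, message, blinding value and the `raw_sign` / `hashed_sign` helpers are constructed for illustration; `hashed_sign` is a toy hash-then-sign (digest reduced mod n), included to show that the unblinding step no longer yields m once Alice signs a digest rather than the raw value.

```python
import hashlib
from math import gcd

# Constructed toy key: textbook-sized primes, for illustration only.
p, q = 1009, 1013
n = p * q
phi = (p - 1) * (q - 1)
e = 17
d = pow(e, -1, phi)              # d = e^-1 mod (p-1)(q-1)


def raw_sign(y: int) -> int:
    """Unsafe: Alice applies d directly to whatever value she is handed."""
    return pow(y, d, n)


def hashed_sign(y: int) -> int:
    """Toy hash-then-sign: Alice applies d to a digest of y, not to y."""
    digest = hashlib.sha256(y.to_bytes(4, "big")).digest()
    return pow(int.from_bytes(digest, "big") % n, d, n)


def unblind(c: int, r: int, oracle) -> int:
    """The slide's steps: x = r^e, y = xc, t = r^-1, result = t*u mod n."""
    x = pow(r, e, n)
    y = (x * c) % n
    t = pow(r, -1, n)
    u = oracle(y)                # u = y^d mod n when the oracle is raw_sign
    return (t * u) % n


def demo():
    m = 424242                   # constructed plaintext, m < n
    c = pow(m, e, n)             # c = m^e mod n
    r = 12345                    # constructed blinding value
    assert gcd(r, n) == 1        # r must be invertible mod n
    leaked = unblind(c, r, raw_sign)      # equals m: r cancels out
    blocked = unblind(c, r, hashed_sign)  # unrelated to m
    return m, leaked, blocked
```
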


ECRYPT 2012 Key Length Advice

See www.keylength.com/en/3


Captured One-Time Pads


Russian One-Time Pad captured by MI5


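Don’t reuse those one-time pads!

If

$C_1 = P_1 \oplus K_1$

$C_2 = P_2 \oplus K_1$

$C_3 = P_3 \oplus K_1$

Then try

$C_1 \oplus C_2 \Rightarrow P_1 \oplus K_1 \oplus P_2 \oplus K_1 \Rightarrow P_1 \oplus P_2$

$C_1 \oplus C_3 \Rightarrow P_1 \oplus K_1 \oplus P_3 \oplus K_1 \Rightarrow P_1 \oplus P_3$

$C_2 \oplus C_3 \Rightarrow P_2 \oplus K_1 \oplus P_3 \oplus K_1 \Rightarrow P_2 \oplus P_3$

and

$(P_1 \oplus P_2) \oplus (P_1 \oplus P_3) \Rightarrow (P_2 \oplus P_3)$

$(P_1 \oplus P_2) \oplus (P_2 \oplus P_3) \Rightarrow (P_1 \oplus P_3)$ …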


From Rick Smith: http://cryptosmith.com/archives/70

Don’t reuse those one-time pads!


Key? What Key?

• Alice encrypts: $P \oplus K \Rightarrow C$

• Bob knows the key and decrypts: $C \oplus K \Rightarrow P$

• They agree on a dummy plaintext $D$ and if they’re ever captured, they will give up the key $K' = C \oplus D$

• If the authorities decrypt: $C \oplus K' \Rightarrow D$
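
Both one-time-pad slides (pad reuse, and the dummy key K’) in runnable form, as an added example that is not part of the original slides. The messages and function names are constructed for illustration; the pad is XOR over bytes.

```python
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the pad operation on the slides)."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed sample messages, padded to a common length.
P1 = b"ATTACK AT DAWN".ljust(24)
P2 = b"RETREAT TO THE RIVER".ljust(24)
P3 = b"HOLD POSITION TILL NINE".ljust(24)
D = b"MEET FOR LUNCH AT TWO".ljust(24)    # agreed dummy plaintext


def reuse_leak(k1: bytes):
    """Encrypt P1..P3 under the same pad and XOR the ciphertexts pairwise."""
    c1, c2, c3 = (xor(p, k1) for p in (P1, P2, P3))
    return xor(c1, c2), xor(c1, c3), xor(c2, c3)


def dummy_key(c: bytes, d: bytes) -> bytes:
    """K' = C xor D: the key handed over so that C 'decrypts' to D."""
    return xor(c, d)


def demo():
    k1 = secrets.token_bytes(24)           # fresh random pad
    c12, c13, c23 = reuse_leak(k1)
    # The pad has cancelled: each result depends on the plaintexts only.
    pad_cancels = (c12 == xor(P1, P2) and c13 == xor(P1, P3)
                   and xor(c12, c13) == xor(P2, P3) == c23)
    # Once one plaintext is known, the other follows without the pad.
    recovered_p2 = xor(c12, P1)
    # Deniability: C = P1 xor K; the surrendered K' opens C to D instead.
    c = xor(P1, k1)
    k_fake = dummy_key(c, D)
    return pad_cancels, recovered_p2, xor(c, k_fake), k_fake != k1
```
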


Case study: Heartbleed SSL Bug

http://xkcd.com/1353/

struct {
    HeartbeatMessageType type;
    uint16 payload_length;
    uchar payload[HeartbeatMessage.payload_length];
    uchar padding[padding_length];
} HeartbeatMessage;
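
A parser for the HeartbeatMessage above that checks the claimed payload_length against the bytes actually received, as an added example that is not part of the original slides and not OpenSSL's code. The function names and the two sample records are constructed; the type values (1 request, 2 response) and the 16-byte minimum padding follow RFC 6520. Python slices cannot read past a buffer, so this shows the validation itself rather than the C over-read.

```python
import os
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16          # RFC 6520: padding is at least 16 bytes
HEADER = 1 + 2            # type (1 byte) + payload_length (uint16)

# Constructed records: one honest, one whose length field overstates
# the payload that was actually sent.
HONEST = struct.pack("!BH", HB_REQUEST, 4) + b"bird" + bytes(MIN_PADDING)
LYING = struct.pack("!BH", HB_REQUEST, 500) + b"hat" + bytes(MIN_PADDING)


def parse_heartbeat(record: bytes):
    """Return (type, payload), or None if the message must be discarded."""
    if len(record) < HEADER + MIN_PADDING:
        return None       # too short to hold even an empty payload
    hb_type, payload_length = struct.unpack_from("!BH", record, 0)
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return None
    # The check that matters: the sender-supplied length must fit
    # inside the record that was really received.
    if HEADER + payload_length + MIN_PADDING > len(record):
        return None
    return hb_type, record[HEADER:HEADER + payload_length]


def build_response(record: bytes):
    """Echo the payload of a valid request; silently drop anything else."""
    parsed = parse_heartbeat(record)
    if parsed is None or parsed[0] != HB_REQUEST:
        return None
    payload = parsed[1]
    header = struct.pack("!BH", HB_RESPONSE, len(payload))
    return header + payload + os.urandom(MIN_PADDING)
```
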


Power Analysis


Simple Power Analysis: DES Parity Check

DES-CheckParity(byte Key[8])
    for i = 8 down to 1
        parity=0;
        for j = 8 down to 1
            if (bit j of Key[i] is set)     // CONDITIONAL
                parity = parity+1           // OPERATION
            endif
        endfor
        if (parity is even) parity_error();
    endfor
end DES-CheckParity
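
A simulation of why the CONDITIONAL / OPERATION pair leaks, as an added example that is not part of the original slides. The "trace" is a constructed stand-in for a power trace: one 'C' per bit test and one 'O' per increment. The XOR-folding variant removes the data-dependent branch only; it models control flow and says nothing about data-dependent power draw.

```python
# Constructed sample: a DES key whose bytes all have odd parity.
KEY = bytes.fromhex("0123456789abcdef")


def leaky_parity_trace(key: bytes):
    """Operation trace of DES-CheckParity: 'C' per test, 'O' per increment."""
    trace = []
    for byte in reversed(key):              # for i = 8 down to 1
        ops = ""
        for j in range(7, -1, -1):          # for j = 8 down to 1
            ops += "C"                      # CONDITIONAL always runs
            if (byte >> j) & 1:
                ops += "O"                  # OPERATION runs only for 1 bits
        trace.append(ops)
    return trace


def bits_from_trace(trace):
    """What an observer of the trace learns: every bit of every key byte."""
    out = []
    for ops in reversed(trace):
        bits = ops.replace("CO", "1").replace("C", "0")
        out.append(int(bits, 2))
    return bytes(out)


def branchless_parity_trace(key: bytes):
    """Same check by XOR folding: identical operation sequence for any key."""
    trace, ok = [], True
    for byte in reversed(key):
        v = byte
        v ^= v >> 4
        v ^= v >> 2
        v ^= v >> 1
        trace.append("XXX")                 # three folds, no branch on key bits
        ok &= bool(v & 1)                   # low bit set means odd parity
    return trace, ok
```
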


SPA Attack on DES-Parity


EM History

• Classified TEMPEST standards. Some parts declassified Jan '01, http://www.cryptome.org.

• Published work
  – EM Leakages from Peripherals, E.g., Monitors: Van Eck, Anderson & Kuhn.
  – EM Leakage from smart-cards during Computation.
    • J.-J. Quisquater & David Samyde, E-smart 2001,
    • Gemplus Team [GMO ’01], CHES ’01.
  – SEMA/DEMA attacks.

• Best results require "decapsulation" of chip packaging and/or precise micro-antennas positioning on chip surface


Rao et al.’s Work

• Deeper understanding of the EM leakages.
  – Similar to declassified TEMPEST literature.

• Key Insights/Results
  – Plenty of EM signals are available, provided you know what to look for and where.
    • Superior signals and attacks possible without micro-antennas or decapsulation.
    • Some attacks possible from a distance.
  – EM side-channel(s) >> Power side-channel
    • EM can break DPA-resistant implementations.


EM Emanations Background

• Origin/Types of EM Emanations
  – Direct emanations from intended currents.
    • Maxwell’s equations, Ampere’s and Faraday’s laws.
  – Unintentional emanations from coupling effects.
    • Depend on physical factors, e.g., circuit geometry.
    • Most couplings ignored by circuit designers.
    • Manifest as modulation of carriers (e.g. clock harmonics) present/generated/introduced in device.
      – AM or Angle (FM/Phase) Modulation.
    • Compromising signals available via demodulation.

• Propagation of EM
  – Radiation, Conduction, Combination of both.
    • E.g., Faint EM signals riding on power line.


EM Capturing Equipment

• Antennas (Far-field) and Near-field probes

• Current probes.

• Analog processing: Filters/Amplifiers, Tunable wideband receiver or equivalent $$

• Digital sampling hardware.


ICOM wideband radio receiver with IF output


MAKE YOUR OWN


EM vs. Power

• Sometimes, EM is the only side-channel available.
  – Filtered power supplies, restricted access…
  – E.g. Crypto Tokens, SSL Accelerators,...


[Figure: EM Signal from SSL Accelerator S at 15 feet. Axes: Time (10ns) vs. Amplitude]


EM vs. Power

• Is EM useful in the presence of power?

• Yes, several EM carriers: Generated, Ambient, Introduced…
  – Experimentally verified:
    • Different carriers carry different information.
    • Some EM leakages substantially different from Power leakages.


Bad Instructions

• Instructions where some EM leakage >> Power leakage.

• Typically CPU intensive rather than bus intensive.

• All architectures have BAD Instructions.

• Example: Bit-test on several 6805 based systems leaks tested bit.


EM Attack Example

2 signals, different data, same exp & modulus


TESTED BIT = 0 IN BOTH TRACES


TESTED BIT DIFFERENT


Countermeasures

• Require sound vulnerability assessment.

• Countermeasures include:
  – Circuit redesign to reduce unintentional emanations.
  – Reducing S/N ratio
    • EM Shielding
    • Noise introduction
    • Physically secure zones.
  – Randomization based software countermeasures similar to DPA countermeasures.