Introduc)on to physical a2acks: Tamper resistance &
Side-‐channel analysis basics Lejla Batina
Digital Security Group
Ins)tute for Compu)ng and Informa)on Sciences (ICIS) Radboud University Nijmegen
The Netherlands
Hardware Security Zagreb, Croa)a May 23, 2014
Crypto: theory vs physical reality
power
&ming
sound Algorithms are (supposed to be)
theoretically secure
fault injec&on
Implementations leak in physical world
2
Side-‐channels
R. Anderson and M. Kuhn, P. Kocher, 1996
Outline • RU Nijmegen • Intro: Implementa)on of security vs secure implementa)ons
– Embedded cryptographic devices – Tamper resistance is “problema)c”
• Side-‐channel analysis basics • Power analysis a2acks
– SPA vs DPA – Direct and 2-‐step a2acks
• Other side-‐channels • Countermeasures • A few words about SCA prac)cum
3
Digital Security group
• A part of ICIS – Ins)tute for Compu)ng and Informa)on Sciences
• Research topics: – Applied cryptography – Privacy and iden)ty management – User-‐centric aspects of security – SoYware verifica)on – Quantum logic
Research topics
• Hardware security – Side-‐channel analysis and countermeasures – Fault a2acks
• Machine learning for crypto • Lightweight cryptography
– Protocols – Implementa)ons – Privacy issues
Our network and research partners
COST project TRUDEVICE (2012-2016)
Research projects
" STW project SIDES " NWO project ProFil
NoE
ECRYPT(II) theory
prac*ce
Embedded cryptographic devices
Embedded security: -‐ resource limita)on -‐ physical accessibility
10
What do attackers want to achieve?
(In)security for Embedded Systems “Researchers have extracted information from nothing more than the reflection of a computer monitor off an eyeball or the sounds emanating from a printer.” Scientific American, May 2009.
11
More Insecurity for Embedded Systems “Devices That Tell On You: The Nike+iPod Sport Kit” T. Saponas, J. Lester, C. Hartung, T. Kohno h2p://www.cs.washington.edu/research/systems/privacy.html Dec. 2006 -‐ Tracks up to 60 feet = 20 meter (even without iPod) -‐ No privacy measures included
[www.apple.com: nike+ipod]
12
The goals of a2ackers • Secret keys/data • Unauthorized access • IP/piracy • (Loca)on) privacy • (Theore)cal) cryptanalysis [RS01] • Reverse engineering (h2p://www.flylogic.net/blog/) • Finding backdoors in chips [SW12] • …
13
Our scope: Implementa)on A2acks
“Remote keyless entry system for cars and buildings is hacked” March 31, 2008, [EK+08]
-‐ KeeLoq: eavesdropping from up to 100 m -‐ 2 mesages are enough
Even SPA is possible, July 19, 2009, [KK+09] www.crypto.rub.de/keeloq
PS3 hack -‐ ECDSA implementa)on failed -‐ resulted in PS3 master key recovery
Contactless Smartcards with Mifare Classic [KS+10], DESFire, Atmel CryptoMemory [BG+12], etc.
14
Embedded Security We NEED BOTH
• Efficient Implementa)on – Within power, area, )ming budgets – Public-‐key: 1024 bits RSA on 8 bit μC and
100 mW
– Public key: ECC on a passive RFID tag
• Secure (trustworthy) implementa)on – Resistant to a2acks – Ac)ve a2acks: probing, (power) glitches,
JTAG scan chain, cold-‐boot, … – Passive a2acks: power consump)on,
electromagne)c emana)on, sound, temperature, etc.
15
Side-‐channel informa)on: Experiment
• Put 28 EUR in one pot, and 10 EUR in the other
• Mul)ply the content of the blue pot by 10 and the red pot by 7
• Add the results in both pots • Tell me if the sum is odd or even
• Is the answer sufficient to reveal the ini)al content of each pot?
[D. Naccache, A. Shamir]
Experiment (cont‘d) • Normally not
– 28 x 7 + 10 x 10 = 296 (even) – 10 x 7 + 28 x 10 = 350 (even)
• However, compu)ng the first case takes more )me
[D. Naccache, A. Shamir]
Side-‐channel security before • Tempest – known since early 1960s that computers
generate EM radia)on that leaks info about the data being processed – First evidence came out in 1943: an engineer using a Bell
Telephone 131-‐B2 no)ced that a digital oscilloscope spiked for every encrypted le2er
– Declassified in 2008 • In 1965, MI5 put a microphone near the rotor-‐cipher
machine used by the Egyp)an Embassy, the click-‐sound the machine produced was analyzed to deduce the core posi)on of the machines rotors
• First academic publica)ons by Paul Kocher: 1996 ()ming, Koc96) and 1999 (power, KJJ99)
18
Side-‐channel security today
• As a research area took off in the 90’s • First academic publica)ons by Paul Kocher: 1996 ()ming) and 1999 (power), [Koc96, KJJ99]
• Many successful a2acks published on various playorms and real products e.g. KeeLoq [EK+08], CryptoMemory [BG+12], (numerous) contactless cards
• A good business model for security evalua)on labs e.g. Riscure and Brightsight
19
Concepts of side-‐channel leakage
• Side-‐channel leakage is based on (non-‐inten)onal) physical informa)on
• Can enable new kind of a2ack • OYen, op)miza)ons enable leakages
o Cache: faster memory access o Fixed computa)on pa2erns (rounds) o Square vs mul)ply (for RSA)
20
Basic idea
“Breaking into a safe is hard, because one has to solve a single, very hard problem...”
… b r e a k i n g d o w n a problem into two or more sub-problems that are simple enough to be solved directly
21
Concept: Black box model
Standardized algor)hms are secure
Cryptographic device Plain text Cipher text
23
Side-‐Channel Leakage
• Physical a2acks ≠ Cryptanalysis (gray box, physics) (black box, math) • Does not tackle the algorithm's mathema)cal security
• Timing, Power, EM, Light, Sound, Temperature,… • Observe physical quan))es in the device's vicinity and use
addi)onal informa)on during cryptanalysis • Uninten)onal signals to reconstruct data
Input Output
Leakage
Sources of side-‐channel informa)on • Timing (Kocher 1996), Power (KJJ 1999), EM (UCL & Gemplus
2001, QS01, GMO01) • Temperature (BK+09, Naccache et al.)
– informa)on about the device's malfunc)on leaked-‐out via its temperature
• Light (Markus Kuhn) – Reading CRT-‐displays at a distance – Observing high-‐frequency varia)ons of the light emi2ed
• Sound (Acous)c cryptanalysis Shamir and Tromer) – Dis)nguishing an idle from a busy CPU – Dis)nguish various pa2erns of CPU opera)ons and memory access (RSA
signatures)
• Photonic emissions (SN+13, TU Berlin)
25
Leakage is explorable
• Due to the (dependency of leakages on) sequences of instruc)ons executed
• Due to the data (even sensi)ve!) being processed • Due to other physical effects • …
• And remember:
26
A2ack categories
• Side-‐channel a2acks – use some physical (analog) characteris)c and assume access to it
• Faults – use abnormal condi)ons causing malfunc)ons in the system
• Micro-‐probing – accessing the chip surface directly in order to observe, learn and manipulate the device
• Reverse engineering
27
Taxonomy of Implementa)on A2acks
• Ac)ve versus passive – Ac)ve
• The key is recovered by exploi)ng some abnormal behavior e.g. power glitches or laser pulses
• Inser)on of signals – Passive
• The device operates within its specifica)on • Reading hidden signals
28
Taxonomy of Implementa)on A2acks
• Invasive versus non-‐invasive – Invasive aka expensive: the strongest type e.g. bus
probing – Semi-‐invasive: the device is de-‐packaged but no contact
to the chip e.g. op)cal a2acks that read out memory cells (or faults/glitches by voltage, power supply, clock, EM, etc.)
– Non-‐invasive aka low-‐cost: power/EM measurements – Non-‐invasive: data remanence in memories – cooling
down is increasing the reten)on )me • Side-‐channel a2acks: passive and non-‐invasive
29
Analysis capabili)es
• “Simple” a2acks: one or a few measurements -‐ visual inspec)on
• Differen)al a2acks: mul)ple measurements – Use of sta)s)cs, signal processing, etc.
• Higher order a2acks: n-‐th order is using n different samples
• Combining two or more side-‐channels • Combining side-‐channel a2ack with theore)cal cryptanalysis
30
Devices under a2ack • Smart card • FPGA, ASIC • RFID, PDAs • Phones, USBs • Actual smartcard products
Clock
Meas. VDD
Meas. GND
RS 232 ASIC Trigger
31
Measurement setup -‐ details
• Cryptographic device under a2ack • Power measurement circuit or EM
probe • Power supply and clock generator • Control and analysis soYware • Oscilloscope • PC
Input Crypto
33
Prac)cal Issues
• Quality of measurements – Noise issues
• Sources: power supply, clock generator • Algorithmic, sampling, external, intrinsic, quan)za)on • Averaging mul)ple observa)ons helps
• Aligning the measurements – Due to )me randomiza)on, permu)ng execu)on or hardware countermeasures
35
Power Analysis
• Direct a2acks • Simple Power Analysis (1999) • Differen)al Power Analysis (1999) • Correla)on Power Analysis (2004) • Collision A2acks (2003)
• Two-‐stage a2acks • Template A2acks (2002) • Stochas)c Models (2005) • Linear Regression Analysis (LRA)
• Advanced a2acks: Mutual Informa)on Analysis -‐ MIA (2008), Diff. cluster analysis (2009), PCA (2011), ...
37
Simple Power Analysis (SPA)
• Based on one or a few measurements • Mostly discovery of data-‐(in)dependent but instruc)on-‐
dependent proper)es e.g. – Symmetric:
• Number of rounds (resp. key length) • Memory accesses (usually higher power consump)on)
– Asymmetric: • The key (if badly implemented, e.g. RSA / ECC) • Key length • Implementa)on details: for example RSA w/wo CRT
• Search for repe))ve pa2erns
conditional operation
39
Insecure RSA implementa)on
RSA modular exponentiation In: message m,key e(l bits) Output: me mod n
A = 1
for j = l – 1 to 0
A = A2 mod n /* square */ if (bit j of k) is 1 then A = A x m mod n /* multiply */
Return A
j < 0
Loop Init
bit j of k = 1?
A = A x m
j = j - 1
Return A A = A2
Side-Channel
42
ECC Example: Double and Add
Conditional operation: Side Channel
point doubling
point addition
How to prevent this type of leakage?
48
Intro to Sta)c CMOS
• Most popular circuit style! • A power analysis a2ack explores the fact that the instantaneous power cons. depends on the data and instruc)ons being processed
• Power consumed when an output signal switches is much higher
0-‐>0: sta)c (low) 0-‐>1: sta)c + dynamic (high) 1-‐>0: sta)c + dynamic (high) 1-‐>1: sta)c (low)
49
“We don’t understand electricity. We use it.”
-‐ Maya Angelou
Power Models • Hamming distance model
– Counts number of 0-‐>1 and 1-‐>0 transi)ons – Assuming same power consumed for both – Typically for register outputs in ASIC’s – HD(v0, v1)=HW(v0 xor v1) – Requires knowledge of preceding or succeeding v
• Hamming weight model – Typically for pre-‐charged busses
• Weighted Hamming weight/distance model • Signed Hamming distance (0-‐>1 neq 1-‐>0) • Dedicated models for combina)onal circuits
50
Conclusions and open problems
• Physical access allows many a2ack paths • Trade-‐offs between assump)ons and computa)onal complexity
• Requires knowledge in many different areas • Combining SCA with theore)cal cryptanalysis
52
SCA: Recent developments
• Theory – Framework for side-‐channel analysis – Leakage resilient crypto
• Prac)ce – Even more advances in a2acks: algorithm specific (combined with cryptanalysis)
– Machine learning methods – Similar techniques apply to traffic analysis – New countermeasures – New models (going sub-‐micron)
53
References and further reading (1/2) • [AK96] R. Anderson and M. Kuhn. “Tamper resistance – a cau)onary
note”. USENIX 1996, h2p://www.cl.cam.ac.uk/~rja14/tamper.html • [Koc96] P. Kocher. “Timing A2acks on Implementa)ons of Diffie-‐Hellman,
RSA, DSS, and Other Systems”. CRYPTO 1996 • [RS01] T. Romer and J.-‐P. Seifert. “Informa)on Leakage A2acks against
Smart Card Implementa)ons of the Ellip)c Curve Digital Signature Algorithm”. E=Smart 2001
• [SW12] Skorobogatov and Woods. “Breakthrough silicon scanning discovers backdoor in military chip” h2p://www.cl.cam.ac.uk/~sps32/ches2012-‐backdoor.pdf CHES 2012.
• [EK+08] T. Eisenbarth et al. “On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoqCode Hopping Scheme”. CRYPTO 2008.
• [KK+09] M. Kasper et al. “Breaking KeeLoq in a Flash: On Extrac)ng Keys at Lightning Speed.” AFRICACRYPT 2009.
References and further reading (2/2) • [KS+10] T. Kasper et al. “All You Can Eat or Breaking a Real-‐World
Contactless Payment System.” Financial Cryptography 2010. • [BG+12] J. Balasch et al. “Power Analysis of Atmel CryptoMemory -‐
Recovering Keys from Secure EEPROMs.” CT-‐RSA 2012. • [KJJ99] P. Kocher, J. Jaffe, B. Jun. “Differen)al Power Analysis”. CRYPTO
1999. • [QS01] J. -‐J. Quisquater and D. Samyde. “ElectroMagne)c Analysis (EMA):
Measures and Counter-‐Measures for Smart Cards”mart 2001. • [GMO01] K. Gandolfi et al. “Electromagne)c Analysis: Concrete Results”.
CHES 2001. • [BK+09] J. Brouchier et al. “Temperature A2acks”. IEEE Security & Privacy
7(2): 79-‐82 (2009) • [SN+13] A. Schlösser et al. “Simple photonic emission analysis of AES. J.
Cryptogra-‐phic Engineering 3(1): 3-‐15 (2013)