
1 FPGAs Attack Model Consider a device capable of implementing the - PDF document



  1. Introduction

• Classic cryptography views security problems as mathematical abstractions
• Classic cryptanalysis has had great success and promise
  – Analyzing and quantifying crypto algorithms’ resilience against attacks
• Recently, many of the security protocols have been attacked through physical attacks
  – Exploit weaknesses in the cryptographic system hardware implementation, aimed at recovering the secret parameters

February 17, 2014

Side-Channel Emissions

• Side-channel attacks aim at side-channel inputs and outputs, bypassing the theoretical strength of cryptographic algorithms
• Five commonly exploited side-channel emissions:
  – Power Consumption
  – Electro-Magnetic
  – Optical
  – Timing and Delay
  – Acoustic

Side-Channel Emissions

• Power Consumption -- Logic circuits typically consume differing amounts of power based on their input data.
• Electro-Magnetic -- EM emissions, particularly via near-field inductive and capacitive coupling, can also modulate other signals on the die.
• Optical -- The optical properties of silicon can be modulated by altering the voltage or current in the silicon.
• Timing and Delay -- Timing attacks exploit data-dependent differences in calculation time in cryptographic algorithms.
• Acoustic -- The acoustic emissions are the result of the piezoelectric properties of ceramic capacitors for power supply filtering and AC to DC conversion.

Hardware Targets

• Two common victims of hardware cryptanalysis are smart cards and FPGAs
• Attacks on smart cards are applicable to any general purpose processor with a fixed bus architecture.
• Attacks on FPGAs are also reported. FPGAs represent application specific devices with parallel computing opportunities.

Smart Cards

• Smart cards have a small processor (8-bit in general) with ROM, EEPROM and a small RAM
• Eight wires connect the processor to the outside world
  – Power supply: no internal batteries
  – Clock: no internal clock
• Typically equipped with a shield that destroys the chip if tampering happens

  2. FPGAs

• FPGAs allow parallel computing
• Multiple programmable configuration bits

Attack Model

• Consider a device capable of implementing the cryptographic function
• The key is usually stored in the device and protected
• Modern cryptography is based on Kerckhoffs's assumption
  – all of the data required to operate a chip is entirely hidden in the key
• Attacker only needs to extract the key

Physical Attack Phases

• Physical attacks are usually composed of two phases:
  – interact with the hardware system under attack and obtain the physical characteristics of the device
  – analyze the gathered information to recover the key

Principle of divide-and-conquer attack

• The divide-and-conquer (D&C) attack attempts to recover the key by parts
• The idea is that an observed characteristic can be correlated with a partial key
• The partial key should be small enough to enable exhaustive search
• Once a partial key is validated, the process is repeated for finding the remaining keys
• D&C attacks may be iterative or independent

Attack Classification

• Invasive vs. noninvasive attacks
• Active vs. passive attacks
  – Active attacks exploit side-channel inputs
  – Passive attacks exploit side-channel outputs
• Simple vs. differential attacks
  – Simple side-channel attacks directly map the results from a small number of traces of the side-channel to the operation of DUA
  – Differential side-channel attacks exploit the correlation between the data values being processed and the side-channel leakage

Power attacks

  3. Measuring Phase

• The task is usually straightforward
  – Easy for smart cards: the energy is provided by the terminal and the current can be read
• Relatively inexpensive (<$1000) equipment can digitally sample voltage differences at high rates (1GHz++) with less than 1% error
• Device’s power consumption depends on many things, including its structure and data being processed

Power Analysis

• Monitor the device’s power consumption to deduce information about data and operation
• Summary of DES – a block cipher
  – a product cipher
  – 16 round iterations
    – substitutions (for confusion)
    – permutations (for diffusion)
  – Each round has a round key generated from the user-supplied key

DES Basic Structure

• Input: 64 bits (a block)
• Li/Ri – left/right half (32 bits) of the input block for iteration i – subject to substitution S and permutation P
• K – user-supplied key
• Ki – round key:
  – 56 bits used + 8 unused (unused for encryption but often used for error checking)
• Output: 64 bits (a block)
• Note: Ri becomes L(i+1)
• All basic ops are simple logical ops
  – Left shift / XOR

PA on DES (cont’d)

• The upper trace – entire encryption, including the initial phase, 16 DES rounds, and the initial permutation
• The lower trace – detailed view of the second and third rounds
• The power trace can reveal the instruction sequence

SPA on Modular Mul or Exp

• Modular exponentiation is often implemented by the square and multiply algorithm
• Typically the square operation is implemented differently compared with the multiply (for speed purposes)
• Then, the power trace of the exponentiation can directly yield the corresponding value
• All programs involving conditional branching based on the key values are at risk!

SPA on Modular Mul or Exp (cont’d)

• SPA can be used to break cryptographic implementations
  – Involves modular multiplication – The leakage function depends on the multiplier design but is strongly correlated to operand values and Hamming weights
  – Involves squaring operation and multiplication; square and multiply algorithm
• SPA Countermeasure:
  – Avoid procedures that use secret intermediates or keys for conditional branching operation
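The SPA countermeasure above, as an added example that is not part of the original slides: a square-and-multiply routine with a key-dependent branch next to a Montgomery ladder whose operation sequence does not depend on the exponent. The function names and the "S"/"M" operation log (a stand-in for what a power trace shows) are assumptions made for illustration.

```python
def modexp_branching(base, exp, mod, ops):
    """Square-and-multiply with a key-dependent branch (the pattern at risk)."""
    acc = 1
    for bit in bin(exp)[2:]:
        acc = acc * acc % mod
        ops.append("S")
        if bit == "1":                 # multiply happens only for 1-bits
            acc = acc * base % mod
            ops.append("M")
    return acc

def modexp_ladder(base, exp, mod, ops):
    """Montgomery ladder with an arithmetic conditional swap instead of a branch."""
    r0, r1 = 1, base % mod
    for bit in bin(exp)[2:]:
        mask = -int(bit)               # 0 for a 0-bit, -1 (all ones) for a 1-bit
        t = (r0 ^ r1) & mask
        r0, r1 = r0 ^ t, r1 ^ t        # swap only when the bit is 1
        r1 = r0 * r1 % mod             # same multiply ...
        r0 = r0 * r0 % mod             # ... and same square for every bit
        t = (r0 ^ r1) & mask
        r0, r1 = r0 ^ t, r1 ^ t        # swap back
        ops += ["M", "S"]
    return r0

def op_pattern(fn, exp, base=7, mod=1000003):
    """Run fn on constructed sample values and return its operation sequence."""
    ops = []
    assert fn(base, exp, mod, ops) == pow(base, exp, mod)
    return "".join(ops)

def exponent_from_pattern(pattern):
    """What the branching pattern gives away: 'S' alone is a 0, 'S' then 'M' is a 1."""
    bits = []
    for op in pattern:
        if op == "S":
            bits.append("0")
        else:
            bits[-1] = "1"
    return int("".join(bits), 2)

def pattern_is_key_independent(fn, exponents):
    """Check to run on an implementation: same pattern for all same-length keys."""
    return len({op_pattern(fn, e) for e in exponents}) == 1
```

This models only the order of operations. Python integers are not constant-time, so a real implementation also needs fixed-time arithmetic underneath.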

  4. Differential power analysis (DPA)

• SPA targets variable instruction flow
• DPA targets data-dependence
  – Different operands present different power
• Difference between smart cards and FPGAs
  – In smart cards, one operation running at a time → Simple power tracing is possible
  – In FPGAs, typically parallel computations prevent visual SPA inspection → DPA

DPA

Assumption: Either Plaintext or Cipher is known

• DPA can be performed on any algorithm that has the operation β = S(α ⊕ K),
  – α is known and K is the segment key
• The waveforms are captured by a scope and sent to a computer for analysis

DPA (cont’d)

Assumption: Attacker knows the algorithm well

• The bit will classify the wave w_i
  – Hypothesis 1: bit is zero
  – Hypothesis 2: bit is one
• A differential trace will be calculated for each bit!

What is available after acquisition?

DPA (cont’d)

  5. DPA -- testing

DPA – the wrong guess

DPA (cont’d)

• The DPA waveform with the highest peak will validate the hypothesis

Example: DPA on DES

Assumption: Attacker presumes detailed knowledge of the DES

• Divide-and-conquer strategy, comparing powers for different inputs
• Record large number of inputs and record the corresponding power consumption
• Start with round 15 -- We have access to R15, that entered the last round operation, since it is equal to L16
• Take this output bit (called M’i) at the last round and classify the curves based on the bit
• 6 specific bits of R15 will be XOR’d with 6 bits of the key, before entering the S-box
• By guessing the 6-bit key value, we can predict the bit b, or an arbitrary output bit of an arbitrary S-box output

Attacking a secret key algorithm

A closer look at HW Implementation Of DES
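The classification of waveforms by a predicted bit of β = S(α ⊕ K) and the "highest peak" test described above, as an added example that is not part of the original slides. It runs on constructed waveforms and is useful for checking how many traces and how much noise a given leakage level tolerates. Assumptions: the AES S-box stands in for S (the DES case above would use a 6-bit guess), the leak is the Hamming weight of β at one sample, and all names are hypothetical.

```python
import random

def gmul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def sbox_entry(x):
    """AES S-box value: field inverse of x, then the affine map."""
    inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
    rot = lambda k: ((inv << k) | (inv >> (8 - k))) & 0xFF
    return inv ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63

SBOX = [sbox_entry(x) for x in range(256)]
SAMPLES, LEAK_AT = 6, 4                # constructed waveform layout (assumption)

def simulate(key, n, sigma, rng):
    """Constructed waveforms: Gaussian noise, plus HW(S(alpha ^ key)) at LEAK_AT."""
    alphas = [rng.randrange(256) for _ in range(n)]
    waves = [[rng.gauss(0, sigma) for _ in range(SAMPLES)] for _ in alphas]
    for a, w in zip(alphas, waves):
        w[LEAK_AT] += bin(SBOX[a ^ key]).count("1")
    return alphas, waves

def differential_trace(alphas, waves, guess, bit=0):
    """Per sample: mean of waves with predicted bit 1 minus mean with predicted bit 0."""
    s, n = [[0.0] * SAMPLES, [0.0] * SAMPLES], [0, 0]
    for a, w in zip(alphas, waves):
        b = (SBOX[a ^ guess] >> bit) & 1   # hypothesis 1: bit is 0, hypothesis 2: bit is 1
        n[b] += 1
        s[b] = [p + q for p, q in zip(s[b], w)]
    return [s[1][t] / n[1] - s[0][t] / n[0] for t in range(SAMPLES)]

def rank_hypotheses(alphas, waves):
    """(peak height, key guess) for every guess, highest peak first."""
    peaks = [(max(map(abs, differential_trace(alphas, waves, g))), g)
             for g in range(256)]
    return sorted(peaks, reverse=True)
```

Wrong guesses still produce smaller "ghost" peaks at the leaking sample, because the S-box outputs under two different keys are not fully uncorrelated. The test therefore looks at the highest peak rather than at any non-zero one.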
