channel and fault attacks Jasper van Woudenberg @jzvw January 10, - PowerPoint PPT Presentation

Practicing the art and science of side channel and fault attacks Jasper van Woudenberg @jzvw January 10, 2019 1

Our vision certificate recommendations countermeasures 2

Where we are today Science Art Bit of both certificate 2 weeks – 2 months (single algorithm) Signal processing Leakage id/model recommendations DPA, TVLA DFA, FI success% countermeasures Tuning FI setup 3

Power side channel analysis and fault injection 4

Where we are today Science Art Bit of both certificate Signal processing Leakage id/model recommendations DPA, TVLA DFA, FI success% countermeasures Tuning FI setup 5

6

Power Analysis Signal Leakage processing modeling 7

Signal processing Raw trace Processed trace 8

Misalignment 9

Points of interest selection Data leakage Noise Samples showing statis istic ical al dependenc ndency between intermediate (key-related) data and power consumption. 10

EM leakage location finding Some delivers truth but too costly Pics origin: “EM - scanning” by Albert Spruyt Key rank (5M) Ghost peak dist.(8M) Intermediates corr. (3M) Some cheaper but misleading Spectral intensity (1) Input corr. (1M) Output corr. (1M) 11

Open research questions • How to find good EM spots without doing T-testing on each spot • How to automate the combined problem of filtering, alignment, etc? 12

Fault injection 13

FI output 14

Open research questions • What exactly happens to a circuit when faulted, to inform countermeasures • More software scalable FI attacks, a la CLKscrew 15

Where we are today Science Art Bit of both certificate Signal processing Leakage id/model recommendations DPA, TVLA DFA, FI success% countermeasures Tuning FI setup 16

TVLA (T-testing) Sboxes, R5 MixColumns, R5 t: µ B : µ A : 17

Open research questions • How exploitable are T-spikes in practice? 18

DPA key recovery AES key bytes 0-15 Key Byte Rank Number of traces 19

Open research questions • So far, it’s hard to beat CPA in terms of time efficiency. New attacks are interesting if they significantly reduce attack time from acquisition to key extraction, apply to all targets, and are unsupervised (and complete start to finish in the order of weeks) 20

Glitch length vs. glitch voltage (XMEGA) Length (ns) Voltage (V) 21

Open research questions • We rarely perform Differential Fault Analysis. If we can exploit JTAG or Boot, we get more. How to harden those? 22

Where we are today Science Art Bit of both certificate Signal processing Leakage id/model recommendations DPA, TVLA DFA, FI success% countermeasures Tuning FI setup 23

Certify • Goal is to have objective pass/fail criteria • Common Criteria / EMVco / GP TEE: • Expertise, equipment used, time elapsed, samples used, information available, open samples (#traces not directly relevant, nor FI success %!) • • As objective as we know how to make it 24

Open research questions • What is an objective measure that represents device security? 25

Improve • We can deduce some information: Timing of leakage / fault • • Amount of leakage / fault success rate • Type of leakage • Turning this into countermeasures is nontrivial • Whack-a-mole happens 26

Open research questions • How to automatically create countermeasures based on test results? • Results on FPGA/non-secure microcontroller do not translate to secure microcontrollers or SoCs. More results on the latter categories are needed. 27

Current research: Deep learning for SCA 28

Before Signal Leakage processing modeling 29

After Leakage info Metrics 30

Breaking AES with First-Order Masking Target published in 2013 (http://www.dpacontest.org/v4/)  40k traces available  AES-256 (Atmel ATMega-163 smart card)   Countermeasure: Rotating S-box Masking (RSM) 31

How does DPA contest V4 masking work? • Masking is expensive in performance and memory • Rotating mask helps by pre-computing masked S-boxes 32

Breaking AES with First-Order Masking Neural Network: Input Layer > ConvLayer > 50 > 50 > 50 > Output Layer Training/validation/test sets: 36000/2000/2000 traces Leakage Model: HW of S-Box Out (Round 1) → 9 classes Results for key byte 0: The processing of 8 traces is sufficient to recover the key 1/9 33

Open research questions • We rarely perform 2 nd order attacks, because sample combing is infeasible due to noise and limited time. How to find those samples efficiently? 34

Our visualization method Output Conv. Feature Map Dense Layers Pooling Conv. Pooling Input Data HW = 5 Feature Combination Feature Extraction + + Classification Dimensionality Reduction 35

Results (unprotected target) Raw trace CPA succeeds T-test (first round key byte) CPA fails Our visualization method 36

DL conclusions so far • DL can exploit and identify leakage • DL does SCA art + science and scales • Hardware crypto still presents challenges • DL still requires humans in tuning a network 37

Active research areas • Machine learning for SCA • FI outside of lab conditions / larger distance • Design time analysis • SCA on simulator • FI on simulator 38

Wrapping up 39

Conclusion • Automation is needed for the scale of the issues • Many interesting research questions lay on this path • We are looking to collaborate on such topics certificate recommendations countermeasures 40

Riscur cure B.V. Frontier Building, Delftechpark 49 2628 XJ Delft The Netherlands Phone: +31 15 251 40 90 www.riscure.com Riscur cure North America ica 550 Kearny St., Suite 330 San Francisco, CA 94108 USA Phone: +1 650 646 99 79 inforequest@riscure.com Riscur cure Chin ina Challenge your security Room 2030-31, No. 989, Changle Road, Shanghai 200031 China Phone: +86 21 5117 5435 inforcn@riscure.com jasper@riscure.com @jzvw 41