fault based cryptanalysis on block ciphers
play

Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE - PowerPoint PPT Presentation

Oct 07, 2023 •486 likes •1.19k views

Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and Information Security Agency) Friday, October 2 nd , 2015 - Singapore Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures|

  1. Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and Information Security Agency) Friday, October 2 nd , 2015 - Singapore

  2. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Agenda Introduction 1 a. Physical Cryptanalysis b. Fault-based Cryptanalysis Fault Injection Means 2 a. Global Faults b. Local Faults c. Other Tools Cryptanalysis methods 3 a. Fault Model b. Safe Error Attack c. DFA d. Statistical Fault Attack Countermeasures 4 a. Analog Level b. Digital Level c. Application to Crypto 5 Conclusion 1/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  3. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Physical Cryptanalysis| Fault-based Cryptanalysis| Agenda Introduction 1 a. Physical Cryptanalysis b. Fault-based Cryptanalysis Fault Injection Means 2 a. Global Faults b. Local Faults c. Other Tools Cryptanalysis methods 3 a. Fault Model b. Safe Error Attack c. DFA d. Statistical Fault Attack Countermeasures 4 a. Analog Level b. Digital Level c. Application to Crypto 5 Conclusion 2/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  4. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Physical Cryptanalysis| Fault-based Cryptanalysis| Context Since the 90’s, increasing use of secure embedded devices I 9G smartcard ICs sold in 2013 (SIM cards, credit cards ) Strong cryptography from a mathematical point of view used to manage sensitive data I 3 DES, AES, RSA, ECC, SHA-2-3 3/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  5. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Physical Cryptanalysis| Fault-based Cryptanalysis| Classical Cryptanalysis Black-Box Model assumed in classical cryptanalysis: I key(s) stored in the device I cryptographic operations computed inside the device               The attacker has only access to pairs of plaintexts / ciphertexts. 4/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  6. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Physical Cryptanalysis| Fault-based Cryptanalysis| Secure Cipher - Unsecure Implementation (1/2) Kocher 1996 exploitation of physical leakages I cryptosystems integrated in CMOS technology I physical leakages correlated with computed data                          The attacker has also access to physical leakages New class of attacks Side-Channel Attacks (SCA) 5/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  7. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Physical Cryptanalysis| Fault-based Cryptanalysis| Secure Cipher - Unsecure Implementation (2/2) Boneh 1997 exploitation of faulty encryptions I the attacker can generate faulty encryptions                          the attacker has access to correct & faulty ciphertexts New class of attacks Fault Attacks (FA) 6/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  8. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Physical Cryptanalysis| Fault-based Cryptanalysis| Agenda Introduction 1 a. Physical Cryptanalysis b. Fault-based Cryptanalysis Fault Injection Means 2 a. Global Faults b. Local Faults c. Other Tools Cryptanalysis methods 3 a. Fault Model b. Safe Error Attack c. DFA d. Statistical Fault Attack Countermeasures 4 a. Analog Level b. Digital Level c. Application to Crypto 5 Conclusion 7/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  9. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Physical Cryptanalysis| Fault-based Cryptanalysis| Fault based Cryptanalysis FA consist in perturbing the execution of the cryptographic operation in order to get faulty results leaking information on the secret Hypotheses are made on: I the targeted intermediate value I the effect of the injection on the intermediate value The attacker can then apply algorithmic methods to extract the secret from the obtained (correct and/or faulty) results 8/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  10. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Physical Cryptanalysis| Fault-based Cryptanalysis| Fault Zoology (1/2) Different ways to generate a fault: I electrical glitch on pins (VCC, CLK, I/O, ) I electrical glitch on the die (FBBI) I light injection I ElectroMagnetic (EM) field injection The duration of the fault can be: I transient I permanent 9/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  11. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Physical Cryptanalysis| Fault-based Cryptanalysis| Fault Zoology (2/2) Different effects: I modification of operation flow I modification of operands Different goals: I Bypassing a security mechanism e.g. PIN verification, file access right control, secure bootchain, I Generating faulty encryptions/signatures fault-based cryptanalysis I Combined Attacks JavaCard based, FA + SCA 10/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  12. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Global Faults| Local Faults| Other Tools| Agenda Introduction 1 a. Physical Cryptanalysis b. Fault-based Cryptanalysis Fault Injection Means 2 a. Global Faults b. Local Faults c. Other Tools Cryptanalysis methods 3 a. Fault Model b. Safe Error Attack c. DFA d. Statistical Fault Attack Countermeasures 4 a. Analog Level b. Digital Level c. Application to Crypto 5 Conclusion 11/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  13. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Global Faults| Local Faults| Other Tools| Electrical glitch on Power Supply (1/3) Principle: under/over-power a device during a very short time Over-powering cause unexpected electrical phenomenoms inside the IC e.g. local shortcuts, Under-powering slows down the processing of the IC e.g. bad memory read/write, Low/medium-cost attack ex. of equipment: custom electronic board, pulse generator, 12/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

  14. Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures| Conclusion| Global Faults| Local Faults| Other Tools| Electrical glitch on Power Supply (2/3) Adversary can control: I Amplitude of the glitch I Duration of the glitch I Shape of the glitch Generally no control of the fault precision: I On a microcontroller running code, modification of the current executed opcode and/or operand(s) I On a hardware coprocessor, modification of (some of) the current processed words (e.g. registers) 13/69 Victor LOMNE - ANSSI / Fault-based Cryptanalysis on Block Ciphers

Recommend

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and Differential Cryptanalysis by Howard Heys.] Modern block ciphers (like DES and AES): - proceed in rounds - each round has its own round key or subkey

644 views • 21 slides
Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography Linear Cryptanalysis Differential Cryptanalysis Analytic Cryptanalysis of Block Ciphers, Stream Ciphers, Modes of Other Advanced Attacks Operation,

933 views • 11 slides
Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential cryptanalysis David Gerault LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier,

455 views • 26 slides
Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Dependency Other Win Open Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer Science Department University of Haifa, Israel December 14th, 2019 Orr Dunkelman Cryptanalysis of Lightweight Block

322 views • 31 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Block Ciphers - The Basics Lars R. Knudsen Spring 2011 L.R. Knudsen Block Ciphers - The Basics

Block Ciphers - The Basics Lars R. Knudsen Spring 2011 L.R. Knudsen Block Ciphers - The Basics

Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Block Ciphers - The Basics Lars R. Knudsen Spring 2011 L.R. Knudsen Block Ciphers - The Basics Intro Attack on iterated ciphers Differential cryptanalysis

1.27k views • 77 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. Introduction to Fault Attacks 2. Persistent Fault Analysis (PFA) 3. PFA on Fault

588 views • 19 slides
Algebraic Techniques in Cryptanalysis of Block Ciphers with a bias towards Gr obner bases

Algebraic Techniques in Cryptanalysis of Block Ciphers with a bias towards Gr obner bases

Introduction Equations Solvers Advanced Techniques Algebraic Techniques in Cryptanalysis of Block Ciphers with a bias towards Gr obner bases Martin R. Albrecht Team SALSA, UPMC, Paris 6, . . . June 2nd, 2011 @ ECrypt 2 PhD Summer school,

1.09k views • 46 slides
A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S.

A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S.

Motivation Biclique Cryptanalysis Our Framework Results A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S. Lucks J. Wenzel Bauhaus-Universit at Weimar FSE 2013, Singapore 13.03.2013 F.

633 views • 31 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and Break them Eric Filiol, filiol@esiea.fr ESIEA -

808 views • 64 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I & II Andrey Bogdanov KU Leuven, ESAT/COSIC Outline I. Block Ciphers II.

1.03k views • 79 slides
Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2 Subspaces in block ciphers 3 From subspace trails to invariant subspaces in Simpira 4 Zero-di ff erence cryptanalysis of AES Preliminaries Block

2.18k views • 146 slides
Persistent Fault Analysis on Block Ciphers Fan (Terry) Zhang , Xiaoxuan Lou, Xinjie Zhao, Shivam

Persistent Fault Analysis on Block Ciphers Fan (Terry) Zhang , Xiaoxuan Lou, Xinjie Zhao, Shivam

Persistent Fault Analysis on Block Ciphers Fan (Terry) Zhang , Xiaoxuan Lou, Xinjie Zhao, Shivam Bhasin, Wei He, Ruyi Ding, Samiya Qureshi and Kui Ren Zhejiang University CHES2018, Amsterdam, The Netherlands, 09/12/2018 OUTLINE 1 Introduction

505 views • 33 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu Hou 1 , Jakub Breier 2 , Fuyuan Zhang 3 , and Yang Liu 2 1 National University of Singapore, Singapore 2 HP-NTU Digital Manufacturing Corporate Lab,

513 views • 26 slides
Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu Iwata Nagoya University, Japan FSE 2020 November 913, 2020, Virtual 1 / 19 Block Ciphers block cipher (BC) E : K { 0 , 1 } n { 0

530 views • 24 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Rotational-XOR cryptanalysis on ARX and AND-RX ciphers Yunwen Liu ASK 2019 at Kobe National

Rotational-XOR cryptanalysis on ARX and AND-RX ciphers Yunwen Liu ASK 2019 at Kobe National

Rotational-XOR cryptanalysis on ARX and AND-RX ciphers Yunwen Liu ASK 2019 at Kobe National University of Defense Technology 1 Acknowledgement This talk is based on the joint works with: Tomer Ashur, Adrin Ranea & Glenn De Witte from

552 views • 31 slides
Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

CS 166: Information Security Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers & Block Ciphers Stream ciphers based on the one-time pad Block ciphers based on codebook ciphers Symmetric

650 views • 52 slides
Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides

More recommend