Introduction to Side-Channel Attacks Josep Balasch KU Leuven ESAT / - PowerPoint PPT Presentation

Introduction to Side-Channel Attacks Josep Balasch KU Leuven ESAT / COSIC 15th International COSIC Course Leuven, Belgium, 18 June 2015 Acknowledgements: Benedikt Gierlichs, Ingrid Verbauwhede, Patrick Schaumont, Kris Tiri, Bart Preneel, Helena Handschuh Side-Channel Attacks - COSIC Course 18 June 2015

Outline • PART I: Introduction to implementation attacks o Embedded cryptographic devices o Security models o Classification of implementation attacks • PART II: Introduction to Power Analysis attacks o Power measurements, leakage models o Simple Power Analysis (SPA) o Differential Power Analysis (DPA) o Countermeasures Side-Channel Attacks - COSIC Course 2

Physical attacks, embedded cryptographic devices, security models, classification of attacks Part I: INTRODUCTION TO IMPLEMENTATION ATTACKS Side-Channel Attacks - COSIC Course 3

Traditional model (simplified view) o Attack on channel between communicating parties o Encryption and cryptographic operations in black boxes o Protection by strong mathematic algorithms and protocols o Computationally secure Side-Channel Attacks - COSIC Course 4

Embedded Cryptographic Devices • A cryptographic device is an electronic device that implements a cryptographic algorithm and stores a cryptographic key. It is capable of performing cryptographic operations using that key. IDENTIFICATION PAYMENT COMMUNICATION MULTIMEDIA ... • Embedded : it is exposed to adversaries in a hostile environment; full physical access, no time constraints o Remark: the adversary might be a legitimate user! Side-Channel Attacks - COSIC Course 5

How is Embedded Security affected? • New Model (also simplified view): o Attack on channel and endpoints o Encryption and cryptographic operations in gray boxes o Protection by strong mathematic algorithms and protocols o Protection by secure implementation • Need secure implementations not only algorithms Side-Channel Attacks - COSIC Course 6

Keep in mind A system is as secure as its weakest link Side-Channel Attacks - COSIC Course 7

A system is as secure as its weakest link unknown source: seen on schneier.com Side-Channel Attacks - COSIC Course 8

A system is as secure as its weakest link source: Paul Kocher Side-Channel Attacks - COSIC Course 9

A system is as secure as its weakest link • The adversary will go for the weakest entry point o Disable or go around security mechanisms o Guess / spy on passwords • What is the name of Paris Hilton‘s dog? o Bribe the security guard • Social engineering – Kevin Mitnick • If you use crypto, he will try to go around it o System designer: thinks of the "right" way to use the system o Adversary: does not play by the rules o Designer has to think like the adversary, anticipate attacks, protect against them o There is no way to protect against all attacks • Do you know all atacks? Side-Channel Attacks - COSIC Course 10

Taxonomy of physical attacks • Two orthogonal criteria Non-Invasive o Active : perturbate and conclude o Passive : observe and infer Active Passive o Invasive : open package, contact chip o Semi-Invasive : open package, no contact o Non-Invasive : no modifications Invasive (a) Side-channels: passive and (typically) non-invasive (b) Circuit modification: active and invasive (c) Fault injection: active, different degrees of invasion Side-Channel Attacks - COSIC Course 11

Side-channel Leakage Physical attacks ≠ Cryptanalysis ( gray box, physics) (black box, maths ) • Does not tackle the algorithm's math Input Output Leakage • Observe physical quantities in the device's vincinity and use additional information during cryptanalysis Side-Channel Attacks - COSIC Course 12

Some side-channels (not exhaustive) • Passive: o Timing execution time • Overall or “local” execution time time o Power, Electromagnetic (EM) radiation • Predominant CMOS technology • Dynamic power consumption • Electric current induces an EM field o More exotic but shown to be practical • Sound, temperature, … • Invasive: Photonic emissions Side-Channel Attacks - COSIC Course 13

Principle is nothing new… “Breaking into a safe is hard, because one has to solve a single, very hard problem…” “Divide et impera !” “Things are different if it is possible to solve many small problems instead...” Side-Channel Attacks - COSIC Course 14

A side-channel timing attack (I) • 4-digit PIN verification o 10000 possible combinations o On average 5000 attempts necessary o Typically only 3 attempts allowed (counter) o Probability of correct guess: 3/10000 FUNCTION check (USER_PIN, CORRECT_PIN) MAIN FUNCTION FOR i=1 TO PIN_LENGTH … IF USER_PIN[i] != CORRECT_PIN[i] IF check(…) == -1 RETURN -1 COUNTER++ ENDFOR ELSE RETURN 0 COUNTER = 0 … Side-Channel Attacks - COSIC Course 15

A side-channel timing attack (II) • Execution time of check(…) leaks information o Test random PIN, measure time N o Change first PIN digit, measure time N’ o If N == N’ both digit guesses are wrong o If N > N’ the first digit guess was correct o If N < N’ the new digit guess is correct • Average 5 (worst case 10) attempts per digit • Average 20 (worst case 40) attempts per PIN • … but recall that only 3 attempts are allowed Side-Channel Attacks - COSIC Course 16

Relevance for embedded crypto devices • Some cryptographic primitives gain their mathematical strength by repeating a “weak” function many times o Classical model: adversary only sees final and secure output o Ease of implementation • Other primitives are more complex, but their implementations follow a similar idea • Side- channels leak information about the “weak” intermediate results o Localized leakage inside the implementation Side-Channel Attacks - COSIC Course 17

Invasive attacks • Passive: micro-probing o Probe the bus with a very thin needle o Read out data from bus or individual cells directly o Several needles concurrently source: Helena Handschuh • Active: circuit modification "0" OUT o Connect or disconnect security mechanism • Disconnect security sensors • RNG stuck at a fixed value • Reconstruct blown fuses RNG o Cut or paste tracks with laser or focused ion beam o Add probe pads on buried layers [www.fa-mal.com] Side-Channel Attacks - COSIC Course 18

Fault injection attacks (I) • Non-(semi)invasive: apply combination of strange environmental conditions o Vcc o Glitch o Clock o Temperature o UV o Light o X-Rays o ... error input • And bypass security mechanisms or infer secrets slide source: Helena Handschuh Side-Channel Attacks - COSIC Course 19

Back to the PIN example • Assume the function check(…) runs in constant time MAIN FUNCTION … IF check(…) == -1 COUNTER++ ELSE COUNTER = 0 … • Attacker can target the main function with the aim of obtaining unlimited attempts o Disconnect power supply before increasing counter o “Skip” instructions using glitches o … Side-Channel Attacks - COSIC Course 20

Fault injection attacks (II) • Invasive: exploit faulty behavior provoked by physical stress applied to the device o Laser fault injection allows to target a relatively small surface area of the target device o Laser pulse frequency ~ 50Hz o Fully automated scan of chip surface o Once you have a weak spot: perturbate and exploit source: www.new-wave.com Side-Channel Attacks - COSIC Course 21

Differential Fault Analysis • Ask for a cryptographic computation twice o With any input and no fault (reference) o With the same input and fault injection • Infer information about the key from the output differential • Sometimes a single fault injection is enough! Side-Channel Attacks - COSIC Course 22

Power measurements, Simple Power Analysis (SPA), Differential Power Analysis (DPA) Part II: INTRODUCTION TO POWER ANALYSIS Side-Channel Attacks - COSIC Course 23

Measuring power consumption • Not average power over time, not peak power • Instantaneous power over time o Trace or curve, many samples Time • Typical (automated) measurement setup CENTRAL PC SCOPE POWER SUPPLY / FUNCTION GENERATOR CRYPTOGRAPHIC DEVICES Side-Channel Attacks - COSIC Course 24

Measuring power consumption (II) • Logic: constant supply voltage, supply current varies • Predominant technology: CMOS o Low static power consumption o Relatively high dynamic power consumption o Power consumption depends on input • CMOS inverter: Input Output Current 0-1 0  0 1  1 Low transition 0  1 1  0 Discharge 1  0 0  1 Charge 1  1 0  0 Low Side-Channel Attacks - COSIC Course 25

Power Analysis (I) • What can we see looking at a curve? • Information in: o Repetitive patterns: typically coarse, structure of algorithm and implementation (e.g. loops) o Time: what happens when, program flow o Amplitude: what happens at a given moment in time, data flow • The same operation, executed with different operand values, consumes more or less power • Examples: trace inspection Side-Channel Attacks - COSIC Course 26

Power Analysis (II) Quantized voltage Time • Unprotected software implementation of AES-128 on 8-bit µC o Ten rounds, last round shorter, without MixColumns Side-Channel Attacks - COSIC Course 27

Power Analysis (III) Quantized voltage Time • Unprotected software implementation of AES-128 on 8-bit µC o Two rounds, four AES building blocks look different Side-Channel Attacks - COSIC Course 28