introdution to physical cryptanalysis
play

Introdution to Physical Cryptanalysis ASK 2014 Victor LOMNE ANSSI - PowerPoint PPT Presentation

Sep 17, 2023 •93 likes •817 views

Introdution to Physical Cryptanalysis ASK 2014 Victor LOMNE ANSSI (French Network and Information Security Agency) Saturday, December 20 th , 2014 Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections|

  1. Introdution to Physical Cryptanalysis ASK 2014 Victor LOMNE ANSSI (French Network and Information Security Agency) Saturday, December 20 th , 2014

  2. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Agenda Introduction 1 a. Embedded Systems b. Security Models Side Channel Attacks (SCA) 2 a. Side Channels b. Cryptanalysis Techniques c. SCA on Commercial Products Fault Attacks (FA) 3 a. Fault Injection Means b. Cryptanalysis Techniques c. Real World Attacks Combined Attacks 4 a. Use Case b. Principle 5 Protections a. SCA Protections b. FA Protections c. Certification 1/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  3. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Embedded Systems| Security Models| Agenda Introduction 1 a. Embedded Systems b. Security Models Side Channel Attacks (SCA) 2 a. Side Channels b. Cryptanalysis Techniques c. SCA on Commercial Products Fault Attacks (FA) 3 a. Fault Injection Means b. Cryptanalysis Techniques c. Real World Attacks Combined Attacks 4 a. Use Case b. Principle 5 Protections a. SCA Protections b. FA Protections c. Certification 2/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  4. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Embedded Systems| Security Models| Context Since the 90’s, increasing use of secure embedded devices ◮ 8G smartcard ICs sold in 2012 (SIM cards, credit cards ✿ ✿ ✿ ) Strong cryptography from a mathematical point of view used to manage sensitive data ◮ AES, RSA, ECC, SHA-3 ✿ ✿ ✿ 3/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  5. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Embedded Systems| Security Models| Secure Embedded devices Functionalities: ◮ secure boot ◮ secure storage & execution of code in confidentiality & integrity ◮ secure storage of sensitive data in confidentiality & integrity ◮ secure implementation of crypto operations Small set of commands ✮ reduce the Attack Surface 4/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  6. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Embedded Systems| Security Models| Examples of Secure Embedded Devices Smartcards (credit cards, USIM, e-passports ✿ ✿ ✿ ) Trusted Platform Modules (TPM) Smartphone secure elements Hard disk drives with HW encryption Set-Top Boxes Hardware Security Modules (HSM) Wireless sensors network ✿ ✿ ✿ 5/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  7. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Embedded Systems| Security Models| Agenda Introduction 1 a. Embedded Systems b. Security Models Side Channel Attacks (SCA) 2 a. Side Channels b. Cryptanalysis Techniques c. SCA on Commercial Products Fault Attacks (FA) 3 a. Fault Injection Means b. Cryptanalysis Techniques c. Real World Attacks Combined Attacks 4 a. Use Case b. Principle 5 Protections a. SCA Protections b. FA Protections c. Certification 6/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  8. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Embedded Systems| Security Models| Classical Cryptography Black-Box Model assumed in classical cryptography: ◮ key(s) stored in the device ◮ cryptographic operations computed inside the device black-box model PLAINTEXT CIPHERTEXT blablablablablabla tO^à@:/!uYe#&²é" blibliblibliblibliblibl ccGt*µ$Bg;./rSdrtg bloblobloblobloblo ([jKé~-|kLm%*ø$tf blublublublublublu vB:!§eR'{qZé~rt6- blyblyblyblyblybly phçö^$"NhR([qSrT The attacker has only access to pairs of plaintexts / ciphertexts. 7/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  9. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Embedded Systems| Security Models| Secure Cipher - Unsecure Implementation (1/2) ❬ Kocher ❪ ✭ 1996 ✮ ✮ exploitation of physical leakages ◮ cryptosystems integrated in CMOS technology ◮ physical leakages correlated with computed data gray-box model (spy the computation) PLAINTEXT CIPHERTEXT blablablablablabla tO^à@:/!uYe#&²é" blibliblibliblibliblibl CRYPTOSYSTEM ccGt*µ$Bg;./rSdrtg bloblobloblobloblo ([jKé~-|kLm%*ø$tf blublublublublublu vB:!§eR'{qZé~rt6- blyblyblyblyblybly phçö^$"NhR([qSrT time power electromagnetic radiations vibrations light ... The attacker has also access to physical leakages New class of attacks ✮ Side-Channel Attacks (SCA) 8/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  10. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Embedded Systems| Security Models| Secure Cipher - Unsecure Implementation (2/2) ❬ Boneh et al. ❪ ✭ 1997 ✮ ✮ exploitation of faulty encryptions ◮ the attacker can generate faulty encryptions gray-box model (perturbate the computation) PLAINTEXT BAD CIPHERTEXT blablablablablabla tO^à@:/!uYe#&²é" blibliblibliblibliblibl CRYPTOSYSTEM ccGt*µ$toto/rSdrtg bloblobloblobloblo ([jKé~-|kLm%*ø$tf blublublublublublu vB:!§eR'{UZé~rt6- blyblyblyblyblybly phç%^$"NhR([qSrT power glitch light eletromagnetic field ... the attacker has access to correct & faulty ciphertexts New class of attacks ✮ Fault Attacks (FA) 9/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  11. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Agenda Introduction 1 a. Embedded Systems b. Security Models Side Channel Attacks (SCA) 2 a. Side Channels b. Cryptanalysis Techniques c. SCA on Commercial Products Fault Attacks (FA) 3 a. Fault Injection Means b. Cryptanalysis Techniques c. Real World Attacks Combined Attacks 4 a. Use Case b. Principle 5 Protections a. SCA Protections b. FA Protections c. Certification 10/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  12. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Side Channel Cryptanalysis SCA consist in measuring a physical leakage of a device when it handles sensitive information ◮ e.g. cryptographic keys Handled info. are correlated with the physical leakage ◮ e.g. a register leaking as the Hamming Weight of its value The attacker can then apply statistical methods to extract the secret from the measurements ◮ Simple Side-Channel Attacks (SSCA) ◮ Differential Side-Channel Attacks (DSCA) ◮ Template Attacks (TA) ◮ Collision-based Side-Channel Attacks ◮ ✿ ✿ ✿ 11/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  13. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Side Channels| Cryptanalysis Techniques| SCA on Commercial Products| Agenda Introduction 1 a. Embedded Systems b. Security Models Side Channel Attacks (SCA) 2 a. Side Channels b. Cryptanalysis Techniques c. SCA on Commercial Products Fault Attacks (FA) 3 a. Fault Injection Means b. Cryptanalysis Techniques c. Real World Attacks Combined Attacks 4 a. Use Case b. Principle 5 Protections a. SCA Protections b. FA Protections c. Certification 12/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  14. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Side Channels| Cryptanalysis Techniques| SCA on Commercial Products| Physical Leakages exploited by SCA Timing Attacks (CRYPTO 96) - [Kocher] exploit the computational time of cryptographic operations Power Analysis (CRYPTO 99) - [Kocher et al.] exploit the power consumption of the IC ElectroMagnetic Analysis (CHES 01) - [Gandolfi et al.] exploit the electro-magnetic radiations of the IC Acoustic Cryptanalysis (2004) - [Shamir] exploit the sound emitted by the IC Light Emission Analysis (CHES 10) - [Di Battista et al.] exploit the light emission of the IC 13/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  15. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Side Channels| Cryptanalysis Techniques| SCA on Commercial Products| Measuring the Power Consumption of an IC (1/2) Different means: ◮ shunt resistor ◮ current probe ◮ differential probe Optional: Low Noise Amplifier ✦ amplify the signal Cost: low 14/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  16. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Side Channels| Cryptanalysis Techniques| SCA on Commercial Products| Measuring the Power Consumption of an IC (2/2) The IC can filter the current switching The IC can be mounted on complex boards !!! ◮ Where is the power supply pin ? ◮ There is sometimes several power supply pins ✿ ✿ ✿ 15/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

  17. Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections| Side Channels| Cryptanalysis Techniques| SCA on Commercial Products| Measuring the EM Radiations of an IC (1/3) When an IC is computing, current flows through the different metal layers to supply the gates. Maxwell equations ✮ current flowing through each metal rails creates an ElectroMagnetic field 16/70 Victor LOMNE - ANSSI / Physical Cryptanalysis

Recommend

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Iran Post Sanctions: How Much Oil will Hit the Market? New York 28 September 2015 INTRODUTION

Iran Post Sanctions: How Much Oil will Hit the Market? New York 28 September 2015 INTRODUTION

Iran Post Sanctions: How Much Oil will Hit the Market? New York 28 September 2015 INTRODUTION Iran and the P5+1 have agreed on a framework to put an end to the dispute over Irans nuclear program; Once the so-called Joint

457 views • 16 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU Leuven, and imec, Belgium FSE, March 2017 1 Table of Contents ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment

1.12k views • 72 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Description of LAC Differentials and Characteristics Forgery attack Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . . Gatan Leurent Inria, France DIAC 2014 2 / 9 Description of LAC DIAC

1.04k views • 36 slides
Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential cryptanalysis David Gerault LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier,

455 views • 26 slides
Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany Department of Information and Computer Science, Aalto University School of Science, Finland FSE 2014 1 / 21 Outline Introduction Slide Cryptanalysis

712 views • 49 slides
Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit

Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit

Cryptanalysis of RadioGatn Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit des Systmes dInformation 2 Ingenico FSE 2009 - February 22-25 - Leuven Thomas Fuhr , Thomas Peyrin Cryptanalysis

567 views • 28 slides
Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun

Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun

Correlation and Linear Cryptanalysis Correlation of Quadratic Boolean Functions Cryptanalysis of MORUS Conclusion and Discussion Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun Joint work

659 views • 54 slides
Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE Crypto Team cole normale

Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE Crypto Team cole normale

Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE Crypto Team cole normale suprieure Joint work with Dubois, Stern, Shamir, Macario-Rat Summary Matsumoto-Imai (MI) cryptosystem Cryptanalysis of MI by Patarin

388 views • 21 slides
Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev

Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev

Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev FFI, Norway Univ. of Bergen, Norway 28 March 2019, FSE, Paris Briefly Matsuis Linear Cryptanalysis is based on the distribution of x 1 . .

331 views • 30 slides
Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Dependency Other Win Open Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer Science Department University of Haifa, Israel December 14th, 2019 Orr Dunkelman Cryptanalysis of Lightweight Block

322 views • 31 slides
Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan Leurent Inria, quipe SECRET April 10, 2018 1 / 29 Introduction

975 views • 74 slides
Multiple Differential Cryptanalysis: Theory and Practice C eline Blondeau, Beno t G

Multiple Differential Cryptanalysis: Theory and Practice C eline Blondeau, Beno t G

Multiple Differential Cryptanalysis: Theory and Practice C eline Blondeau, Beno t G erard SECRET-Project-Team, INRIA, France aaa FSE, February 14th, 2011 C.Blondeau and B.G erard. Multiple differential cryptanalysis 1/ 20

660 views • 28 slides
Distribution Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto

Distribution Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto

Distribution Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University School of Science kaisa.nyberg@aalto.fi June 11, 2013 Introduction Piling-Up Lemma Multidimensional Linear Cryptanalysis SSA Link

962 views • 48 slides
Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes David McGrew mcgrew@cisco.com Fast

554 views • 43 slides
A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S.

A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S.

Motivation Biclique Cryptanalysis Our Framework Results A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S. Lucks J. Wenzel Bauhaus-Universit at Weimar FSE 2013, Singapore 13.03.2013 F.

633 views • 31 slides
Quantum Difgerential and Linear Cryptanalysis Truncated difgerential Difgerential Marc Kaplan 1 ,

Quantum Difgerential and Linear Cryptanalysis Truncated difgerential Difgerential Marc Kaplan 1 ,

Introduction Brute-force FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia 1 / 25 Conclusion Quantum Difgerential and Linear Cryptanalysis Truncated difgerential Difgerential Marc Kaplan

410 views • 38 slides
Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and

Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and

Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and Information Security Agency) Friday, October 2 nd , 2015 - Singapore Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures|

1.19k views • 69 slides

More recommend