It’s Not My Fault, Bart Preneel, FDTC’12 – 9 September 2011

It’s Not My Fault
On Fault Attacks on Symmetric Cryptography
Bart Preneel
COSIC, KU Leuven, Belgium
Bart.Preneel(at)esat.kuleuven.be
http://homes.esat.kuleuven.be/~preneel
FDTC – 9 September 2012

Symmetric crypto history 101 (http://www.ecrypt.eu.org)
• pre-1915: manual encryption or simple devices
• 1915: rotor machines: (electro-)mechanical
• 1960: electronic encryption
• 1975: integrated hardware
• 1990: software

Cryptography: everywhere
everything is always connected everywhere
[Figure: connected devices and their layers, labelled Confidentiality, Integrity, Identification; SIM; Biometrics; Java / JCA; JVM / KVM; CPU; MEM; Vcc; D / Q / CLK]

Implementations in embedded systems
• Protocol: wireless authentication protocol design
• Algorithm: cipher design, embedded fingerprint matching algorithms, crypto algorithms
• Architecture: co-design, HW/SW, SOC
• Micro-Architecture: crypto co-processor design
• Circuit: circuit techniques to combat side channel analysis attacks
• Technology aware solutions?
continuum between software and hardware: ASIC (microcode) – FPGA – fully programmable processor
Slide credit: Prof. Ingrid Verbauwhede

Hagelin C38
[Figure: Hagelin C38]

The sorcerer’s apprentice guide to fault attacks
One of the first examples of faults being injected into a chip was accidental. It was noticed that radioactive particles produced by elements naturally present in packaging material [24] caused faults in chips. Specifically, Uranium-235, Uranium-238 and Thorium-230 residues present in the packaging decay to Lead-206 while releasing particles. These particles create a charge in sensitive chip areas causing bits to flip.
[24] T. May and M. Woods, “A New Physical Mechanism for Soft Errors in Dynamic Memories”, Proceedings of the 16th International Reliability Physics Symposium, April 1978.
Problem: what is this?
• Cryptogram [=14 January 1961 11.00 h]
• <AHQNE XVAZW IQFFR JENFV OUXBD
LQWDB BXFRZ NJVYB QVGOZ KFYQV
GEDBE HGMPS GAZJK RDJQC VJTEB
XNZZH MEVGS ANLLB DQCGF PWCVR
UOMWW LOGSO ZWVVV LDQNI YTZAA
OIJDR UEAAV RWYXH PAWSV CHTYN
HSUIY PKFPZ OSEAW SUZMY QDYEL
FUVOA WLSSD ZVKPU ZSHKK PALWB
SHXRR MLQOK AHQNE 11205 141100>

The answer
• Plaintext [=14 January 1961 11.00 h]
• DOFGD VISWA WVISW JOSEP HWXXW
TERTI OWMIS SIONW BOMBO KOWVO
IRWTE LEXWC EWSUJ ETWAM BABEL
GEWXX WJULE SWXXW BISEC TWTRE
SECVX XWRWV WMWPR INTEX WXXWP
RIMOW RIENW ENVOY EWRUS URWWX
XWPOU VEZWR EGLER WXXWS ECUND
OWREP RENDR EWDUR GENCE WPLAN
WBRAZ ZAWWC

The answer (in readable form)
• Plaintext [=14 January 1961 11.00 h]
• TRESECV. R V M PRINTEX. PRIMO RIEN ENVOYE RUSUR. POUVEZ REGLER. SECUNDO REPRENDRE DURGENCE PLAN BRAZZA VIS A VIS JOSEP H. TERTIO MISSION BOMBOKO VOIR TELEX CE SUJET AMBABELGE. JULES.
Resume urgently plan Brazzaville w.r.t. P. Lumumba

A strange cryptogram
• Cryptogram [=2 February 1961 22.00 h]
• <btwve ghqmg dviww zmdha xbvmx
saftm nuqjs isvgn pjlcx infik
jjibp bxyoh xmwpw amgbn iywgh
lslnr btwve 11075 022200 >
• <Note pour Smal. Votre message printex sans no du trois février 1961 indéchiffrable. Prière répéter>.
(Note for Smal. Your printex message without number of 3 February 1961 undecipherable. Please repeat.)

A strange cryptogram
• Plaintext [=2 February 1961 22.00 h]
• <btwve PRESE NCEWM ANKOV VSKYW
AWEVI LLEWX XWBIS ECTWV OYAGE
WPARA ITWTO UTWAW FAITW INUTI
LEWVU >
• encrypted session key should be: UEWVE (only 5,965,050 combinations)
• session key should be PFHCF rather than PHHCF

Outline
• context and history
• symmetric crypto trends
– maturity
– lightweight crypto
– physical attacks: side channel/fault
• fault attacks on AES
• challenges for research
Block ciphers (key lengths in bits in parentheses)
64-bit block: 3-DES** (112-168), IDEA (128), MISTY1 (128), GOST* (256), KASUMI** (128-3G, 64-2G), HIGHT** (128), PRESENT (80-128), TEA (128), mCrypton (96-128), KATAN64 (80), KTANTAN64* (80), KLEIN* (64-96-128), DESXL (144), LED (64-128), PICCOLO (80-128)
96-bit block: SEA (96), PRINTcipher-96 (160)
128-bit block: AES (128-192-256), CAMELLIA, RC6, SERPENT, CLEFIA
[Figure: symmetric key length scale 0 – 64 – 80 – 128 bits, marked insecure / ? / secure]
• 56 bits: < 1 hour with M$ 5
• 80 bits: 2 years with M$ 5
• 128 bits: 256 billion years with B$ 5

Stream ciphers: the eSTREAM Portfolio (http://www.ecrypt.eu.org/stream)
Software: HC-128, Rabbit, Salsa20/12, Sosemanuk
Hardware: F-FCSR-H v2, Grain v1, MICKEY v2, Trivium
Others: SNOW3G, MUGI

Hash functions: SHA-3 finalists
[Figure: SHA-3 finalists; slide credit: Christophe De Cannière]

MAC algorithms
• block cipher based:
– CBC-MAC (EMAC, CMAC) and PMAC
• hash function based: HMAC
• universal hash function based: GMAC (GCM), UMAC
[Figure: diagrams of the MAC constructions: message blocks x1, x2, …, xt processed under keys K, K1, K2 with block cipher E and functions f1, f2, chaining values H1, H2, …, Ht-1]

Status of symmetric cryptology: ☺
• many mature and well understood designs available
– consequence: new attacks published that need 2^123 chosen plaintexts, 2^233 memory and time 2^253
• weak algorithms are (slowly) disappearing
– Keeloq
– Crypto-1
– Hitag2
– A5/1 and A5/2
– E0
– …

Trend: lightweight crypto
Keeloq [Smit+/-’85]
aka the M$10 cipher
• block length: 32
• key length: 64
• rounds: 528

KATAN/KTANTAN [De Cannière-Dunkelman-Knežević ’09]
http://www.cs.technion.ac.il/~orrd/KATAN/
• block length: 32, 48, 64
• key length: 80
• rounds: 254
• 462-1054 gates

Low cost hw: throughput versus area [Bogdanov+08, Sugawara+08]
(100 KHz clock, technology in multiples of 10 nm)
[Figure: scatter plot of throughput (Kbps, 0-600) against gate equivalents (0-6000) for block ciphers, technology node in parentheses: mCRYPTON-96/128 (13), CLEFIA (9), PRESENT-128 (18), PICCOLO-128, HIGHT (25), TDEA (9), TEA (18), GOST (18), SEA (13), AES (13), AES (35), KATAN (18), KTANTAN (18), MISTY1 (18), PRESENT-80 (18), PRINTcipher-96 (18), LED-128 (18)]

PRINTcipher [Knudsen-Leander-Poschmann-Robshaw’10]
• IC printing technology (different for each print)
• hardwired key
• block length: 48, 96
• key length: 80, 160
• rounds: 48, 96
• 3-bit S-boxes
• key-dependent bit-permutations
• 402-967 gates

SPONGENT: Lightweight Hash Function
Narrow SPONGE construction
Unkeyed PRESENT-type permutation π: 4-bit S-box and bit diffusion
• smallest footprint
• low power
• conservative security

Low cost hw: throughput versus area
(100 KHz clock, technology in multiples of 10 nm)
[Figure: scatter plot of throughput (Kbps, 0-160) against gate equivalents (0-7000) for hash functions at security levels of 80, 96, 112, 128 and 256 bits, technology node in parentheses: SHA-1 (25), sQuark (0.18), Photon, Spongent (13), Keccak-f[400] (13), C-PRESENT (18)]
Physical Attacks
• active versus passive
– active: perturbate and conclude
– passive: observe and infer
• invasive versus non-invasive
– invasive: open package and contact chip
– semi-invasive: open package, no contact
– non-invasive: no modification
• side channel: passive and non-invasive
– timing, power, electromagnetic
– very difficult to detect
– often inexpensive to set-up
– often: need lots of measurements → automating
• circuit modification: active and invasive
– expensive to detect invasion (chip might be without power)
– very expensive equipment and expertise required
[Figure: 2×2 grid of attack classes, active/passive against invasive/non-invasive]

Fault attacks
very powerful attack models
• fix specific bits at 0/1
• dynamically fix specific bits at 0/1
• change 1/more specific bits
• change 1/more specific bytes
• changes state in a specific round
• change some value during the calculation

Differential Fault Analysis (DFA) [Biham-Shamir’97]
Differential cryptanalysis [Biham-Shamir’90], but with unknown input difference
[Figure: two encryptions of plaintext P through rounds 1 … r with round keys K1 … Kr; intermediate values C1, C2, …, C_{r-2}, C_{r-1} in the correct run and C’_{r-2}, C’_{r-1} in the faulty run, with difference 0000…0000 before the fault; outputs ciphertext C and ciphertext C’]

Fault attacks (2)
some attack models are so powerful that they allow for “trivial” attacks
fewer rounds (1-2-3-4)
[Figure: key split into K_left and K_right; exhaustive search over K_right: 2^{k/2}; exhaustive search over K_left: 2^{k/2}]

DFA on AES-128
[Figure: number of faults for simple byte attacks, plotted by year (2000-2012): [Dusart+’03] 50 faults, round 9; [Piret+’03] 2 faults, round 8; [Mukhopadhyay’09] 1 fault, round 8; [Tunstall+’11] 1 fault]

Outline
• context and history
• symmetric crypto trends
– maturity
– lightweight crypto
– physical attacks: side channel/fault
• fault attacks on AES
• challenges for research
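To make the fault models on the Fault attacks slide and the fewer-rounds case on Fault attacks (2) concrete, here is an added Python example that is not from the slides: a toy SPN with a fault-injection hook plus a duplicate-and-compare check of the kind used as a countermeasure. Only the 4-bit S-box is real (the PRESENT S-box); the round structure, the round keys and the fault encoding are constructed for this illustration.

```python
# Added example (not from the slides): toy SPN with a fault-injection hook
# modelling the fault types on the "Fault attacks" slide, and a simple
# duplicate-and-compare countermeasure.  Only the S-box is real (PRESENT);
# round structure and keys are constructed for the illustration.
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]
ROUNDS = 4
KEYS = [0x1234, 0xABCD, 0x0F0F, 0x9999]   # constructed round keys

def round_fn(state, rk):
    """One toy round on a 16-bit state: key add, four S-boxes, rotate left 5."""
    state ^= rk
    state = sum(SBOX[(state >> (4 * i)) & 0xF] << (4 * i) for i in range(4))
    return ((state << 5) | (state >> 11)) & 0xFFFF

def encrypt(plain, round_keys=KEYS, fault=None):
    """Encrypt; fault = (kind, after_round, value) is applied to the state
    once round number after_round has completed.  Kinds follow the slide:
      'flip'  - change one or more specific bits (XOR with value)
      'stuck' - fix specific bits at 1 (OR with value)
      'byte'  - change a specific byte (replace the low byte with value)
      'skip'  - jump the round counter to value, i.e. run fewer rounds"""
    state, r = plain, 0
    while r < ROUNDS:
        state = round_fn(state, round_keys[r])
        r += 1
        if fault is not None and fault[1] == r:
            kind, _, val = fault
            if kind == 'flip':
                state ^= val
            elif kind == 'stuck':
                state |= val
            elif kind == 'byte':
                state = (state & 0xFF00) | (val & 0xFF)
            elif kind == 'skip':
                r = val
    return state

def protected_encrypt(plain, round_keys=KEYS, fault=None, fault_both=False):
    """Duplicate-and-compare: run the cipher twice and release the ciphertext
    only if both runs agree, otherwise return None (fault detected).
    fault_both=True models a fault that hits both redundant runs identically,
    e.g. a shared round counter stuck at its final value."""
    c1 = encrypt(plain, round_keys, fault)
    c2 = encrypt(plain, round_keys, fault if fault_both else None)
    return c1 if c1 == c2 else None
```

A flip, stuck-bit, byte or round-skip fault in one of the two runs is caught, but a fault that shortens both runs identically passes the comparison, so redundancy alone does not cover the round-counter case on the Fault attacks (2) slide.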