
Overview of Countermeasures against Implementation Attacks



  1. Overview of Countermeasures against Implementation Attacks
     Marcel Medwed, UCL Crypto Group, Marcel.medwed@uclouvain.be
     Design and Security of Cryptographic Algorithms and Devices, Albena, May 2011

  2. Outline
     1. Motivation & general mechanisms
     2. Side-channel countermeasures
     3. Fault countermeasures
     4. Conclusions

  3. Motivation
     • Sensitive applications require certification
       – Pay TV, Banking, ...
       – Standard portfolio of attacks
         • SCA
         • Fault analysis, probing
         • …
     • Cost security tradeoff

  4. General Mechanisms
     [Figure: diagram around c = E_k(m) with inputs m_1, m_2, ..., m_n; labels: Constant, Detection, Instantaneous, Timing, Leakage, Limit measurements, Faults, Probing, Low SNR, Independence, Shielding]

  5. Side-Channel Countermeasures
     1. Data independent timing
     2. Hiding
     3. Masking
     4. Regular key updates

  6. Data Independent Timing
     • Data dependent branches
       – Reduction, Compiler
       → Use regular algorithms
       → Use assembly code
     • Architectural features
       – e.g. ARM7 multiplier
         • time(0xFFFF*Op2) > time(0xFF*Op2)
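The "reduction" case from this slide, written once with a data dependent branch and once as a regular algorithm. This is an added example, not code from the presentation; the function names and the precondition x < 2q, q < 2^31 are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Branching reduction: the subtraction only executes when x >= q, so the
 * running time depends on the (possibly secret) value of x. */
static uint32_t reduce_branch(uint32_t x, uint32_t q)
{
    if (x >= q)
        x -= q;
    return x;
}

/* Regular reduction: always subtract, then derive a mask from the borrow
 * and use it to undo the subtraction. Same instruction sequence for every
 * input. Assumed precondition: x < 2q and q < 2^31. */
static uint32_t reduce_ct(uint32_t x, uint32_t q)
{
    uint32_t d = x - q;              /* wraps around when x < q            */
    uint32_t mask = 0u - (d >> 31);  /* all ones on borrow, zero otherwise */
    return d + (q & mask);           /* add q back only when x < q         */
}

/* Modular addition of a, b < q without a secret-dependent branch. */
static uint32_t add_mod(uint32_t a, uint32_t b, uint32_t q)
{
    return reduce_ct(a + b, q);
}

int main(void)
{
    const uint32_t q = 3329;         /* constructed sample modulus */
    unsigned mismatches = 0;
    for (uint32_t x = 0; x < 2 * q; x++)
        mismatches += reduce_ct(x, q) != reduce_branch(x, q);
    printf("mismatches: %u, add_mod(3328, 3328) = %u\n",
           mismatches, add_mod(3328, 3328, q));
    /* A compiler may turn the mask back into a branch; inspect the
     * generated assembly, as the slide's "Compiler" item warns. */
    return 0;
}
```

The example avoids multiplications on purpose, since on cores with an early-terminating multiplier the operand value itself changes the cycle count.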

  7. Instantaneous Leakage
     • Leakage trace
       – Vector of t leakage samples
     • Sensitive variable v
       – Depends on key and input
     • Observe noisy function of v
       – For some i,
       – E.g. L = Hamming weight

  8. Hiding
     • In each clock cycle, consume either
       – (close to) random power → increase n
       – (close to) constant power → L(v) ~ const.
     • Hiding only decreases the SNR
     • Hiding dimensions
       – Time
       – Amplitude

  9. Hiding in Software I
     • Time
       – Insertion of dummy operations
       – Shuffling
     [Figure: axes "time" and "observations"; each observation shows a different ordering of S1, S2, S3, S4 interleaved with D]

  10. Hiding in Software II
      – Effect of time randomization with n positions
        • Sample from with probability 1/n
      – Integration over all n positions
        • Noise increases linearly
        • Correlation ~ n^(-1/2)
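A small simulation of the n^(-1/2) statement on this slide, added here as an example and not taken from the presentation. It assumes every one of the n shuffled positions leaks the Hamming weight of an independent uniform byte and that there is no measurement noise; it reports the squared correlation, which should then be close to 1/n after integration.

```c
#include <stdint.h>
#include <stdio.h>

static uint32_t rng_state = 0x2011u;   /* fixed seed so runs are reproducible */

static uint32_t rng(void)              /* xorshift32: simulation only */
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

static int hw8(uint32_t x)             /* Hamming weight of the low byte */
{
    int w = 0;
    for (int i = 0; i < 8; i++) w += (int)((x >> i) & 1u);
    return w;
}

/* Squared Pearson correlation between the target operation's leakage and
 * what the attacker observes. integrate = 0: one fixed time position;
 * integrate = 1: sum of the leakage of all n positions. */
static double corr_sq(int n, int integrate, int traces)
{
    double sx = 0, sy = 0, sxx = 0, syy = 0, sxy = 0;
    for (int t = 0; t < traces; t++) {
        int pos = (int)((rng() >> 8) % (uint32_t)n);  /* target's random slot */
        int target = 0, obs = 0;
        for (int i = 0; i < n; i++) {
            int l = hw8(rng() >> 16);                 /* leakage of slot i */
            if (i == pos) target = l;
            if (integrate || i == 0) obs += l;
        }
        sx += target; sy += obs; sxy += (double)target * obs;
        sxx += (double)target * target; syy += (double)obs * obs;
    }
    double cov = sxy - sx * sy / traces;
    double vx = sxx - sx * sx / traces, vy = syy - sy * sy / traces;
    return cov * cov / (vx * vy);
}

int main(void)
{
    for (int n = 1; n <= 16; n *= 2)
        printf("n=%2d  fixed sample r^2=%.4f  integrated r^2=%.4f  1/n=%.4f\n",
               n, corr_sq(n, 0, 50000), corr_sq(n, 1, 50000), 1.0 / n);
    return 0;
}
```

Without integration the correlation at a single sample drops like 1/n (r^2 near 1/n^2), which is why integrating over all positions is the better attack strategy against shuffling alone.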

  11. Hiding in Software III
      • Amplitude
        – Peripheral activity
          • ADCs
          • Co-processors
        – Memory addresses
          • of dummy registers
          • of key dependent registers
        – Random precharge of bus
          • Pure HD leakage?

  12. Hiding in Hardware I
      • Time
        – Dummy instructions
        – Shuffling
        – Random jitters
        – Change clock frequency
        – Multiple clock domains

  13. Hiding in Hardware II
      • Amplitude
        – Filters
          • Switching capacitors
          • Constant drain circuits
        – Noise generation engines
        – Parallelization
        – Pipelining / Unrolling
        – Dynamic reconfiguration (FPGAs)

  14. Hiding at Cell Level
      • Dual-rail precharge logic styles

      Single rail (gate with inputs a, b and output q):
        Trans.     l
        0 → 0      0
        0 → 1      1
        1 → 0      1
        1 → 1      0

      Dual rail (gate with inputs a, ¬a, b, ¬b and outputs q, ¬q):
        Trans.     l
        10 → 00    1
        01 → 00    1
        00 → 10    1
        00 → 01    1

  15. Conclusions for Hiding
      • Decrease the SNR
        – Increase noise
        – Decrease signal
      • Only minor changes to the algorithms
      • Check local SNRs
      • Noise is essential for masking!

  16. Masking
      • Randomized redundant representation
        –
      • nth-order masking
        – All n-1 intermediate variables are independent of v
        – Adversary needs to
          • identify n leakage samples
          • and combine their information
      • Challenge
        – Usually achieving is not straightforward

  17. Masking Few Bits I
      • Assume little structure (e.g. block cipher)
        – Boolean masking
      • Alternatively
        – Multiplicative masking (zero-value problem)
        – Affine Masking

  18. Masking Few Bits II
      • Marginal PDFs are independent → joint PDF
      [Figure: two panels, W_H(v) = 0 and W_H(v) = 4; axes W_H(v_1) and W_H(v_2)]
      • Effect
        – k shares, sufficient noise
        – Number of traces relates to
        – Combination results in additional loss

  19. Masking Few Bits III
      [Figure: curves labelled Combined, Only masking, Only shuffling]

  20. Masking in Software I
      • First-order masking → Lookup tables
      • Higher order masking
        – Secure table computation for 2nd order masking
        – Test all subsets!
      • Check Hamming distance
        – Buses, registers, ...
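A first-order masked table lookup and the Hamming-distance check this slide asks for, as an added example that is not part of the presentation. The 4-bit PRESENT S-box stands in for a real table, and the function names are assumptions of the example; masks would come from a hardware RNG in practice and are simply enumerated here.

```c
#include <stdint.h>
#include <stdio.h>

/* 4-bit S-box of the PRESENT cipher, used here as a small stand-in table. */
static const uint8_t SBOX[16] = {0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                                 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2};

static int hw4(int x) { return (x & 1) + ((x >> 1) & 1) + ((x >> 2) & 1) + ((x >> 3) & 1); }

/* Table recomputation: masked[x ^ m_in] = S(x) ^ m_out for all x, so a
 * lookup with v ^ m_in yields S(v) ^ m_out without ever handling v. */
static void recompute_table(uint8_t masked[16], int m_in, int m_out)
{
    for (int x = 0; x < 16; x++)
        masked[x ^ m_in] = (uint8_t)(SBOX[x] ^ m_out);
}

/* Number of (v, m_in, m_out) triples for which the masked lookup, once
 * unmasked, differs from S(v). */
static int count_mismatches(void)
{
    uint8_t masked[16];
    int bad = 0;
    for (int m_in = 0; m_in < 16; m_in++)
        for (int m_out = 0; m_out < 16; m_out++) {
            recompute_table(masked, m_in, m_out);
            for (int v = 0; v < 16; v++)
                bad += (masked[v ^ m_in] ^ m_out) != SBOX[v];
        }
    return bad;
}

/* Hamming distance when a register holding v ^ m_in is overwritten with
 * S(v) ^ m_out. Returns 1 if, for this v, the distance is identical for
 * every mask, i.e. the overwrite exposes HW(v ^ S(v)) unmasked. */
static int overwrite_unmasks(int v, int reuse_mask)
{
    int first = -1;
    for (int m_in = 0; m_in < 16; m_in++)
        for (int m_out = 0; m_out < 16; m_out++) {
            if (reuse_mask && m_out != m_in) continue;
            int hd = hw4((v ^ m_in) ^ (SBOX[v] ^ m_out));
            if (first < 0) first = hd;
            else if (hd != first) return 0;
        }
    return 1;
}

int main(void)
{
    printf("mismatches=%d  same mask leaks=%d  fresh mask leaks=%d\n",
           count_mismatches(), overwrite_unmasks(3, 1), overwrite_unmasks(3, 0));
    return 0;
}
```

Reusing the input mask as the output mask keeps every value masked, yet the register transition cancels the mask; that is the bus and register check the slide refers to.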

  21. Masking in Software II
      • Rivain and Prouff – CHES10
        – Provably secure masking for AES with arbitrary order
        – Based on Private Circuits
      • Cycle counts for a masked AES
        – Pay for security directly in execution time

        Masking order    AES cycles
        w/o masking      2 000
        1                10 000
        2                271 000
        3                470 000

  22. Masking in Hardware I
      [Figure: Masked S-box; labels v, m, S(v), m']
      • Unclear what synthesizer does
        – Unintentional unmasking
        – Unintentional combination function
      • Data dependent glitches

  23. Masking in Hardware II
      • Nikova et al.
        – Threshold implementation
        – Independent processing of subset of shares
      [Figure: three rows with labels v_i, f_1 to f_3, y_i, f_4 to f_6, z_i for i = 1, 2, 3]
      • If shares processed in parallel
        – Univariate leakage
        – But still higher order attack

  24. Masked Logic Styles
      • Remove requirement for balanced routing
        – Average power consumption is constant (in theory)
        – E.g. MDPL NAND gate
      [Figure: MDPL NAND gate; labels a_m, b_m, m, ¬a_m, ¬b_m, ¬m, MAJ, SR, q, ¬q]

        a_m  b_m  m   ¬a_m  ¬b_m  ¬m   q   ¬q
        0    0    0   1     1     1    1   0
        0    1    0   1     0     1    1   0
        1    0    0   0     1     1    1   0
        1    1    0   0     0     1    0   1
        0    0    1   1     1     0    1   0
        0    1    1   1     0     0    0   1
        1    0    1   0     1     0    0   1
        1    1    1   0     0     0    0   1

  25. Exploiting Algebraic Structures
      • Scalar blinding
      • Message blinding
      • Embeddings

  26. Using Inherent Redundancy
      • ECC point projection
        – Originally to avoid inversions
        – Free randomization

  27. Conclusions for Masking
      • Take care of
        – Unintentional unmasking
        – Glitches
        – Lower order leakages
      • For small mask widths
        – PDFs can be estimated
        – But exponential increase in data complexity
      • For large mask widths (PKC)
        – Inexpensive and very effective

  28. Key / Message Transformations
      • Sequential key update
        – E.g. with hash function
      • Indexed key update
        – Use invertible function
      • Parallel key update
        – Easy to protect key update function
      • Leakage resilient cryptography
      • Message transformation
        – Also apply to ciphertext

  29. Evaluating Countermeasures
      • Correlation attacks might overestimate the security
      • Compute mutual information between leakage and sensitive variable
      • Attacks might become too sophisticated
        – lower bound moves far away from real security

  30. Invasive-Attack Countermeasures
      • Fault injection prevention
      • Error detection
          C = f(A,B)
          D = f(A,B)
          If (C != D) then
            errorHandling();
          EndIf;
        [Figure: instruction labels ADD, XOR, AND, CMP; image credit www.coders4fun.com]

  31. Protecting All Points-of-Attack
      • Crypto
        – Data integrity
      • OS level
        – Self-check
        – Redundant state machines
      • Hardware level
        – Prevent physical access
        – Increase cost for physical access
        – Filter fault sources

  32. Active-Attack Prevention
      • Shields
      • Sensors (e.g. light)
      • Filter power line
      • On-chip generation of clock signal
      • Limit number of operations
      • Bury sensitive parts
