overview of countermeasures
play

Overview of Countermeasures against Implementation Attacks Marcel - PowerPoint PPT Presentation

Sep 27, 2022 •135 likes •549 views

Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com Outline Motivation & general mechanisms Side-channel countermeasures Fault countermeasures Conclusions 2 Design and Security of

  1. Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com

  2. Outline Motivation & general mechanisms Side-channel countermeasures Fault countermeasures Conclusions 2 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  3. Motivation Sensitive applications require certification – Pay TV, Banking,... – e.g. CC EAL5+ – Semi-formal evidence for security – Standard portfolio of attacks • SCA • Fault analysis, probing • … Cost security tradeoff 3 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  4. General Mechanisms Constant Detection Instantaneous Timing Leakage Limit measurements m 1 Faults m 2 c = E k (m) ... Probing ... m n Low SNR Independence Shielding Dependence 4 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  5. Side-Channel Countermeasures Data independent timing Hiding Masking Regular key updates Dependent leakage 5 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  6. Data Independent Timing Data dependent branches – Reduction, Compiler • Use regular algorithms • Use assembly code Architectural features – e.g. ARM7 multiplier • time(0xFFFF*Op2) > time(0xFF*Op2) – Cache [ [ – Code alignment • Prefetch / Branch 6 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  7. Instantaneous Leakage - Preliminaries Leakage trace – Vector of t leakage samples Sensitive variable v – Depends on key and input  Observe noisy function of v – For some i, – E.g. L = Hamming weight – Normal distributed noise Univariate, First-order, Hamming weight – Templates and Correlation are asymptotically equivalent 7 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  8. Hiding in General In each clock cycle, consume either – (close to) random power  increase n – (close to) constant power  L(v) ~ const. Hiding only decreases the SNR Hiding dimensions – Time – Amplitude 8 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  9. Hiding in Time with Shuffling (1) Time – Insertion of dummy operations – Shuffling time S 1 S 3 S 3 D S 2 S 3 S 4 S 4 S 1 D S 2 S 4 S 1 D D S 2 observations S 1 S 3 D S 2 S 3 S 4 D D S 2 S 4 S 4 D S 3 D S 1 D D S 2 D S 4 S 1 S 2 S 3 S 4 S 3 D S 4 S 1 D D S 2 D S 1 S 2 S 3 S 4 9 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  10. Hiding in Time with Shuffling (2) Effect of time randomization with k positions – Sample from with probability 1/k Plain attack – Correlation ~ k – k 2 traces Integration over all k positions – Noise increases linearly – Correlation ~ k -1/2 10 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  11. Hiding in Amplitude Peripheral activity – ADCs – Co-processors Memory addresses – of dummy registers – of key dependent registers Random precharge of bus – Pure HD leakage? 11 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  12. Hiding in Hardware Time – Dummy instructions – Shuffling – Random jitters Amplitude – Filters • Switching capacitors • Constant drain circuits – Noise generation engines – Parallelization – Pipelining / Unrolling – Dynamic reconfiguration (FPGAs) 12 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  13. Hiding at Cell Level Dual-rail precharge logic styles Trans. l 0  0 0 a Single 0  1 1 q Rail b 1  0 1 1  1 0  Talk by Ingrid Verbauwhede Trans. l 10  00 1 a Dual ¬a q 01  00 1 b Rail ¬q 00  10 ¬b 1 00  01 1 13 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  14. Conclusions for Hiding Decrease the SNR – Increase noise – Decrease signal Only minor changes to the algorithms Noise is essential for masking! EM measurements can overcome many hiding countermeasures – Shuffling / dummy operations are strong but – Which resources are used? – Exact same behavior of circuit? 14 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  15. Masking Randomized redundant representation – nth-order masking – All n-1 intermediate variables are independent of v – Adversary needs to • identify n leakage samples • and combine their information Challenge – Usually achieving is not straightforward 15 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  16. Masking Few Bits (1) Assume little structure (e.g. block cipher) – Boolean masking • Alternatively – Multiplicative masking (zero-value problem) • – Affine Masking • 16 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  17. Masking Few Bits (2) Marginal PDFs are independent  joint PDF WH(v)=0 WH(v) = 4 W H (v 2 ) W H (v 2 ) W H (v 1 ) W H (v 1 ) Effect – k shares, sufficient noise – Number of traces relates to – Combination results in additional loss 17 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  18. Masking Few Bits (3) Combined Only masking Only shuffling 18 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  19. Masking in Software (1) First-order masking  Lookup tables Higher order masking – Secure table computation for 2nd order masking – Test all subsets! Check Hamming distance – Buses, registers,... 19 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  20. Masking in Software (2) Rivain and Prouff – CHES10 – Provable secure masking for AES with arbitrary order – Based on Private Circuits Genelle, Prouff, and M. Quisquarter – CHES11 – Combination of additive and multiplicative masking Cycle counts for a masked AES Masking order AES cycles – Pay for security directly w/o masking 2 000 in execution time 1 25 000 2 69 000 3 180 000 20 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  21. Masking in Hardware (1) v m S(v) m„ Masked S-box m„ m Unclear what synthesizer does – Unintentional unmasking – Unintentional combination function Data dependent phenomena – Glitches – Early propagation – Cross-talk 21 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  22. Masking in Hardware (2) Nikova et al. – Threshold implementation – Independent processing of subset of shares z 1 f 1 f 4 v 1 y 1 f 2 f 5 z 2 v 2 y 2 f 3 f 6 z 3 v 3 y 3 If shares processed in parallel – Univariate leakage – But still higher order attack  Talk by Svetla Nikova 22 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  23. Flawed Masking Can only provide a constant factor Do you measure right or left of the line, how bad is your flaw? Taken from http://perso.uclouvain.be/fstandae/PUBLIS/107_slides.pdf Test: Does your second-order attack work better than your first-order one? 23 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  24. Masked Logic Styles Remove requirement for balanced routing – Average power consumption is constant (in theory) – E.g. MDPL NAND gate a m b m m ¬a m ¬b m ¬m q ¬q a m 0 0 0 1 1 1 1 0 SR b m q MAJ 0 1 0 1 0 1 1 0 m 1 0 0 0 1 1 1 0 1 1 0 0 0 1 0 1 ¬a m SR 0 0 1 1 1 0 1 0 ¬b m ¬q MAJ 0 1 1 1 0 0 0 1 ¬m 1 0 1 0 1 0 0 1 1 1 1 0 0 0 0 1 24 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  25. Exploiting Algebraic Structures Scalar blinding Message blinding Embeddings 25 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  26. Using Inherent Redundancy ECC point projection – Originally to avoid inversions – Free randomization 26 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

  27. Conclusions for Masking Take care of – Unintentional unmasking – Glitches – Lower order leakages For small mask widths – PDFs can be estimated – But exponential increase in data complexity For large mask widths (PKC) – Inexpensive and very effective – But complex operations  Additive masking of multiplicative masking,… 27 Design and Security of Cryptographic Functions, Algorithms and Devices Marcel Medwed, Albena, May 2013

Recommend

On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 ,

On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 ,

Physical Attacks New Attacks on Classical Countermeasures Extended Countermeasures On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 , Thomas ROCHE 1 , Adrian THILLARD 1 1 ANSSI (French Network and

358 views • 25 slides
MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi

MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi

MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi Peng Chunyi Peng , Chi-Yu Li, Guan-Hua Tu, Songwu Lu, Lixia Zhang University of California, Los Angeles ACM CCS12 ACM CCS'12 C Peng (UCLA)

480 views • 27 slides
HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference Mangard et. al, "Power Analysis Attacks, Revealing the Secrets of Smart Cards", Springer, 2009 Power analysis attacks are effective because the

479 views • 19 slides
Overview of Countermeasures against Implementation Attacks Marcel Medwed UCL Crypto Group

Overview of Countermeasures against Implementation Attacks Marcel Medwed UCL Crypto Group

Overview of Countermeasures against Implementation Attacks Marcel Medwed UCL Crypto Group Marcel.medwed@uclouvain.be Design and Security of Cryptographic Algorithms and Devices 1 Albena, May 2011 Outline 1. Motivation & general

787 views • 40 slides
Earthquake and Tsunami Countermeasures in Japan The Committee for Technical Investigation on

Earthquake and Tsunami Countermeasures in Japan The Committee for Technical Investigation on

May 10, 2013 Earthquake and Tsunami Countermeasures in Japan The Committee for Technical Investigation on Countermeasures for Earthquakes and Tsunamis Based on The Lessons Learned from The 2011 Off The Pacific Coast of Tohoku Earthquake

436 views • 29 slides
On Countermeasures for Riverine and Marine Plastic Litter in India 12 -22 May 2020 Session 2:

On Countermeasures for Riverine and Marine Plastic Litter in India 12 -22 May 2020 Session 2:

National Policy Workshop Webinar Series On Countermeasures for Riverine and Marine Plastic Litter in India 12 -22 May 2020 Session 2: Community Perceptions and behavioral aspects for plastic management and promotion of countermeasures to

473 views • 19 slides
Attacks and Countermeasures for White-box Designs Alex Biryukov, Aleksei Udovenko CSC and SnT,

Attacks and Countermeasures for White-box Designs Alex Biryukov, Aleksei Udovenko CSC and SnT,

Attacks and Countermeasures for White-box Designs Alex Biryukov, Aleksei Udovenko CSC and SnT, University of Luxembourg December 5, 2018 Plan 1 Introduction 2 Attacks on Masked White-box Implementations 3 Countermeasures 4 Algebraic Security 0

797 views • 53 slides
Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Introduction Threats Setups Attacks Countermeasures Conclusion 1 / 31 Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of Cryptographic Algorithms and Devices for Real-World Applications Sibenik,

849 views • 31 slides
Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations

Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations

Introduction Countermeasures Dissection Information Extraction Attack Results Closed Source Evaluation Conclusion Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations Olivier Bronchain Fran

2.22k views • 189 slides
SOCIAL ENGINEERING THREATS & COUNTERMEASURES IN AN OVERLY

SOCIAL ENGINEERING THREATS & COUNTERMEASURES IN AN OVERLY

SOCIAL ENGINEERING THREATS & COUNTERMEASURES IN AN OVERLY CONNECTED WORLD SHANE MACDOUGALL TACTICAL INTELLIGENCE INC. About Me InfoSec since 1989

1k views • 79 slides
I n p u t sanitization); drop table slides New attacks and countermeasures: SQL

I n p u t sanitization); drop table slides New attacks and countermeasures: SQL

This time Continuing with Software Getting insane with Security I n p u t sanitization); drop table slides New attacks and countermeasures: SQL injection Background on web architectures A very basic web architecture Client

1.22k views • 102 slides
Full Year Results to 31 October 2012 Counter-IED Countermeasures Munitions Pyrotechnics Peter

Full Year Results to 31 October 2012 Counter-IED Countermeasures Munitions Pyrotechnics Peter

Full Year Results to 31 October 2012 Counter-IED Countermeasures Munitions Pyrotechnics Peter Hickson Chairman Counter-IED Countermeasures Munitions Pyrotechnics Chemring Group PLC FY 2012 Results Introduction A disappointing

694 views • 34 slides
C and C++ vulnerability exploits and countermeasures Frank Piessens

C and C++ vulnerability exploits and countermeasures Frank Piessens

C and C++ vulnerability exploits and countermeasures Frank Piessens (Frank.Piessens@cs.kuleuven.be) These slides are based on the paper: Low-level Software Security by Example by Erlingsson, Younan and Piessens KATHOLIEKE Secappdev

1.03k views • 77 slides
A Classification of SQL Injection Attack Techniques and Countermeasures William G.J. Halfond,

A Classification of SQL Injection Attack Techniques and Countermeasures William G.J. Halfond,

A Classification of SQL Injection Attack Techniques and Countermeasures William G.J. Halfond, Jeremy Viegas & Alessandro Orso Georgia Institute of Technology This work was partially supported by DHS contract FA8750-05-2-0214 and NSF award

425 views • 29 slides
Challenges in the Development of Medical Countermeasures Tracy MacGill, Ph.D. Sr. MCM Scientist

Challenges in the Development of Medical Countermeasures Tracy MacGill, Ph.D. Sr. MCM Scientist

Challenges in the Development of Medical Countermeasures Tracy MacGill, Ph.D. Sr. MCM Scientist FDA/OC/OCS/OCET Biology of Anthrax November 18, 2016 Disclaimer The views expressed in this presentation are those of the presenter and do not

535 views • 23 slides
Controlled Rest on the Flight Deck Presented by: Brad Favors Chairman, Fatigue Countermeasures

Controlled Rest on the Flight Deck Presented by: Brad Favors Chairman, Fatigue Countermeasures

Controlled Rest on the Flight Deck Presented by: Brad Favors Chairman, Fatigue Countermeasures Working Group Dr. Alexandra Holmes Research Director, Clockwork Research About the Fatigue Countermeasures Working Group The Fatigue

120 views • 9 slides
Routing Bottlenecks in the Internet: Causes, Exploits, and Countermeasures Min Suk Kang Virgil

Routing Bottlenecks in the Internet: Causes, Exploits, and Countermeasures Min Suk Kang Virgil

Routing Bottlenecks in the Internet: Causes, Exploits, and Countermeasures Min Suk Kang Virgil D. Gligor ECE Department and CyLab, Carnegie Mellon University Nov 4, 2014 Route Diversity is Critical to Resiliency of Internet Connectivity

388 views • 22 slides
Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures

Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures

Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures Dahmun Goudarzi, Matthieu Rivain, Srinivas Vivek, and Damien Vergnaud Background 2 Secure Software S-box Implementations Higher-Order

636 views • 25 slides
A Categorization of Violations based on the Key-Factors and Plausible Countermeasures in Human

A Categorization of Violations based on the Key-Factors and Plausible Countermeasures in Human

Transactions of the Korean Nuclear Society Virtual Spring Meeting July 9-10, 2020 A Categorization of Violations based on the Key-Factors and Plausible Countermeasures in Human Error Investigations of Nuclear Events Lee Yong-Hee I&C and

291 views • 4 slides
Electronic Countermeasures Presented by: Antenna Systems and Solutions Co. 931 Albion Avenue

Electronic Countermeasures Presented by: Antenna Systems and Solutions Co. 931 Albion Avenue

Electronic Countermeasures Presented by: Antenna Systems and Solutions Co. 931 Albion Avenue Schaumburg, Illinois 60193 Phone: 847-584-1000 Fax: 847-584-9951 www.antennasystems.com Agenda Definition Methodology Frequency Bands

680 views • 28 slides
EXPERIMENTAL EVALUATION OF TWO SOFTWARE COUNTERMEASURES AGAINST FAULT ATTACKS Nicolas Moro 1,3 ,

EXPERIMENTAL EVALUATION OF TWO SOFTWARE COUNTERMEASURES AGAINST FAULT ATTACKS Nicolas Moro 1,3 ,

EXPERIMENTAL EVALUATION OF TWO SOFTWARE COUNTERMEASURES AGAINST FAULT ATTACKS Nicolas Moro 1,3 , Karine Heydemann 3 , Amine Dehbaoui 2 , Bruno Robisson 1 , Emmanuelle Encrenaz 3 1 CEA Commissariat lEnergie Atomique et aux Energies

679 views • 22 slides
Convolutional Neural Networks with Data Augmentation against Jitter-Based Countermeasures Eleonora

Convolutional Neural Networks with Data Augmentation against Jitter-Based Countermeasures Eleonora

Convolutional Neural Networks with Data Augmentation against Jitter-Based Countermeasures Convolutional Neural Networks with Data Augmentation against Jitter-Based Countermeasures Eleonora Cagli 1 , 3 ecile Dumas 1 C Emmanuel Prouff 2 , 3 1

1.28k views • 100 slides
Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Stefan Mangard, Florian Mendel, Robert Primas ASIACRYPT 2018 IAIK - Graz University of Technology www.tugraz.at

1.01k views • 78 slides
HOST SCA Countermeasures II ECE 525 Introduction We propose a technique called Side-channel

HOST SCA Countermeasures II ECE 525 Introduction We propose a technique called Side-channel

HOST SCA Countermeasures II ECE 525 Introduction We propose a technique called Side-channel Power Resistance for Encryption Algo- rithms using Dynamic Partial Reconfiguration or SPREAD As a countermeasure to DPA, CPA and other types of

689 views • 10 slides

More recommend