persistent fault analysis on block ciphers
play

Persistent Fault Analysis on Block Ciphers Fan (Terry) Zhang , - PowerPoint PPT Presentation

Feb 23, 2024 •161 likes •505 views

Persistent Fault Analysis on Block Ciphers Fan (Terry) Zhang , Xiaoxuan Lou, Xinjie Zhao, Shivam Bhasin, Wei He, Ruyi Ding, Samiya Qureshi and Kui Ren Zhejiang University CHES2018, Amsterdam, The Netherlands, 09/12/2018 OUTLINE 1 Introduction

  1. Persistent Fault Analysis on Block Ciphers Fan (Terry) Zhang , Xiaoxuan Lou, Xinjie Zhao, Shivam Bhasin, Wei He, Ruyi Ding, Samiya Qureshi and Kui Ren Zhejiang University CHES2018, Amsterdam, The Netherlands, 09/12/2018

  2. OUTLINE 1 Introduction 2 Persistent Fault Attack 3 Persistent Fault Analysis on AES‐128 4 PFA on Countermeasures against Fault Analysis 5 Case Study – Rowhammer‐based PFA on T‐box 6 Conclusion and Future Work

  3. 1. Introduction 1.1 What are fault attacks  Active attacks against cryptographic implementations  FA (Fault Attack) first proposed by Boneh et al in 1996  Two stages: Fault injection and Fault analysis adopted from Josep Balasch in IACR Summer School 2015

  4. 1. Introduction 1.2 Fault injection (online)  Categories • Non‐invasive • Semi‐invasive • Invasive  Techniques • Clock Glitch • Voltage Spike • EM Pulse • Optical Laser  Very popular form of non‐invasive attacks adopted from Josep Balasch in IACR Summer School 2015

  5. 1. Introduction 1.3 Fault model  Granularity: how many bits are affected (aka fault width)  Modification (aka fault type) • Stuck‐at, e.g. zero or one • Flip • Random  Control: on the fault location and on timing adopted from Josep Balasch in IACR Summer School 2015 • Precise • Loose • None  Duration of the fault • Transient • Permanent Persistent

  6. 1. Introduction 1.4 Countermeasures  Hardening hardware • Hide sensitive parts of the chip • Add filters and/or security sensors  Hardening computations • Information redundancy (Addition of parities, linear codes, Ring embeddings, Infective computations) • Hiding countermeasures • Branchless implementations • Parallel execution or inverse execution adopted from Josep Balasch in IACR Summer School 2015

  7. 1. Introduction 1.5 Disadvantages of previous works  Very tight time synchronization on the round calculation and the injection timing  Very complicated analysis due to the random value and the fault propagation  May not work if there are countermeasures against fault attacks

  8. OUTLINE 1 Introduction 2 Persistent Fault Attack 3 Persistent Fault Analysis on AES‐128 4 PFA on Countermeasures against Fault Analysis 5 Case Study – Rowhammer‐based PFA on T‐box 6 Conclusion and Future Work

  9. 2. Persistent Fault Attack 2.1 Fault model of PFA  The adversary can inject faults before the encryption of a block cipher • Typically, these faults alter a stored algorithm constant  The injected faults are persistent • The affected constant stays faulty unless refreshed • All iterations are computed with the faulty constant  The adversary is capable of collecting multiple ciphertext outputs • A watchdog counter on detected faults is considered out of scope

  10. 2. Persistent Fault Attack 2.2 Core idea of Persistent Fault Attack Three Stages

  11. 2. Persistent Fault Attack 2.3 Overview of Persistent Fault Analysis (PFA)  A statistical analysis on the last round, exploiting three types of fault leakages  v and v* are known

  12. 2. Persistent Fault Attack 2.3 Illustration of analysis result  Counts the number of appearances of possible values for the specific byte in ciphertexts

  13. 2. Persistent Fault Attack 2.5 Comparison with other fault analysis (1) The attack is not differential in nature and thus the (1) It needs higher control over the plaintext is not required. number of ciphertexts as compared to DFA (2) The adversary does not necessarily need live synchronization (3) The fault model remains relaxed (2) Persistent faults can be detected by (4) PFA can also be applied in multiple fault setting some built‐in health (5) PFA can bypass some redundancy based test mechanism. countermeasures

  14. OUTLINE 1 Introduction 2 Persistent Fault Attack 3 Persistent Fault Analysis on AES‐128 4 PFA on Countermeasures against Fault Analysis 5 Case Study – Rowhammer‐based PFA on T‐box 6 Conclusion and Future Work

  15. 3. PFA on AES‐128 3.1 AES implementations  S‐box Implementation  T‐box Implementation

  16. 3. PFA on AES‐128 3.2 PFA on vulnerable S‐box implementation

  17. 3. PFA on AES‐128 3.3 Practical result v.s. Theoretical estimation  φ t (n) is calculated by the equation, coupon collector’s problem.  φ(n) is calculated by the code  φ(n) is close to φ t (n) • φ t (n) ≤ 16 when n ≈ 1240 • φ(n) ≤ 16 when n ≈ 1360 • φ t (n) ≤ 1 when n ≥ 1405 • φ(n) ≤ 1 when n ≥ 2148  The full key attacks are conducted ξ=1000 times • 1678 ≤ N f ≤ 3504 • N f ≈2281 on average

  18. OUTLINE 1 Introduction 2 Persistent Fault Attack 3 Persistent Fault Analysis on AES‐128 4 PFA on Countermeasures against Fault Analysis 5 Case Study – Rowhammer‐based PFA on T‐box 6 Conclusion and Future Work

  19. 4. PFA on Countermeasures against FA 4.1 Dual Modular Redundancy (DMR)  Time redundancy v.s. Space redundancy  Two modules: Module 1 and Modules 2 • Redundant Encryption based DMR (REDMR) • Inversive Decryption based DMR (IDDMR)  PFA is naturally against REDMR

  20. 4. PFA on Countermeasures against FA 4.2 Three types based on the reaction  NCO: No ciphertext output  ZVO: Zero value output  RCO: Random ciphertext output  REDMR • If both the modules use shared memory, i.e. , common lookup tables • All three countermeasures will fail  IDDMR • A stronger countermeasure (two different lookup tables)

  21. 4. PFA on Countermeasures against FA 4.3 PFA on S‐box (I1) with NCO/ZVO  p , the probability that one plaintext can bypass IDDMR  Only p*N ciphertexts can be used in attacks  The adversary requires N/p ≈ 1.8706*N encryptions (equivalent to REDMR)  ξ=1000  3042 ≤ N f ≤ 7141  N f ≈4234 on average  If n ≥ 7200, the success rate is 100%

  22. 4. PFA on Countermeasures against FA 4.4 PFA on S‐box (I1) with RCO  No impossible values, however, the slight probability difference can still be detected

  23. 4. PFA on Countermeasures against FA 4.5 PFA on AES‐128 with RCO using thresholds τ 1 =  Two thresholds to differentiate the abnormal cases τ 2 =  Apply PFA on S‐box (I1) and T‐box (I2) implementation

  24. OUTLINE 1 Introduction 2 Persistent Fault Attack 3 Persistent Fault Analysis on AES‐128 4 PFA on Countermeasures against Fault Analysis 5 Case Study – Rowhammer‐based PFA on T‐box 6 Conclusion and Future Work

  25. 5. Case Study: Rowhammer‐based PFA 5.1 Background of Rowhammer techniques and shared libraries  Shared library  Rowhamer vulnerability • Multiple processes shared one lib • Appeared in 2014 • Dynamic load • Frequent DRAM access leads to disturbance errors • Read only at ring3 (user mode) • Hardware intrinsic, difficult to prevent • Libgcrypt, OpenSSL, Crypto++, etc • Can be triggered from software (js, network) • Can gain the privileges of ring0 without authorizations

  26. 5. Case Study: Rowhammer‐based PFA 5.3 Setup of our Rowhammer experiments  Libgcrypt v1.6.3  Lenovo ThinkPad x230 laptop • Compiled as shared library • Intel(R) Core(TM) i5‐3320M at 2.60GHz • GCC 4.6.3, No optimization • two Samsung DDR3 modules, 2GB at  T‐box implementation (I3) 1333MHz • Linux OS is Ubuntu 12.04 LTS, kernel • AES T‐table T0 starts at the offset 000d6710h • T 0 is followed by the corresponding element of T’ 0 version of 3.2.0‐79 generic

  27. 5. Case Study: Rowhammer‐based PFA 5.4 Results of Hammering  Successfully inject one bit to any of T’ 0 , T’ 1 , T’ 2 , T’ 3 • Occur 5,4,6,5 times to T’0, T’1, T’2, T’3, in 90.80, 57.75, 49.83, 59.6 minutes respectively  Ranging from 3 up to 230 minutes for the first 20 experiments • Facilitated with profiling  It takes about 461 and 1367 minutes • Without profiling

  28. 5. Case Study: Rowhammer‐based PFA 5.5 Results of Analysis  REDMR  One injection can recover four bytes. • 4000 ciphertexts are collected  At least four injections are required  8200 ciphertexts are required to recover the full key • 2050 ciphertexts per row

  29. OUTLINE 1 Introduction 2 Persistent Fault Attack 3 Persistent Fault Analysis on AES‐128 4 PFA on Countermeasures against Fault Analysis 5 Case Study – Rowhammer‐based PFA on T‐box 6 Conclusion and Future Work

  30. 6. Conclusion and Future Work 6.1 Conclusion  We propose persistent fault analysis • A novel attack on general block ciphers • Can defeat mainstream countermeasures against fault attacks • Can be used in different fault attacks with persistence • Different implementations • Different analysis strategies  We conduct several evaluations • The attack is practically conducted in a shared library setting to target AES‐128 in cryptographic library Libgcrypt

  31. 6. Conclusion and Future Work 6.2 Future work  More formal proofs on the theoretical estimation based on probabilities • Analog to Coupon Collector’s Problem  Revisit the case for key scheduling  Countermeasures design (Counter or health check)  And more

  32. Thank you very much! Q and A CHES2018, Amsterdam, The Netherlands, 09/12/2018

Recommend

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. Introduction to Fault Attacks 2. Persistent Fault Analysis (PFA) 3. PFA on Fault

588 views • 19 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu Hou 1 , Jakub Breier 2 , Fuyuan Zhang 3 , and Yang Liu 2 1 National University of Singapore, Singapore 2 HP-NTU Digital Manufacturing Corporate Lab,

513 views • 26 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and

Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and

Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and Information Security Agency) Friday, October 2 nd , 2015 - Singapore Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures|

1.19k views • 69 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu Iwata Nagoya University, Japan FSE 2020 November 913, 2020, Virtual 1 / 19 Block Ciphers block cipher (BC) E : K { 0 , 1 } n { 0

530 views • 24 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1 cole Normale

Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1 cole Normale

Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1

550 views • 23 slides
Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
Performance Analysis of Contemporary Lightweight Block Ciphers on 8-bit Microcontrollers Sren

Performance Analysis of Contemporary Lightweight Block Ciphers on 8-bit Microcontrollers Sren

Performance Analysis of Contemporary Lightweight Block Ciphers on 8-bit Microcontrollers Sren Rinne, Thomas Eisenbarth, and Christof Paar Horst Grtz Institute for IT Security Ruhr-Universitt Bochum, Germany 11.06.2007 SPEED Workshop,

469 views • 18 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

1 B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n is called a block cipher . The positive integer n denotes the block size ( block length ). 3 B.25 Remark and Convention The encryption

709 views • 67 slides
On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets Ricardo J. Rodr

On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets Ricardo J. Rodr

On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets Ricardo J. Rodr guez rj.rodriguez@unileon.es Research Institute of Applied Sciences in Cybersecurity University of Le on, Spain June 10, 2015 XXIII Jornadas de

750 views • 51 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A function E : {0, 1} k {0, 1} n

553 views • 32 slides
T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES

T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES

T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES 3.3 IDEA 3.4 AES Kaufman et al: Chapter 3 Stallings: Chapters 3, 5 1 Block ciphers Confidentiality primitive Threat: recover the plaintext

774 views • 15 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Sept 15, 2016 Announcements Project due Sept 20 Recall: Block cipher A function E : {0, 1} k {0, 1} n {0, 1} n . Once

417 views • 30 slides
T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher confidentiality modes of operation Kaufman et al: Ch 4 Stallings: Ch 6, Ch 3 1 Stream ciphers Stream ciphers are generally faster than block

535 views • 12 slides
Design Issues of Block Ciphers The objectives of this part is to show certain design issues of

Design Issues of Block Ciphers The objectives of this part is to show certain design issues of

Design Issues of Block Ciphers The objectives of this part is to show certain design issues of block ciphers. 1 Block Ciphers and Stream Ciphers A one-key cipher is a 5-tuple ( M , C , K , E k , D k ) , where M , C , K are respectively the

461 views • 12 slides
Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

8 + Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu Rivain 1 , 2 , Emmanuelle Dottax 1 & Emmanuel Prouff 1 Oberthur Card Systems University of Luxembourg February 11, 2008 M. Rivain, E.

812 views • 64 slides
How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and Break them Eric Filiol, filiol@esiea.fr ESIEA -

808 views • 64 slides
Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks Properties of Secure Ciphers Components of Block Ciphers Classes of Block Ciphers DES AES Secure Communication using

606 views • 27 slides
Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers

Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers

Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August 20, 2016 PROOFS 2016 Sarani Bhattacharya

591 views • 42 slides

More recommend