side channel analysis

Side Channel Analysis, Chester Rebeiro, IIT Madras - PowerPoint PPT Presentation



  1. Side Channel Analysis. Chester Rebeiro, IIT Madras

  2. Modern ciphers designed with very strong assumptions
     • Kerckhoffs's Principle
       – The system is completely known to the attacker. This includes encryption & decryption algorithms, plaintext
       – only the key is secret
     • Why do we make this assumption?
       – Algorithms can be leaked (secrets never remain secret)
       – or reverse engineered
     Mallory's task is therefore very difficult…

  3. Security as strong as its weakest link
     • Mallory just needs to find the weakest link in the system
     ….there is still hope!!!
     [Figure: Alice encrypts the message “Attack at Dawn!!” with E under key K_E; the ciphertext (#%AR3Xf34^$) crosses an untrusted communication link; Bob decrypts it with D under key K_D.]

  4. Side Channels

  5. Side Channel Analysis (the weak links)
     • Mallory gets information about the keys by monitoring side channels of the device
     • Side channels: e.g. power consumption / radiation of device, execution time, etc.
     [Figure: the Alice/Bob encryption and decryption diagram over an untrusted communication link, with Mallory observing the side channels of the device.]

  6. Side Channel Analysis
     Mallory measures some physical parameter of the device, like radiation, power consumption or timing
     [Figure: Alice encrypts the message “Attack at Dawn!!”; radiation from the device reveals secret information bits.]

  7. Types of Side Channel Attacks (source: Elisabeth Oswald, Univ. of Bristol)

  8. Timing Attacks

  9. Execution Time
     What can you tell from the execution time of this function?
     Finding N/D
     • Execution time depends on values of a and b
       – Fastest when b=0
       – Varies depending on a / b
     • Thus information can be inferred from execution time.
       – Can we get secret information from the timing?

  10. Measuring Time Accurately
      • RDTSC : Read Time Stamp Counter
        – 128 bit register that is reset at boot up and increments at every clock cycle
      • Usage
          Flush pipeline
          T1 = rdtsc()
          Flush pipeline
          /// invoke function to be timed
          T2 = rdtsc()
          Flush pipeline

  11. Flush Pipeline and Read TSC
      timestamp()
      http://arbidprobramming.blogspot.in/2010/05/measuring-timing-accurately-on-intel.html

  12. DIV: Measuring Execution Time
      [Figure: histogram of frequency against clock cycles, x-axis from 340 to 490.]
      • For randomly chosen values of a/b
      • Note the distribution

  13. Timing Attacks on RSA (breaking real-world implementations)
      • Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and other systems
        http://courses.csail.mit.edu/6.857/2006/handouts/TimingAttacks.pdf
      • Remote Timing Attacks are Practical
        https://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf

  14. Exponentiation with Square and Multiply
      $y = x^{c} \bmod n$
      • say, x = 45 = $(101101)_2$

      i    c_i   exp
      5    1     $y$
      4    0     $y^{2}$
      3    1     $y^{4+1} = y^{5}$
      2    1     $y^{10+1} = y^{11}$
      1    0     $y^{22}$
      0    1     $y^{44+1} = y^{45}$

  15. The Attack setup
      $y = x^{c} \bmod n$
      [Figure: the message (x) enters the system, which outputs the cipher (y); the time taken by the system is observed.]
      Source: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and other systems, http://courses.csail.mit.edu/6.857/2006/handouts/TimingAttacks.pdf

  16. Kocher’s Attack to find the b-th bit
      Assumption: Attacker knows bits $c_{l-1}, c_{l-2}, \ldots, c_{b+1}$
      Aim: To discover bit $c_b$
      S1. choose a random x
      S2. trigger an encryption to get $y \equiv x^{c} \bmod n$ and execution time $t$
      S3. (Guess 0) form $c^{(0)} = (c_{l-1}, c_{l-2}, \ldots, c_{b+1}, 0, 0)$;
          trigger an encryption to get $y^{(0)} \equiv x^{c^{(0)}} \bmod n$ and execution time $t_0$
      S4. (Guess 1) form $c^{(1)} = (c_{l-1}, c_{l-2}, \ldots, c_{b+1}, 1, 0)$;
          trigger an encryption to get $y^{(1)} \equiv x^{c^{(1)}} \bmod n$ and execution time $t_1$
      S5. compute difference in execution time: $d^{(0)} = t - t_0$, $d^{(1)} = t - t_1$
      S6. Repeat from S1 several times
      S7. Compute distributions of $D^{(0)}$ from all $d^{(0)}$ and $D^{(1)}$ from all $d^{(1)}$
      S8. If $\mathrm{var}(D^{(0)}) < \mathrm{var}(D^{(1)})$ return '$c_b = 0$' else return '$c_b = 1$'

  17. Adding Distributions
      • Consider two random variables $G_1$ and $G_2$ with mean and variance $(m_1, v_1)$ and $(m_2, v_2)$
      • $G_1 + G_2$ is a distribution with mean and variance $(m_1 + m_2, v_1 + v_2)$
      • $G_1 - G_2$ is a distribution with mean and variance $(m_1 - m_2, v_1 + v_2)$

  18. Assumption
      • During the square and multiply execution,
      • The time taken to perform a square or a multiply is independent of all other square and multiply operations

  19. Execution Time of Square and Multiply
      • Is a Normal Distribution: T with (m, v)
      • Each iteration by itself is a distribution
      c = $(101101)_2$
      [Figure: execution time of each iteration for the bits 0 1 1 0 1.]
      Time: $T = 3\,T_{MUL} + 5\,T_{SQ}$
      $v = 3\,v_{MUL} + 5\,v_{SQ}$

  20. 4 cases
      • Bit $c_b$ in secret is 1
        – Attacker guessed 1 (correctly)
        – Attacker guessed 0 (wrong)
      • Bit $c_b$ in secret is 0
        – Attacker guessed 0 (correctly)
        – Attacker guessed 1 (wrong)
      What we will see is that when the attacker's guess is wrong, the variance is higher.

  21. Case 1.1, when bit $c_b$ is 1 and attacker guess is correct
      [Figure: difference between the full execution time T(m,v) and the partial execution over the bits 0 1 1 0 1; guessed correct as 1 here.]
      $v - v^{*} = 1\,v_{MUL} + 1\,v_{SQ}$
      Variance Reduces

  22. Case 1.2, when bit $c_b$ is 1 and attacker guess is wrong
      [Figure: difference between the full execution time T(m,v) and the partial execution T*(m*,v*) over the bits 0 1 1 0 1; guessed wrong as 0 here.]
      $v - v^{*} = 2\,v_{MUL} + 3\,v_{SQ} > (v_{MUL} + v_{SQ})$
      Variance Increases

  23. Case 2.1, when $c_b$ is 0 and attacker guess is correct
      [Figure: difference between the full execution time and the partial execution over the bits 0 1 0 0 1; guessed correct as 0 here.]
      $v - v^{*} = 1\,v_{MUL} + 1\,v_{SQ}$
      Variance Less

  24. Case 2.2, when $c_b$ is 0 and guess is wrong
      [Figure: difference between the full execution time and the partial execution over the bits 0 1 0 0 1; guessed wrong as 1 here.]
      $v - v^{*} = 2\,v_{MUL} + 3\,v_{SQ}$
      Variance increases

  25. The Iterative Attack
      • We start with the MSB and target one bit at a time till we reach the LSB
      What happens if there is an error in a bit?
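
The variance test of slides 16 to 25, run against a simulated device, as an added example that is not part of the original slides. Assumptions: the per-operation cost function `op_time`, the modulus `N` and the sample counts are constructed for the demo, and the attacker's emulation covers only the known bits plus the guessed bit (the "partial execution" of slides 21 to 24).

```python
import random
import zlib
from statistics import pvariance

N = 2**61 - 1  # constructed modulus, an assumption for this demo


def op_time(a, b):
    """Simulated cycles for one modular multiply; depends only on the operands."""
    return 100 + zlib.crc32(b"%d*%d" % (a, b)) % 64


def timed_exp(x, bits):
    """Left-to-right square and multiply; returns (x^bits mod N, simulated time)."""
    r, t = 1, 0
    for bit in bits:
        t += op_time(r, r)
        r = r * r % N              # square for every bit
        if bit:
            t += op_time(r, x)
            r = r * x % N          # multiply only when the bit is 1
    return r, t


def recover_bits(samples, nbits):
    """samples: (x, t) pairs measured on the device holding the secret exponent."""
    known = []
    for _ in range(nbits):         # MSB first, one bit per round
        variances = []
        for guess in (0, 1):
            # d = t - (time of the partial execution over known bits + guess)
            d = [t - timed_exp(x, known + [guess])[1] for x, t in samples]
            variances.append(pvariance(d))
        known.append(0 if variances[0] < variances[1] else 1)   # step S8
    return known


def demo(secret_bits, n_samples=3000, seed=1):
    rng = random.Random(seed)
    xs = [rng.randrange(2, N) for _ in range(n_samples)]
    samples = [(x, timed_exp(x, secret_bits)[1]) for x in xs]   # "measurements"
    return recover_bits(samples, len(secret_bits))


SECRET = [1, 0, 1, 1, 0, 1]        # c = 45 = (101101)_2, the slides' example

if __name__ == "__main__":
    print(demo(SECRET))
```

A wrong decision at one bit makes every later partial execution diverge from the real one, so both guesses then show similar variance; that loss of contrast is the signal to back up and flip the earlier bit.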

  26. Naïve Countermeasures don’t always work
      All operations constant time
      • Easier said than done!
      • Practically infeasible
      • Highly dependent on system architecture

  27. Naïve Countermeasures don’t always work
      Adding noise to timing measurements
        – Such as, by random delays
      These reduce the signal-to-noise ratio.
      Can be circumvented by making more measurements.
      If the SNR reduces by a factor of n, then the number of measurements increases by a factor of $n^2$

  28. Prevention by Blinding
      choose r randomly and keep it secret
      compute $r^{c} \bmod n$ and $r^{-c} \bmod n$
      $y' \equiv (x \cdot r)^{c} \bmod n$
      $y \equiv y' \cdot r^{-c} \bmod n$
      The blind ‘r’ should be changed before each decryption. One way is to choose r and compute $r^2$. For the next encryption compute $r^2$ and $(r^{-1})^2$
      Why does it work? Since ‘r’ is secret, attackers have no useful knowledge about the input to the modular exponentiator.
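
The blinding steps of slide 28 as an added example (not code from the slides). Assumptions: the toy modulus and exponent are constructed and far too small for real use, Python's built-in `pow` stands in for the modular exponentiator, and the `seen` list exists only so the demo can show what the exponentiator was fed.

```python
import secrets
from math import gcd

N, C = 3233, 2753    # constructed toy values: n = 61 * 53, secret exponent c


class BlindedExponentiator:
    def __init__(self, n=N, c=C):
        self.n, self.c = n, c
        while True:                                # r must be invertible mod n
            r = secrets.randbelow(n - 2) + 2
            if gcd(r, n) == 1:
                break
        self.r = r                                 # the blind, kept secret
        self.unblind = pow(pow(r, c, n), -1, n)    # r^(-c) mod n
        self.seen = []                             # inputs given to the exponentiator

    def exp(self, x):
        """Return x^c mod n without exponentiating x itself."""
        xb = x * self.r % self.n                   # x * r
        self.seen.append(xb)
        yb = pow(xb, self.c, self.n)               # y' = (x * r)^c mod n
        y = yb * self.unblind % self.n             # y = y' * r^(-c) mod n
        # Refresh the blind by squaring: r <- r^2 and r^(-c) <- (r^(-c))^2,
        # which avoids a fresh exponentiation and inversion per call.
        self.r = self.r * self.r % self.n
        self.unblind = self.unblind * self.unblind % self.n
        return y


if __name__ == "__main__":
    dev = BlindedExponentiator()
    for x in (65, 65, 65):                         # same input, three calls
        print(x, "->", dev.exp(x), "exponentiator saw", dev.seen[-1])
```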

  29. RSA Decryption in Practice (OpenSSL crypto-lib uses CRT)
      $x \equiv y^{a} \bmod n \iff x_1 \equiv y^{a_1} \bmod p$ and $x_2 \equiv y^{a_2} \bmod q$
      x is the message, y is the ciphertext, a is the secret key, n = pq
      where $a_1 \equiv a \bmod \varphi(p)$ and $a_2 \equiv a \bmod \varphi(q)$.
      Garner’s formula. Derive x from $x_1$ and $x_2$:
        $x = (x_2 \cdot p \cdot (p^{-1} \bmod q) + x_1 \cdot q \cdot (q^{-1} \bmod p)) \bmod n$
      from EEA, $p \cdot (p^{-1} \bmod q) + q \cdot (q^{-1} \bmod p) = 1$
        $p \cdot (p^{-1} \bmod q) = 1 - q \cdot (q^{-1} \bmod p)$
        $x = x_2 + (x_1 - x_2) \cdot q \cdot (q^{-1} \bmod p)$
      compute $q' \equiv q^{-1} \bmod p$
        $h = q'(x_1 - x_2) \bmod p$
        $x = x_2 + h \cdot q$
      Crypto libraries like OpenSSL implement multiplication using the Montgomery multiplication
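
The CRT decryption of slide 29 carried through in code, as an added example (not OpenSSL's code and not from the slides). Assumptions: the toy primes and exponent are constructed, and Python's built-in `pow` replaces the Montgomery multiplier.

```python
P, Q = 61, 53                 # constructed toy primes (assumption)
N = P * Q                     # n = pq = 3233
A = 2753                      # constructed secret exponent a (pairs with e = 17)


def crt_parts(y):
    """x1 = y^a1 mod p, x2 = y^a2 mod q, with a1 = a mod phi(p), a2 = a mod phi(q)."""
    a1, a2 = A % (P - 1), A % (Q - 1)
    return pow(y, a1, P), pow(y, a2, Q)


def recombine_crt(x1, x2):
    """x = (x2 * p * (p^-1 mod q) + x1 * q * (q^-1 mod p)) mod n."""
    return (x2 * P * pow(P, -1, Q) + x1 * Q * pow(Q, -1, P)) % N


def recombine_garner(x1, x2):
    """h = q'(x1 - x2) mod p, x = x2 + h*q: one inverse, no reduction mod n."""
    q_inv = pow(Q, -1, P)     # q' = q^-1 mod p
    h = q_inv * (x1 - x2) % P
    return x2 + h * Q         # already in [0, n) because x2 < q and h < p


def decrypt(y):
    """x = y^a mod n via two half-size exponentiations and Garner recombination."""
    return recombine_garner(*crt_parts(y))


if __name__ == "__main__":
    y = pow(65, 17, N)        # encrypt the constructed message 65
    print(y, "->", decrypt(y))
```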

  30. Preventing Kocher’s Attack with the Montgomery Ladder
      • $s = y^{c} \bmod n$
      • say, c = 45 = $(101101)_2$
      • $c_b = 0$ and $c_b = 1$ take the same time
      • Modular multiplications done with Montgomery multiplier

      Input: c, y
      Output: $y^{c} \bmod n$

      exp(c, y) {
        R0 = 1
        R1 = y
        // c_0 is the most significant bit, as in the table below
        for i = 0 to n-1 do
          if c_i = 0 then
            R1 = R0 * R1 mod N
            R0 = R0 * R0 mod N
          else
            R0 = R0 * R1 mod N
            R1 = R1 * R1 mod N
        return R0
      }

      i    c_i   R0         R1
      -    -     1          $y$
      0    1     $y$        $y^{2}$
      1    0     $y^{2}$    $y^{3}$
      2    1     $y^{5}$    $y^{6}$
      3    1     $y^{11}$   $y^{12}$
      4    0     $y^{22}$   $y^{23}$
      5    1     $y^{45}$   $y^{46}$
