Side-Channel Analysis (SCA) – A comparative approach on smart cards, embedded systems, and high security solutions
Dr. Torsten Schütze, Rohde & Schwarz SIT GmbH, Stuttgart/Germany
Workshop on Applied Cryptography – Lightweight Cryptography and Side-Channel Analysis, Nanyang Technological University, Singapore, December 3, 2010
History of SCA – The smart card world I

(1) P. Kocher: Timing analysis on implementations of DH, RSA, DSS, and other systems, 1995/96.
(2) D. Boneh, R. DeMillo, R. Lipton: On the importance of checking cryptographic protocols for faults, 1996/97.
(3) A. Lenstra: Memo on RSA signature generation in the presence of faults, 1996/97.
(4) E. Biham, A. Shamir: Differential fault analysis of secret key cryptosystems, 1997.
(5) P. Kocher, J. Jaffe, B. Jun: Differential power analysis, 1997/98.
(6) W. Schindler: A timing attack against RSA-CRT, 2000.
(7) J.-J. Quisquater, D. Samyde: Electromagnetic analysis, 2001.
(8) D. Boneh, D. Brumley: Remote timing attacks are practical, 2003.
(9) S. Chari, C. Jutla, P. Rohatgi: Template attacks, 2003.
(10) E. Brier, C. Clavier, F. Olivier: Correlation power analysis with a leakage model, 2004.
(11) W. Schindler, K. Lemke, C. Paar: A stochastic model for differential side-channel cryptanalysis, 2005.
(12) F.-X. Standaert et al.: Template attacks in principal subspaces, 2006.
(13) B. Gierlichs et al.: Mutual Information Analysis, 2008.
(14) J. DiBatista et al.: When failure analysis meets side-channel analysis, 2010.
(15) D.J. Bernstein: Cache-timing attacks on AES, 2004/05; D.A. Osvik et al.: Cache attacks and countermeasures, 2006.
(16) O. Aciiçmez et al.: On the power of simple branch prediction analysis, 2006.

(Timeline figure: the numbered entries placed on a 1995–2010 axis.)

2010-12-03 | SCA – A comparative approach | 2
History of SCA – The smart card world II

- Side-channel attacks hit the smart card industry largely unanticipated.
- Today, we have a myriad of advanced analysis methods available.
- Implementation of efficient hard- and software countermeasures is accepted standard.
- Currently, interesting things at the analysis front happen with advanced stochastic methods and fault attacks.

(Timeline figure, 1995–2010: Timing Analysis, Power Analysis, Electromagnetic Analysis, Fault Analysis, Micro-Architectural Attacks, Advanced Stochastic Methods, Combined Analysis.)
History of SCA – The embedded / automotive world I

(1) Remote Keyless Entry (RKE) since the mid-1990s, Keyless Go since 1999
(2) Immobilizers mandatory in Germany since 1998, in Canada since 2007
(3) Start of tuning protection (= recognition of ECU software modifications) with proprietary methods, ~1998
(4) Proprietary authentication methods, end of the 1990s → break of proprietary methods
(5) Cryptographic tuning protection for some OEMs (RSA PKCS#1 v1.5 signatures with e=3), ~2002 → man-in-the-middle attack by exchanging public keys → OTP memory
(6) 2003: Secure odometers, state-of-the-art authentication by some OEMs
(7) 2005: Researchers break proprietary 40-bit encryption on Texas Instruments transponders
(8) Since 01/2006: Road tolling in Germany; On-Board Units use certified smart cards, the system itself is not certified/open yet
(9) Since 05/2006: Digital Tachograph mandatory in Europe = first security-certified automotive system
(10) 2007: implementation attacks against cryptographic tuning protection in the field: Bleichenbacher's 2006 attack
(11) 2008: Devastating attack on the KeeLoq RKE system using side-channel attacks
(12) 2010: Experimental security analysis of a modern automobile → disillusion
(13) Invited talk CHES 2010 – H. Shacham: Cars and voting machines – embedded systems in the field → "They got the simplest cryptographic things wrong!"

(Timeline figure: the numbered entries placed on a 1995–2010 axis.)
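Entries (5) and (10) above concern RSA PKCS#1 v1.5 signatures with e=3 and the 2007 field attacks based on Bleichenbacher's 2006 observation. The defect that observation relies on sits in the verifier, not in RSA: a verifier that parses the padding, reads the hash and ignores whatever follows accepts many encoded messages for one hash, whereas a verifier that rebuilds the single valid encoded message and compares all of it accepts exactly one. The example below is added here and is not code from the slides or from Rohde & Schwarz; it works directly on the encoded message EM (the value a verifier obtains as s^e mod n), so no key material is involved, and the message, the 128-byte length (a 1024-bit modulus) and the malformed test vector are constructed for illustration.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, Note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(message, em_len):
    """EMSA-PKCS1-v1_5: EM = 0x00 || 0x01 || PS (>= 8 bytes of 0xFF) || 0x00 || T."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def lax_verify(em, message):
    """Parse-style verifier: walks 0x00 0x01 FF..FF 0x00, reads T and never
    looks at what follows T. Bytes after the hash are silently ignored; this
    is the verifier defect behind the small-e forgery."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:   # PS must be >= 8 bytes
        return False
    i += 1
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    return em[i:i + len(t)] == t          # trailing bytes of EM are never checked


def strict_verify(em, message):
    """RFC 8017 section 8.2.2 style: rebuild the one valid EM for this message
    and this length, then compare the whole thing (constant-time compare)."""
    try:
        expected = emsa_pkcs1_v15_encode(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def build_short_padding_em(message, em_len, trailing_byte=0x00):
    """Constructed test vector (hypothetical helper): minimal 8-byte PS, then T,
    then filler bytes after the hash. This is only the *shape* a lax verifier
    accepts; no RSA operation is performed here."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    body = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return body + bytes([trailing_byte]) * (em_len - len(body))


if __name__ == "__main__":
    msg = b"ECU firmware image v1 (constructed sample)"
    good = emsa_pkcs1_v15_encode(msg, 128)            # 128 bytes = 1024-bit modulus
    bad = build_short_padding_em(msg, 128)
    print("well-formed EM: lax=%s strict=%s" % (lax_verify(good, msg), strict_verify(good, msg)))
    print("short-PS EM   : lax=%s strict=%s" % (lax_verify(bad, msg), strict_verify(bad, msg)))
```

Both verifiers accept the well-formed EM; only the lax one accepts the short-padding EM with filler after the hash. The defensive rule is the one the strict version applies: compute the expected EM from the hash and the modulus length and compare it byte for byte, rather than parsing the signature's own structure.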
History of SCA – The embedded / automotive world II

- Until ~2000, cryptography was not considered very much in the automotive domain.
- Currently, automotive is moving from security by obscurity to adhering to Kerckhoffs' law.
- University research is starting to consider attacks on automotive security solutions.
- Ambitious security challenges ahead with Car2X security → MANET, privacy.
- Vulnerability and countermeasures for automotive implementations with respect to SCA are currently unknown → Side-Channel Analysis for Automotive Security (SCAAS), see later.

"In about ten years, no automotive supplier or manufacturer can afford to build SCA-vulnerable products." A. Bogdanov, author of the 1st KeeLoq attack paper, 2008.
History of SCA – The high security world ???

(1) World War I: the German army eavesdropped on field phone lines by observing ground current
(2) 1943/1951: Bell Labs and CIA find an electromagnetic side channel in a rotor key generator → correlator machines (compute the correlation coefficient in hardware)
(3) 1956 Suez crisis: MI5 uses an acoustic side channel, i.e., the clicking of rotors in a Hagelin ciphering machine
(4) 1950s: electromagnetic echoes of the teleprinter in the output of the ciphering machine
(5) 1962: Japan captures electromagnetic emanations of American cipher machines

TEMPEST = codename for the problem of compromising radiation. (Timeline figure: the numbered entries placed on a 1945–1960 axis.)

- Red/black separation: separation of systems that handle classified / plaintext information (RED) from those that handle non-classified / encrypted information (BLACK)
- Radiation policies:
  - 1953 US Armed Forces Security Agency (pre-NSA): first TEMPEST policy
  - 1958 first joint policy in the US
  - 1959 + UK and Canada → combined policy
- Today: BSI zoning model (0-3), NATO SDIP-27 Level A-C; the actual emission limits are classified
- Only some of the earliest TEMPEST information has been declassified; most of the actual limits, testing procedures and countermeasures remain secret.
- First target of TEMPEST: plaintext correlation / absolute radiation limits. Later: key correlations
A comparative analysis – Processors and devices

Processors
  Smart cards: from 8-bit (SLE66) through 16-bit dual-core (SLE78) to 32-bit high-end (SLE88) processors
  Automotive / Embedded: from 4-bit (key fobs) to 32-bit RISC (Engine Control Units) processors with DSPs; upcoming: 32-bit multi-core
  High security solutions: general purpose processors + ASICs + smart cards + FPGAs

Figures: block diagram Infineon SLE78 (smart cards); block diagram Infineon TC1797 (automotive); high security solutions: ???

Operational conditions
  Smart cards: -25 °C to +70 °C; some controllers with extended spec (M2M): -40 °C to +105 °C
  Automotive / Embedded: -40 °C to +125/155 °C (normal / attached to engine) + mechanical shocks + vibration → problem with standard security ICs
  High security solutions: ruggedized: MIL-STD-810, protected against electromagnetic pulses → problem with standard security ICs
A comparative analysis – Interfaces

Smart cards
  Contact-based: ISO 7816-3, T=0, T=1
  Contactless: ISO 14443, 13.56 MHz radio frequency, half-duplex protocols
  New cards: USB, Single Wire Protocol
  Figure: interfaces of a contact-based smart card
  Summary: relatively uniform, widely interoperable over APDUs

Automotive / Embedded
  LIN, CAN, FlexRay, MOST, …; asynchronous serial channels, synchronous serial channels, JTAG, etc.
  Figure: interfaces of the Infineon TC1797 in a diesel engine management unit
  Summary: wide range of high-performance interfaces

High security solutions
  External: crypto interface = fill device using the serial DS-101 / DS-102 protocol = military protocol to load cryptographic keys into crypto devices; uses a U-229 audio connector plug
  Internal: many interfaces to smart cards, FPGAs, ASICs
  Figures: R&S MMC3000 multimode encryption device (voice, data); R&S GP3000 Fillgun (data load device)
A comparative analysis – Security features

Smart cards
  - Dual CPUs for fault detection
  - Full CPU, memory, bus and cache encryption/masking
  - Error detection codes
  - Dual-rail pre-charge logic; some vendors: asynchronous logic, masked logic
  - TDES/AES hardware coprocessors
  - Crypto@2304T asymmetric coprocessor (RSA, ECC)
  - Pseudo RNG and True RNG, AIS-31 and FIPS 140 compliant
  - Watchdogs for program flow
  - Sensors: voltage, frequency, temperature, light
  - Active shield

Automotive / Embedded
  - Currently, almost no built-in security
  - One Time Programmable memory + watchdogs
  - No secure non-volatile memory
  - Cryptographic security in software
  - Upcoming: processors with cryptographic coprocessors (mostly symmetric – AES, TRNG) = ideas for Secure Hardware Extensions
  - Secure NVM and general non-functional security not in focus (cost reasons); functionality counts (and is easy) → crypto accelerators

High security solutions
  - Everything from smart cards +
  - Anti-tamper shielding
  - Red/black separation
  - Optical links to avoid electromagnetic cross-talk
  - Filtering to reduce the signal-to-noise ratio
  - Power compensation techniques
  - 1960s (!!) TEMPEST documents: Shielding (a), Filtering (b), Masking (c)
  - MIL-HDBK-232A: red/black isolation depends fundamentally on proper grounding, bonding, and shielding
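Two items on the slides above meet in one experiment: correlation power analysis with a leakage model (entry (10) in the smart card history) and the masked logic listed among the smart card security features. The example below is added here and is not code from the slides or from Rohde & Schwarz. It constructs simulated single-sample traces of an AES first-round S-box output under a Hamming-weight model with Gaussian noise, runs CPA over all 256 key-byte hypotheses, and repeats the run against a Boolean-masked simulation in which the register only ever holds the S-box output XOR a fresh random mask. The key byte 0x2B, trace count, noise level and seeds are constructed values; the S-box is computed from its GF(2^8) definition rather than typed in.

```python
import random


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _gf_inv(a):
    """Multiplicative inverse as a^254 (AES maps 0 to 0)."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = _gf_mul(result, base)
        base = _gf_mul(base, base)
        exp >>= 1
    return result if a else 0


def _build_sbox():
    """AES S-box: inverse in GF(2^8) followed by the affine map with constant 0x63."""
    sbox = []
    for x in range(256):
        inv = _gf_inv(x)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def hamming_weight(x):
    return bin(x).count("1")


def simulate_traces(key_byte, n_traces, noise_sigma, masked, rng):
    """Constructed traces: one sample per encryption, modelling the power drawn
    when the first-round S-box output byte is written to a register.
    Unmasked device: sample = HW(S(p ^ k)) + noise.
    Masked device:   sample = HW(S(p ^ k) ^ m) + noise, m fresh per encryption,
    so the register value is independent of the secret at first order."""
    traces = []
    for _ in range(n_traces):
        p = rng.randrange(256)
        v = SBOX[p ^ key_byte]
        if masked:
            v ^= rng.randrange(256)
        traces.append((p, hamming_weight(v) + rng.gauss(0.0, noise_sigma)))
    return traces


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5


def cpa(traces):
    """Correlation power analysis: predict HW(S(p ^ k)) per trace for every
    key hypothesis k and correlate with the samples.
    Returns (best_key_guess, abs_correlation_of_best_guess)."""
    samples = [s for _, s in traces]
    best_k, best_c = None, -1.0
    for k in range(256):
        model = [hamming_weight(SBOX[p ^ k]) for p, _ in traces]
        c = abs(pearson(model, samples))
        if c > best_c:
            best_k, best_c = k, c
    return best_k, best_c


def run_evaluation(key_byte=0x2B, n_traces=500, noise_sigma=1.0, seed=1):
    """Run CPA against an unmasked and a masked simulation of the same key.
    Returns {"unmasked": (guess, |rho|), "masked": (guess, |rho|)}."""
    unmasked = simulate_traces(key_byte, n_traces, noise_sigma, False, random.Random(seed))
    masked = simulate_traces(key_byte, n_traces, noise_sigma, True, random.Random(seed + 1))
    return {"unmasked": cpa(unmasked), "masked": cpa(masked)}


if __name__ == "__main__":
    res = run_evaluation()
    print("unmasked: key guess 0x%02x, |rho| = %.2f" % res["unmasked"])
    print("masked:   key guess 0x%02x, |rho| = %.2f" % res["masked"])
```

With these parameters the unmasked run recovers 0x2B with a correlation well above that of every wrong hypothesis, while the masked run yields no hypothesis that stands out: the masked register value is uniformly distributed whatever the key, so the first-order Hamming-weight model has nothing to correlate with. This is also why the slide lists masked logic next to other countermeasures rather than alone; a higher-order analysis that combines the mask and the masked value can still succeed, so noise, dual-rail logic and fault detection are applied in addition.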