Side-channel based Collision Attacks, Theory to Practice - PowerPoint PPT Presentation



  1. Side-channel based Collision Attacks, Theory to Practice
     3. December 2010
     Amir Moradi, Embedded Security Group, Ruhr University Bochum, Germany

  2. Outline
      Classical side-channel attacks
      What is a side-channel based collision attack?
      Implementation platforms and problems
      A newly introduced side-channel based correlation collision attack
      Some hints when implementing
     WAC 2010 | Singapore | 3. December 2010 | Amir Moradi

  3. Classical Side-Channel Attacks
      Collecting the side-channel leakage
       – Using an oscilloscope for power analysis attacks
         • and an electromagnetic probe for electromagnetic analysis attacks
       – Using a timer for timing attacks

  4. Classical Side-Channel Attacks
      Define the hypothetical power model
       – In differential power analysis
       – In correlation power analysis
      Define the distinguisher
       – In mutual information analysis
      Examine the relation between the (hypothetical) model and the real measurements using statistical tools
       – difference of means
       – correlation coefficient
       – entropy

  5. What is a Side-Channel Based Collision Attack?
      Avoids any model to predict the power consumption
       – Independent of the leakage type
      Examines the similarity of the measurements for different processed values
       – When a collision is found, a relation between parts of the secret is revealed

  6. Side-Channel Based Collision Attack [example 1]
      Implementation platform: a micro-controller
      Target algorithm: the AES encryption
      Strategy of the attack: looking for similar power consumption traces for different Sbox outputs
      Sbox(P1 + K1) = Sbox(P2 + K2) => P1 + K1 = P2 + K2 => K1 + K2 = C
       (here "+" is the XOR of AddRoundKey, and C = P1 + P2 is known because the plaintexts are known)

  7. Side-Channel Based Collision Attack [example 1]
      Presence of countermeasures
       – Masking: wait till a collision may occur on both masks and Sbox outputs; depends strongly on the masking order
       – Shuffling: extending the search area to consider all clock cycles; may lead to false positive results
       – Masking and Shuffling: efficiency of the attack is drastically reduced!

  8. Side-Channel Based Collision Attack [example 2]
      Implementation platform: an FPGA/ASIC
      Target algorithm: the AES encryption
      Strategy of the attack: cannot be decided without knowing the architecture

  9. An Overview of the Architecture
     [figure only]

  10. How do the power traces look?
      8-bit architecture
      32-bit architecture
     [figures: power traces of the 8-bit and 32-bit architectures]

  11. Side-Channel Based Collision Attack [example 2]
      Implementation platform: an FPGA/ASIC
      Target algorithm: the AES encryption
      Strategy of the attack:
       – 8-bit architecture: roughly the same as the μC case
       – 32-bit architecture: not easy because of the low probability of collision
      The attack does not work efficiently
       – Switching noise is added in comparison to the μC
       – Power consumption depends also on the last processed values
      Worse situation in the presence of countermeasures

  12. What can we do? [Usually a DPA/CPA using HD/HW model works + MIA]
      Before developing an attack
       – First, averaging based on plaintext bytes (32-bit arch.)
         • 256 mean traces for each plaintext byte
         • Variance over mean traces (each plaintext byte separately)

  13. Designing an Attack
      Supposing we know a key byte, we get mean traces for the corresponding Sbox input byte
      For another plaintext byte (unknown key), we get mean traces
      How are these mean traces related to each other?

  14. Designing an Attack
      The mean traces for the unknown key bytes can be generated for each key byte hypothesis
      The correct key byte can be found by comparing the mean traces at each time instance
       – Correlation helps here!
         • Correlation of two sets of mean traces based on a key hypothesis (is almost 1 for the right key, due to equal power consumption)

  15. Extending the Attack
      If the first key byte (for the first mean traces) is not known, what we recover is the linear difference between two key bytes: k1 + k2, because of AddRoundKey of AES
       – The same attack shown on the μC, but using all possible collisions!
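The mean-trace correlation collision attack of slides 12 to 15, as an added simulation that is not code from the talk: it constructs traces under an assumed leakage model in which one S-box instance serves every byte (the shared-instance situation of slides 16 and 22), builds the 256 mean traces per plaintext byte, and correlates them under every key-difference hypothesis. The hypothesis scoring near 1 is k_i + k_0, so only 2^8 candidates remain for the key (slide 17); the key bytes, noise level and per-value fingerprint are constructed, and the AES S-box is generated only to simulate leakage.

```python
import numpy as np

def rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF

def make_sbox():
    """Generate the AES S-box (3^i walk, inverse, affine map); used only to simulate leakage."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 in GF(2^8)
        q ^= (q << 1) & 0xFF; q ^= (q << 2) & 0xFF; q ^= (q << 4) & 0xFF  # q /= 3
        if q & 0x80: q ^= 0x09
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1: break
    sbox[0] = 0x63
    return sbox

SBOX = make_sbox()

def simulate_traces(keys, n_traces, sigma, rng, n_samples=4):
    """Constructed leakage model (assumption): one S-box instance serves every byte, so a
    cycle's power depends only on the S-box input v = p ^ k: a per-value fingerprint of that
    instance plus the Hamming weight of its output, plus Gaussian noise of std sigma."""
    fingerprint = rng.normal(size=(256, n_samples))
    hw = np.array([bin(s).count("1") for s in SBOX], dtype=float)
    pts = rng.integers(0, 256, size=(n_traces, len(keys)), dtype=np.uint8)
    traces = np.empty((n_traces, len(keys), n_samples))
    for i, k in enumerate(keys):
        v = pts[:, i] ^ np.uint8(k)
        traces[:, i] = fingerprint[v] + hw[v][:, None] + rng.normal(scale=sigma, size=(n_traces, n_samples))
    return pts, traces

def mean_traces(pts, traces, i):
    """256 mean traces for byte position i, one per plaintext byte value (slide 12)."""
    m = np.zeros((256, traces.shape[2]))
    for p in range(256):
        sel = pts[:, i] == p
        if sel.any():
            m[p] = traces[sel, i].mean(axis=0)
    return m

def key_difference(m1, m2):
    """Correlate M1[p] with M2[p ^ d] over all p and samples; the right d = k1 ^ k2 scores near 1."""
    idx = np.arange(256)
    scores = [np.corrcoef(m1.ravel(), m2[idx ^ d].ravel())[0, 1] for d in range(256)]
    return int(np.argmax(scores)), float(max(scores))

def demo(n_traces=20000, sigma=2.0, seed=7):
    """Recover k_i ^ k_0 for every byte i (slide 15); 2^8 key candidates then remain (slide 17)."""
    keys = [0x2B, 0x7E, 0x15, 0x16]  # constructed secret key bytes
    pts, traces = simulate_traces(keys, n_traces, sigma, np.random.default_rng(seed))
    m0 = mean_traces(pts, traces, 0)
    return keys, [key_difference(m0, mean_traces(pts, traces, i))[0] for i in range(1, len(keys))]
```

A designer can reuse the same mean-trace/correlation step on real traces of a candidate architecture to check whether its S-box instances are distinguishable, which is the property slides 22 and 25 recommend preserving.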

  16. Why does it work?
      There are four instances of the S-box in the 32-bit arch.
       – The power consumption characteristics of the same instance of the S-box are used in the mean traces
       – Power consumption of an instance of the S-box is compared to itself in different clock cycles
      What happens for a larger architecture?
       – The same netlist for the S-boxes, even the same placement and routing, but process variations still exist
         • Small differences in the power consumption characteristics of different instances of the S-box
       – The same instances of the S-box should be compared

  17. The gain of the attack
      Relation between key bytes
       – 8-bit arch. → 15 relations, 2^8 candidates for the 128-bit key
       – 32-bit arch. → 12 relations, 2^32 candidates for the 128-bit key
      How to get the correct key?
       – A pair of plain-/ciphertext
       – Continue the attack on the second round of the AES for each key candidate

  18. How about Shuffling?
      Shuffling is done on the order of Sbox runs
      Using combing [what's combing?]

  19. How about Masking?
      Looking into the literature
      Smallest masked AES S-box by Canright and Batina
      1st order leakage is obvious because of glitches

  20. Results when masking is implemented
     [figure only]

  21. Masking combined with Shuffling?
      Using combing

  22. First Hints
      The attack works when an instance of the Sbox is shared for a computation of a round
      Try to avoid Sbox [hardware] sharing
       – going through round-based implementation
         • 128-bit architectures
         • even unrolled architectures

  23. Results on 128-bit arch. [unmasked]
      Not achieved for all key bytes
       – because of differences between the netlists of different instances of the Sbox

  24. How about unrolled implementations?
      two rounds per clock cycle
      three rounds per clock cycle

  25. Second Hints
      The attack still works on some key bytes even on unrolled implementations
      To avoid such an attack it is recommended to use different netlists for different instances of the Sbox
       – the result will avoid similarity of the power consumption of different instances of the Sbox
      The world still is not enough
       – at the end of the day, a statistical tool, e.g., MIA, will recover the secret!

  26. Thanks! Any questions?
     Thanks to my colleagues: Oliver Mischke, Thomas Eisenbarth
     Embedded Security Group, Ruhr University Bochum, Germany
