
Summary Introduction & Cryptographic Background Hardware - PowerPoint PPT Presentation

Hardware Support for Physical Security
Arnaud Tisserand
CNRS, Lab-STICC laboratory
CRiSIS 2017, Dinard, France


  1. Summary
     • Introduction & Cryptographic Background
     • Side Channel Attacks
     • Fault Injection Attacks
     • Protections Examples
     • Conclusion and References

     Arnaud Tisserand. CNRS – Lab-STICC. Hardware Support for Physical Security 2/57

     Applications with Security Needs
     Applications: smart cards, computers, Internet, telecommunications, set-top boxes, data storage, RFID tags, WSN, smart grids...

     Security Aspects
     [Diagram: taxonomy of security aspects. Labels: security, system security, cryptology, steganography, data, cryptography, networks, operating systems, cryptanalysis, programs, physical devices, theoretical]

  2. Software vs Hardware Support
     [Diagram: SW = processor with instruction (I@) and data (D@) memory hierarchy, instructions management + control, register file, LSU, FU 1, FU 2, FU 3; HW = dedicated CTRL, registers (reg.), operators (op.) and memory. Label: SECURITY?]

          FLEXIBILITY   SPEED   AREA    ENERGY   DEVEL. COST
     SW   EXCELLENT     slow    large   large    small
     HW   limited       fast    small   small    HUGE

     Cryptographic Features
     Objectives:
     • Confidentiality
     • Integrity
     • Authenticity
     • Non-repudiation
     • ...
     Cryptographic primitives:
     • Encryption
     • Digital signature
     • Hash function
     • Random numbers generation
     • ...
     Implementation issues in hardware:
     • Performances: speed, delay, throughput, latency
     • Cost: device (memory, size, weight), low power/energy consumption, design
     • Security: protection against physical attacks

     Symmetric / Private-Key Cryptography
     [Diagram: A sends $E_k(M)$ to B, both holding $k$; B computes $D_k(E_k(M)) = M$; E observes the channel]
     • A: Alice, B: Bob
     • M: plain text/message
     • E: encryption/ciphering algorithm, D: decryption/deciphering algorithm
     • $k$: secret key to be shared by A and B
     • $E_k(M)$: encrypted text
     • $D_k(E_k(M))$: decrypted text
     • E: eavesdropper/spy

     Asymmetric / Public-Key Cryptography
     [Diagram: A sends $E_k(M)$ to B; B holds $k'$ and computes $D_{k'}(E_k(M)) = M$; E observes the channel and knows $k$]
     • $k$: B’s public key (known to everyone including E)
     • $E_k(M)$: ciphered text
     • $k'$: B’s private key (must be kept secret)
     • $D_{k'}(E_k(M))$: deciphered text

  3. RSA Asymmetric Cryptosystem (1/2)
     Published in 1978 by Ron Rivest, Adi Shamir and Leonard Adleman [11]
     Key generation (Bob side)
     • Choose two large prime integers $p$ and $q$
     • Compute the modulus $n = pq$
     • Compute $\varphi(n) = (p - 1)(q - 1)$
     • Choose an integer $e$ such that $1 < e < \varphi(n)$ and $\gcd(e, \varphi(n)) = 1$
     • Compute $d = e^{-1} \bmod \varphi(n)$
     • Private key (kept secret by Bob): $d$ and also $p$, $q$, $\varphi(n)$
     • Public key (published): $(n, e)$

     RSA Asymmetric Cryptosystem (2/2)
     Private key (Bob): $d$
     Public key (all): $(n, e)$
     Encryption (Alice side):
     • convert the message $M$ to an integer $m$ ($1 < m < n$ and $\gcd(m, n) = 1$)
     • compute the cipher text $c = m^e \bmod n$
     Decryption (Bob side):
     • compute $m = c^d \bmod n$
     • convert the integer $m$ to the message $M$
     Theoretical security: integer factorization, i.e. computing $(p, q)$ knowing $n$, is not possible when $n$ is large enough

     Modular Exponentiation
     Computation of operations such as: $a^b \bmod n$
     $a^b = a \times a \times a \times \ldots \times a$ ($a$ appears $b$ times)
     Order of magnitude of exponents: $2^{\text{size of exponent}} \rightarrow 2^{1024} \ldots 2^{2048} \ldots 2^{4096}$
     Fast exponentiation principle:
     $a^b = (a^2)^{b/2}$ when $b$ is even
     $a^b = a \times (a^2)^{(b-1)/2}$ when $b$ is odd
     Least significant bit of the exponent: bit = 0 → even and bit = 1 → odd

     Square and Multiply Algorithm
     input: $a$, $b$, $n$ where $b = (b_{t-1} b_{t-2} \ldots b_1 b_0)_2$
     output: $a^b \bmod n$

         r = 1
         for i from 0 to t − 1 do
             if b_i = 1 then
                 r = r · a mod n
             endif
             a = a^2 mod n
         endfor
         return r

     This is the right to left version (there exists a left to right one)

  4. Elliptic Curve Cryptography in 1 Slide...
     $E : y^2 = x^3 + 4x + 20$ over GF(1009)
     [Figure: curve plot with point doubling $P + P$]
     Protocol level: encryption, signature, etc., built on $[k]P$
     Curve level: scalar multiplication operation $[k]P$, built on ADD(P, Q) and DBL(P)

         for i from 0 to t − 1 do
             if k_i = 1 then Q = ADD(P, Q)
             P = DBL(P)

     Field level: $GF(p)$ or $GF(2^m)$ operations $x \pm y$, $x \times y$, ...
     • points: $P$, $Q$ = $(x, y)$ or $(x, y, z)$ or ...
     • coordinates: $x, y, z \in GF(\cdot)$
     • $GF(p)$, $GF(2^m)$, $t$: 200–600 bits
     • $k = (k_{t-1} k_{t-2} \ldots k_1 k_0)_2 \in \mathbb{N}$
     • Point addition/doubling operations: sequence of finite field operations
       DBL: $v_1 = z_1^2$, $v_2 = x_1 - v_1$, ...
       ADD: $w_1 = z_1^2$, $w_2 = z_1 \times w_1$, ...
     • Field operations: operation modulo large prime ($GF(p)$) or irreducible polynomial ($GF(2^m)$)

     Attacks
     [Diagram: attack taxonomy. Labels: attack, observation, perturbation, invasive, theoretical, timing analysis, power analysis, EMR analysis, fault injection, probing, reverse engineering, advanced algorithms, optimized programming]
     EMR = Electromagnetic radiation

     Side Channel Attacks (SCAs) (1/2)
     Attack: attempt to find, without any knowledge about the secret:
     • the message (or parts of the message)
     • information on the message
     • the secret (or parts of the secret)
     “Old style” side channel attacks:
     [Figure: "clic" = good value, "clac" = bad value]

     Side Channel Attacks (SCAs) (2/2)
     [Diagram: A sends $E_k(M)$ to B, both holding $k$; B computes $D_k(E_k(M)) = M$; E performs measure + attack to find $k$, $M$ ???]
     General principle: measure external parameter(s) on a running device in order to deduce internal information

  5. What Should be Measured?
     Answer: everything that can “enter” and/or “get out” in/from the device
     • power consumption
     • electromagnetic radiation
     • temperature
     • sound
     • computation time
     • number of cache misses
     • number and type of error messages
     • ...
     The measured parameters may provide information on:
     • global behavior (temperature, power, sound...)
     • local behavior (EMR, # cache misses...)

     Power Consumption Analysis
     General principle:
     1. measure the current $i(t)$ in the cryptosystem
     2. use those measurements to “deduce” secret information
     [Figure: crypto. device holding secret key = 962571..., supplied from $V_{DD}$ through resistor R; the current $i(t)$ is recorded as traces]

     Simple Power Analysis (SPA)
     [Figure: power trace. Source: [5]]

     Limits of the SPA
     Example of behavior difference (activity into a register):

         time     case 1              case 2
         t        0000000000000000    0000000000000000
         t + 1    1111111111111111    0000000000000001

     Important: a small difference may be evaluated as noise during the measurement, so the traces cannot be distinguished
     Question: what can be done when differences are too small?
     Answer: use statistics over several traces

  6. Differential Power Analysis (DPA)
     [Diagram: DPA flow. Labels: cryptosystem, implementation, internal state, power model, measures, select bit b to attack, power($H_{b=1}$) for b = 1, power($H_{b=0}$) for b = 0, comparison, correct hypothesis]

     Template Attack
     [Diagram: template attack flow. Labels: cryptosystem, implementation, internal state, measures, select variable v to attack, training step, power(v = 0) for v = 0, power(v = 1) for v = 1, power(v = 2) for v = 2, comparison, correct hypothesis]

     Electromagnetic Radiation Analysis
     General principle: use a probe to measure the EMR
     [Figure: probe over a circuit connected between $V_{DD}$ and GND]
     EMR measurement:
     • global EMR with a large probe
     • local EMR with a micro-probe

     Side Channel Attack on ECC
     Protocol level: encryption, signature, etc., built on $[k]P$
     Curve level: scalar multiplication operation, built on ADD(P, Q) and DBL(P)

         for i from 0 to t − 1 do
             if k_i = 1 then Q = ADD(P, Q)
             P = DBL(P)

     Field level: $x \pm y$, $x \times y$, ...
     Observed operation sequence and the key bits it reveals:

         DBL   DBL   DBL   ADD DBL   ADD DBL   DBL
          0     0     0       1         1       0

     • simple power analysis (& variants)
     • differential power analysis (& variants)
     • horizontal/vertical/templates/... attacks
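The link between the square-and-multiply loop and the operation sequence on the "Side Channel Attack on ECC" slide can be reproduced in a few lines. The following is an added example, not code from the slides: it instruments the right-to-left loop to log its operations, decodes the exponent bits from that log (the same decoder reads the slide's DBL/ADD sequence), and contrasts it with a multiply-always variant. Function names and the toy values 7, 24, 1009 are this example's own assumptions.

```python
# Added illustration, not code from the slides. Names are this example's own.

def modexp_trace(a, b, n, t):
    """Right-to-left square and multiply over t exponent bits.
    Returns (a^b mod n, list of operations executed)."""
    r, trace = 1, []
    for i in range(t):
        if (b >> i) & 1:          # b_i = 1: conditional multiply
            r = (r * a) % n
            trace.append("MUL")
        a = (a * a) % n           # square runs on every iteration
        trace.append("SQR")
    return r, trace

def bits_from_trace(trace, cond, always):
    """Recover bits (first processed first) from an operation sequence where
    `cond` runs only for a 1 bit and `always` closes every iteration."""
    bits, pending = [], 0
    for op in trace:
        if op == cond:
            pending = 1
        elif op == always:
            bits.append(pending)
            pending = 0
        else:
            raise ValueError(f"unexpected operation {op!r}")
    return bits

def modexp_always(a, b, n, t):
    """Multiply-always variant: the product is computed on every iteration
    and kept or discarded arithmetically, so the operation sequence does not
    depend on b. It removes the SPA pattern only, not statistical (DPA) leakage."""
    r, trace = 1, []
    for i in range(t):
        bit = (b >> i) & 1
        prod = (r * a) % n
        trace.append("MUL")
        r = bit * prod + (1 - bit) * r   # select without a branch
        a = (a * a) % n
        trace.append("SQR")
    return r, trace

# Operation sequence shown on the "Side Channel Attack on ECC" slide
SLIDE_SEQUENCE = ["DBL", "DBL", "DBL", "ADD", "DBL", "ADD", "DBL", "DBL"]

if __name__ == "__main__":
    _, tr = modexp_trace(7, 24, 1009, 6)      # constructed toy values
    print(tr, bits_from_trace(tr, "MUL", "SQR"))
    print(bits_from_trace(SLIDE_SEQUENCE, "ADD", "DBL"))
```

With the exponent 24 processed over 6 bits, the logged MUL/SQR pattern has the same shape as the slide's DBL/ADD sequence, while `modexp_always` produces an identical log for every exponent of that length.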
