Lecture6 –Crypto Implementation on Embedded Platforms

Download Report

Transcript Lecture6 –Crypto Implementation on Embedded Platforms

Lecture7 –More on Attacks
Rice ELEC 528/ COMP 538
Farinaz Koushanfar
Spring 2009
Outline
• More on side-channel attacks
• Fault injection attacks
• Generic attacks on cryptosystems
Slides are mostly courtesy of Michael Tunstall
[email protected]
Simple power analysis (SPA) example
SPA example (cont’d)
SPA example (cont’d)
• Unprotected modular exponentiation – square
and multiply algorithm
Possible counter measure –
randomizing RSA exponentiation
Statistical power analysis
• Two categories
– Differential power analysis (DPA)
– Correlation power analysis (CPA)
• Based on the relationship b/w power
consumption & hamming weight of the data
Modeling the power consumption
• Hamming weight model
– Typically measured on a bus, Y=aH(X)+b
– Y: power consumption; X: data value; H:
Hamming weight
• The Hamming distance model
– Y=aH(PX)+b
– Accounting for the previous value on the bus
(P)
Differential power analysis (DPA)
• DPA can be performed in any algo that
has operation =S(K),
–  is known and K is the segment key
The waveforms are caotured by a scope and
Sent to a computer for analysis
What is available after acquisition?
DPA (cont’d)
The bit will classify the wave wi
– Hypothesis 1: bit is zero
– Hypothesis 2: bit is one
– A differential trace will be calculated for each bit!
DPA (cont’d)
DPA (cont’d)
DPA -- testing
DPA -- testing
DPA – the wrong guess
DPA (cont’d)
• The DPA waveform with the highest peak
will validate the hypothesis
DPA curve example
DPA (cont’d)
Attacking a secret key algorithm
Typical DPA Target
Example -- DPA
Example – hypothesis testing
DPA (Cont’d)
DPA on DES algorithm
DPA on other algorithms
Correlation power analysis (CPA)
• The equation for generating differential
waveforms replaced with correlations
• Rather than attacking one bit, the attacker
tries prediction of the Hamming weight of a
word (H)
• The correlation is computed by:
Statistical PA -- countermeasures
Anti-DPA countermeasures
Anti-DPA
• Internal clock phase shift
DPA summary
Electromagnetic power analysis
EMA – probe design
EMA signal
Spatial positioning
Spatial positioning
Example: SEMA on RSA
EMA (cont’d)
Counter measures
Fault injection attacks
Fault attacks
Fault injection techniques
• Transient (provisional) and permanent
(destructive) faults
– Variations to supply voltage
– Variations in the external clock
– Temperature
– White light
– Laser light
– X-rays and ion beams
– Electromagnetic flux
Need some (maybe expensive
equipment) – eg, laser
Fault injection steps
Provisional faults
• Single event upsets
– Temporary flips in a cell’s logical state to a
complementary state
• Multiple event faults
– Several simultaneous SEUs
• Dose rate faults
– The individual effects are negligible, but cumulative
effect causes fault
• Provisional faults are used more in fault injection
Permanent faults
• Single-event burnout faults
– Caused by a parasitic thyristor being formed in the MOS power
transistors
• Single-event snap back faults
– Caused by self-sustained current by parasitic bipolar transistors
in MOS
• Single-event latch-up faults
– Creates a self sustained current in parasitics
• Total dose rate faults
– Progressive degradation of the electronic circuit
Fault impacts (model)
• Resetting data
• Data randomization – could be misleading, no control
over!
• Modifying op-code – implementation dependent
Fault attacks – counter measures
Fault attacks – counter measures
Attacks on systems using smart
cards
Trusted path
• Normal key validation on a PC
Trusted path
• PIN code validation – can you come up with attacks?
Are smart cards good or bad?
Let’s go thru a few common
scenarios
A few common scenarios…
A few common scenarios…
A few common scenarios…
A few common scenarios…
A few common scenarios…
A few common scenarios…
A few common scenarios…
A few common scenarios…
A few common scenarios…
A few common scenarios…
A few common scenarios…
Example – fault attack on DES
15-th round DPA
15-th round DPA
15-th round DES