22/06/2011

September 21, 2006 1

6/22/2011 1

Introduction to implementation attacks

Lejla Batina

RU Nijmegen

and KU Leuven

Acknowledgements:

B. Gierlichs, I. Verbauwhede (KU Leuven)

E.Poll (RU Nijmegen) and Riscure, Delft

2

Side-channel Analysis

E.g. pizza deliveries as a side-channel

3

Side-channel Analysis• Monday evening • Tuesday evening

6/22/2011 4

Outline

• Introduction: implementations of security vs secure implementations

• Basic concepts of implementation attacks• Side-channel attacks• Active attacks• Conclusions

6/22/2011 5

IntrIoduction

6/22/2011 6

Embedded cryptographic devices

http://www.coolestgadgets.com/

http://www.rsa.com/

Embedded security:resource limitation and physical accessibility

22/06/2011

September 21, 2006 2

(In)security for Embedded Systems

“Remote keyless entry system for cars and buildings is

hacked”, March 31, 2008KeeLoq: eavesdropping from up to 100 m

2 mesages are enough

www.crypto.rub.de/keeloqEven SPA is possible, July 19, 2009

“Hackers crack open mobile network”, Dec. 31, 2010Mobile calls and texts made on any GSM network can be

eavesdropped upon using four cheap phones and open source

software.

PlayStation 3 'hacked' by iPhone cracker

http://www.bbc.co.uk/news/technology

More (In)security for Embedded Systems

“Devices That Tell On You: The Nike+iPod Sport Kit”T. Saponas, J. Lester, C. Hartung, T. Kohno

http://www.cs.washington.edu/research/systems/privacy.html

-Tracks up to 60 feet = 20 meter

-No privacy measures included

[www.apple.com: nike+ipod]

Embedded Security

Old Model (simplified view):-Attack on channel between communicating parties-Encryption and cryptographic operations in black boxes-Protection by strong mathematic algorithms and protocols-Computationally secure

Embedded Security

New Model (also simplified view):-Attack on channel and endpoints-Encryption and cryptographic operations in gray boxes-Protection by strong mathematic algorithms and protocols-Protection by secure implementation

Need secure implementations not only algorithms

I. Verbauwhede, P. Schaumont

Embedded Security

We NEED BOTH• Efficient Implementation

– Within power, area, timing budgets

– Public key: 1024 bits RSA on 8 bit µC and 100 µW

– Public key on a passive RFID tag

• Secure (trustworthy) implementation– Resistant to attacks

– Active attacks: probing, (power) glitches, JTAG scan chain, cold-boot, …

– Passive attacks: timing, power consumption, electromagnetic radiation, sound…

Why a hard engineering problem?

• More difficult to guarantee that something will not happen (attacks) than that something will happen.

• Engineers are trained to make something happen.

22/06/2011

September 21, 2006 3

> 10 years after the DPA paper (Kocher et al.)

• Many successful attacks published on various platforms and real products e.g. KeeLoq, MIFARE Classic, …

• Countermeasures

• Models, theory, leakage resilient crypto

• The CHES workshop, European projects, DPA contest, Open SCA toolbox, …

22-6-2011 13 6/22/2011 14

Basic Concepts of

Implementation Attacks

Principle is nothing new...

“Breaking into a Safe is hard, because one has to solve a single, very hard problem...”

“Things are different if it is possible to solve many small problems instead...”

“Divide et impera!”

Concept: Black box model

Standardized algortihms are secure

CryptographicdevicePlain text Cipher text

Types of Leakage

• Physical attacks ≠ Cryptanalysis

(gray box, physics) (black box, maths)

• Does not tackle the algorithm's math. security

• Timing, Power, EM, Light, Sound, Temperature, RFA Faults,...

Input Output

Leakage

22/06/2011

September 21, 2006 4

Taxonomy of Implementation Attacks

• Active versus passive – Active

• The key is recovered by exploiting some abnormal behavior e.g. power glitches or laser pulses

• Insertion of signals

– Passive• the device operates within its specification

• Reading hidden signals

• Invasive versus non-invasive– Invasive: the strongest type of attack e.g. bus probing

– Semi-invasive: the device is depackaged but no contact to the chip e.g. optical attacks that read out memory cells

– Non-invasive: power measurements

• Side-channel attacks: passive and non-invasive6/22/2011 20

Side-channel Attacks

Concept of leakage

• Side-channel leakage is not intended• Leaked information is not supposed to be known• Can enable new kind of attack

• Often, optimizations enable leakage� CMOS: low static but high dynamic power dissipation� Cache: faster memory access

Origin of leakage

• Due to overall execution time

• Due to the sequence of instructions executed

• Due to the data which is processed

• Due to some physical effects, which are often not very well understood

Power Analysis: capabilities

• “Simple” attacks: one or a few measurements – visual inspection to recognize routines, instructions etc., even key bits

• Differential attacks: multiple measurements– Use of statistics, information theory, signal processing, etc.

– CMOS has data-dependent dynamic power dissipation

Devices under attack

• Smart card

• FPGA, ASIC

• RFID, PDAs

• Phones, USBs, ...

ClockClock

Meas. VDDMeas. VDD

Meas. GNDMeas. GND

RS 232RS 232

ASICASIC TriggerTrigger

22/06/2011

September 21, 2006 5

Measurement setup

6/22/2011 25

Practical Issues

• Quality of measurements– Noise issues

• Algorithmic, sampling, external, intrinsic, quantization

• Averaging multiple observations helps

• Aligning the measurements– Due to time randomization, permuting execution or hw countermeasures

Simple Power Analysis

• Based on one or a few measurements

• Mostly discovery of data-(in)dependent but instruction-dependent properties e.g.

– Symmetric crypto:

• Number of rounds (resp. key length)

• Memory accesses (usually higher power consumption)

– Asymmetric crypto:

• The key (if badly implemented, e.g. RSA / ECC)

• Key length

• Implem. details: for example RSA w/wo CRT

SPA examples

6/22/2011 28

Finding a good place to attack

6/22/2011 29

EM – side-channel

• EM field is proportional to current

• Probe acts as a coil

• The near field distance is often more convenient

• However, EMA usually more difficult than PA – the issue of antenna positioning, etc.

6/22/2011 30

22/06/2011

September 21, 2006 6

DEMA - positioning

6/22/2011 31

DEMA – spectrum information

6/22/2011 32

Also possible for contactless smartcards

Riscure 6/22/2011 34

Active Attacks

Concepts

• In general, semi-invasive and invasive

• Can take really long time (Tarnovsky)

• Glitching - the aim of the manipulations is to introduce a fault

• Gaining access to the chip

• Reading the memories

6/22/2011 35

Goals

• Change software decision– Force approval of false PIN

– Reverse life cycle state

– Enforce access rights

• Insert computational fault– Null key

– Wrong crypto result (Differential Fault Analysis)

6/22/2011 36

22/06/2011

September 21, 2006 7

Types

• Semi-invasive attacks- Using UV light, laser- Fault injection

• Invasive attacks – probing– fibbing– optical reverse engineering– fault injection

6/22/2011 37 38

Tools for physical attacks• Microscope

– optical or scanning electron microscope (SEM)

• Probe station– to probe wires on the chip

• Focused Ion Beam (FIB)– uses ions instead of electrons

– not only for observing, but also making changes: • removing or adding wires, insulators,...

• Laser cutter– to cut holes through passivation layer, expose lower levels for probing,…, for much lower cost than FIB

6/22/2011 39

Typical problems

• Inaccurate timing of fault injection

• Card breaks down after fault injection test

• Slow SCA measurements and strongly misaligned traces

6/22/2011 40

Recent developments

• Theory

– Framework for side-channel analysis

– Leakage resilient crypto

– Algebraic side-channel attacks

– Combining side-channels

• Practice– Even more advances in attacks: algorithm specific (combined with cryptanalysis)

– Other techniques: advanced SP

Conclusions and open problems

• Physical access allows many attack paths

• Trade-off between assumptions and computational complexity

• Interest of industry

• Requires knowledge in many different areas

• How to protect embedded devices – see next talk

6/22/2011 42

22/06/2011

September 21, 2006 8

6/22/2011 43

Thanks