Introduction to Implementation Attacks - COSIC - KU Leuven
22/06/2011
September 21, 2006 1
6/22/2011 1
Introduction to implementation attacks
Lejla Batina
RU Nijmegen
and KU Leuven
Acknowledgements:
B. Gierlichs, I. Verbauwhede (KU Leuven)
E. Poll (RU Nijmegen) and Riscure, Delft
Side-channel Analysis
E.g. pizza deliveries as a side-channel
Side-channel Analysis
• Monday evening
• Tuesday evening
Outline
• Introduction: implementations of security vs secure implementations
• Basic concepts of implementation attacks
• Side-channel attacks
• Active attacks
• Conclusions
Introduction
Embedded cryptographic devices
http://www.coolestgadgets.com/
http://www.rsa.com/
Embedded security: resource limitation and physical accessibility
(In)security for Embedded Systems
“Remote keyless entry system for cars and buildings is hacked”, March 31, 2008
KeeLoq: eavesdropping from up to 100 m
2 messages are enough
www.crypto.rub.de/keeloq
Even SPA is possible, July 19, 2009
“Hackers crack open mobile network”, Dec. 31, 2010
Mobile calls and texts made on any GSM network can be eavesdropped upon using four cheap phones and open source software.
PlayStation 3 'hacked' by iPhone cracker
http://www.bbc.co.uk/news/technology
More (In)security for Embedded Systems
“Devices That Tell On You: The Nike+iPod Sport Kit”
T. Saponas, J. Lester, C. Hartung, T. Kohno
http://www.cs.washington.edu/research/systems/privacy.html
- Tracks up to 60 feet = 20 meter
- No privacy measures included
[www.apple.com: nike+ipod]
Embedded Security
Old Model (simplified view):
- Attack on channel between communicating parties
- Encryption and cryptographic operations in black boxes
- Protection by strong mathematical algorithms and protocols
- Computationally secure
Embedded Security
New Model (also simplified view):
- Attack on channel and endpoints
- Encryption and cryptographic operations in gray boxes
- Protection by strong mathematical algorithms and protocols
- Protection by secure implementation
Need secure implementations not only algorithms
I. Verbauwhede, P. Schaumont
Embedded Security
We NEED BOTH
• Efficient Implementation
– Within power, area, timing budgets
– Public key: 1024 bits RSA on 8 bit µC and 100 µW
– Public key on a passive RFID tag
• Secure (trustworthy) implementation
– Resistant to attacks
– Active attacks: probing, (power) glitches, JTAG scan chain, cold-boot, …
– Passive attacks: timing, power consumption, electromagnetic radiation, sound…
Why a hard engineering problem?
• More difficult to guarantee that something will not happen (attacks) than that something will happen.
• Engineers are trained to make something happen.
> 10 years after the DPA paper (Kocher et al.)
• Many successful attacks published on various platforms and real products e.g. KeeLoq, MIFARE Classic, …
• Countermeasures
• Models, theory, leakage resilient crypto
• The CHES workshop, European projects, DPA contest, Open SCA toolbox, …
Basic Concepts of Implementation Attacks
Principle is nothing new...
“Breaking into a Safe is hard, because one has to solve a single, very hard problem...”
“Things are different if it is possible to solve many small problems instead...”
“Divide et impera!”
Concept: Black box model
Standardized algorithms are secure
[Figure: Plain text → Cryptographic device → Cipher text]
Types of Leakage
• Physical attacks (gray box, physics) ≠ Cryptanalysis (black box, maths)
• Does not tackle the algorithm's mathematical security
• Timing, Power, EM, Light, Sound, Temperature, RFA Faults,...
[Figure: device with Input, Output and Leakage]
Taxonomy of Implementation Attacks
• Active versus passive
– Active
• The key is recovered by exploiting some abnormal behavior e.g. power glitches or laser pulses
• Insertion of signals
– Passive
• The device operates within its specification
• Reading hidden signals
• Invasive versus non-invasive
– Invasive: the strongest type of attack e.g. bus probing
– Semi-invasive: the device is depackaged but no contact to the chip e.g. optical attacks that read out memory cells
– Non-invasive: power measurements
• Side-channel attacks: passive and non-invasive
Side-channel Attacks
Concept of leakage
• Side-channel leakage is not intended
• Leaked information is not supposed to be known
• Can enable a new kind of attack
• Often, optimizations enable leakage
– CMOS: low static but high dynamic power dissipation
– Cache: faster memory access
Origin of leakage
• Due to overall execution time
• Due to the sequence of instructions executed
• Due to the data which is processed
• Due to some physical effects, which are often not very well understood
Power Analysis: capabilities
• “Simple” attacks: one or a few measurements
– visual inspection to recognize routines, instructions etc., even key bits
• Differential attacks: multiple measurements
– Use of statistics, information theory, signal processing, etc.
– CMOS has data-dependent dynamic power dissipation
Devices under attack
• Smart card
• FPGA, ASIC
• RFID, PDAs
• Phones, USBs, ...
[Figure labels: Clock, Meas. VDD, Meas. GND, RS 232, ASIC, Trigger]
Measurement setup
Practical Issues
• Quality of measurements
– Noise issues
• Algorithmic, sampling, external, intrinsic, quantization
• Averaging multiple observations helps
• Aligning the measurements
– Due to time randomization, permuting execution or hw countermeasures
Simple Power Analysis
• Based on one or a few measurements
• Mostly discovery of data-(in)dependent but instruction-dependent properties e.g.
– Symmetric crypto:
• Number of rounds (resp. key length)
• Memory accesses (usually higher power consumption)
– Asymmetric crypto:
• The key (if badly implemented, e.g. RSA / ECC)
• Key length
• Implementation details: for example RSA with/without CRT
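The "badly implemented" RSA case above, as an added example that is not from the original slides: square-and-multiply with a key-dependent multiply beside a Montgomery ladder, with an operation log standing in for the instruction pattern visible in a single trace. All function names, the 4-bit exponents and the modulus are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Stand-in for what one power trace shows: 'S' = square, 'M' = multiply. */
typedef struct { char ops[64]; int n; } oplog;   /* enough for bits <= 31 */
typedef uint32_t (*modexp_fn)(uint32_t, uint32_t, int, uint32_t, oplog *);
static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t m, oplog *log, char tag) {
    log->ops[log->n++] = tag; log->ops[log->n] = '\0';
    return (uint32_t)(((uint64_t)a * b) % m);
}

/* Square-and-multiply: the multiply runs only for 1 bits, so the ops spell the key. */
uint32_t modexp_leaky(uint32_t base, uint32_t exp, int bits, uint32_t m, oplog *log) {
    uint32_t r = 1 % m;
    log->n = 0;
    for (int i = bits - 1; i >= 0; i--) {
        r = mulmod(r, r, m, log, 'S');
        if ((exp >> i) & 1)
            r = mulmod(r, base, m, log, 'M');
    }
    return r;
}

/* Montgomery ladder: one M and one S per bit (real code also avoids the secret index). */
uint32_t modexp_ladder(uint32_t base, uint32_t exp, int bits, uint32_t m, oplog *log) {
    uint32_t r[2] = { 1 % m, base % m };
    log->n = 0;
    for (int i = bits - 1; i >= 0; i--) {
        uint32_t b = (exp >> i) & 1;
        r[1 - b] = mulmod(r[0], r[1], m, log, 'M');
        r[b] = mulmod(r[b], r[b], m, log, 'S');
    }
    return r[0];
}

/* Developer-side check: does the operation sequence change with the exponent? */
int ops_depend_on_exponent(modexp_fn f, uint32_t e1, uint32_t e2, int bits) {
    oplog a, b;
    f(7, e1, bits, 1000003u, &a);   /* base and modulus are constructed values */
    f(7, e2, bits, 1000003u, &b);
    return strcmp(a.ops, b.ops) != 0;
}

int main(void) {
    oplog l;
    modexp_leaky(7, 11, 4, 1000003u, &l);  printf("leaky : %s\n", l.ops);
    modexp_ladder(7, 11, 4, 1000003u, &l); printf("ladder: %s\n", l.ops);
    return 0;
}
```

The same check can run as a regression test over an implementation's instrumented operation log; it covers instruction-sequence leakage only, not the data-dependent leakage that differential attacks use.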
SPA examples
Finding a good place to attack
EM – side-channel
• EM field is proportional to current
• Probe acts as a coil
• The near field distance is often more convenient
• However, EMA usually more difficult than PA – the issue of antenna positioning, etc.
DEMA - positioning
DEMA – spectrum information
Also possible for contactless smartcards
Riscure
Active Attacks
Concepts
• In general, semi-invasive and invasive
• Can take a really long time (Tarnovsky)
• Glitching - the aim of the manipulations is to introduce a fault
• Gaining access to the chip
• Reading the memories
Goals
• Change software decision
– Force approval of false PIN
– Reverse life cycle state
– Enforce access rights
• Insert computational fault
– Null key
– Wrong crypto result (Differential Fault Analysis)
Types
• Semi-invasive attacks
– Using UV light, laser
– Fault injection
• Invasive attacks
– probing
– fibbing
– optical reverse engineering
– fault injection
Tools for physical attacks
• Microscope
– optical or scanning electron microscope (SEM)
• Probe station
– to probe wires on the chip
• Focused Ion Beam (FIB)
– uses ions instead of electrons
– not only for observing, but also making changes:
• removing or adding wires, insulators,...
• Laser cutter
– to cut holes through passivation layer, expose lower levels for probing,…, for much lower cost than FIB
Typical problems
• Inaccurate timing of fault injection
• Card breaks down after fault injection test
• Slow SCA measurements and strongly misaligned traces
Recent developments
• Theory
– Framework for side-channel analysis
– Leakage resilient crypto
– Algebraic side-channel attacks
– Combining side-channels
• Practice
– Even more advances in attacks: algorithm specific (combined with cryptanalysis)
– Other techniques: advanced SP
Conclusions and open problems
• Physical access allows many attack paths
• Trade-off between assumptions and computational complexity
• Interest of industry
• Requires knowledge in many different areas
• How to protect embedded devices – see next talk