New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs
description
Transcript of New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs
![Page 1: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/1.jpg)
New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs
Chair for Embedded SecurityRuhr University BochumDavid OswaldTimo KasperChristof Paarwww.crypto.rub.de
01.07.2009
![Page 2: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/2.jpg)
Motivation
![Page 3: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/3.jpg)
RFID Smartcards
• Applications: Payment, Access control, ...• Proprietary ciphers: Often insecure• New Generation: 3DES / AES• Mathematically secure
Side Channel Analysis?
01.07.20093
Source: Wikimedia Commons
![Page 4: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/4.jpg)
RFID Side Channel Measurement:Authentication Protocol
01.07.20094
??
Reader: Send protocol value
Smartcard: Encrypt this value with
3DES
Output: Success/Failure
Measure EM
![Page 5: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/5.jpg)
Measurement Setup
![Page 6: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/6.jpg)
Measurement Setup
01.07.20096
![Page 7: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/7.jpg)
Measurement Setup• ISO14443-compatible• Freely Programmable• Low Cost (< 40 €)
01.07.20097
![Page 8: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/8.jpg)
Measurement Setup
• 1 GS/s, 128 MB Memory• ± 100 mV• USB 2.0 Interface
01.07.20098
![Page 9: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/9.jpg)
Measurement Setup
01.07.20099
Aim: Reduce Carrier Wave Influence
vs.
![Page 10: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/10.jpg)
Carrier Dampening
01.07.200910
Aim: Reduce Carrier Wave Influence
vs.
![Page 11: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/11.jpg)
Carrier Dampening
Side-Channel Model (idealised):
=
01.07.200911
![Page 12: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/12.jpg)
Carrier Dampening
Side-Channel Model (idealised):
=
01.07.200912
![Page 13: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/13.jpg)
Carrier Dampening
01.07.200913
![Page 14: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/14.jpg)
Side Channel Analysis
Step 1: Raw measurements
![Page 15: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/15.jpg)
Trace (without analogue filter)
01.07.200915
![Page 16: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/16.jpg)
Trace (without analogue filter)
01.07.200916
![Page 17: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/17.jpg)
Trace (without analogue filter)
01.07.200917
??
![Page 18: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/18.jpg)
Step 2: Analogue filter
![Page 19: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/19.jpg)
Trace (with analogue filter)
01.07.200919
![Page 20: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/20.jpg)
Trace (with analogue filter)
01.07.200920
![Page 21: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/21.jpg)
Trace (with analogue filter)
01.07.200921
??
![Page 22: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/22.jpg)
Step 3: Digital Demodulation
![Page 23: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/23.jpg)
Digital Demodulation
Rectifier Digital Filter
Digital Demodulator
01.07.200923
![Page 24: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/24.jpg)
Digital Demodulation
01.07.200924
![Page 25: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/25.jpg)
Digital Demodulation
01.07.200925
?!?!
![Page 26: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/26.jpg)
Step 4: Alignment
![Page 27: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/27.jpg)
Alignment
Pick Reference Pattern
01.07.200927
![Page 28: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/28.jpg)
Alignment
Pick Reference Pattern
01.07.200928
![Page 29: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/29.jpg)
Alignment
01.07.200929
![Page 30: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/30.jpg)
Alignment
01.07.200930
Varies for identical Plaintext
![Page 31: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/31.jpg)
Step 5: Location of 3DES
![Page 32: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/32.jpg)
Data Bus
Locate Plain- & Ciphertext Transfer
01.07.200932
![Page 33: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/33.jpg)
Data Bus DPA: Plaintext
01.07.200933
8 BitHamming Weight
![Page 34: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/34.jpg)
Data Bus DPA: Ciphertext
01.07.200934
8 BitHamming Weight
![Page 35: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/35.jpg)
Trace Overview
01.07.200935
Plaintext Ciphertext3DES... Other processing
![Page 36: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/36.jpg)
Assumptions
01.07.200936
?!?!
?! ?!CC 3DES3DES
![Page 37: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/37.jpg)
Step 6: Attack
![Page 38: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/38.jpg)
3DES Engine DPA
• 3DES located • Power Model:
Hamming distance R0 R1, 4 Bit (S-Box output)
01.07.200938
?! ?!CC 3DES3DES
![Page 39: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/39.jpg)
3DES-Engine DPA
But:Only for S-Box 1 & 3
01.07.200939
![Page 40: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/40.jpg)
3DES Engine DPA: Peak Extraction
01.07.200940
![Page 41: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/41.jpg)
3DES Engine DPA: Peak Extraction
01.07.200941
![Page 42: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/42.jpg)
3DES Engine DPA: Binwise
01.07.200942
![Page 43: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/43.jpg)
3DES Engine DPA: Binwise
01.07.200943
Apply DPA binwise
![Page 44: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/44.jpg)
3DES Engine DPA: Binwise Correlation
Correct Key for 4 of 8 S-Boxes
01.07.200944
![Page 45: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/45.jpg)
Conclusion
![Page 46: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/46.jpg)
Results
• Real World Device • Black Box Analysis• Low Cost• Key Recovery
01.07.200946
![Page 47: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/47.jpg)
Summary
• Measurement Setup built • Profiling done • Data Bus revealed • Correct Subkey for 4/8 S-Boxes found
01.07.200947
![Page 48: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/48.jpg)
Future Work
• Improve– More traces– Equipment
• Extend– Other RFID smartcards
• Remote Attacks
01.07.200948
![Page 49: New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813b21550346895da3da4c/html5/thumbnails/49.jpg)
Thank you for your attention! Questions?
Chair for Embedded SecurityTimo KasperDavid OswaldChristof Paar www.crypto.rub.de