Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography. Josh Benaloh, Brian LaMacchia. Winter 2011.


Transcript of Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography
Josh Benaloh
Brian LaMacchia
Winter 2011
January 27, 2011

Side-Channel Attacks

Breaking a cryptosystem is a frontal attack, but there may be easier access through a side or back door, especially on embedded cryptographic devices such as SmartCards and RFIDs.

Side-Channel Attacks

Some attack vectors:
- Fault Attacks
- Timing Attacks
- Cache Attacks
- Power Analysis
- Electromagnetic Emissions
- Acoustic Emissions
- Information Disclosure
- others?

Fault Attacks

Timing Attacks

How long does it take to perform a decryption?

The answer may be data-dependent.

For instance

Cache Attacks

If you can run code on the same device where a decryption is being performed, you may be able to selectively force certain cache lines to be flushed.

Decryption times may vary in a key-dependent manner based upon which lines have been flushed.

Power Analysis

Power usage of a device may vary in a key-dependent manner.

Careful measurement and analysis of power consumption can be used to determine the key.

Electromagnetic Emissions

One can record electromagnetic emissions of a device, often at a distance.

Careful analysis of the emissions may reveal a secret key.

Acoustic Emissions

Modular exponentiation is usually done with repeated squaring and conditional side multiplications.

It can actually be possible to hear whether or not these conditional multiplications are performed.
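The key-dependent work described under Timing Attacks and Acoustic Emissions, as an added example that is not part of the original slides: square-and-multiply performs one conditional multiplication per 1 bit of the exponent, while a Montgomery ladder (a standard countermeasure the slides do not name) performs the same operations for every bit. The modulus, base and exponents are constructed toy values.

```python
# Added illustration; MOD, SPARSE and DENSE are constructed sample values.

def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation.

    Returns (result, squarings, multiplications). The multiplication count
    equals the number of 1 bits in exp, so the work depends on the secret.
    """
    result, squarings, mults = 1, 0, 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        squarings += 1
        if bit == "1":  # conditional side multiplication: the observable event
            result = (result * base) % mod
            mults += 1
    return result, squarings, mults


def montgomery_ladder(base, exp, mod):
    """Montgomery ladder: one multiplication and one squaring for every bit.

    Returns (result, squarings, multiplications). A production version would
    also replace the branch below with a constant-time conditional swap.
    """
    r0, r1 = 1, base % mod
    squarings = mults = 0
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0, r1 = (r0 * r1) % mod, (r1 * r1) % mod
        else:
            r0, r1 = (r0 * r0) % mod, (r0 * r1) % mod
        squarings += 1
        mults += 1
    return r0, squarings, mults


MOD = 1000003          # constructed toy modulus
SPARSE = 0b10000001    # constructed 8-bit exponent with two 1 bits
DENSE = 0b11111111     # constructed 8-bit exponent with eight 1 bits

if __name__ == "__main__":
    for name, d in (("sparse", SPARSE), ("dense", DENSE)):
        print(name, square_and_multiply(7, d, MOD)[1:], montgomery_ladder(7, d, MOD)[1:])
```

Both exponents have the same bit length, so any difference in the first function's counts comes only from the bit pattern of the exponent.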

Information Disclosures

(N.B. Bleichenbacher Attack)

A protocol may respond differently to properly and improperly formed data.

Careful manipulation of data may elicit responses which disclose information about a desired key or decryption value.
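An added example, not from the original slides, of the response difference described under Information Disclosures: a handler that answers each malformed block differently beside one that answers every block the same way. It assumes the PKCS #1 v1.5 encryption padding layout that Bleichenbacher's attack concerns; the function names and sample blocks are hypothetical and constructed.

```python
import os

# Added illustration. Assumed block layout (PKCS #1 v1.5 encryption padding):
# 0x00 0x02 | at least 8 nonzero padding bytes | 0x00 | message

class BadHeader(Exception):
    pass

class BadPadding(Exception):
    pass

def unpad(block: bytes) -> bytes:
    if block[:2] != b"\x00\x02":
        raise BadHeader()
    sep = block.find(b"\x00", 2)
    if sep < 10:  # no separator (-1) or fewer than 8 padding bytes
        raise BadPadding()
    return block[sep + 1:]

def respond_leaky(block: bytes) -> str:
    """Weak: each failure mode gets its own reply, so replies describe the plaintext."""
    try:
        unpad(block)
    except BadHeader:
        return "error: bad block type"
    except BadPadding:
        return "error: bad padding"
    return "ok"

def unwrap_uniform(block: bytes, secret_len: int) -> bytes:
    """Hardened: a malformed block silently yields a random secret of the expected length."""
    fallback = os.urandom(secret_len)  # drawn before parsing, on every call
    try:
        secret = unpad(block)
    except (BadHeader, BadPadding):
        secret = b""
    return secret if len(secret) == secret_len else fallback

def respond_uniform(block: bytes, secret_len: int = 4) -> str:
    """Same reply for every block; a wrong secret only fails the later key check."""
    unwrap_uniform(block, secret_len)
    return "continue"

# Constructed 16-byte decrypted blocks (toy size, not real RSA output)
GOOD = b"\x00\x02" + b"\xaa" * 9 + b"\x00" + b"KEY!"
WRONG_TYPE = b"\x00\x01" + b"\xaa" * 9 + b"\x00" + b"KEY!"
SHORT_PAD = b"\x00\x02" + b"\xaa" * 3 + b"\x00" + b"K" * 10
```

Python gives no constant-time guarantee, so this shows only the reply channel; processing time has to be made uniform as well.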

Certificate Revocation

Every reasonable certification should include an expiration.

It is sometimes necessary to revoke a certificate before it expires.

Certificate Revocation

Reasons for revocation:
- Key Compromise
- False Issuance
- Role Modification

Certificate Revocation

Two primary mechanisms:
- Certificate Revocation Lists (CRLs)
- Online Certificate Status Protocol (OCSP)

Certificate Revocation Lists

- A CA revokes a certificate by placing its identifying serial number on its Certificate Revocation List (CRL)
- Every CA issues CRLs to cancel out issued certs
- A CRL is like anti-matter: when it comes into contact with a certificate it lists, it cancels out the certificate
- Think "1970s-style credit-card blacklist"
- Relying parties are expected to check the most recent CRLs before they rely on a certificate
- "The cert is valid unless you hear something telling you otherwise"

The Problem with CRLs

Blacklists have numerous problems:
- They can grow very large because certs cannot be removed until they expire.
- They are not issued frequently enough to be effective against a serious attack.
- Their size can make them expensive to distribute (especially on low-bandwidth channels).
- They are vulnerable to simple DOS attacks. (What do you do if you can't get the current CRL?)

More Problems with CRLs

Yet More Problems with CRLs

Revoking a cert used by a CA to issue other certs is even harder since this may invalidate an entire set of certs.

Self-signed certificates are often used as a syntactic convenience. Is it meaningful for a cert to revoke itself?

Even More Problems with CRLs

CRLs can't be revoked.
- If a cert has been mistakenly revoked, the revocation can't be reversed.

CRLs can't be updated.
- There's no mechanism to issue a new CRL to relying parties early even if there's an urgent need to issue new revocations.

Short-Lived Certificates

If you need to go to a CA to get a fresh CRL, why not just go to a CA to get a fresh cert?

CRLs vs. OCSP Responses

Aggregation vs. Freshness
- CRLs combine revocation information for many certs into one long-lived object
- OCSP Responses are designed for real-time responses to queries about the status of a single certificate
- Both CRLs & OCSP Responses are generated by the issuing CA or its designate. (Generally this is not the relying party.)
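A relying party's CRL decision, as an added example that is not part of the original slides, covering the two failure cases raised above: a CRL that is out of date and a CRL that cannot be obtained. The CRL class, field names, serial numbers and "Example CA" are constructed, and the CRL signature is assumed to have been verified already.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class CRL:
    """Constructed stand-in for a parsed CRL whose signature was already verified."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset

def check_revocation(serial: int, issuer: str, crl: Optional[CRL],
                     now: datetime, hard_fail: bool = True):
    """Return (accept, reason) for one certificate.

    hard_fail=True rejects when no current CRL is available;
    hard_fail=False is "valid unless you hear otherwise".
    """
    if crl is None or crl.issuer != issuer:
        # Nothing usable: this is what blocking CRL delivery achieves.
        return (not hard_fail, "no-usable-crl")
    if serial in crl.revoked_serials:
        # A listing is never undone, so even an old CRL is enough to reject.
        return (False, "revoked")
    if now > crl.next_update:
        # Not listed, but the list is old: newer revocations are invisible.
        return (not hard_fail, "crl-stale")
    return (True, "not-listed")

# Constructed sample data: serial 1002 was revoked after STALE was issued.
NOW = datetime(2011, 1, 27, 12, 0)
FRESH = CRL("Example CA", NOW - timedelta(days=1), NOW + timedelta(days=6),
            frozenset({1001, 1002}))
STALE = CRL("Example CA", NOW - timedelta(days=14), NOW - timedelta(days=7),
            frozenset({1001}))

if __name__ == "__main__":
    for crl in (FRESH, STALE, None):
        for policy in (True, False):
            print(policy, check_revocation(1002, "Example CA", crl, NOW, policy))
```

With the soft-fail policy, serial 1002 is accepted both when only the stale CRL is on hand and when no CRL can be fetched, which is the weakness the slides point at.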

Online Status Checking

- OCSP: Online Certificate Status Protocol
- A way to ask "is this certificate good right now?"
- Get back a signed response from the OCSP server saying, "Yes, cert C is good at time t"
- Response is like a "freshness certificate"
- OCSP response is like a selective CRL
- Client indicates the certs for which he wants status information
- OCSP responder dynamically creates a lightweight CRL-like response for those certs

OCSP in Action

(Diagram labels: End-entity, CA, Relying Party; Cert, Cert Request, OCSP Request, OCSP For Cert, OCSP Response, Transaction Response, Cert + Transaction)

Final thoughts on Revocation

- From a financial standpoint, it's the revocation data that is valuable, not the issued certificate itself.
- For high-valued financial transactions, seller wants to know your cert is good right now.
- This is similar to credit cards, where the merchant wants the card authorized right now at the point-of-sale.
- Card authorizations transfer risk from merchant to bank, thus they're worth $$$.

Design Charrette

How would you design a transit fare card system?

Fare Card System Elements

- An RFID card for each rider
- Readers on each vehicle and/or transit station (Internet connected?)
- Card purchase/payment machines
- A web portal for riders to manage and/or enrich their cards