Side Channel Analysis: Practice and a Bit of Theory

Side channel analysisPractice and a bit of theory

Ilya Kizhvatov

2

About myself

• Senior security analyst at Riscure, Delft

• PhD, University of Luxembourg

• Diploma in IT security, ФЗИ РГГУ, Moscow

3

Side channel analysis in 3 minutes

4http://insidenanabreadshead.com/

6

Simple power analysis

https://www.icmag.com/ic/showthread.php?t=217895

7

Countermeasure

Cost-effective: saves 150M euro yearly in NL

http://www.deweblogvanhelmond.nl

8

Differential power analysis

+ + +…

substation

households

–

∆ ≠ 0?

10

In the remaining 45 minutes:Side channel attacks

on embedded devices

• When and where are they applicable?

• How they work?

• What complicates them?

11

Embedded devices

A.78%B. 92%C. 98%

1. G. Borriello and R. Want. Embedded Computation meets the World Wide Web. Commun. ACM, May 2000

Absolute numbers for 2015: 15 billion connected devices2

7 billion people in the world1

How many out of all computing devices are embedded?

2. John Gantz. The Embedded Internet: Methodology and Findings. IDC, January 2009

12

Examples with secure context

code execution

keys

PayTV

Smart grid

Mobile paymenthttp://en.wikipedia.org/wiki/File:Mobile_payment_01.jpg

13

How to protect keys?

Pure software(whitebox crypto)

Go hardware

Recent overview: Dmitry Khovratovich @ 30C3

14

When SW exploitation is not enough

flash

DDR

CPU secure core (crypto)

secure storage(keys)

internal ROM

password protection / lock

JTAG, I2C, …

encryption

Ethernet, USB, UART

15

Secure boot

ROM loader code in flash

public keysignature

verify signature

Fault injection to skip. But when exactly?

20 Ways to Bypass Secure Boot: Job de Haas @ HITB KL 2013

16

Power analysis of secure boot

Boot with valid flash image

Boot with invalid flash image

time to glitch

17

Other examples

• Side Channel Analysis Reverse Engineering

• Interpretation of SW fuzzing effects

• JTAG password check (or PIN verification)

18

Key recovery with SCA

Part 1: Basics

19

A simple measurement setup

21

Zoom-in

22

Experiment: Look-up table

mov ZH, high(S<<1)mov ZL, R0lpm R0, Z

.ORG $800S:.db $63,$7c,$77,…

𝑆𝑎 𝑆 (𝑎)

23

Hamming weight leakage of S(a)

24

AES-128

𝑆𝑎 𝑆 (𝑎⨁𝑘)

𝑘

25

Step 1: Acquire power traces

𝑎1𝑎2

𝑎𝑁

random input bytes

…

1

2

3

…

26

Step 2: Predict leakage of guesses for

𝑎1𝑎2

𝑎𝑁

…

0 1 255

…

27

Step 3: Distinguish the right guess

𝑎1

𝑎2

𝑎𝑁

0 1 255

1

2

3

……

28


𝑎1

𝑎2

𝑎𝑁

0 1 255

1

2

3

……

correlation

29


𝑎1

𝑎2

𝑎𝑁

0 1 255

1

2

3

……

correlation

30


𝑎1

𝑎2

𝑎𝑁

0 1 255

1

2

3

……

correlation

31


𝑎1

𝑎2

𝑎𝑁

0 1 255

1

2

3

……

correlation

32


𝑎1

𝑎2

𝑎𝑁

0 1 255

1

2

3

……

correlation

33


𝑎1

𝑎2

𝑎𝑁

0 1 255

1

2

3

……

correlation

34


𝑎1

𝑎2

𝑎𝑁

0 1 255

1

2

3

……

correlation

35


𝑎1

𝑎2

𝑎𝑁

0 1 255

1

2

3

……

correlation

37

Key recovery with SCA

Part 2: Complications

38

Choice of side channel

http://www.dailymail.co.uk/news/article-2606972

39http://www.dailymail.co.uk/news/article-2606972

40http://news.bbc.co.uk/2/hi/uk_news/england/leicestershire/8447110.stm

41

EM leakage: where to measure?

42


Spectral intensityaround 32 MHz

43


Spectral intensityaround 64 MHz

Distance betweenright and wrong

key guesses

44

How to trigger?

• If dedicated trigger pin: easy

• Else if there is a pattern:– align online (special FPGA solution for triggering

on a pattern)– or align offline (processing complexity)

• Else attack as is (more traces needed)

45

Misalignment: Spot a pattern

46

Effect of misalignment on DPA

well aligned traces misaligned traces

Leakage spread across k samples k2 times more traces

47

Which target variable?

• SW AES (ATmega)S-box output

• Simple HW AES (ATXmega, 8-bit datapath)S-boxi in XOR S-boxi+1 in

• Full-blown HW AES (128-bit datapath)staten-1 XOR staten (requires known inputs!)

48

Which leakage model?

• Hamming weight (distance) often works

• More precise model faster attack

• Tools for leakage modelling:– Template attacks (profiling)– Linear regression

49

Fitting a leakage model

{𝟏𝟔𝟒=𝜷𝒄𝒐𝒏𝒔𝒕+𝜷𝟎 ∙𝟎𝟏𝟓𝟎=𝜷𝒄𝒐𝒏𝒔𝒕+𝜷𝟎 ∙𝟏

…𝟏𝟖𝟎=𝜷𝒄𝒐𝒏𝒔𝒕+𝜷𝟎 ∙𝟏

measured leakage

target variable

predictions

Solution using OLS:

50

Effect of a precise leakage model

Hamming weight model Model fit usinglinear regression

51

How to brute force DPA output?

… … … …

x x x x x.0065

.0063

.0062

.0010

…

.0071

.0068

.0067

.009

.0069

.0068

.0067

.0010

.0068

.0067

.0066

.0011

.0072

.0069

.0066

.0013

.0070

.0068

.0065

.008

x…

𝑘1 𝑘2 𝑘16𝑘3 𝑘4 𝑘15

52

How to brute force DPA output?

… … … …

x x x x x.0065

.0063

.0062

.0010

…

.0071

.0068

.0067

.009

.0069

.0068

.0067

.0010

.0068

.0067

.0066

.0011

.0072

.0069

.0066

.0013

.0070

.0068

.0065

.008

x…

• 5-6 candidates per byte full keys (1 day on a desktop PC)

• Solution: key enumeration (e.g. Veyrat-Charvillon et al. @ SAC2012)

• Challenge: memory consumption and therefore speed keys needs 70 GB of RAM and 9 days on a desktop PC

𝑘1 𝑘2 𝑘16𝑘3 𝑘4 𝑘15

53

Countermeasures

• desynchronize• shuffle with dummy crypto operations

• masking (split sensitive variables into many)

• limit the number of crypto operationssmartcards: 65K operations only

• frequent key update

Most patented by CRI

55

What makes an attack?

• Factors (according to JHAS*):– Time– Expertise– Equipment– Knowledge about the target– Number of device samples– Samples with known or chosen keys

• Identification ≠ exploitation* Joint Interpretation Library Hardware Attacks Subgroup

56

Complexity indicators

Identification Exploitation

General-purpose microcontroller < day < hour

(< thousand traces)

SoC without SCAcountermeasures < month < week

(millions of traces)

SoC with SCAcountermeasures

> month+ advanced SCA skills

+ high-end DSO> month

(billions of traces)

57

Special thanks to my colleagues at RiscureJob de Haas, Jing Pan, Eloi Sanfèlix, Albert Spruit

Contact: [email protected]

Side Channel Analysis: Practice and a Bit of Theory

Technology

Transcript of Side Channel Analysis: Practice and a Bit of Theory