Side-Channel Attacks on Smart Cards
-
Upload
hyacinth-robertson -
Category
Documents
-
view
26 -
download
0
description
Transcript of Side-Channel Attacks on Smart Cards
Side-Channel Attacks on Smart Cards
Timing AnalysisCryptosystems take different amount of time to process different inputs.
•Performance optimisations in software •Branching/condiational statements•Caching in RAM•Variable length instructions (multiply,divide)
Timing measurements taken with various input data can beused to deduce internal workings.
Input: M, N, d = (dn-1dn-2...d1d0)2
Output: S = Md mod N
S = 1for j = n-1...0 do
S = S2 mod N if (dj == 1) then
S = S*M mod N
return S
Timing AnalysisExample: Repeated Square and multiply of modular exponentiation
Timing AnalysisCounter-measure
Input: M, N, d = (dn-1dn-2...d1d0)2
Output: S = Md mod N
S = 1for j = n-1...0 do
S = S2 mod N T = S*M mod Nif (dj == 1) then
S = T
return S
Timing AnalysisCounter measures:
•Implementing constant timing for all operations•Add noise to the execution time. •Prevent an attacker from learning the inputs to a vulnerable operation.
Previous example:S = Md mod N (Can sign multiple M’s to deduce d)
M’ = Re. M mod N => S’ = M’ mod N (M’ is hidden from attacker)
R-1S’ = R-1RedMd = R-1RMd = Md mod N = S
Computational Fault Analysis
Induce faults on computation by:
•power supply•clock frequency and duty cycle, •working temparature•UV lights •microwaves•ion beam
Computational Fault Analysis•Fault induced in CRT used to speed up RSA signature
S = Md mod NSp = Mdp mod p and Sq = Mdq mod qdp = d mod (p-1), dq = d mod (q-1)S = upSp + uqSq mod N
2 signatures on same message, 1 good, 1 faulty can be used to factor N when exactly one of Sp or Sq
is faulty.
S’q = Mdq mod q. Signature S’ will be invalid. p = gcd(N,M- S’e )
Computational Fault Analysis
Coutermeasure: •Results could be verified before exposed. •Randomization by padding messages.
Power AnalysisSimple Power Analysis (SPA) Information about the operation is deduced directly from tracing the global consumption power of the chip
Eg. DES key rotation Eg. RSA exponentiation
Differential Power Analysis (DPA)Statistical analysis on power consumption over several executions of the same algorithm with different inputs
Idea: The average traces on power consumption reduces noiseand reveals otherwise obscured small biases.
Power Analysis
Counter-measures: Avoid conditional branch. Split operands into shares. Interleaving random compuations Hardware to smooth out power characteristics Leak tolerant design methodology
Electromagnetic Analysis
Simple Electromagnetic Analysis (SEMA)Differential Electormagnetic Analsysis (DEMA)
Counter-measure: Signal strength reduction Signal information reduction
Conclusion
Smart cards crypto is constrained by the physical limitation of the microprocessor.
Implementation needs to take into account of possible attacks.
Counter measures taken for attacks need to take into account the efficiency of the implementation in practice.