"The generation of random numbers is too important to be left to chance.” 1 -- Robert R. Coveyou...
"The generation of random numbers is too important to be left to chance.”
-- Robert R. Coveyou
Oak Ridge National Laboratory
Chosen ciphertext attack against RSA - Schneier
n (modulus) = product of secret primes p and q
e (public key) = relatively prime to (p-1)(q-1)
d (private key) = $e^{-1} \bmod ((p-1)(q-1))$
Encrypt: $c = m^e \bmod n$
Decrypt: $m = c^d \bmod n$
Eve gets ciphertext message c from Alice, wants to read it,
i.e., she wants to find $m = c^d$
Choose random r < n, and use Alice’s public key e
$x = r^e \bmod n$
$y = xc \bmod n$
$t = r^{-1} \bmod n$
Note: if $x = r^e \bmod n$, then $r = x^d \bmod n$!
Eve tricks Alice into encrypting (signing) y with her d
Alice sends Eve $u = y^d \bmod n$
Eve then calculates
$tu \bmod n = r^{-1} y^d \bmod n = r^{-1} x^d c^d \bmod n = c^d \bmod n = m$
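The algebra above carried through with toy numbers, as an added example (not part of the original slides) showing why a raw RSA private-key operation must never be applied to a value a stranger supplies. The parameters n = 3233, e = 17, d = 2753, the value r = 7 and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy parameters constructed for this example (far too small for real use):
 * n = 61 * 53 = 3233, e = 17, d = 2753, e*d = 1 mod (p-1)(q-1) = 3120. */
enum { N = 3233, E = 17, D = 2753 };

static uint32_t modpow(uint32_t b, uint32_t e, uint32_t n) {
    uint64_t r = 1, x = b % n;
    for (; e; e >>= 1) {
        if (e & 1) r = r * x % n;
        x = x * x % n;
    }
    return (uint32_t)r;
}

/* Extended Euclid; assumes gcd(a, n) == 1. */
static uint32_t modinv(uint32_t a, uint32_t n) {
    int64_t t = 0, nt = 1, r = n, nr = a % n;
    while (nr != 0) {
        int64_t q = r / nr, tmp;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    return (uint32_t)(t < 0 ? t + n : t);
}

/* Alice's raw private-key operation: no hashing, no padding (the weak setting). */
static uint32_t alice_raw_sign(uint32_t y) { return modpow(y, D, N); }

/* Follows the slide step by step; returns t*u mod n. */
static uint32_t unblind(uint32_t c, uint32_t r) {
    uint32_t x = modpow(r, E, N);                  /* x = r^e mod n  */
    uint32_t y = (uint32_t)((uint64_t)x * c % N);  /* y = xc mod n   */
    uint32_t t = modinv(r, N);                     /* t = r^-1 mod n */
    uint32_t u = alice_raw_sign(y);                /* u = y^d mod n  */
    return (uint32_t)((uint64_t)t * u % N);        /* = c^d mod n = m */
}

int main(void) {
    uint32_t m = 65, c = modpow(m, E, N);
    uint32_t y = (uint32_t)((uint64_t)modpow(7, E, N) * c % N);
    printf("c=%u  value Alice returns=%u  t*u mod n=%u\n",
           c, alice_raw_sign(y), unblind(c, 7));
    return 0;
}
```

Alice only ever sees y and returns r·m mod n, which looks unrelated to m. Hashing the message before signing, or rejecting values that fail a padding check, breaks the relation the last step relies on.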
ECRYPT 2012 Key Length Advice
See www.keylength.com/en/3
Captured One-Time Pads
Russian One-Time Pad captured by MI5
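Don’t reuse those one-time pads!
If
$C_1 = P_1 \oplus K_1$
$C_2 = P_2 \oplus K_1$
$C_3 = P_3 \oplus K_1$
Then try
$C_1 \oplus C_2 \Rightarrow P_1 \oplus K_1 \oplus P_2 \oplus K_1 \Rightarrow P_1 \oplus P_2$
$C_1 \oplus C_3 \Rightarrow P_1 \oplus K_1 \oplus P_3 \oplus K_1 \Rightarrow P_1 \oplus P_3$
$C_2 \oplus C_3 \Rightarrow P_2 \oplus K_1 \oplus P_3 \oplus K_1 \Rightarrow P_2 \oplus P_3$
and
$(P_1 \oplus P_2) \oplus (P_1 \oplus P_3) \Rightarrow (P_2 \oplus P_3)$
$(P_1 \oplus P_2) \oplus (P_2 \oplus P_3) \Rightarrow (P_1 \oplus P_3)$ …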
From Rick Smith: http://cryptosmith.com/archives/70
Don’t reuse those one-time pads!
Key? What Key?
• Alice encrypts: $P \oplus K \Rightarrow C$
• Bob knows the key and decrypts: $C \oplus K \Rightarrow P$
• They agree on a dummy plaintext D and if they’re ever captured, they will give up the key $K' = C \oplus D$
• If the authorities decrypt $C \oplus K' \Rightarrow D$
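The XOR relations from the "Don't reuse those one-time pads!" and "Key? What Key?" slides, checked on bytes in an added example that is not part of the original slides. The messages, pads and function names are constructed, and the bit-7 audit check goes one step beyond the slides and assumes ASCII plaintext.

```c
#include <stdio.h>
#include <string.h>

#define LEN 12

/* Constructed sample data: two messages, the agreed dummy text, two pads. */
static const unsigned char P1[LEN] = "MEET AT TEN";
static const unsigned char P2[LEN] = "SEND MONEY!";
static const unsigned char DUMMY[LEN] = "NOTHING YET";
static const unsigned char K1[LEN] = {0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x4d,
                                      0xb8, 0x16, 0x7f, 0xc3, 0x29, 0xa4};
static const unsigned char K2[LEN] = {0xc5, 0x0e, 0x73, 0xd8, 0x1b, 0x96,
                                      0x42, 0xaf, 0x60, 0x3d, 0xf4, 0x58};

static void xor_buf(unsigned char *out, const unsigned char *a,
                    const unsigned char *b) {
    for (size_t i = 0; i < LEN; i++) out[i] = a[i] ^ b[i];
}

/* 1 if C1 xor C2 equals P1 xor P2 when both used K1: the pad has dropped out. */
int pad_cancels(void) {
    unsigned char c1[LEN], c2[LEN], cc[LEN], pp[LEN];
    xor_buf(c1, P1, K1); xor_buf(c2, P2, K1);
    xor_buf(cc, c1, c2); xor_buf(pp, P1, P2);
    return memcmp(cc, pp, LEN) == 0;
}

/* Audit check: ASCII xor ASCII never sets bit 7, so two ciphertexts whose XOR
 * has bit 7 clear in every byte were very likely sent under the same pad. */
int reuse_suspected(const unsigned char *second_pad) {
    unsigned char c1[LEN], c2[LEN], cc[LEN];
    xor_buf(c1, P1, K1); xor_buf(c2, P2, second_pad); xor_buf(cc, c1, c2);
    for (size_t i = 0; i < LEN; i++) if (cc[i] & 0x80) return 0;
    return 1;
}

/* 1 if K' = C xor D differs from the real key yet decrypts C to the dummy text. */
int dummy_key_opens_to_dummy(void) {
    unsigned char c[LEN], k2[LEN], out[LEN];
    xor_buf(c, P1, K1); xor_buf(k2, c, DUMMY); xor_buf(out, c, k2);
    return memcmp(k2, K1, LEN) != 0 && memcmp(out, DUMMY, LEN) == 0;
}

int main(void) {
    printf("pad cancels: %d, reuse flagged (same pad): %d, (fresh pad): %d, "
           "dummy key works: %d\n", pad_cancels(), reuse_suspected(K1),
           reuse_suspected(K2), dummy_key_opens_to_dummy());
    return 0;
}
```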
Case study: Heartbleed SSL Bug
http://xkcd.com/1353/
struct {
    HeartbeatMessageType type;
    uint16 payload_length;
    uchar payload[HeartbeatMessage.payload_length];
    uchar padding[padding_length];
} HeartbeatMessage;
Power Analysis
Simple Power Analysis: DES Parity Check
DES-CheckParity(byte Key[8])
    for i = 8 down to 1
        parity = 0;
        for j = 8 down to 1
            if (bit j of Key[i] is set)   // CONDITIONAL
                parity = parity + 1       // OPERATION
            endif
        endfor
        if (parity is even) parity_error();
    endfor
end DES-CheckParity
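The parity routine above in C beside a branch-free version, as an added example that is not part of the original slides. The `spikes` counter is an assumed software model of what a power trace exposes (one event per executed conditional increment), and the three keys are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed keys: each byte of KEY_LOW has 1 bit set, of KEY_HIGH 7 bits set
 * (both valid odd parity); KEY_BAD contains one even-parity byte. */
static const uint8_t KEY_LOW[8]  = {0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01};
static const uint8_t KEY_HIGH[8] = {0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE};
static const uint8_t KEY_BAD[8]  = {0x01, 0x01, 0x03, 0x01, 0x01, 0x01, 0x01, 0x01};

/* Assumed leak model: one "spike" per executed conditional increment. */
static unsigned spikes;

/* The slide's routine in C. Returns 1 if every byte has odd parity. */
int check_parity_branchy(const uint8_t key[8]) {
    int ok = 1;
    for (int i = 7; i >= 0; i--) {
        unsigned parity = 0;
        for (int j = 7; j >= 0; j--) {
            if (key[i] & (1u << j)) {          /* CONDITIONAL */
                parity = parity + 1; spikes++; /* OPERATION   */
            }
        }
        if ((parity & 1) == 0) ok = 0;         /* even parity: error */
    }
    return ok;
}

/* Same answer with a fixed instruction sequence: no branch on key bits. */
int check_parity_fixed(const uint8_t key[8]) {
    unsigned all_odd = 1;
    for (int i = 0; i < 8; i++) {
        unsigned b = key[i];
        b ^= b >> 4; b ^= b >> 2; b ^= b >> 1; /* bit 0 = XOR of the 8 bits */
        all_odd &= b & 1u;
    }
    return (int)all_odd;
}

/* Modelled spikes for one key: equals the key's Hamming weight. */
unsigned spikes_for(const uint8_t key[8]) {
    spikes = 0;
    check_parity_branchy(key);
    return spikes;
}

int main(void) {
    printf("spikes: low=%u high=%u\n", spikes_for(KEY_LOW), spikes_for(KEY_HIGH));
    return 0;
}
```

Removing the branch closes the control-flow channel that SPA reads directly off the trace; the data-dependent power draw of the operands themselves remains and is what DPA countermeasures address.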
SPA Attack on DES-Parity
EM History
• Classified TEMPEST standards. Some parts declassified Jan '01, http://www.cryptome.org.
• Published work
  – EM Leakages from Peripherals, E.g., Monitors: Van Eck, Anderson & Kuhn.
  – EM Leakage from smart-cards during Computation.
    • J.-J. Quisquater & David Samyde, E-smart 2001,
    • Gemplus Team [GMO ’01], CHES ’01.
  – SEMA/DEMA attacks.
• Best results require "decapsulation" of chip packaging and/or precise micro-antennas positioning on chip surface
Rao et al.’s Work
• Deeper understanding of the EM leakages.
  – Similar to declassified TEMPEST literature.
• Key Insights/Results
  – Plenty of EM signals are available, provided you know what to look for and where.
    • Superior signals and attacks possible without micro-antennas or decapsulation.
    • Some attacks possible from a distance.
  – EM side-channel(s) >> Power side-channel
    • EM can break DPA-resistant implementations.
EM Emanations Background
• Origin/Types of EM Emanations
  – Direct emanations from intended currents.
    • Maxwell’s equations, Ampere’s and Faraday’s laws.
  – Unintentional emanations from coupling effects.
    • Depend on physical factors, e.g., circuit geometry.
    • Most couplings ignored by circuit designers.
    • Manifest as modulation of carriers (e.g. clock harmonics) present/generated/introduced in device.
      – AM or Angle (FM/Phase) Modulation.
    • Compromising signals available via demodulation.
• Propagation of EM
  – Radiation, Conduction, Combination of both.
    • E.g., Faint EM signals riding on power line.
EM Capturing Equipment
• Antennas (Far-field) and Near-field probes
• Current probes.
• Analog processing: Filters/Amplifiers, Tunable wideband receiver or equivalent $$
• Digital sampling hardware.
ICOM wideband radio receiver with IF output
MAKE YOUR OWN
EM vs. Power
• Sometimes, EM is the only side-channel available.
  – Filtered power supplies, restricted access…
  – E.g. Crypto Tokens, SSL Accelerators,...
[Figure: EM Signal from SSL Accelerator S at 15 feet. Axes: Time (10ns), Amplitude.]
EM vs. Power
• Is EM useful in the presence of power?
• Yes, several EM carriers: Generated, Ambient, Introduced…
  – Experimentally verified:
    • Different carriers carry different information.
    • Some EM leakages substantially different from Power leakages.
Bad Instructions
• Instructions where some EM leakage >> Power leakage.
• Typically CPU intensive rather than bus intensive.
• All architectures have BAD Instructions.
• Example: Bit-test on several 6805 based systems leaks tested bit.
EM Attack Example
2 signals, different data, same exp & modulus
TESTED BIT = 0 IN BOTH TRACES
TESTED BIT DIFFERENT
Countermeasures
• Require sound vulnerability assessment.
• Countermeasures include:
  – Circuit redesign to reduce unintentional emanations.
  – Reducing S/N ratio
    • EM Shielding
    • Noise introduction
    • Physically secure zones.
  – Randomization based software countermeasures similar to DPA countermeasures.