AES Side Channel Attacks

Presentation on theme: "AES Side Channel Attacks"— Presentation transcript:

1 AES Side Channel Attacks
Biru Cui, Sam Skalicky

2 Outline
- AES algorithm
- Side channel attacks
- Side channel attacks against AES
- Cache-collision timing attack against AES
- Countermeasures

3 AES Algorithm
- Key Expansion
- Initial Round: Add Round Key (bitwise XOR with the round key)
- Rounds: Sub Bytes (S-box), Shift Rows (rows shifted cyclically), Mix Columns (mixing operation on the columns), Add Round Key
- Final Round (no Mix Columns): Sub Bytes, Shift Rows, Add Round Key

4 Rijndael Starting Data

5 Rijndael AES Steps

6 Rijndael Sub Bytes

7 Rijndael Shift Rows

8 Rijndael Mix Columns

9 Rijndael Add Round Key

10 AES Algorithm: AES Lookup Table Optimizations
- Transposed state (Bertoni et al. [2]): speedup in decryption
- CAM-based table (Li [3]): S-box and inverse S-box combined into a single table
- FPGA implementations (McLoone et al. [4]): GF(2^8) operations pre-computed in LUTs

11 Attacks on AES
- Brute force
- Related key
- Side channel

12 Side Channel Attacks: attacks through some implementation deficiency
- Timing of computations
- Power analysis
- Fault injection
- Electromagnetic radiation
- Acoustic cryptanalysis
- Cache

13 Cache-collision timing attack against AES
(figure: memory access time for a cache hit vs. a cache miss)

14 Spy and victim processes sharing a cache (diagram: victim process, spy process, CFS scheduler, cache)
The scenario underlying such attacks is as follows [5]: consider two concurrently running processes (a spy process S and a security-sensitive victim process V) using the same cache. After letting V run for some small amount of time and potentially letting it change the state of the cache, S observes the timings of its own memory accesses, which depend on the state of the cache. These measurements allow S to infer information about the memory locations previously accessed by V.

15 AES Cache Side Channel Attack (Cache Games, Gullasch et al. [5])
- Key recovery after observing ~100 encryptions
- Implemented on Linux against OpenSSL 0.9.8n
- The spy program does not require special privileges on the host machine
- Abuses the Linux Completely Fair Scheduler (CFS) to preempt the victim often enough to observe (nearly) every one of its table accesses

16 AES Cache Attack Features
- No heuristic information about plaintexts or ciphertexts is needed
- Works against compressed tables
- Two-phase operation: observation (~100 encryptions, ~2-3 seconds), then analysis (~3 minutes)

18 Cache-collision timing attack against AES
AES: operations on each byte

19 Cache-collision timing attack against AES
System information (test machine):
- Pentium III, 1.0 GHz
- L1 cache 32 KB (split data/instruction)
- L2 cache 256 KB
- "T" lookup tables: 256 entries of 4 bytes each, i.e. 1 KB per table
Implication: the tables fit in L1, so lines loaded during an encryption are not evicted before it finishes. Once the table is fully loaded there are no further misses; the timing variation comes only from how many distinct table entries the lookups touch, which is what the first-round and final-round collision attacks exploit.

20 Cache-collision timing attack against AES
AES: the computation of every round

21 Actual Results, Pentium III

22 Cache-collision timing attack against AES
First-round table index = key byte XOR plaintext byte [6] (figure)

23 Cache-collision timing attack against AES
First-round table index = key byte XOR plaintext byte. If a plaintext byte is known, as well as which table entry the first-round lookup touched, the key byte is learned [6].

24 Cache-collision timing attack against AES
First Round Attack: the spy process flushes the cache before the encryption, so the lookup table is not in the cache. A cache hit can then only come from a cache collision, i.e. two first-round lookups using the same table index.

25 Cache-collision timing attack against AES
First Round Attack

26 Cache-collision timing attack against AES
First Round Attack: a cache hit shows up as an access time below the average. For every pair of byte positions (i, j) and every value d of p_i XOR p_j, average the encryption time over the observed samples. If a pair (i, j) shows a markedly low average time for some value d, there is a high probability that the two first-round lookups collided, i.e. p_i XOR k_i = p_j XOR k_j, and hence k_i XOR k_j = d.

27 Cache-collision timing attack against AES
Final Round Attack: the final-round lookup table is different from the tables used in the previous rounds, so none of its entries are in the cache when the final round starts. If there is a collision, it is due to two final-round lookups using the same table index.

28 Cache-collision timing attack against AES
Final Round Attack: no MixColumns operation, so each ciphertext byte is a final-round table entry XORed with one byte of the last round key.

29 Cache-collision timing attack against AES
Final Round Attack

30 Cache-collision timing attack against AES
Final Round Attack: a cache hit shows up as an access time below the average. For every pair of byte positions (i, j) and every value d of c_i XOR c_j, average the encryption time over the observed samples. If a pair (i, j) shows a markedly low average time for some value d, there is a high probability that the two final-round lookups collided, and hence that the last-round key satisfies k_i XOR k_j = c_i XOR c_j = d.
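The first-round attack (slides 24-26) and the final-round attack (slides 27-30) as an added simulation, written for this page and not taken from the slides or from Bonneau et al. [6]. No real cache is measured: the "encryption time" of one sample is modelled as the number of distinct table lines touched by the sixteen lookups of the attacked round plus Gaussian noise, which is exactly the slides' idealisation that a hit means an earlier lookup used the same index. Assumptions beyond the slides: the keys are generated from a seeded RNG, the last-round input is treated as uniformly random, the final-round table is a shuffled permutation standing in for OpenSSL's public final-round table (the attack's algebra needs only that it be public), and the noise level is made up. The first-round attack is run twice, once with one entry per line and once with 64-byte lines holding sixteen 4-byte entries, to show that with realistic lines only the top bits of each k_i XOR k_j are recovered.

```python
# Added example (not code from the slides or from Bonneau et al. [6]):
# a simulation of the first-round and final-round cache-collision timing attacks.
# No real cache is measured; timing = distinct table lines touched + noise.
import random

SHIFT_FULL = 0      # one entry per line: a hit means the same table index
SHIFT_64B_LINE = 4  # 64-byte lines of 16 four-byte entries: only index >> 4 leaks


def cache_time(indices, shift, rng, noise=0.5):
    """Modelled time of one encryption: distinct lines touched + noise (constructed)."""
    return len({x >> shift for x in indices}) + rng.gauss(0.0, noise)


def first_round_samples(key, n, shift, rng):
    """Victim side, slides 22-24: the first-round index is p_i xor k_i.
    Returns (plaintext, time) pairs for n random plaintexts."""
    out = []
    for _ in range(n):
        p = [rng.getrandbits(8) for _ in range(16)]
        idx = [pi ^ ki for pi, ki in zip(p, key)]
        out.append((p, cache_time(idx, shift, rng)))
    return out


def final_round_samples(k10, table, n, rng):
    """Victim side, slides 27-28: with no MixColumns, c_i = T4[x_i] xor k10_i.
    The last-round input x is modelled as uniform (assumption); the full-index
    model is used because the derivation needs equal indices, not equal lines."""
    out = []
    for _ in range(n):
        x = [rng.getrandbits(8) for _ in range(16)]
        c = [table[xi] ^ ki for xi, ki in zip(x, k10)]
        out.append((c, cache_time(x, SHIFT_FULL, rng)))
    return out


def recover_xor_diffs(samples, shift):
    """Spy side, slides 26 and 30. For each byte pair (i, j) group the samples by
    d = (b_i xor b_j) >> shift, where b is the plaintext (first round) or the
    ciphertext (final round), and average the times per group. The group with
    the lowest mean is the one whose two lookups always collide, so
    (k_i xor k_j) >> shift == d."""
    groups = 256 >> shift
    result = {}
    for i in range(16):
        for j in range(i + 1, 16):
            sums, counts = [0.0] * groups, [0] * groups
            for b, t in samples:
                d = (b[i] ^ b[j]) >> shift
                sums[d] += t
                counts[d] += 1
            means = [sums[d] / counts[d] if counts[d] else float("inf")
                     for d in range(groups)]
            result[(i, j)] = min(range(groups), key=means.__getitem__)
    return result


def true_xor_diffs(key, shift):
    """What the attack should recover: (k_i xor k_j) >> shift for every pair."""
    return {(i, j): (key[i] ^ key[j]) >> shift
            for i in range(16) for j in range(i + 1, 16)}


def run_demo(seed=1, n=20000):
    """Run the three simulations on constructed keys; returns pass/fail flags."""
    rng = random.Random(seed)
    key = [rng.getrandbits(8) for _ in range(16)]   # constructed first-round key
    k10 = [rng.getrandbits(8) for _ in range(16)]   # constructed last-round key
    t4 = list(range(256))
    rng.shuffle(t4)  # stand-in for the public final-round table (any bijection works)
    first = recover_xor_diffs(first_round_samples(key, n, SHIFT_FULL, rng), SHIFT_FULL)
    first_line = recover_xor_diffs(first_round_samples(key, n, SHIFT_64B_LINE, rng),
                                   SHIFT_64B_LINE)
    final = recover_xor_diffs(final_round_samples(k10, t4, n, rng), SHIFT_FULL)
    return {
        "first_round_ok": first == true_xor_diffs(key, SHIFT_FULL),
        "first_round_line_ok": first_line == true_xor_diffs(key, SHIFT_64B_LINE),
        "final_round_ok": final == true_xor_diffs(k10, SHIFT_FULL),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(name, "recovered" if ok else "FAILED")
```

Both attacks recover only XOR differences between key bytes, so in the full-index model the 120 pair relations pin the 16-byte round key down to 256 candidates (one unknown byte), and with 16-entry lines only the top four bits of each difference are learned. Real measurements carry far more noise than the constructed Gaussian term here, which is why the papers need thousands of samples where this model needs far fewer per group.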

31 Cache-collision timing attack against AES
Result (the encryption counts were not transcribed from the slide)
Attack      Sample type                 Encryptions needed
Bernstein   Plaintext/timing            (not in transcript)
Tsunoo      First/final round attack    (not in transcript)

32 Countermeasures
- AES can be performed without using lookup tables (e.g. bitsliced, constant-time implementations)
- Give the OS the ability to partition the cache between processes
- Put the AES tables into ROM and add special instructions
- Separate AES hardware on the chip (AES-NI on newer Intel CPUs)

33 References
[1] Rijndael flash movie:
[2] G. Bertoni et al., "Efficient Software Implementation of AES on 32-Bit Platforms"
[3] H. Li, "A New CAM Based S/S^-1-Box Look-up Table in AES"
[4] M. McLoone et al., "Rijndael FPGA Implementations Utilising Look-Up Tables"
[5] D. Gullasch et al., "Cache Games – Bringing Access-Based Cache Attacks on AES to Practice"
[6] J. Bonneau et al., "Cache-Collision Timing Attacks Against AES"
[7] D. A. Osvik et al., "Cache Attacks and Countermeasures: the Case of AES"

34 Backup slides

35 Original Mix Columns Equations

36 Revised Mix Columns Equations
Here the operator * denotes a set of 4 ordinary multiplications in the field GF(2^8), performed in parallel on the 4 bytes of each 32-bit word. The generator polynomial used for representing the field GF(2^8) is the standard one of AES (from [2]).

37 FPGA LUT Implementation

