Published by Dayana Weadon
© UCL Crypto group – October 2004 – I0

Low Cost Security for Internet-0? Frontiers and Limits
Jean-Jacques Quisquater, firstname.lastname@example.org
(visiting scientist at MIT) (research director CNRS, France)
Université catholique de Louvain, Louvain-la-Neuve, Belgium
UCL Crypto Group, http://uclcrypto.org

Questions
- security?
- existence of secure objects?
- low cost security?
- state of the art?

Goal of security for I-0
- Accidental access by neighbors
- Malicious access by others
- Cloning?
- Security from internet-1?: many solutions: ssh, tls, https, ipsec, …
- Many crypto algorithms are not designed for low power or for small implementations (compression?)
- Similar situation: smart card (contact or contactless) versus card reader

Cost of security?
Implementation (not the losses)
- Comms
- Silicon area
- Programs (protocols)
- Detectors (intrusion) and firewalls
- Physical security (tamper resistance)
- Update: the third version syndrome

Internet-0
- Low cost object
- Slow and close communication
- « serial » communication
- …

Cost of security? Smart cards
Implementation (not the risk)
- Comms: 9600b-100kb-…
- Silicon area: 3 mm² - 0.1…
- Programs (protocols): 2kBytes-
- Detectors (intrusion) and firewalls: %
- Physical security (tamper resistance): !!!???
- Update: Java applets

Security is a dynamic process
- Best at the beginning of the system life, if static
- Initialisation (keys, names, …): here we need some physical security (context)
- Uses: new applications and contexts
- Update, new attacks (algo, hardware, …)
- End of life

Short Story of Smart Cards
- René Barjavel (1966) « La nuit des temps » (Gondas)
- several inventors in USA (IBM - 1968), Japan, Germany, France
- Roland Moreno (F) pushed the right version (1974)
- Michel Ugon and Louis Guillou were the technical inventors (~ 1977)
- SPOM: single chip (security): 1981: first crypto algo and protocol (secret key): tests in France
- first DES: 1985 (TRASEC, Belgium, TB100 -> Proton)
- first RSA: CORSAIR (Philips): 1989 (coprocessor)
- first RISC 32 bits: 1997 (CASCADE -> GemExpresso)
- first JAVA smart card: 1997 (Schlumberger-software)
- ...

Ring by Moreno (1974) and first smart card (1980)

The chip (a complete computer)
- CPU
- security logic and sensors
- ROM: OS - including self-test procedures
- RAM (mainly static)
- (E)EPROM and/or flash memory
  – cryptographic keys
  – PIN
  – biometric profiles
  – applications
- serial I/O
- internal bus(ses)
- accelerators for crypto algorithms DES, RSA... (coprocessors)

The chip (IC)
[Diagram: ROM; EEPROM / flash memory; CPU; I/O; coprocessor DES – RSA – ECC; security logic; RAM; sensors; firewall; Reset, Ground, Volt, Clock]

A complete computer with crypto

Standards for (secure) chips
- ISO-7816
- GSM 11.*
- EMV
- FIPS 140-1, -2
- …
Do you need it?

Lesson learned from smart cards
- Design for:
  – access for payTV,
  – phone coins,
  – banking cards,
  – common property: easy to trace or small loss.
- Security is « easy »: avoiding intrusion
- But used for many applications with high targets (SWIFT, …)
- Problems of side-channels (1996)

Identification
- knowledge: PIN - password (proof?)
- possession: passport, smart card, I-0 device (proof?)
- (biological) characteristics: biometry (proof?)
(IEEE Spectrum, Feb. 94)

(Physical) naming process
- By an authority (TTP)
- Self-nomination (using some random process)
- Distributed // election of a leader in a group

[Diagram: SENDER (Alice); RECEIVER (Bob); Trust!; message 10010100111; transform or add redundancy: cryptography]

Authentication
[Diagram: PROVER and VERIFIER; labels: password, computer, warden, car, lamp, user, person, driver, switch, identity]
- spy (on line)
- fake prover (copy or fake identity)
- fake verifier

Authentication today
[Diagram: PROVER and VERIFIER; labels: contract, commitment, surprise, answer]

Solutions
- proof:
  – specific protocol: theory invented in 1984, called “zero-knowledge”
- new proof (fresh):
  – verifier must be convinced it is not a replay
- tamper-resistant object:
  – “smart card”
  – secure and powerful microprocessor
  – important subject of research

Alice, Bob
Query: (d-bit string)
Response: (t-bit string)
q ← getRandomCorner(); send(q); r ← receive(); if (abs(r-f(q))

Generic model of card for passive attacks
[Diagram: chip with CLK, GRD, VCC, RST, I/O]
1. timing
2. SPA-DPA
3. probing
4. measures of radiations

Side Story of Side Channel Analysis
- 1986: PIN code of smart card broken by timing attack
- …
- 1992: TNO discovers a relation between smart card power consumption and program code
- 1992: Philips did the same
- …
- 1994: TNO develops software to visualise program structure
- 1995: BellCore invents the “MicroWave Attack”, and Differential Fault Analysis (DFA)
- 1995: Paul Kocher invents timing attack
- 1997: Paul Kocher invents Differential Power Analysis (DPA)
- 1998: TNO implements DPA
- 1998: Gemplus invents Voltage Manipulation (VM)
- 1999: TNO implements VM for Single Fault Injection (SFI)
- 2000: Q.-Samyde implements Electromagnetic Analysis (EMA)
(TNO ©)

Security: Baran (1964, Rand)

Analysis of a simple model (Vernam)
EXOR: input m_i, secret key k_i, output c_i

m_i  k_i  c_i
 0    0    0
 0    1    1
 1    0    1
 1    1    0

If for some reason the two zeroes are not the same (SPA...), this perfect system is completely broken.

Timing attacks
[Diagram: chip with CLK, GRD, VCC, RST, I/O; 1. timing]
Measuring the running time, combined with some knowledge of how the cryptographic algorithm in use is implemented and with many well-chosen input-output pairs, gives the secret key in use after some statistical treatment (works well for RSA-like algorithms).
Countermeasure: I/O not related to the key at all (constant run-time, for instance).

Fault attacks (Bellcore)
Key=1010110...

Implementation problems (Joye, Lenstra, Q.)
- optimisation: minimisation of the number of multiplications and squares
- Error or attack? Bug Pentium …
- Chinese Remainder Theorem
[Diagram: m → exp mod p, exp mod q → combine; error!]
p and q are in danger!

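Why a single error in one CRT half endangers p and q, and how the "verify the result before outputs" countermeasure listed later in the slides contains it, shown as an added example (not from the slides). The key is a constructed toy built from two Mersenne primes, and the function names and the simulated one-bit error are assumptions for illustration.

```python
from math import gcd

# Constructed toy key, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def sign_crt(m, fault_in_q_half=False):
    """RSA signature via CRT; optionally simulate one flipped bit mod q."""
    sp = pow(m, D % (P - 1), P)
    sq = pow(m, D % (Q - 1), Q)
    if fault_in_q_half:
        sq ^= 1                                # constructed single-bit error
    h = (pow(Q, -1, P) * (sp - sq)) % P        # Garner recombination
    return sq + Q * h


def exposed_factor(sig, m):
    """gcd(sig^e - m, n): equals n for a correct signature, a prime if one half is wrong."""
    return gcd((pow(sig, E, N) - m) % N, N)


def sign_crt_checked(m, fault_in_q_half=False):
    """Countermeasure: verify with the public exponent before releasing anything."""
    s = sign_crt(m, fault_in_q_half)
    if pow(s, E, N) != m % N:
        raise ValueError("signature failed self-check; output withheld")
    return s


if __name__ == "__main__":
    msg = 123456789                            # constructed sample message
    print("correct sig exposes :", exposed_factor(sign_crt(msg), msg) == N)
    print("faulty sig exposes p:", exposed_factor(sign_crt(msg, True), msg) == P)
    try:
        sign_crt_checked(msg, True)
    except ValueError as err:
        print("checked signer      :", err)
```

The faulty signature is still correct mod p but wrong mod q, so its difference from the message shares exactly the factor p with n; the checked signer never lets such a value leave the device.
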
ElectroMagnetic Analysis
- Similar processing as PA; sensing and leakage are different.
- Use a different probe (that does not interfere with the chip):
  – Hand-made (Gemplus)
  – RF receiver (IBM)
  – Flat inductor and MEMS (UCL)
[Figure dimensions: 3 mm, 0.5 mm]

Spatial positioning
- Horizontal cartography (XY plane)
  – to pinpoint instruction related areas
  – better if automated
[Figure: CPU, EEPROM, ROM, RAM, CRYPTO, Probe; 4.5 mm, 5.5 mm; Gemplus ©]

Side Channel Conclusion
- Direct and serious threat to the security of crypto systems
- Applicable to all algorithms
- (mostly) a non-destructive class of attacks
- Can be developed in the order of weeks, repeated in the order of hours
- Can be prevented or discouraged by (combinations of) countermeasures

Faults insertion
- Eddy Currents (ESmart 2002)
Aim: Cryptanalysis of an algorithm using fault(s)
- Local heating
- Optical attack (CHES 2002)
- Glitch attack clock
- Local ionisation (Rads 2003)
- UV light applied to a certain location
- X-rays

Security? Free slot at a cyclotron

Countermeasures
- Scramble the memory structure
- Dedicated sensors
- Opaque passivation layer or top-layer shielding
- Self-timed circuit & Dual-rail logic
- CRC
- Software countermeasures

Countermeasures
- Software:
  – Check each bit before setting/resetting it
  – Test integrity of all (Data, Crypto, …)
- Hardware:
  – Scramble the memory structure
  – Implement CRC (well chosen)
  – Build new architecture for error detection/correction
  – Asynchronous processors (www.g3card.org)
  – Dedicated sensors and avoid static sensors
If there is a CRC check, there’s a transistor to give a right or wrong value… It could then be possible to lock the value (FPGA, …).
(UCL ©)

Countermeasures
- A lot: new hardware design, new technology, …
- Randomize carefully!
- No difference between square and multiply (add and doubling): subtle solutions
- Verify the result before outputs, …
- Very mathematical, very cryptographic
- Another story (see recent thesis of Mathieu Ciet – UCL, June 2003 about ECC, and so on).

Other directions
- Quantum cryptography: nanocrypto
- More physics, less cryptography: new research
- Identify the object (variations, added or not)
- Use the object in protocols?