Presentation is loading. Please wait.

Presentation is loading. Please wait.

© UCL Crypto group – October 2004 – I0 Low Cost Security for Internet-0? Frontiers and Limits Jean-Jacques Quisquater (visiting scientist.

Similar presentations


Presentation on theme: "© UCL Crypto group – October 2004 – I0 Low Cost Security for Internet-0? Frontiers and Limits Jean-Jacques Quisquater (visiting scientist."— Presentation transcript:

1 © UCL Crypto group – October 2004 – I0 Low Cost Security for Internet-0? Frontiers and Limits Jean-Jacques Quisquater jjq@dice.ucl.ac.be (visiting scientist at MIT) (research director CNRS, France) Université catholique de Louvain Louvain-la-Neuve, Belgium UCL Crypto Group http://uclcrypto.org

2 © UCL Crypto group October 2004 - I0 2 bquestionsquestions security? existence of secure objects? low cost security? state-of-the art? security? existence of secure objects? low cost security? state-of-the art?

3 © UCL Crypto group October 2004 - I0 3 Goal of security for I-0 Accidental access by neighbors Malicious access by others Cloning? Security from internet-1?: many solutions: ssh, tls, https, ipsec, … Many crypto algorithms are not designed for low power or for small implementations (compression?) Similar situation: smart card (contact or contactless) versus card reader

4 © UCL Crypto group October 2004 - I0 4 Cost of security? Implementation (not the losses) Comms Silicon area Programs (protocols) Detectors (intrusion) and firewalls Physical security (tamperresistance) Update: the third version syndrome

5 © UCL Crypto group October 2004 - I0 5 Internet-0 Low cost object Slow and close communication « serial » communication …

6 © UCL Crypto group October 2004 - I0 6 Cost of security? Smart cards Implementation (not the risk) Comms 9600b-100kb-…- Silicon area 3mm 2- O.1… Programs (protocols) 2kBytes- Detectors (intrusion) and firewalls % Physical security (tamperresistance) !!!??? Update: Java applets

7 © UCL Crypto group October 2004 - I0 7 Security is a dynamic process Best at the beginning of the system life, if static Initialisation (keys, names, …): here we need some physical security (context) Uses: new applications and contexts Update, new attacks (algo, hardware, …) End of life

8 © UCL Crypto group – October 2004 – I0 Short Story of Smart Cards René Barjavel (1966) « La nuit des temps » (Gondas) several inventors in USA (IBM - 1968), Japan, Germany, France Roland Moreno (F) pushed the right version (1974) Michel Ugon and Louis Guillou were the technical inventors (~ 1977) SPOM: single chip (security): 1981: first crypto algo and protocol (secret key): tests in France first DES: 1985 (TRASEC, Belgium,TB100 -> Proton) first RSA: CORSAIR(Philips): 1989 (coprocessor) first RISC 32 bits: 1997 (CASCADE-> GemExpresso) first JAVA smart card: 1997 (Schlumberger-software)...

9 © UCL Crypto group October 2004 - I0 9 Ring by Moreno (1974) and first smart card (1980)

10 © UCL Crypto group October 2004 - I0 10 The chip (a complete computer) CPU security logic and sensors ROM: OS - including self-test procedures RAM (mainly static) (E)EPROM and/or flash memory –cryptographic keys –PIN –biometric profiles –applications serial I/O internal bus(ses) accelerators for cryptoalgorithms DES, RSA... (coprocessors)

11 © UCL Crypto group October 2004 - I0 11 The chip (IC) ROM EEPROM flash memory EEPROM flash memory CPU I/O coprocessor DES – RSA -ECC coprocessor DES – RSA -ECC security logic security logic RAM sensors firewall Reset Ground Volt Clock

12 © UCL Crypto group October 2004 - I0 12 A complete computer with crypto

13 © UCL Crypto group October 2004 - I0 13 Standards for (secure) chips ISO-7816 GSM 11.* EMV FIPS 140-1,-2 … Do you need it?

14 © UCL Crypto group October 2004 - I0 14 Lesson learned from smart cards Design for: – access for payTV, – phone coins, – banking cards, – common property: easy to trace or small loss. Security is « easy »: avoiding intrusion But used for many applications with high targets (SWIFT, …) Problems of side-channels (1996)

15 © UCL Crypto group October 2004 - I0 15 identification possession knowledge (biological)characteristics PIN - password passport smart card I-0 device passport smart card I-0 device biometrybiometry  IEEE spectrum Feb. 94  IEEE spectrum Feb. 94 proof? proof? proof?

16 © UCL Crypto group October 2004 - I0 16 (Physical) naming process By an authority (TTP) Self-nomination (using some random process) Distributed // election of a leader in a group

17 © UCL Crypto group October 2004 - I0 ; transform or add redondancy : cryptography SENDER (Alice) SENDER (Alice) RECEIVER (Bob) Trust! RECEIVER (Bob) Trust!  message 10010100111      

18 © UCL Crypto group October 2004 - I0 authentication PROVER VERIFIER password computer warden carlamp user person driverswitch identity  spy (on line)  fake prover (copy or fake identity)  fake verifier

19 © UCL Crypto group October 2004 - I0 Authentication today PROVER VERIFIER contract commitment surprise answer

20 © UCL Crypto group October 2004 - I0  proof: –specific protocol: theory invented in 1984, called “zero-knowledge”  new proof (fresh): –verifier must be convinced it is not a replay  tamper-resistant object: –“smart card” –secure and powerful microprocessor –important subject of research Solutions

21 © UCL Crypto group – October 2004 – I0 AliceBob Query: (d-bit string) Response: (t-bit string) q ← g etRandomCorner(); send (q); r ← receive(); if (abs(r-f(q)) { "@context": "http://schema.org", "@type": "ImageObject", "contentUrl": "http://images.slideplayer.com/13/3877799/slides/slide_21.jpg", "name": "© UCL Crypto group – October 2004 – I0 AliceBob Query: (d-bit string) Response: (t-bit string) q ← g etRandomCorner(); send (q); r ← receive(); if (abs(r-f(q))

22 © UCL Crypto group October 2004 - I0 22

23 © UCL Crypto group October 2004 - I0 23 Generic model of card for passive attacks ChipChip CLK GRD VCC RST I/O 2. SPA-DPA 1. timing 3. probing 4. measures of radiations 4. measures of radiations

24 © UCL Crypto group October 2004 - I0 24 Side Story of Side Channel Analysis 1986: PIN code of smart card broken by timing attack … 1992: TNO discovers a relation between smart card power consumption and program code 1992: Philips did the same … 1994: TNO develops software to visualise program structure 1995: BellCore invents the “MicroWave Attack”, and Differential Fault Analysis (DFA) 1995: Paul Kocher invents timing attack 1997: Paul Kocher invents Differential Power Analysis (DPA) 1998: TNO implements DPA 1998: Gemplus invents Voltage Manipulation (VM) 1999: TNO implements VM for Single Fault Injection (SFI) 2000: Q.-Samyde implements Electromagnetic Analysis (EMA) TNO ©

25 © UCL Crypto group October 2004 - I0 25 Security: Baran (1964, Rand)

26 © UCL Crypto group October 2004 - I0 26 Analysis of a simple model (Vernam) EXOR secret key k i output c i input m i mi ki ci 0 0 0 0 1 1 1 0 1 1 1 0 mi ki ci 0 0 0 0 1 1 1 0 1 1 1 0 if for some reason the two zeroes are not the same (SPA...) this perfect system is completely broken.

27 © UCL Crypto group October 2004 - I0 27 Timing attacksChipChip CLK GRD VCC RST I/O 1. timing the measure of the timing and the (some) knowledge of the implementation of the used cryptographic algorithm together a lot of well chosen inputs-outputs with some statistical treatment give the secret key in use (works well for RSA-like algorithms) countermeasure: I/O not related to the key at all (constant run-time for instance).

28 © UCL Crypto group October 2004 - I0 28 Fault attacks (Bellcore) Key=1010110...

29 © UCL Crypto group October 2004 - I0 29 Implementation problems (Joye, Lenstra, Q.) - optimisation: minimisation of the number of multiplications and square Error or attack? Bug Pentium … - Chinese Remainder Theorem mod p mod q exp m m combine error! p and q are in danger! p and q are in danger!

30 © UCL Crypto group October 2004 - I0 30 ElectroMagnetic Analysis Similar processing as PA, sensing and leakage are different. Use a different probe (that not interferes with the chip): –Hand-made (Gemplus) –RF receiver (IBM) –Flat inductor and MEMS (UCL) 3 mm 0.5 mm

31 © UCL Crypto group October 2004 - I0 31 Spatial positioning Horizontal cartography (XY plane) –to pinpoint instruction related areas –better if automated CPU EEPROM ROM RAM CRYPTO Probe 4.5 mm 5.5 mm Gemplus ©

32 © UCL Crypto group October 2004 - I0 32 Side Channel Conclusion Direct and serious threat to the security of crypto systems Applicable to all algorithms (mostly) a non-destructive class of attacks Can be developed in order of weeks, repeated in order of hours Can be prevented or discouraged by (combinations of) countermeasures

33 © UCL Crypto group October 2004 - I0 33 Faults insertion - Eddy Currents (ESmart 2002) Aim: Cryptanalysis of an algorithm using fault(s) -Local heating -Optical attack (Ches 2002) -Glitch attack clock -Local ionisation (Rads 2003) - UV light applied to a certain location - X-rays

34 © UCL Crypto group October 2004 - I0 34 Security? Free slot at a cyclotron

35 © UCL Crypto group October 2004 - I0 35 Countermeasures Scramble the memory structure Dedicated sensors Opaque passivation layer or top-layer shielding Self-timed circuit & Dual-rail logic CRC Software countermeasures

36 © UCL Crypto group October 2004 - I0 36 Countermeasures Software –Check each bit before to set/reset it –Test integrity of all ( Data, Crypto, … ) Hardware : –Scramble the memory structure –Implement CRC (Well chosen) –Build new architecture for error detection/corrections –Asynchronous processors (www.g3card.org)www.g3card.org –Dedicated sensors and avoid static sensors If there is a CRC check, there’s a transistor to give a right or wrong value… It could then be possible to lock the value (FPGA,…). UCL ©

37 © UCL Crypto group October 2004 - I0 37 Countermeasures A lot: New hardware design, new technology, … Randomize carefully! No difference between square and multiply (add and doubling): subtle solutions, Verify the result before outputs, … Very mathematical, very cryptographic, Another story (see recent thesis of Mathieu Ciet – UCL, June 2003 about ECC, aso).

38 © UCL Crypto group October 2004 - I0 38

39 © UCL Crypto group October 2004 - I0 39 Other directions Quantum cryptography: nanocrypto More physics less cryptography: new research Identify the object (variations, added or not) Use the object in protocols?


Download ppt "© UCL Crypto group – October 2004 – I0 Low Cost Security for Internet-0? Frontiers and Limits Jean-Jacques Quisquater (visiting scientist."

Similar presentations


Ads by Google