Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.


1 Side-Channel Attacks on Smart Cards

2 Timing Analysis
- Cryptosystems take different amounts of time to process different inputs:
    - Performance optimisations in software
    - Branching/conditional statements
    - Caching in RAM
    - Variable-length instructions (multiply, divide)
- Timing measurements taken with various input data can be used to deduce internal workings.

3 Timing Analysis Example: Repeated square-and-multiply modular exponentiation
Input: $M$, $N$, $d = (d_{n-1} d_{n-2} \ldots d_1 d_0)_2$
Output: $S = M^d \bmod N$
    S = 1
    for j = n-1 ... 0 do
        S = S^2 mod N
        if (d_j == 1) then S = S*M mod N
    return S

4 Timing Analysis Counter-measure
Input: $M$, $N$, $d = (d_{n-1} d_{n-2} \ldots d_1 d_0)_2$
Output: $S = M^d \bmod N$
    S = 1
    for j = n-1 ... 0 do
        S = S^2 mod N
        T = S*M mod N
        if (d_j == 1) then S = T
    return S

5 Timing Analysis
Countermeasures:
- Implement constant timing for all operations.
- Add noise to the execution time.
- Prevent an attacker from learning the inputs to a vulnerable operation.
Previous example: $S = M^d \bmod N$ (can sign multiple M's to deduce d)
- $M' = R^e \cdot M \bmod N \Rightarrow S' = M'^d \bmod N$ (M' is hidden from the attacker)
- $R^{-1} S' = R^{-1} R^{ed} M^d = R^{-1} R M^d = M^d \bmod N = S$

6 Computational Fault Analysis
Induce faults on computation by:
- power supply
- clock frequency and duty cycle
- working temperature
- UV lights
- microwaves
- ion beam

7 Computational Fault Analysis
Fault induced in the CRT used to speed up RSA signature $S = M^d \bmod N$:
- $S_p = M^{d_p} \bmod p$ and $S_q = M^{d_q} \bmod q$
- $d_p = d \bmod (p-1)$, $d_q = d \bmod (q-1)$
- $S = u_p S_p + u_q S_q \bmod N$
Two signatures on the same message, one good and one faulty, can be used to factor N when exactly one of $S_p$ or $S_q$ is faulty.
- Faulty half: $S'_q \neq M^{d_q} \bmod q$. Signature $S'$ will be invalid.
- $p = \gcd(N, M - S'^e)$

8 Computational Fault Analysis
Countermeasure:
- Results could be verified before being exposed.
- Randomization by padding messages.
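The CRT fault relation from slide 7 and the verify-before-exposing countermeasure from slide 8, as an added Python example that is not part of the original presentation. The primes, public exponent, sample message and the simulated one-bit fault are constructed toy values, and the function names are hypothetical.

```python
from math import gcd

# Constructed toy parameters (assumptions; far too small for real RSA).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent d
U_P = Q * pow(Q, -1, P)                # u_p: 1 mod p, 0 mod q
U_Q = P * pow(P, -1, Q)                # u_q: 0 mod p, 1 mod q


def sign_crt(m, fault_in_q=False):
    """S = u_p*S_p + u_q*S_q mod N; optionally corrupt the mod-q half."""
    s_p = pow(m, D % (P - 1), P)       # S_p = M^dp mod p
    s_q = pow(m, D % (Q - 1), Q)       # S_q = M^dq mod q
    if fault_in_q:
        s_q ^= 1                       # simulated one-bit computational fault
    return (U_P * s_p + U_Q * s_q) % N


def factor_from_fault(m, s_faulty):
    """Slide 7 relation: p = gcd(N, M - S'^e)."""
    return gcd(N, (m - pow(s_faulty, E, N)) % N)


def sign_checked(m, fault_in_q=False):
    """Slide 8 countermeasure: verify S^e == M mod N before exposing S."""
    s = sign_crt(m, fault_in_q)
    if pow(s, E, N) != m % N:
        raise ValueError("signature failed self-check; result withheld")
    return s


if __name__ == "__main__":
    m = 123456789                      # constructed sample message, m < N
    print("leaked factor equals p:", factor_from_fault(m, sign_crt(m, True)) == P)
    print("correct signature released:", sign_checked(m) == sign_crt(m))
    try:
        sign_checked(m, fault_in_q=True)
    except ValueError as exc:
        print("faulty signature blocked:", exc)
```

Because the faulty signature is still correct mod p but wrong mod q, a single unverified output is enough to expose a factor of N; the self-check costs one public-key exponentiation per signature.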

9 Power Analysis
Simple Power Analysis (SPA)
- Information about the operation is deduced directly from tracing the global power consumption of the chip.
- E.g. DES key rotation
- E.g. RSA exponentiation
Differential Power Analysis (DPA)
- Statistical analysis of power consumption over several executions of the same algorithm with different inputs.
- Idea: averaging the power consumption traces reduces noise and reveals otherwise obscured small biases.

12 Conclusion
- Smart card crypto is constrained by the physical limitations of the microprocessor.
- Implementations need to take possible attacks into account.
- Countermeasures against attacks need to take into account the efficiency of the implementation in practice.

