Presentation is loading. Please wait.

Presentation is loading. Please wait.

H.M.Gamaarachchi (E/10/102) P.B.H.B.B.Ganegoda (E/10/104)

Published byAgatha Ray Modified over 8 years ago

Similar presentations

Presentation on theme: "H.M.Gamaarachchi (E/10/102) P.B.H.B.B.Ganegoda (E/10/104)"— Presentation transcript:

1 H.M.Gamaarachchi (E/10/102) P.B.H.B.B.Ganegoda (E/10/104)
POWER ANALYSIS ATTACK Group Members Supervisors H.M.Gamaarachchi (E/10/102) P.B.H.B.B.Ganegoda (E/10/104) Dr. Roshan Ragel Darshana Jayasinghe (PhD Student/UNSW)

2 Power analysis attack Break the key of the system by measuring power consumption of the cryptosystem First collect power traces Then do statistical analysis using Pearson Correlation to get the secret key Simple power analysis (SPA) Differential power analysis (DPA) Correlation power analysis (CPA)

3 Target devices for the attack
Security of embedded devices such as smartcards was completely shattered when power analysis attack was introduced But today various countermeasures have been applied

4 Technical approach Dynamic power consumption of CMOS circuits
Secret key Measured power traces Secret key Pearson correlation Power model Eg : Hamming weight 𝜌 = 𝑁 𝑖=0 𝑁 𝑊 𝑖,𝑗 𝐻 𝑖 − 𝑖=0 𝑁 𝑊 𝑖,𝑗 𝑖=0 𝑁 𝐻 𝑖 𝑁 𝑖=0 𝑁 𝑊 𝑖,𝑗 2 − ( 𝑖=0 𝑁 𝑊 𝑖,𝑗 ) 𝑁 𝑖=0 𝑁 𝐻 𝑖 2 − ( 𝑖=0 𝑁 𝐻 𝑖 ) 2 key guesses

5 Why we do it? Why there is cryptography on the first place?
What if a cryptographic system is insecure? Therefore, attack with a genuine intention to help finding vulnerabilities and countermeasures. Also there is a bit of fun when attacking a crypto system ;)

6 Project phases Building the testbed
Attacking the new algorithm called Speck Working on countermeasures

7 Phase 1 Building the testbed

8 Testbed : Hardware part
Digital Oscilloscope Power measuring resistor PIC microcontroller based cryptographic device

9 Testbed : Software Encryption Program on PIC Instrument
Control for automation CPA on CUDA Scripts for post analysis

10 Breaking AES on the testbed
Step Time taken / s Collecting power traces 370 Running CPA 8 Sum 378 No of power traces required : 200 Time : Less than 10 minutes

11 Contributions Step by step methodology to build a testbed
Testbed interfaced via USB Novel power measurement methods that require less power traces but just passive probes Even works on a breadboard Break AES as fast as in 10 minutes : Ideal for testing countermeasures

12 Phase 2 Attacking Speck

13 Speck encryption algorithm
Recent cryptographic algorithm released by NSA(National Security Agency) in June 2013 Light weight and optimized for software implementations Therefore the performance on a microcontroller is impressive So there is a great possibility that it become famous in the future for embedded systems Only 3 operations add round xor Called ARX (add-round-xor cipher)

14 Attack on Speck So far no work on power analysis on Speck.
Why attacking Speck is challenging? Due to difference with AES Difference in mixing the key Lack of substitution box (sbox) operations

15 Our attack methodology
Use the power consumption for values resulting from xor operations to attack

16 Issues faced Zero key issue (All keys falsely return as 0) -> Reason : P XOR 0 = P Solution : Trim power traces at the beginning Breaking on 16 bit or higher microcontroller The number combinations to test increases Solution : Still attack byte wise but change the attacked intermediate value xor does not consume lot of power SNR decreases [SNR=10 log 10 (Power of signal / Power of noise)] Solution : Take more traces

17 Speck is vulnerable No of power traces required : 500 per each round
Step Time taken / s Round 1: Collecting power trace 914 Round 1: Running CPA 29 Round 2: Collecting power traces 907 Round 2: Running CPA 28 Sum 1878 No of power traces required : 500 per each round Time : Less than half an hour

18 Contributions Show that even a latest algorithm is vulnerable despite the lack of sbox operations. Therefore even for new algorithms countermeasures are needed.

19 Phase 3 Countermeasures

20 Countermeasures for power analysis
Techniques developed to protect cryptographic devices against power analysis attacks. Countermeasures Software based approach Hardware based approach Micro architecture level Circuit level

21 Circuit level countermeasures
Method Stated in Clock manipulation E. Sprunk, “Clock frequency modulation for secure microprocessors” Introducing noise to the power line P. Kocher and others, “Differential Power Analysis” Skipping Clock Pulses S.Mangard and others ,“Power Analysis Attacks : Revealing the Secrets of Smart Cards” Multiple Clock Domains Filtering the power line Very few work with related to circuit level countermeasures. Most of them are just stated but not practically tested or analyzed.

22 Power line filters Without filter With filter
Low pass filters that removes higher frequency components in the power trace. That is peaks that leak information are flattened. SNR is reduced. Needs more power traces. Eg : Capacitor, Inductor, LC filter, RC filter Without filter With filter

23 Example circuits VDD VDD VDD Capacitor filter Inductor filter
100 ohm 100 ohm 100 ohm 1mH 1mH Microcontroller Microcontroller 1000µF 100µF 1000µF Microcontroller 1mH Capacitor filter Inductor filter LC filter

24 Results for power line filters
Method Approximate minimum number of traces Approximate minimum time Without countermeasures 50 5 minutes Inductor (1mH) connected serially 500 30 minutes Capacitor (1mF) connected in parallel 1500 1.5 hours LC (Inductor-capacitor) second order filter 5000 4.5 hours Not that effective

25 Our own ideas VDD VDD VDD Zener diode : Operational amplifier :
100 ohm 100 ohm 330 ohm +Vcc 100 ohm + 5V + - C828 - -Vcc Microcontroller Microcontroller Microcontroller 1 ohm Zener diode : Regulates the voltage Operational amplifier : Non linear response Constant current source

26 Results Not useful at all Method Approximate minimum number of traces
Approximate minimum time Without countermeasures 50 5 minutes Voltage regulator Current source Zener diode 300 20 minutes Operational amplifier 4000 3.5 hours Not useful at all

27 Software countermeasures
Method Introduced by Injecting dummy instructions P. Kocher and others, “Differential Power Analysis” Injecting valid instructions J. A. Ambrose and others “RIJID: Random Code Injection to Mask Power Analysis based Side Channel Attacks” Dividing the standard SBOX into two different SBOX L. Goubin and J. Patarin, “DES and Differential Power Analysis (The ”Duplication” Method)” Processing words containing both the data bits and their complements J. Daemen and V. Rijmen, “Resistance against implementation attacks: a comparative study of the AES proposals” Doubling the data width, to include original data and its complement A. Arora and others “A double-width algorithmic balancing to prevent power analysis Side Channel Attacks in AES,” Injecting random instruction is less costly and easily feasible with respect to others.

28 Random instruction injection
Randomly insert instructions at the middle of encryption. Misaligns the power traces. SNR is reduced. Will need more power traces, Before After

29 Results N=1 N=0 N=7 N=3 More than 200 traces Even 50 traces are enough
Correct Key N=1 N=0 Correct Key More than 2000 traces More than 500 traces Correct Key N=7 N=3

30 Results Maximum number of random instructions injected Approximate minimum number of traces Approximate minimum time 50 5 minutes 1 200 15 minutes 3 500 30 minutes 7 2000 2 hours 15 40000 45 hours Number of power traces grow quadratically with the number of instructions added. 100 random instruction would take at least traces. That would take about 25 days.

31 Issue in random instruction injection
From where do you get the randomness? If seed is same pseudorandom algorithms give same sequence. In computers we can use time in milliseconds as the seed. But in microcontroller no real time clocks. We are working on solution that generates the seed by amplified noise signals which are true random.

32 Conclusion Phase 1 Making a testbed for power analysis is complicated and time consuming. A prebuild testbed would save the time of a researcher. Phase 2 Though Speck is a very new encryption algorithm designed especially for embedded devices, yet it is vulnerable. Phase 3 Circuit level countermeasures such as power line filters are not that effective. Software based countermeasure called random instruction injection is relatively good. But still improvements are needed to provide a true randomness.

33 Questions

Download ppt "H.M.Gamaarachchi (E/10/102) P.B.H.B.B.Ganegoda (E/10/104)"

Similar presentations

1 KCipher-2 KDDI R&D Laboratories Inc.. ©KDDI R&D Laboratories Inc. All rights Reserved. 2 Introduction LFSR-based stream ciphers Linear recurrence between.

1 KCipher-2 KDDI R&D Laboratories Inc.. ©KDDI R&D Laboratories Inc. All rights Reserved. 2 Introduction LFSR-based stream ciphers Linear recurrence between.
Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.

Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
TIE Extensions for Cryptographic Acceleration Charles-Henri Gros Alan Keefer Ankur Singla.

TIE Extensions for Cryptographic Acceleration Charles-Henri Gros Alan Keefer Ankur Singla.
Statistical Tools Flavor Side-Channel Collision Attacks

Statistical Tools Flavor Side-Channel Collision Attacks
White-Box Cryptography

White-Box Cryptography
Differential Power Analysis of Smartcards How secure is your private information? Author: Ryan Junee Supervisor: Matt Barrie.

Differential Power Analysis of Smartcards How secure is your private information? Author: Ryan Junee Supervisor: Matt Barrie.
Practical Template-Algebraic Side Channel Attacks with Extremely Low Data Complexity 1.

Practical Template-Algebraic Side Channel Attacks with Extremely Low Data Complexity 1.
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
Block Ciphers and the Data Encryption Standard

Block Ciphers and the Data Encryption Standard
1 Authors: MILENA STANOJLOVIĆ PREDRAG PETKOVIĆ LABORATORY FOR ELECTRONIC DESIGN AUTOMATION Faculty of Electronic Engineering University of Nis.

1 Authors: MILENA STANOJLOVIĆ PREDRAG PETKOVIĆ LABORATORY FOR ELECTRONIC DESIGN AUTOMATION Faculty of Electronic Engineering University of Nis.
Zheming CSCE715.  A wireless sensor network (WSN) ◦ Spatially distributed sensors to monitor physical or environmental conditions, and to cooperatively.

Zheming CSCE715.  A wireless sensor network (WSN) ◦ Spatially distributed sensors to monitor physical or environmental conditions, and to cooperatively.
Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.

Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.
Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.

Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.
Introduction to Analog-to-Digital Converters

Introduction to Analog-to-Digital Converters
15-441 Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from 15-441, semester’s past and others.

Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from , semester’s past and others.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
Radu Muresan CODES+ISSS'04, September 8-10, 2004, Stockholm, Sweden1 Current Flattening in Software and Hardware for Security Applications Authors: R.

Radu Muresan CODES+ISSS'04, September 8-10, 2004, Stockholm, Sweden1 Current Flattening in Software and Hardware for Security Applications Authors: R.
Automatic Application of Power Analysis Countermeasures Ali Galip Bayrak Francesco Regazzoni David Novo Philip Brisk François-Xavier Standaert Paolo Ienne.

Automatic Application of Power Analysis Countermeasures Ali Galip Bayrak Francesco Regazzoni David Novo Philip Brisk François-Xavier Standaert Paolo Ienne.
SIDE CHANNEL ATTACKS Presented by: Vishwanath Patil Abhay Jalisatgi.

SIDE CHANNEL ATTACKS Presented by: Vishwanath Patil Abhay Jalisatgi.

Similar presentations

Ads by Google