1. Lecture7 –More on Attacks Rice ELEC 528/ COMP 538 Farinaz Koushanfar Spring 2009

2. Outline More on side-channel attacks Fault injection attacks Generic attacks on cryptosystems Slides are mostly courtesy of Michael Tunstall michael.tunstall@gemplus.com

3. Simple power analysis (SPA) - example

4. SPA example (cont’d)

5. Unprotected modular exponentiation – square and multiply algorithm

6. Possible counter measure – randomizing RSA exponentiation

7. Statistical power analysis Two categories –Differential power analysis (DPA) –Correlation power analysis (CPA) Based on the relationship b/w power consumption & hamming weight of the data

8. Modeling the power consumption Hamming weight model –Typically measured on a bus, Y=aH(X)+b –Y: power consumption; X: data value; H: Hamming weight The Hamming distance model –Y=aH(P  X)+b –Accounting for the previous value on the bus (P)

9. Differential power analysis (DPA) DPA can be performed in any algo that has operation  =S(  K), –  is known and K is the segment key The waveforms are caotured by a scope and Sent to a computer for analysis

10. What is available after acquisition?

11. DPA (cont’d) The bit will classify the wave w i –Hypothesis 1: bit is zero –Hypothesis 2: bit is one –A differential trace will be calculated for each bit!

12. DPA (cont’d)

14. DPA -- testing

16. DPA – the wrong guess

17. DPA (cont’d) The DPA waveform with the highest peak will validate the hypothesis

18. DPA curve example

19. DPA (cont’d)

20. Attacking a secret key algorithm

21. Typical DPA Target

22. Example -- DPA

23. Example – hypothesis testing

24. DPA (Cont’d)

25. DPA on DES algorithm

26. DPA on other algorithms

27. Correlation power analysis (CPA) The equation for generating differential waveforms replaced with correlations Rather than attacking one bit, the attacker tries prediction of the Hamming weight of a word (H) The correlation is computed by:

28. Statistical PA -- countermeasures

29. Anti-DPA countermeasures

30. Anti-DPA Internal clock phase shift

31. DPA summary

32. Electromagnetic power analysis

33. EMA – probe design

34. EMA signal

35. Spatial positioning

37. Example: SEMA on RSA

38. EMA (cont’d)

39. Counter measures

40. Fault injection attacks

41. Fault attacks

42. Fault injection techniques Transient (provisional) and permanent (destructive) faults –Variations to supply voltage –Variations in the external clock –Temperature –White light –Laser light –X-rays and ion beams –Electromagnetic flux

43. Need some (maybe expensive equipment) – eg, laser

44. Fault injection steps

45. Provisional faults Single event upsets –Temporary flips in a cell’s logical state to a complementary state Multiple event faults –Several simultaneous SEUs Dose rate faults –The individual effects are negligible, but cumulative effect causes fault Provisional faults are used more in fault injection

46. Permanent faults Single-event burnout faults –Caused by a parasitic thyristor being formed in the MOS power transistors Single-event snap back faults –Caused by self-sustained current by parasitic bipolar transistors in MOS Single-event latch-up faults –Creates a self sustained current in parasitics Total dose rate faults –Progressive degradation of the electronic circuit

47. Fault impacts (model) Resetting data Data randomization – could be misleading, no control over! Modifying op-code – implementation dependent

48. Fault attacks – counter measures

50. Attacks on systems using smart cards

51. Trusted path Normal key validation on a PC

52. Trusted path PIN code validation – can you come up with attacks?

53. Are smart cards good or bad?

54. Let’s go thru a few common scenarios

55. A few common scenarios…

66. Example – fault attack on DES

67. 15-th round DPA

69. 15-th round DES