Side-Channel Attacks on Smart Cards

Presentation transcript:

Side-Channel Attacks on Smart Cards

Timing Analysis
- Cryptosystems take different amounts of time to process different inputs.
- Performance optimisations in software
- Branching/conditional statements
- Caching in RAM
- Variable length instructions (multiply, divide)
- Timing measurements taken with various input data can be used to deduce internal workings.

Timing Analysis Example: Repeated square-and-multiply for modular exponentiation

    Input:  M, N, d = (d_{n-1} d_{n-2} ... d_1 d_0)_2
    Output: S = M^d mod N

    S = 1
    for j = n-1 down to 0 do
        S = S^2 mod N
        if (d_j == 1) then
            S = S*M mod N      # extra multiplication only when the key bit is 1
    return S

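Timing Analysis Counter-measure

    Input:  M, N, d = (d_{n-1} d_{n-2} ... d_1 d_0)_2
    Output: S = M^d mod N

    S = 1
    for j = n-1 down to 0 do
        S = S^2 mod N
        T = S*M mod N          # multiplication is performed for every bit
        if (d_j == 1) then
            S = T              # result is kept only when the key bit is 1
    return S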
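The two loops above, as an added example that is not part of the original slides: it counts modular multiplications as a stand-in for execution time, for two exponents of equal length but different Hamming weight. The values of M, N and both exponents are constructed toy values.

```python
# Added illustration: operation counts stand in for timing measurements.
# M, N and the two exponents are constructed toy values, not from the slides.

def square_and_multiply(M, d, N, nbits):
    """First loop on the slides: multiply only when the exponent bit is 1."""
    S, ops = 1, 0
    for j in range(nbits - 1, -1, -1):
        S = S * S % N
        ops += 1
        if (d >> j) & 1:
            S = S * M % N
            ops += 1
    return S, ops

def square_and_multiply_always(M, d, N, nbits):
    """Counter-measure loop: T is computed for every bit, kept only for 1-bits."""
    S, ops = 1, 0
    for j in range(nbits - 1, -1, -1):
        S = S * S % N
        T = S * M % N
        ops += 2
        if (d >> j) & 1:
            S = T
    return S, ops

def compare(M=65, N=3233, nbits=8):
    """Return {exponent: (ops_plain, ops_always)} for a sparse and a dense key."""
    report = {}
    for d in (0b10000001, 0b11111111):
        s1, plain = square_and_multiply(M, d, N, nbits)
        s2, always = square_and_multiply_always(M, d, N, nbits)
        assert s1 == s2 == pow(M, d, N)   # both loops compute M^d mod N
        report[d] = (plain, always)
    return report

if __name__ == "__main__":
    for d, (plain, always) in compare().items():
        print(f"d={d:08b}  plain={plain} mults  always={always} mults")
```

The plain loop's count is the bit length plus the number of 1-bits in d, which is what a timing measurement exposes; the counter-measure loop's count depends only on the bit length.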

Timing Analysis Counter-measures
- Implementing constant timing for all operations.
- Add noise to the execution time.
- Prevent an attacker from learning the inputs to a vulnerable operation.
- Previous example: S = M^d mod N (can sign multiple M's to deduce d)

    M' = R^e * M mod N  =>  S' = M'^d mod N      (M' is hidden from the attacker)
    R^{-1} S' = R^{-1} R^{ed} M^d = R^{-1} R M^d = M^d mod N = S
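The blinding identity above carried through in code, as an added example that is not part of the original slides. The key (N = 61 * 53, e = 17, d = 2753) is a constructed toy key, and `exponentiate`, `SEEN` and `blinded_sign` are hypothetical names.

```python
import math
import secrets

# Constructed toy key (far too small for real use): N = 61 * 53
N, E, D = 3233, 17, 2753

SEEN = []   # every value that actually reaches the private-key exponentiation

def exponentiate(x):
    """Stand-in for the card's timing-sensitive operation x^d mod N."""
    SEEN.append(x)
    return pow(x, D, N)

def blinded_sign(M, R=None):
    """Return S = M^d mod N without ever exponentiating M itself."""
    while R is None or math.gcd(R, N) != 1:
        R = secrets.randbelow(N - 2) + 2     # fresh blinding factor per call
    M_blind = pow(R, E, N) * M % N           # M' = R^e * M mod N
    S_blind = exponentiate(M_blind)          # S' = M'^d mod N
    return pow(R, -1, N) * S_blind % N       # R^-1 * S' = M^d mod N = S

def demo(M=65, runs=5):
    """Sign the same M several times; return (signatures, blinded inputs)."""
    SEEN.clear()
    sigs = [blinded_sign(M) for _ in range(runs)]
    return sigs, list(SEEN)

if __name__ == "__main__":
    sigs, inputs = demo()
    print("signatures:", sigs)        # identical every time
    print("exponentiated:", inputs)   # varies with each random R
```

The caller always receives the same signature, while the value whose processing time could be measured changes with every R and is unknown to whoever chose M.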

Computational Fault Analysis
Induce faults on computation by:
- power supply
- clock frequency and duty cycle
- working temperature
- UV lights
- microwaves
- ion beam

Computational Fault Analysis
- Fault induced in the CRT used to speed up RSA signature:

    S = M^d mod N
    S_p = M^{dp} mod p and S_q = M^{dq} mod q
    dp = d mod (p-1), dq = d mod (q-1)
    S = u_p S_p + u_q S_q mod N

- 2 signatures on the same message, 1 good, 1 faulty, can be used to factor N when exactly one of S_p or S_q is faulty.
- S'_q = M^{dq} mod q. Signature S' will be invalid.
- p = gcd(N, M - S'^e)

Computational Fault Analysis
Countermeasure:
- Results could be verified before they are exposed.
- Randomization by padding messages.
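The verify-before-release countermeasure, as an added example that is not part of the original slides. It uses a constructed toy key (p = 61, q = 53, e = 17), simulates the fault by altering S_q by one, and uses the hypothetical function names `crt_sign`, `checked_sign` and `leaked_factor`.

```python
import math

# Constructed toy key, far too small for real use.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)        # dp = d mod (p-1), dq = d mod (q-1)
UP = Q * pow(Q, -1, P)                   # u_p: 1 mod p, 0 mod q
UQ = P * pow(P, -1, Q)                   # u_q: 0 mod p, 1 mod q

def crt_sign(M, fault_in_sq=False):
    """S = u_p*S_p + u_q*S_q mod N, optionally with a simulated fault in S_q."""
    Sp = pow(M, DP, P)
    Sq = pow(M, DQ, Q)
    if fault_in_sq:
        Sq = (Sq + 1) % Q                # stand-in for a glitch during this half
    return (UP * Sp + UQ * Sq) % N

def checked_sign(M, fault_in_sq=False):
    """Countermeasure: verify S^e = M mod N before the result leaves the card."""
    S = crt_sign(M, fault_in_sq)
    if pow(S, E, N) != M % N:
        raise ValueError("signature failed verification; result withheld")
    return S

def leaked_factor(M, S_faulty):
    """What an unverified faulty result gives away: gcd(N, M - S'^e)."""
    return math.gcd(N, (M - pow(S_faulty, E, N)) % N)

if __name__ == "__main__":
    M = 65
    print("good signature:", checked_sign(M))
    print("unchecked faulty result leaks:", leaked_factor(M, crt_sign(M, True)))
    try:
        checked_sign(M, fault_in_sq=True)
    except ValueError as err:
        print("checked path:", err)
```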

Power Analysis
- Simple Power Analysis (SPA)
  - Information about the operation is deduced directly from tracing the global power consumption of the chip.
  - E.g. DES key rotation
  - E.g. RSA exponentiation
- Differential Power Analysis (DPA)
  - Statistical analysis of power consumption over several executions of the same algorithm with different inputs.
  - Idea: averaging the power consumption traces reduces noise and reveals small biases that are otherwise obscured.

Conclusion
- Smart card crypto is constrained by the physical limitations of the microprocessor.
- Implementations need to take possible attacks into account.
- Counter-measures taken against attacks need to take into account the efficiency of the implementation in practice.