A paper by: Paul Kocher, Joshua Jaffe, and Benjamin Jun Presentation by: Michelle Dickson.


Power Analysis
- Introduction
- Simple Power Analysis (SPA)
  - Theory
  - Experimental Results
  - Prevention
- Differential Power Analysis (DPA)
  - Theory
  - Experimental Results
  - Prevention
- Comments

Introduction: About the paper…
- Written by Paul Kocher, Joshua Jaffe, and Benjamin Jun of Cryptography Research, Inc. in 1998
- This was the first introduction of power analysis based side channel attacks on cryptographic systems
- All analysis and experimentation was performed on a DES implementation

Introduction: Power Analysis
- Power Analysis is a form of side channel attack in which operation and key material can be exposed through the measurement of a cryptographic device's power consumption
- To measure a circuit's power consumption:
  - A small resistor (e.g. 50Ω) is placed in series with the power or ground input
  - An oscilloscope or other sampling device captures the voltage drop across the resistor
  - Data is transferred to a PC for analysis

Simple Power Analysis: Theory
- This technique directly interprets power consumption measurements to expose information about an encryptor/decryptor
- A trace refers to a set of power consumption measurements taken across a cryptographic operation
- Higher resolution traces reveal more information about the circuit's operation
- Claim: SPA traces can reveal the sequence of instructions and can therefore be used to break cryptographic implementations in which the execution path depends on the data being processed

Simple Power Analysis: Experimental Results
- The figure below clearly shows the 16 rounds of a DES operation

Simple Power Analysis: Experimental Results
- A more detailed view shows small variations between the rounds
- 28-bit DES key registers C & D are rotated once in round 2 and twice in round 3
- Discernable features are typically caused by conditional jumps based on key bits and computational intermediates

Simple Power Analysis: Experimental Results
- An even higher resolution view shows details of a single clock cycle
- Comparison of the trace through two regions shows visible variations between clock cycles caused by different processor instructions
  - Upper trace shows where a jump instruction is performed
  - Lower trace shows where a jump instruction is not performed

Simple Power Analysis: Motivation for Prevention
- Because SPA can reveal the sequence of instructions executed, it can be used to break cryptographic implementations in which the execution path depends on the data being processed, such as:
  - DES key schedule computations
  - DES permutations
  - Comparisons
  - Multipliers
  - Exponentiators

Simple Power Analysis: Prevention Techniques
- Avoid procedures that use secret intermediates or keys for conditional branching operations
  - Creative coding, performance penalty
- Implement hard-wired symmetric cryptographic algorithms in hardware
  - Small power consumption variations

Differential Power Analysis: Theory
- In addition to the large-scale power variations addressed by SPA, there are effects correlated to the specific data values that are being manipulated
- Using statistical functions tailored to the target algorithm, these much smaller variations can be detected

Differential Power Analysis: Detailed Theory
- A DPA selection function, D(C,b,Ks), computes the value of bit 0 ≤ b < 32 of the DES intermediate L at the beginning of the 16th round
  - C is the ciphertext
  - Ks is the 6 key bits entering the S box corresponding to bit b
- To implement, an attacker:
  - Observes m encryption operations
  - Captures m traces, each with k samples
  - Records m ciphertext values

Differential Power Analysis: Detailed Theory
- Using the observation, the attacker computes a k-sample differential trace ∆[1..k] by finding the difference between the average of the traces for which D(C,b,Ks) is one and the average of the traces for which D(C,b,Ks) is zero
- For each sample, the differential trace ∆[j] is the average over the measured ciphertexts of the effect caused by the selector function D(C,b,Ks) on the power consumption measurement at the sample point
- If Ks is incorrect, the probability that D will yield the correct bit b is ½, so the trace components and D are uncorrelated. The result is that ∆[j] approaches zero for large m.
- If Ks is correct, the computed value for D will equal the actual value of the target bit b with probability 1, making the selection function correlated to the bit. The result will be spikes in the differential trace where D is correlated to the value being processed.

Differential Power Analysis: Claim
- The correct Ks can be identified from the spikes in the differential trace.
- Four values of b correspond to each S box, providing confirmation of key block guesses.
- Finding all 8 key block guesses yields the entire 48-bit round subkey.
- The remaining 8 key bits can be found by trial-and-error or by analyzing an additional round.
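
An added example (not from the paper or the presentation) that runs the difference-of-means statistic from the Detailed Theory and Claim slides on constructed traces, so the behaviour of ∆ for wrong and correct guesses can be checked and a countermeasure's effect on the spike measured. Assumptions: the trace model (Gaussian noise plus Hamming-weight leakage at one sample), the helper names `simulate`, `differential_trace` and `rank_guesses`, and a simplified D that takes the S-box input bits and output-mask bits directly instead of applying the DES E and P permutations to a full ciphertext.

```python
import random

# DES S-box S1, 4 rows x 16 columns, flattened row by row.
S1 = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
      0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
      4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
      15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]

def sbox(x):
    """6-bit input: outer bits pick the row, middle four the column."""
    row = ((x >> 5) << 1) | (x & 1)
    return S1[16 * row + ((x >> 1) & 0xF)]

def D(c, b, ks):
    """Selection function: predicted bit b (0..3) behind this S-box.
    Assumption: c = (x, r) already holds the 6 ciphertext bits entering
    the S-box and the 4 ciphertext bits XORed with its output."""
    x, r = c
    return ((sbox(x ^ ks) ^ r) >> b) & 1

def simulate(m, k, key, leak_at, rng):
    """Constructed traces: noise plus Hamming weight of the 4 real bits."""
    cts = [(rng.randrange(64), rng.randrange(16)) for _ in range(m)]
    traces = [[rng.gauss(0.0, 0.5) for _ in range(k)] for _ in cts]
    for c, t in zip(cts, traces):
        t[leak_at] += sum(D(c, b, key) for b in range(4))
    return cts, traces

def differential_trace(cts, traces, b, ks):
    """Delta[j] = mean(traces where D=1) - mean(traces where D=0)."""
    groups = ([], [])
    for c, t in zip(cts, traces):
        groups[D(c, b, ks)].append(t)
    mean = lambda g: [sum(col) / len(g) for col in zip(*g)]
    return [hi - lo for hi, lo in zip(mean(groups[1]), mean(groups[0]))]

def rank_guesses(cts, traces):
    """Score each 6-bit guess by the peak of its four summed Delta traces."""
    score = {}
    for ks in range(64):
        dts = [differential_trace(cts, traces, b, ks) for b in range(4)]
        score[ks] = max(sum(col) for col in zip(*dts))
    return sorted(score, key=score.get, reverse=True), score

if __name__ == "__main__":
    cts, traces = simulate(1000, 8, 0x2B, 5, random.Random(1))
    print("best guesses:", rank_guesses(cts, traces)[0][:3])
```

Raising the noise standard deviation or lowering m in `simulate` shows how the spike for the correct guess sinks toward the wrong-guess level, which is the effect the noise and sample-limiting countermeasures aim for.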

Differential Power Analysis: Experimental Results
- The figure shows 4 traces prepared using known plaintexts entering a DES encryption function
  - The top trace is the power reference
  - The next trace is a correct key block guess
  - The last two traces are incorrect key block guesses
- m = 1000 samples

Differential Power Analysis: Experimental Results
- A more detailed view shows the average effect of a single bit on detailed power consumption measurements
  - Reference power consumption trace is on top
  - Standard deviation of power consumption measurements is next
  - Differential trace is last
- m = 10,000

Differential Power Analysis: Prevention
- Reduce signal sizes (still vulnerable to attacker with infinite samples)
  - Constant execution path code
  - Choose operations that leak less information in their power consumption
  - Balance Hamming weights and state transitions
  - Physically shielding the device
- Introduce noise into power consumption measurements
  - Randomize execution timing and order
- Design cryptosystems with realistic assumptions about the underlying hardware
  - Nonlinear key update procedures can be employed to ensure that power traces cannot be correlated between transactions
    - Hashing
  - Aggressive use of exponent and modulus multiplication processes
  - Prevent attacker from gathering large numbers of samples

Comments
- Pros
  - Innovative concepts, given the timeframe of the paper
  - The authors successfully demonstrate that power analysis attacks are a real security vulnerability that must be considered in new designs and fielded devices
- Cons
  - The authors claim that the attacks are (or can be) effective even if nothing is known about the encryption implementation; however, no evidence of this is presented
  - Likely due to the pioneering nature of the paper, it lacked the level of detail I would have desired
    - Discussion of how to come up with a selection function?
    - Quantitative comparisons for hardware vs. software implementations?
    - Demonstration of performance improvement for suggested prevention methods?

Questions? Contact information: Michelle Dickson