Lecture 7 – More on Attacks. Rice ELEC 528 / COMP 538, Farinaz Koushanfar, Spring 2009.


Outline
More on side-channel attacks
Fault injection attacks
Generic attacks on cryptosystems
Slides are mostly courtesy of Michael Tunstall

Simple power analysis (SPA) - example

SPA example (cont’d)

Unprotected modular exponentiation – square and multiply algorithm

Possible counter measure – randomizing RSA exponentiation

Statistical power analysis
Two categories
  – Differential power analysis (DPA)
  – Correlation power analysis (CPA)
Based on the relationship between power consumption and Hamming weight of the data

Modeling the power consumption
Hamming weight model
  – Typically measured on a bus, Y = aH(X) + b
  – Y: power consumption; X: data value; H: Hamming weight
The Hamming distance model
  – Y = aH(P ⊕ X) + b
  – Accounting for the previous value on the bus (P)

Differential power analysis (DPA)
DPA can be performed in any algorithm that has operation  =S(  K),
  –  is known and K is the segment key
The waveforms are captured by a scope and sent to a computer for analysis

What is available after acquisition?

DPA (cont’d)
The bit will classify the wave w_i
  – Hypothesis 1: bit is zero
  – Hypothesis 2: bit is one
  – A differential trace will be calculated for each bit!

DPA (cont’d)

DPA -- testing

DPA – the wrong guess

DPA (cont’d)
The DPA waveform with the highest peak will validate the hypothesis
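
Added illustration, not part of the original slides: the classify-and-subtract procedure described above, run on constructed traces that follow the Hamming weight model Y = aH(X) + b. The S-box is a seeded random permutation standing in for S, and the names alpha, leak_at and all function names are assumptions of this example.

```python
import random

# Constructed 8-bit S-box standing in for S: a seeded random permutation, not a real cipher's table.
SBOX = list(range(256))
random.Random(528).shuffle(SBOX)

def hw(x):
    return bin(x).count("1")  # Hamming weight H(x)

def simulate(key, n, a=1.0, b=5.0, sigma=0.5, samples=16, leak_at=9, seed=7):
    """Constructed traces: noise around b, plus a*H(S(alpha ^ key)) at sample leak_at."""
    rng = random.Random(seed)
    alphas, traces = [], []
    for _ in range(n):
        alpha = rng.randrange(256)  # known input for this trace
        w = [b + rng.gauss(0, sigma) for _ in range(samples)]
        w[leak_at] += a * hw(SBOX[alpha ^ key])
        alphas.append(alpha)
        traces.append(w)
    return alphas, traces

def bin_by_input(alphas, traces):
    """Sum the waves per known input value so every hypothesis reuses the same 256 bins."""
    m = len(traces[0])
    sums, counts = [[0.0] * m for _ in range(256)], [0] * 256
    for alpha, w in zip(alphas, traces):
        counts[alpha] += 1
        for j in range(m):
            sums[alpha][j] += w[j]
    return sums, counts

def differential_trace(sums, counts, guess, bit=0):
    """Mean of the waves classified 'bit is one' minus mean of those classified 'bit is zero'."""
    m = len(sums[0])
    tot, cnt = [[0.0] * m, [0.0] * m], [0, 0]
    for alpha in range(256):
        s = (SBOX[alpha ^ guess] >> bit) & 1  # predicted bit under this key hypothesis
        cnt[s] += counts[alpha]
        for j in range(m):
            tot[s][j] += sums[alpha][j]
    return [tot[1][j] / cnt[1] - tot[0][j] / cnt[0] for j in range(m)]

def rank_hypotheses(alphas, traces, bit=0):
    """(peak height, key guess) for all 256 guesses, highest peak first."""
    sums, counts = bin_by_input(alphas, traces)
    peaks = [(max(map(abs, differential_trace(sums, counts, g, bit))), g) for g in range(256)]
    return sorted(peaks, reverse=True)

if __name__ == "__main__":
    print(rank_hypotheses(*simulate(key=0x3C, n=4000))[:3])
```

Setting a=0.0 in simulate models a device with no data-dependent consumption: every differential trace then stays at noise level and no hypothesis stands out, which is the outcome a countermeasure evaluation looks for.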

DPA curve example

DPA (cont’d)

Attacking a secret key algorithm

Typical DPA Target

Example -- DPA

Example – hypothesis testing

DPA (Cont’d)

DPA on DES algorithm

DPA on other algorithms

Correlation power analysis (CPA)
The equation for generating differential waveforms replaced with correlations
Rather than attacking one bit, the attacker tries prediction of the Hamming weight of a word (H)
The correlation is computed by:

Statistical PA -- countermeasures

Anti-DPA countermeasures

Anti-DPA Internal clock phase shift

DPA summary

Electromagnetic power analysis

EMA – probe design

EMA signal

Spatial positioning

Example: SEMA on RSA

EMA (cont’d)

Counter measures

Fault injection attacks

Fault attacks

Fault injection techniques
Transient (provisional) and permanent (destructive) faults
  – Variations to supply voltage
  – Variations in the external clock
  – Temperature
  – White light
  – Laser light
  – X-rays and ion beams
  – Electromagnetic flux

Need some (maybe expensive) equipment – e.g., laser

Fault injection steps

Provisional faults
Single event upsets
  – Temporary flips in a cell’s logical state to a complementary state
Multiple event faults
  – Several simultaneous SEUs
Dose rate faults
  – The individual effects are negligible, but cumulative effect causes fault
Provisional faults are used more in fault injection

Permanent faults
Single-event burnout faults
  – Caused by a parasitic thyristor being formed in the MOS power transistors
Single-event snap back faults
  – Caused by self-sustained current by parasitic bipolar transistors in MOS
Single-event latch-up faults
  – Creates a self-sustained current in parasitics
Total dose rate faults
  – Progressive degradation of the electronic circuit

Fault impacts (model)
Resetting data
Data randomization – could be misleading, no control over!
Modifying op-code – implementation dependent

Fault attacks – counter measures

Attacks on systems using smart cards

Trusted path
Normal key validation on a PC

Trusted path
PIN code validation – can you come up with attacks?

Are smart cards good or bad?

Let’s go through a few common scenarios

A few common scenarios…

Example – fault attack on DES

15-th round DPA

15-th round DES