
Future Cryptography : Standards Are Not Enough


Presentation Transcript


  1. Future Cryptography: Standards Are Not Enough. Tomáš Rosa, Decros-ICZ, CTU FEE, tomas.rosa@decros.cz

  2. Abstract Description Versus the Reality [diagram: an attacker facing a cryptographic device; the device takes input data, produces output data, and contains the inner cryptosystem together with the keys and other sensitive values]

  3. Abstract Description Versus the Reality [the same diagram, now with side channels drawn from the device to the attacker in addition to the planned input and output data]

  4. Side Channels • Definition (side channel) • An unplanned way in which a cryptographic device exchanges information with its neighborhood.

  5. Side Channels • Analysis of a side channel • The process of extracting useful information from the particular side channel. • Attack based on a side channel • The process of using the analysis of the particular side channel against a given cryptographic device.

  6. Side Channels • Types of side channels (SC) • Time SC • Power SC • Electromagnetic SC • Fault SC • Kleptographic SC

  7. Side Channels • The effectiveness of attacks based on side channels usually comes from the „cooperation paradox“: • Cryptologists know that the information coming from the side channel would be dangerous, but they never expected that such a side channel would exist. • Technical designers know that such a side channel exists, but they never expected that its existence would be dangerous.

  8. Oracle Based Analysis (OBA) • It is important to discuss this technique, because: • It underlies all major types of power and timing analysis. • It allows us to formulate the OBA Fundamental Hypothesis, which can be used to derive useful general countermeasures.

  9. Oracle Based Analysis (OBA) • Proposition 1. Let $I$ be the input set and let $S$ be the particular side channel, which yields for each input message an $n$-dimensional real observation, $S: I \to \mathbb{R}^n$. • Definition 2. The oracle is represented by the transformation $O: I \to B$, where $B = \{0, 1\}$.

  10. Oracle Based Analysis (OBA) • Proposition 2. Let $I_m$ be a subset $I_m \subseteq I$ such that for each $x \in I_m$ we know the corresponding value $S(x)$ (the inputs whose side-channel observations were measured).

  11. Oracle Based Analysis (OBA) • Proposition 3. The value of the oracle $O$ splits the set $I_m$ into two disjoint subsets $I_1, I_2$ such that for each $x \in I_m$ we have: $x \in I_1$ iff $O(x) = 1$ and $x \in I_2$ iff $O(x) = 0$. • Next we define the transformations $S_1: I_1 \to \mathbb{R}^n$ and $S_2: I_2 \to \mathbb{R}^n$ by $S_1(x) = S(x)$ and $S_2(x) = S(x)$. • By the notation $S_1$ or $S_2$ we also mean the random variables taking values in $\mathbb{R}^n$ (the observation of an input drawn at random from $I_1$ or from $I_2$).

  12. Oracle Based Analysis (OBA) • Proposition 3 (cont.). Let $\varphi$ denote the selected characteristic of an $n$-dimensional random variable ($\varphi: \mathbb{R}^n \to \mathbb{R}^n$, e.g. its mean; the original symbol is lost in this transcript and $\varphi$ is used here in its place) and let $d$ be an appropriate metric on $\mathbb{R}^n$ ($d: \mathbb{R}^n \times \mathbb{R}^n \to \mathbb{R}$). Then, for some $\varepsilon \in \mathbb{R}$, $\varepsilon \ge 0$: • $(\mathrm{cond} = \mathrm{false}) \Rightarrow d(\varphi(S_1), \varphi(S_2)) \le \varepsilon$ • $(\mathrm{cond} = \mathrm{true}) \Rightarrow d(\varphi(S_1), \varphi(S_2)) \gg \varepsilon$ • Here cond stands for the condition under which the oracle was built, typically that the guessed part of the key (cf. slide 13) is correct: a wrong hypothesis yields an oracle that does not separate the observations, a right one yields a clearly visible difference.

  13. OBA Fundamental Hypothesis • The possibility of an OBA-based attack implies the existence of some intermediate variable whose value: • is a function of the input data and the secret key; • can be predicted from the input data and some part of the key.

  14. OBA Fundamental Hypothesis • Sketch of the proof • The oracle itself represents such a variable. • Corollary • Avoiding the existence of such a variable is an efficient countermeasure against OBA-based attacks.
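The following Python program is an added worked example and is not part of the original presentation: it instantiates the definitions of slides 9 to 14 on a simulated device. The device, its leakage model (Hamming weight of the intermediate x XOR k plus Gaussian noise, a one-dimensional side channel, n = 1) and the constants KEY and NOISE_SIGMA are assumptions constructed here. The oracle predicts one bit of the intermediate variable from the input and a single guessed key bit, the measured set is split by it, and the signed difference of means is the metric d of Proposition 3. A blinded variant of the same device illustrates the corollary of slide 14: once the intermediate also depends on a fresh random mask, no oracle built from the input and a key guess separates the measurements.

```python
"""Oracle-based analysis on a simulated power side channel (slides 9-14).

Added example, not from the original presentation. Device, leakage model,
noise level and the key byte are constructed here.
"""
import random
from statistics import mean

KEY = 0xA7           # the device's secret key byte (constructed; unknown to the attacker)
NOISE_SIGMA = 0.8    # measurement noise of the simulated power side channel


def hamming_weight(v):
    return bin(v).count("1")


def leaky_device(x, rng, blinded=False):
    """One measurement S(x) of the simulated device.

    The intermediate variable is x ^ KEY (a function of input and key, as in the
    OBA Fundamental Hypothesis); its Hamming weight leaks through the power
    consumption. With blinded=True a fresh random mask is XORed in first
    (slide 21, "blinding the data"), so the leaked value depends on the mask as
    well and can no longer be predicted from x and a key guess alone.
    """
    intermediate = x ^ KEY
    if blinded:
        intermediate ^= rng.randrange(256)
    return hamming_weight(intermediate) + rng.gauss(0, NOISE_SIGMA)


def collect(num_traces, blinded=False, seed=1):
    """The measured subset I_m of slide 10: (input x, observation S(x)) pairs."""
    rng = random.Random(seed)
    traces = []
    for _ in range(num_traces):
        x = rng.randrange(256)
        traces.append((x, leaky_device(x, rng, blinded)))
    return traces


def oracle(x, bit, key_bit_guess):
    """O: I -> {0, 1} (slide 9): the predicted value of bit `bit` of x ^ k under
    the hypothesis that bit `bit` of the key equals key_bit_guess."""
    return ((x >> bit) & 1) ^ key_bit_guess


def split_statistic(traces, bit, key_bit_guess):
    """Proposition 3: split I_m into I_1 (O = 1) and I_2 (O = 0), take the mean
    as the characteristic of S_1 and S_2, and use their signed difference as d."""
    s1 = [s for x, s in traces if oracle(x, bit, key_bit_guess) == 1]
    s2 = [s for x, s in traces if oracle(x, bit, key_bit_guess) == 0]
    return mean(s1) - mean(s2)


def recover_key(traces, epsilon=0.3):
    """Return (key, largest |d| seen over the eight bit hypotheses).

    A right hypothesis gives d close to +1 (the predicted bit really adds one to
    the Hamming weight), a wrong one gives d close to -1 (the oracle is then the
    complement of the true bit), and a blinded device gives |d| <= epsilon for
    every hypothesis, in which case no key is returned.
    """
    key, largest = 0, 0.0
    for bit in range(8):
        d = split_statistic(traces, bit, 1)      # hypothesis: this key bit is 1
        largest = max(largest, abs(d))
        if d > epsilon:
            key |= 1 << bit
    return (key if largest > epsilon else None), largest


if __name__ == "__main__":
    print("unprotected device:", recover_key(collect(4096)), "true key:", hex(KEY))
    print("blinded device:    ", recover_key(collect(4096, blinded=True)))
```

recover_key decides with the sign of d: +1 means the guessed bit is right, -1 that it is wrong, and |d| at or below epsilon for every bit means the hypothesis found no predictable intermediate variable. Real attacks target a nonlinear intermediate (an S-box output) so that wrong key guesses give d near zero rather than a sign flip, but the split-and-compare machinery is the same.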

  15. Fault Analysis • A message sent by the attacker to the device opens up a side channel from the device back to the attacker. • The most dangerous techniques are often based on simple (but smart) mathematical observations. • A discussion of particular FA-based attacks on RSA follows.

  16. Fault Analysis: RSA • Lemma 1. Let $x, y, n \in \mathbb{Z}$ with $n = pq$, where $p, q$ are distinct primes, $x \equiv y \pmod p$ and $x \not\equiv y \pmod q$. Then $p$ is easy to compute as $p = \gcd(x - y, n)$, since $p \mid (x - y)$ while $q \nmid (x - y)$. • The question remains: how to find such a pair $(x, y)$? • The computation of an RSA signature based on the Chinese Remainder Theorem (CRT) is a good source of inspiration...

  17. Fault Analysis: RSA • Let the quintuple $(p, q, d_p, d_q, p_{\mathrm{Inv}})$ be the RSA private key, with $d_p = d \bmod (p-1)$, $d_q = d \bmod (q-1)$ and $p_{\mathrm{Inv}} = p^{-1} \bmod q$, and let $m \in \mathbb{Z}_n$ be the formatted message to sign. • Then the signature $s$ can be computed in the following steps: • $s_p = m^{d_p} \bmod p$ • $s_q = m^{d_q} \bmod q$ • $h = p_{\mathrm{Inv}} \cdot (s_q - s_p) \bmod q$ • $s = s_p + p \cdot h$

  18. Fault Analysis: RSA • By disturbing the computation of a particular signature (say, the $s_q$ branch), we obtain a value $s_{\mathrm{faulty}}$ such that: • $s_{\mathrm{faulty}} \equiv m^d \pmod p$ • $s_{\mathrm{faulty}} \not\equiv m^d \pmod q$

  19. Fault Analysis: RSA • Now we can mount: • Signature-Signature attack: we exploit the known value of the correct signature $s_{\mathrm{good}}$ of the same message. It holds that: • $s_{\mathrm{faulty}} \equiv s_{\mathrm{good}} \pmod p$ • $s_{\mathrm{faulty}} \not\equiv s_{\mathrm{good}} \pmod q$ • so by Lemma 1, $p = \gcd(s_{\mathrm{faulty}} - s_{\mathrm{good}}, n)$. • Known Message-Signature attack: if we know the value of $m$, we can use the easily derived congruences (a single faulty signature and the public key suffice): • $s_{\mathrm{faulty}}^e \equiv m \pmod p$ • $s_{\mathrm{faulty}}^e \not\equiv m \pmod q$ • so $p = \gcd(s_{\mathrm{faulty}}^e - m, n)$.

  20. Fault Analysis: RSA • Importance of checking the integrity of private keys • FA-based attacks are easy to carry out when the attacker is able to force the device to work with a corrupted private key or corrupted public parameters: a flipped bit in the stored $d_q$ has the same effect as a transient fault during the computation of $s_q$. • Recent results (including similar attacks on DSA): attack on the OpenPGP format and compatible applications [2].

  21. Side Channels: Basic Countermeasures • Blinding the data being processed • Randomizing the cryptographic transformation • Checking the integrity of keys • Checking the outputs for faults
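The following Python program is an added worked example and is not part of the original presentation (nor of [2]): it carries slides 16 to 21 through on a toy key. The key size (primes of about 20 bits found by trial division), the hash-based stand-in for message formatting and the two fault models (a flipped bit of s_q during the computation, or a flipped bit of the stored d_q as a corrupted private key) are assumptions constructed here; the CRT signature steps and the two gcd attacks are exactly those of slides 17 and 19, and sign_crt_checked is the last countermeasure of slide 21, checking the output for faults before it leaves the device.

```python
"""Fault attack on RSA-CRT signatures (slides 16-21) and the output check.

Added example, not from the original presentation. Key size, message
formatting and the fault models are toy assumptions constructed here.
"""
import hashlib
from math import gcd, isqrt


def next_prime(n):
    """Smallest prime >= n by trial division (adequate for the toy sizes used)."""
    while True:
        if n > 1 and all(n % d for d in range(2, isqrt(n) + 1)):
            return n
        n += 1


def keygen(p_start=1_000_000, q_start=2_000_000, e=65537):
    """Toy RSA key: (n, e) public, (p, q, dp, dq, pInv) private, as on slide 17."""
    p, q = next_prime(p_start), next_prime(q_start)
    while gcd(e, (p - 1) * (q - 1)) != 1:        # e must be invertible mod phi(n)
        q = next_prime(q + 1)
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": p * q, "e": e, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "pInv": pow(p, -1, q)}


def sign_crt(key, m, fault=None):
    """CRT signature exactly as on slide 17; `fault` models a disturbed device.

    fault="sq": one bit of the half-signature mod q flips (transient fault).
    fault="dq": the lowest bit of the stored exponent dq flips (corrupted private
                key, slide 20), so s_q becomes s_q * m^(+-1) mod q.
    Either way the result is still correct mod p and wrong mod q (slide 18).
    """
    p, q, dp, dq, pInv = key["p"], key["q"], key["dp"], key["dq"], key["pInv"]
    if fault == "dq":
        dq ^= 1
    sp = pow(m, dp, p)
    sq = pow(m, dq, q)
    if fault == "sq":
        sq ^= 1 << 5
    h = (pInv * (sq - sp)) % q
    return sp + p * h


def attack_signature_signature(s_good, s_faulty, n):
    """Slide 19, first variant: s_faulty == s_good (mod p) but not (mod q)."""
    return gcd(s_faulty - s_good, n)


def attack_known_message(s_faulty, m, e, n):
    """Slide 19, second variant: s_faulty^e == m (mod p) but not (mod q).
    Only the public key, the message and one faulty signature are needed."""
    return gcd((pow(s_faulty, e, n) - m) % n, n)


def sign_crt_checked(key, m, fault=None):
    """Slide 21 countermeasure: verify the signature before releasing it, so a
    faulty value never reaches the attacker."""
    s = sign_crt(key, m, fault)
    if pow(s, key["e"], key["n"]) != m:
        raise RuntimeError("signature failed the self-check and was not released")
    return s


def format_message(data, n):
    """Stand-in for a real padding scheme (constructed): hash reduced mod n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


if __name__ == "__main__":
    key = keygen()
    n, e = key["n"], key["e"]
    m = format_message(b"example message", n)
    s_good = sign_crt(key, m)
    s_faulty = sign_crt(key, m, fault="sq")
    print("p =", key["p"])
    print("signature-signature attack:", attack_signature_signature(s_good, s_faulty, n))
    print("known message attack:      ", attack_known_message(s_faulty, m, e, n))
    print("corrupted dq, known message:",
          attack_known_message(sign_crt(key, m, fault="dq"), m, e, n))
    try:
        sign_crt_checked(key, m, fault="sq")
    except RuntimeError as err:
        print("checked signer:", err)
```

The check in sign_crt_checked costs one public-exponent exponentiation, which is cheap for the usual small e; it addresses the fault itself, not a corrupted key, so the key-integrity check of slide 21 is still needed alongside it (with a corrupted d_q every signature fails the check, which at least keeps the faulty values off the wire).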

  22. Side Channels: Future Trends • Technicians shall • Try to minimize the power of the signal leaking through the particular side channels • Inform cryptologists about all remaining side channels • Cryptologists shall • Design their cryptosystems with respect to the known side channels • Given the current state of technology, the defense against attacks based on various side channels is mainly a cryptological problem

  23. References • [1] Rosa, T.: Future Cryptography: Standards Are Not Enough, in Proc. of CATE 2001, 2001. • [2] Klíma, V. and Rosa, T.: Attack on Private Signature Keys of the OpenPGP Format, PGP(tm) Programs and Other Applications Compatible with OpenPGP, ICZ Technical Report, available at http://www.i.cz/en/pdf/openPGP_attack_ENGvktr.pdf, 2001.
