Smart-Card Security under the Threat of Power Analysis Attacks


### Smart-Card Security under the Threat of Power Analysis Attacks

Robert Sloan, U. Illinois Chicago

Joint work with Tom Messerges and Ezzy Dabbish, Motorola Labs

Old Puzzle/Joke

- Employee daily takes 1 brick in wheelbarrow to his car at quitting time.
- Bricks are very cheap.
- Why is he doing this?
- Side channel. . . .

Summary/Outline of Presentation

- Review of Basic Concepts
  - Power analysis attacks
  - Smartcards
- Review of Previous Power Analysis Work
- Our Research
  - Initial results attacking smartcards
  - Modeling and strengthening DPA attacks
  - Power analysis attacks against public-key cryptosystems
- A drop about countermeasures

Cryptography Review

- Uses: Authentication, secrecy, integrity, nonrepudiation
- Implementations:
  - Rotor machines: Hagelin, Enigma
  - Computers, special chips, smartcards

Modern Cryptography Review

- Public algorithms
- Security depends on secret key
- Two main varieties (used for many things):
  - Public-key cryptography
  - Symmetric-key cryptography

Two kinds of Attacks

- Traditional Mathematical Attacks
  - Algorithm modeled as ideal mathematical object
  - Attack would typically generalize
  - Attacks mostly theoretical rather than operational
- Implementation Attacks
  - Physical implementation is attacked
  - Vulnerabilities are difficult to control
  - Attacks are often operational; historically used to crack ciphers
  - Attack strategies are specific and do not generalize

Power Analysis Attacks

- Kocher et al., June 1998: Measure instantaneous power consumption of a device while it runs a cryptographic algorithm
- Different power consumption when operating on logical ones vs. logical zeroes.

Smart Card Overview (1)

- A smartcard is
  - credit-card size plastic with an embedded microprocessor (and memory)
  - “secure” against malicious tampering and monitoring

Smartcard Overview (2)

- Typical Smartcard at time of our research
  - 8-bit CPU, 384 bytes RAM, 3–5 MHz clock rate
- Upcoming
  - 32-bit RISC CPU, 4 Kbytes RAM, 50 MHz clock

Smartcard Applications

- Loyalty, financial, healthcare, government
- Identification, electronic money, computer access
- Access to physical items (e.g., buildings, cell phones)

Cryptography on smartcards

- Symmetric: DES, 3DES, AES
- Public-key: RSA, El-Gamal, Elliptic Curves
- Physically secure storage device:
  - Passwords or keys
  - Personal Information
- All sometimes susceptible to leakage attacks

Previous work

- P. Kocher et al., June 1998. White paper, announcing new “Differential Power Attack (DPA)”, a statistical analysis of power consumption and stating “all commercially available” smartcards examined vulnerable.
- Very sketchy high-level idea of how to do DPA attack against DES on smartcard.

Goals of our research

- Establish ability to monitor and analyze power consumption information
- Examine the leaked information and determine the extent of the problem
- Study and implement newly announced DPA
- Document DPA against DES on smartcard

Simple Power Analysis

- (E.g., Kocher 1998) Attacker directly uses power consumption to learn bits of secret key. Wave forms visually examined.
- Big features like rounds of DES, square vs. multiply in RSA exponentiation, and small features, like bit value.
- Relatively easy to defend against.

Experiment 1: SPA

- Power trace of load instruction on an HC05-based smartcard.
- Hope voltage consumed will track number of bit transitions, revealing Hamming weight.
- Averaged 500 runs to reduce noise.

Cracking DES w/Hamming Leak

- Proposition: If attacker knows Hamming weight of each of the k n-bit words of secret key, then brute-force search space is reduced from $2^{kn}$ to

DES example: $2^{56}$ keys reduced to $2^{40}$ (n = 8, k = 7).

New SPA attack on DES

- (Half of) key is in C register and rotated on each round in deterministic way.
- If we know when to measure the Hamming weights of the rotated key, we can solve set of equations to get entire key.
- Similar algorithms with bigger keys (e.g., triple DES) also vulnerable to this attack.

Differential Power Analysis

Definition

Differential Power Analysis (DPA):

Attacker uses statistical techniques to extract tiny differences in power consumption and extract the bits of the secret key.

Attacker doesn’t need to know as many implementation details as for SPA.

DPA: Basic Idea

- Attacker runs N encryptions on N randomly chosen plaintext inputs ($PTI_i$, $1 \le i \le N$).
- Collects discrete time power signal $S_i(n)$: sampled version of power consumption during the portion of the algorithm being attacked.
- Also collects ciphertext output, $CTO_i$.
- Partitions the $S_i(n)$ by a 0-1 function D.

Partition/Selection

- Function $D(C, K_I)$ depends on key information $K_I$ and ciphertext C
- D is some bit that software must compute. E.g., $D(C, K_I) = C_1 \oplus \mathrm{SBOX1}(C_6 \oplus K_{16})$
- Computed by software in round 16 of DES:
  - $C_1$ = 1 bit of $CTO_i$ that is XORed with SBOX #1’s output; SBOX #1’s input is formed from $K_{16}$, 6 bits of the round 16 subkey, and $C_6$, 6 bits of $CTO_i$
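The partition step seen from the evaluator's side, as an added example that is not from the original slides: a known-key leakage check on simulated traces that computes the difference-of-means bias for D = one output bit of SBOX1, then repeats it with the data-masking countermeasure listed later in the deck. The leakage model (one sample per run, Hamming weight of the S-box output plus Gaussian noise), the key value, the noise level and all function names are assumptions; the $C_1$ XOR of the slide's D is omitted because the model leaks the S-box output directly.

```python
import random

# DES S-box 1 (standard table): row = outer bits b1,b6; column = middle 4 bits.
SBOX1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox1(x):
    """Look up a 6-bit input in DES S-box 1."""
    row = ((x >> 4) & 2) | (x & 1)
    return SBOX1[row][(x >> 1) & 0xF]

def hw(v):
    """Hamming weight of a small integer."""
    return bin(v).count("1")

def simulate_traces(k16, n, masked, rng, noise=2.0):
    """Constructed leakage model (assumption): one power sample per run equal
    to the Hamming weight of the S-box output plus Gaussian noise. With
    masked=True the device handles the output XORed with a fresh 4-bit mask."""
    runs = []
    for _ in range(n):
        c6 = rng.randrange(64)                  # 6 known ciphertext bits
        out = sbox1(c6 ^ k16)
        on_bus = out ^ rng.randrange(16) if masked else out
        runs.append((c6, hw(on_bus) + rng.gauss(0, noise)))
    return runs

def dpa_bias(runs, k16):
    """Difference of means between the two partitions selected by
    D = low bit of SBOX1(C6 xor K16)."""
    parts = {0: [], 1: []}
    for c6, sample in runs:
        parts[sbox1(c6 ^ k16) & 1].append(sample)
    return sum(parts[1]) / len(parts[1]) - sum(parts[0]) / len(parts[0])

def leakage_check(k16=0b101101, n=4000, seed=1):
    """Return (bias without masking, bias with masking) for a known key."""
    rng = random.Random(seed)
    plain = dpa_bias(simulate_traces(k16, n, False, rng), k16)
    masked = dpa_bias(simulate_traces(k16, n, True, rng), k16)
    return plain, masked

if __name__ == "__main__":
    print("bias unmasked %.2f, masked %.2f" % leakage_check())
```

In this model the unmasked bias sits near 1 (the selected bit's own contribution to the Hamming weight), while the masked bias stays within the noise around 0.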

Summary of initial results

- (Messerges) designed and implemented power analysis equipment
- Discovered that Hamming weight (or distance) information is leaking
- Implemented and documented Kocher et al.’s DPA attack on an actual smartcard running DES. (N = 1,300, time ≈ 1 hour, equipment cost < $10K.)

Strengthening DPA attacks

- Goal: Come up with stronger attack: use fewer signals to crack.
- Idea: Filter noise from DPA bias signal
- Math model first, then experimentally confirm!

Testing multiple-bit DPA

- Ran 1, 4, and 8-bit DPA attacks, for 1 bit of SBOX output, all 4 bits of SBOX output, and 2 SBOX outputs.
- Also tried partitioning $S_0$ from $S_1$ based on 8 bits used as address for SBOX lookup.
- HC05-based smartcard, N = 1,000

Tradeoff on number of signals

- As number of bits d used in multiple-bit DPA attack goes up, signal gets stronger, so need fewer signals.
- But can use only those where D function outputs d 0’s or d 1’s, throwing away rest. I.e., only $2/2^d$ are usable.
- For same SNR as 1-bit: $N_d = 2^{d-1} N / d^2$

Attacking Modular Exponentiation

- Modular exponentiation is at heart of two-key, public-key cryptosystems
- Square-and-multiply in RSA; analogous double-and-add in Elliptic Curve
- Our Goal: Model, devise attacks, and implement attacks!

First Attempt: Just Correlation

- Ran a simple correlation experiment: correlate power signal from one multiply operation with entire exponentiation’s power signal.
- Averaged 5,000 exponentiations with same input value.
- Revealed timing but not operation:

SEMD Attack

- Single-Exponent Multiple-Data attack
- Needs smartcard willing to do arbitrary number of exponentiations with both its secret key and supplied known key. E.g., supporting ISO 7816 “internal authenticate” and “external authenticate” commands.
- Compare the two signals.

SEMD Attack (2)

- Comparing the two signals hard, because square-and-multiply causes widely varying signal.
- So average many trials and subtract one average from the other.
- Parts of signals that are independent of exponent bits should have about same average so about 0 difference.

MESD Attack

- Multiple-Exponent Single-Data (MESD) Attack: Requires that the smartcard will exponentiate a constant value (not necessarily known to attacker) with exponents chosen by attacker.
- Goal is to get better SNR than SEMD attack.
- Learns bits one at a time.

MESD Attack Algorithm

- Collect $S_M[j]$ for raising M to secret e
- Put $e_g = 0$
- For i = n-1 to 0
  - Collect $S_0[j]$ with guess ith bit of $e_g$ = 0
  - Collect $S_1[j]$ with guess ith bit of $e_g$ = 1
  - Calculate 2 DPA bias signals:
    - $D_0[j] = S_M[j] - S_0[j]$ and $D_1[j] = S_M[j] - S_1[j]$
  - Update 1 bit of $e_g$ to DPA’s answer

ZEMD Attack

- Zero-Exponent, Multiple-Data (ZEMD) attack: Similar to MESD, but different assumptions.
- Does not require adversary to know any exponents.
- Instead, must know particular exponentiation algorithm being used (only a few common ones).

ZEMD attack (2)

- Learn secret exponent one bit at a time.
- Choose many arbitrary values M and simulate i steps of exponentiation, guessing ith bit is 1.
- Create DPA bias signal by comparing to first i steps of smartcard run on M, based on Hamming weight of answer.

Countermeasures for Power Analysis Attacks

- Software Countermeasures
  - Time randomization: add random delays
  - Permuted execution
  - Data Masking Techniques
- Hardware Countermeasures
  - Noise generation, power signal filtering, novel circuit designs
  - But must consume some energy to process data

Message & Exponent Blinding

- Kocher defense against timing attacks.
- Select random starting bit for exponentiation.
- Left to MSB; back to start; right to LSB.
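Message and exponent blinding in its commonly described form (multiply the input by r^e, add a random multiple of φ(N) to the private exponent), as an added example that is not from the original slides. The toy key, the function names and the explicit r and k parameters are assumptions made so the effect on the square/multiply sequence can be inspected; the random-starting-bit variant on the slide is not implemented here.

```python
import secrets
from math import gcd

# Constructed toy RSA key (tiny primes, illustration only; not from the slides).
P, Q, E = 1009, 1013, 65537
N, PHI = P * Q, (P - 1) * (Q - 1)
D = pow(E, -1, PHI)

def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation. Also returns the S/M operation
    sequence, the feature a power trace of this loop exposes."""
    result, ops = 1, []
    for bit in bin(exp)[2:]:
        result = result * result % mod
        ops.append("S")
        if bit == "1":
            result = result * base % mod
            ops.append("M")
    return result, "".join(ops)

def random_unit():
    """Random value in [2, N-1] that is invertible modulo N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r

def blinded_private_op(m, r=None, k=None):
    """Compute m^D mod N with message blinding (factor r) and exponent
    blinding (D + k*phi). Returns (result, value actually exponentiated,
    S/M sequence). r and k are drawn at random unless supplied for testing."""
    r = random_unit() if r is None else r
    k = secrets.randbits(16) + 1 if k is None else k
    base = m * pow(r, E, N) % N                 # card never handles m itself
    result, ops = square_and_multiply(base, D + k * PHI, N)
    return result * pow(r, -1, N) % N, base, ops

if __name__ == "__main__":
    m = 424242                                  # constructed sample input
    _, fixed_ops = square_and_multiply(m, D, N)
    sig, base, ops = blinded_private_op(m)
    print("correct:", sig == pow(m, D, N))
    print("same S/M sequence as unblinded run:", ops == fixed_ops)
    print("exponentiated value equals m:", base == m)
```

Because the exponent and the data differ on every run, the averaging that SEMD, MESD and ZEMD depend on no longer lines up across traces. Each single S/M sequence still encodes an exponent equivalent to D, so blinding does not replace an exponentiation loop with a regular operation sequence.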

Thanks for Listening

Any Questions?
