1 / 17

Wide Collisions in Practice

Wide Collisions in Practice. Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore. Overview. Side Channel Collision Attacks Wide Collisions for AES Improving Recognition Rates Attack Results. Embedded Systems.

knut
Download Presentation

Wide Collisions in Practice

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10thACNS 2012- Singapore

  2. Overview • Side Channel Collision Attacks • Wide Collisions for AES • Improving Recognition Rates • Attack Results

  3. Embedded Systems • Specific purpose device with computing capabilities • Constrained resources • Many require security

  4. Side Channel Attacks … leaks additional information via side channel! e.g. power consumption / EM emanation plaintext AES Leakage ciphertext

  5. Collisions in AES plaintext Collision:Querying same S-box value twice Collision Attack: Exploiting collision detections to recover secret key Add_Key Sub_Bytes y1 y4 = y1 S-box 1 S-box 4

  6. Collision Detection Collisions are highly frequent: • First round: .41 collisions • One encryption: >40 collisions Detecting collisions is hard: • One encryption: 12 720 comparisons • Probability of a collision: <0.4% • False positive rate of 1%: >120 faulty detections  Shouldminimize false positives

  7. Wide Collisions (I) • Two AES encryptions with chosen inputs • Same plaintexts except for diagonals! • AddRoundKey, SubBytes -> same difference

  8. Wide Collisions (II) • ShiftRows aligns differences • MixColumns can result in equal bytes Collision

  9. Wide Collisions (III) • 2ndShiftRows results in equal columns • Full column collides until next ShiftRows! • 5predictable S-Box collisions between 2 encryptions! Full Column Collision

  10. Collision Detection • Direct Comparison of two power traces • Ideally only compared in leaking regions(5 s-Boxes and full MixColumnscolliding) Point selection necessary: • Knowledge of implementation or profiling needed + S-box in round 2 + Mix Columns S-box 4 S-boxes (in round 3)

  11. Key Recovery Phase • 1st byte after 1stMixColumns: • 4 collisions reduce key candidates from 232 to 1 candidate per diagonal. • Full key recovery: 16 distinct collisions. Avoid false positives

  12. Outlier Method Procedure: Find overall Mean Trace Locate Outlier Region Locate Neighboring Pairs Mean Trace Individual Trace Outlier Region

  13. Outlier Method: Details Two parameters: • Size of outlier region • Admitted distance betweenneighboring points Both influence • Number of detected collisions • Rate of false positives Tradeoff depends on implementation

  14. Results • Unprotected SW implementation, 8-bit Smart Card • Results on 3000 power traces: • Wide Collisions stronger, but knowledge of implementation or profiling needed • Blind Templates (+ PCA) are great for device profiling

  15. Optimized Collision Detection • Targeting Wide Collisions • Strong leakage, easier to detect • Requires chosen inputs • UsingOutlier Detection method: • Reduces overall detection of collisions • Minimizes false positives

  16. Conclusion • Wide collisions yield feasible power based collision attack • Outlier Method is a helpful tool for decreasing false positive detections

  17. Thank you very much for your attention! teisenba@fau.edu

More Related