1 / 69

Lecture7 –More on Attacks

Lecture7 –More on Attacks. Rice ELEC 528/ COMP 538 Farinaz Koushanfar Spring 2009. Outline. More on side-channel attacks Fault injection attacks Generic attacks on cryptosystems . Slides are mostly courtesy of Michael Tunstall michael.tunstall@gemplus.com.

neila
Download Presentation

Lecture7 –More on Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture7 –More on Attacks Rice ELEC 528/ COMP 538 Farinaz Koushanfar Spring 2009

  2. Outline • More on side-channel attacks • Fault injection attacks • Generic attacks on cryptosystems Slides are mostly courtesy of Michael Tunstall michael.tunstall@gemplus.com

  3. Simple power analysis (SPA) - example

  4. SPA example (cont’d)

  5. SPA example (cont’d) • Unprotected modular exponentiation – square and multiply algorithm

  6. Possible counter measure – randomizing RSA exponentiation

  7. Statistical power analysis • Two categories • Differential power analysis (DPA) • Correlation power analysis (CPA) • Based on the relationship b/w power consumption & hamming weight of the data

  8. Modeling the power consumption • Hamming weight model • Typically measured on a bus, Y=aH(X)+b • Y: power consumption; X: data value; H: Hamming weight • The Hamming distance model • Y=aH(PX)+b • Accounting for the previous value on the bus (P)

  9. Differential power analysis (DPA) • DPA can be performed in any algo that has operation =S(K), •  is known and K is the segment key The waveforms are caotured by a scope and Sent to a computer for analysis

  10. What is available after acquisition?

  11. DPA (cont’d) The bit will classify the wave wi • Hypothesis 1: bit is zero • Hypothesis 2: bit is one • A differential trace will be calculated for each bit!

  12. DPA (cont’d)

  13. DPA (cont’d)

  14. DPA -- testing

  15. DPA -- testing

  16. DPA – the wrong guess

  17. DPA (cont’d) • The DPA waveform with the highest peak will validate the hypothesis

  18. DPA curve example

  19. DPA (cont’d)

  20. Attacking a secret key algorithm

  21. Typical DPA Target

  22. Example -- DPA

  23. Example – hypothesis testing

  24. DPA (Cont’d)

  25. DPA on DES algorithm

  26. DPA on other algorithms

  27. Correlation power analysis (CPA) • The equation for generating differential waveforms replaced with correlations • Rather than attacking one bit, the attacker tries prediction of the Hamming weight of a word (H) • The correlation is computed by:

  28. Statistical PA -- countermeasures

  29. Anti-DPA countermeasures

  30. Anti-DPA • Internal clock phase shift

  31. DPA summary

  32. Electromagnetic power analysis

  33. EMA – probe design

  34. EMA signal

  35. Spatial positioning

  36. Spatial positioning

  37. Example: SEMA on RSA

  38. EMA (cont’d)

  39. Counter measures

  40. Fault injection attacks

  41. Fault attacks

  42. Fault injection techniques • Transient (provisional) and permanent (destructive) faults • Variations to supply voltage • Variations in the external clock • Temperature • White light • Laser light • X-rays and ion beams • Electromagnetic flux

  43. Need some (maybe expensive equipment) – eg, laser

  44. Fault injection steps

  45. Provisional faults • Single event upsets • Temporary flips in a cell’s logical state to a complementary state • Multiple event faults • Several simultaneous SEUs • Dose rate faults • The individual effects are negligible, but cumulative effect causes fault • Provisional faults are used more in fault injection

  46. Permanent faults • Single-event burnout faults • Caused by a parasitic thyristor being formed in the MOS power transistors • Single-event snap back faults • Caused by self-sustained current by parasitic bipolar transistors in MOS • Single-event latch-up faults • Creates a self sustained current in parasitics • Total dose rate faults • Progressive degradation of the electronic circuit

  47. Fault impacts (model) • Resetting data • Data randomization – could be misleading, no control over! • Modifying op-code – implementation dependent

  48. Fault attacks – counter measures

  49. Fault attacks – counter measures

  50. Attacks on systems using smart cards

More Related