Yossi Oren, yos strudel bgu.ac.il, yossioren System Security Engineering course, Dec

מאלגוריתם למציאות : התקפות על מימושים של מערכות מאובטחות

3 Input Output Secure Functionality Secret

Output Sound Heat EM Radiation Power Vibration Timing Secure Device Bad Input Errors 4 Secret Input

 A technique that allows attackers to extract information hidden inside a device, by analyzing the physical signals that the device emits as it performs a secure computation 5 From: Power Analysis Attacks: Revealing the Secrets of Smart Cards. Mangard, Oswald and Popp, 2007

6 From: An Introduction to Implementation Attacks and Countermeasures, Thomas Popp, MEMOCODE 2009

7

 Fundamentals  Power/EM attacks  Low Data Complexity  + Research Questions  High Data Complexity  + Research Questions  Architectural Attacks  + Research Questions 8

 2 classes of chips: ASICs and Microcontrollers MicrocontrollerASIC Software-Defined Functionality Fixed (Hardware) Functionality Serial OperationParallel Operation Cheap to UseCheap to Manufacture 9

10

11

⇐ Low Variance High ⇒ Variance ⇐ Low Correlation High ⇒ Correlation 12

 Hamming Weight – amount of bits that are 1  HW(5) = ?  HW(0xE) = ?  Hamming Distance – amount of bits that are different  HW(5,0) = ?  HW(0xE,0xD) = ? 13

 What device are we attacking? (DUT)  What countermeasures does the DUT have?  What secret are we after?  What is our measurement setup?  What sort of access do we have?  How intimate is our physical access?  How much data can we collect?  Is there an offline phase? 14

 Power consumption is variable  Power consumption depends on instruction  Power consumption depends on data  Electromagnetic emanation depends on power consumption 15

q Power consumption V dd GND a q A P1 C1 C2 N1  The power consumption of a CMOS gate depends on the data: q: 0->0 virtually no power cons. q: 1->1 virtually no power cons. q: 0->1 high power cons. (proportional to C2) q: 1->0 high power cons. (proportional to C1)

Source: DPA Book 17

Source: DPA Book 18

Arm Activate Capture Retrieve 19

20

21 From: Introduction to differential power analysis, Kocher, Jaffe, Jun and Rotaghi, J. Cryptogr Eng. (2011) 1: s_0_0_0 +1 s_0_0_1 +1 s_0_0_5 +1 s_0_0_ s_0_0_7 +1 e_s_0_0_p −1 e_s_0_0_n = 4 ;

 Use statistical properties of traces to recover key  Pros:  Very limited reverse engineering  Harder to confuse  Cons:  Large amount of traces  Two main types of DPA:  Difference of means (traditional DPA)  Correlation power analysis (CPA) 22

 We want to discover the correct key value (c k ) and when it is used (c t )  Idea:  On the correct time, the power consumption of all traces is correlated with the correct key  On other times and other keys the traces should show low correlation 23

 Assume plaintext and correct key are known but correct time is unknown  Form hypothesis and test it  Good hypothesis:  Depends on known plaintext  Depends on small amount of key bits  Non-linear – sensitive to small changes  Maps to power consumption using a model 24

 1000 traces, each consisting of 1 million points  Each trace uses a different known plaintext – 1000 plaintexts  1 known key  Hypothesis is vector of 1000 hypothetical power values  Output of warm-up CPA: vector of 1 million correlation values with peak at c t 25

26

 Plaintext is known, but correct key and correct time unknown  Idea: run warm-up CPA many times in parallel  Create many competing hypotheses 27

 1000 traces, each consisting of 1 million points  Each trace uses a different known plaintext – 1000 plaintexts  Key is unknown – 256 guesses for first byte  Hypothesis is matrix of 1000X256 hypothetical power values  Output of full CPA: matrix of 1,000,000X256 correlation values with peak at (c k,c t ) 28

29

 Q1: How can we extract the most information from power traces?  Q2: How can we align different power traces together (in the presence of countermeasures)?  Q3: How can we expand the attacker model?  Simpler equipment  Less physical proximity 30

“attacks that exploit deeper processor ingredients below the trust architecture boundary” 31 From: Yet Another MicroArchitectural Attack: Exploiting I-Cache, Aciicmez, ACM CSAW 2007

Safari Private BrowsingTor Browser 4.5.1

 Q4: Can we break keys with this method?  Q5: Can we scale the measurement into the “open web”? 33

 Join our cyber mailing list: