Ali Galip Bayrak EPFL, Switzerland June 7th, 2011

Presentation transcript:

A First Step Towards Automatic Application of Power Analysis Countermeasures
Ali Galip Bayrak, EPFL, Switzerland, June 7th, 2011
and Francesco Regazzoni (UCL and Alari), Philip Brisk (UC Riverside, USA), François-Xavier Standaert (UCL, Belgium), Paolo Ienne (EPFL, Switzerland)

Side-Channel Attacks
Plaintext (e.g., “Encrypt me”) -> Cryptographic Algorithm -> Ciphertext (e.g., “aB14t752s”)
Secret Key (e.g., “I’m unknown”)
Leakage (power consumption, EM radiation, timing etc.)

Power Analysis Attacks

Motivation
ATTACK! VS COUNTERMEASURE!
PROBLEM: They are handled manually!!!
Software Implementation -> Analyze the algorithm -> Determine the weaknesses -> Apply the countermeasure -> Protected Implementation

Automatic Protection Flow

Step I: Information Leakage Analysis
[Figure: Normalized Mutual Information of Key and Leakage]
Main point: Determine the leaking parts of the software!

Step II: Transformation Target Identification
- Local Modifications: Protect each sensitive instruction (peephole optimization). Example: Random Precharging (used here).
- Global Modifications: Protect all the nodes between two sensitive nodes. Example: Masking.

    sbci r28,0xfd
    ld r25,r28:r29
    movw r18,r26
    subi r18,0x4f
    sbci r19,0xfd
    movw r28,r18
    ld r30,r28:r29

Main point: Determine the portions of the implementation that need to be protected!

Step III: Code Transformation

Input code:

    sbci r28,0xfd
    ld r25,r28:r29
    movw r18,r26
    subi r18,0x4f
    sbci r19,0xfd
    movw r28,r18
    ld r30,r28:r29

Transformed code:

    sbci r28,0xfd
    lds r25,rnd
    mov r24,r25
    ld r25,r28:r29
    …
    movw r18,r26
    subi r18,0x4f
    …

Main point: Apply the given protection on the determined portions of the implementation!
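Added example (not from the slides or the authors' tool): a noise-free model of why the random precharge inserted in Step III removes the leakage that Step I measures. It assumes a Hamming-distance leakage model for a register write, an ideal uniform `rnd` byte, and normalization of the mutual information by H(K); the function names are hypothetical.

```python
import math
from collections import Counter

def hw(x):
    """Hamming weight of a byte."""
    return bin(x).count("1")

def normalized_mi(pairs):
    """Exact I(K;L)/H(K) over an exhaustively enumerated list of (key, leakage)."""
    n = len(pairs)
    pk = Counter(k for k, _ in pairs)
    pl = Counter(l for _, l in pairs)
    mi = sum(c / n * math.log2(c * n / (pk[k] * pl[l]))
             for (k, l), c in Counter(pairs).items())
    hk = -sum(c / n * math.log2(c / n) for c in pk.values())
    return mi / hk

def load_leakage(old, new):
    """Assumed model: writing a register leaks the Hamming distance old -> new."""
    return hw(old ^ new)

def unprotected(plaintext=0x3C, stale=0x00):
    # ld r25,...: r25 holds a fixed stale value when the key-dependent byte
    # arrives. plaintext ^ k stands in for the loaded byte; any bijection of
    # the key byte (such as an S-box output) gives the same result.
    return [(k, load_leakage(stale, plaintext ^ k)) for k in range(256)]

def precharged(plaintext=0x3C):
    # lds r25,rnd then ld r25,...: r25 holds a fresh uniform random byte first,
    # so the observed distance is hw(rnd ^ value) for every possible rnd.
    return [(k, load_leakage(rnd, plaintext ^ k))
            for k in range(256) for rnd in range(256)]

if __name__ == "__main__":
    print(f"unprotected NMI = {normalized_mi(unprotected()):.3f}")
    print(f"precharged  NMI = {normalized_mi(precharged()):.3f}")
```

In this ideal model the precharged load carries no information about the key byte; on real hardware the residual is not zero, which is consistent with the small but non-zero correlation the slides report for the protected implementation.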

Experimental Results (Security)
- Advanced Encryption Standard (AES) is used.
- Traces are collected from a board with an 8-bit AVR MCU.
- A correlation-based DPA attack is used.
- ρ = 0.437, ρ = 0.048: correlation values for unprotected and protected implementations are shown.
- The number of traces necessary to mount a successful attack increases over 76 times.

Experimental Results (Performance)
# of clock cycles during the execution of three different implementations: 4212 (100%), 2700 (64%), 1190

Conclusions
Software Implementation -> AUTOMATIC PROTECTION -> Protected Implementation
Off-the-Shelf Compiler, AP, Security-Aware Compiler
security vs. performance vs. energy etc.