Josh Benaloh Brian LaMacchia Winter 2011. Side-Channel Attacks Breaking a cryptosystem is a frontal attack, but there may be easier access though a side.

Slides:

Advertisements

Similar presentations

An Alternative to Short Lived Certificates By Vipul Goyal Department of Computer Science & Engineering Institute of Technology Banaras Hindu University.

Advertisements

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

A Framework for Distributed OCSP without Responders Certificate

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

1 Security in Wireless Protocols Bluetooth, , ZigBee.

Certificate Revocation Serge Egelman. Introduction What is revocation? Why do we need it? What is currently being done?

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

Cryptographic Security Presented by: Josh Baker October 9 th, CS5204 – Operating Systems.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

1 eID validations services Houcine Bel Mamoune Unit manager eID Technical Drill down Session 7 April 2005.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.

An In-Depth Examination of PKI Strengths, Weaknesses and Recommendations.

Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.

CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

Homework #8 Solutions Brian A. LaMacchia Portions © , Brian A. LaMacchia. This material is provided without.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Controller of Certifying Authorities PKI Technology - Role of CCA Assistant Controller (Technology) Controller of Certifying Authorities Ministry of Communications.

Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.

Real-World Problems of PKI Hierarchies Daniel Cvrček Department of Computer Science and Engineering, Brno University of Technology SPI Conference 2001,

Defining Computer Security cybertechnology security can be thought of in terms of various counter measures: (i) unauthorized access to systems (ii) alteration.

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Storage & Revoking.

Trusted Systems Laboratory Hewlett-Packard Laboratories Bristol, UK InfraSec 2002 InfraSec 2002 Bristol, October 2002 Marco Casassa Mont Richard.

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

02/22/2005 Joint Seminer Satoshi Koga Information Technology & Security Lab. Kyushu Univ. A Distributed Online Certificate Status Protocol with Low Communication.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.

Lecture 5.3: Key Distribution: Public Key Setting CS 436/636/736 Spring 2012 Nitesh Saxena.

Configuring Directory Certificate Services Lesson 13.

DYNAMIC VALIDITY PERIOD CALCULATION OF DIGITAL CERTIFICATES BASED ON AGGREGATED SECURITY ASSESSMENT By Alexander Beck Jens Graupmann Frank Ortmeier.

Certificate revocation list

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.

CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.

Module 9: Fundamentals of Securing Network Communication.

1 SSL - Secure Sockets Layer The Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian

ASYNCHRONOUS LARGE-SCALE CERTIFICATION BASED ON CERTIFICATE VERIFICATION TREES Josep Domingo-Ferrer, Marc Alba and Francesc Sebé Dept. of Computer Engineering.

BGPSEC Router Key Roll-over draft-rogaglia-sidr-bgpsec-rollover-00 Roque Gagliano Keyur Patel Brian Weis.

Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.

Building trust on the internet Extending Attribute Protocols for Status Management and “Other Things” Patrick Richard, Xcert International.

Online Certificate Status Protocol ‘OCSP’ Dave Hirose July Outline: What is OCSP? Digital Signatures Certificate Revocation List Technical aspects.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

Using Public Key Cryptography Key management and public key infrastructures.

Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code Jeff Seibert, Hamed Okhravi, and Eric Söderström Presented.

Lecture 5 Page 1 Advanced Network Security Review of Cryptography: Cryptographic Keys Advanced Network Security Peter Reiher August, 2014.

Revocation in WebPKI Phill Hallam-Baker Comodo. Standards intersection PKIX OTHER.

Key Rollover for the RPKI Steve Kent (Channeling Geoff Huston )

SSL: Secure Socket Layer By: Mike Weissert. Overview Definition History & Background SSL Assurances SSL Session Problems Attacks & Defenses.

Key management issues in PGP

CRLite: A Scalable System for Pushing All TLS Revocations to All Browsers By Kartik Patel.

Document update - what has happened since GGF11

Web Applications Security Cryptography 1

CS 465 Certificates Last Updated: Oct 14, 2017.

Practical Aspects of Modern Cryptography

OCSP Requirements GGF13.

Presentation transcript:

Josh Benaloh Brian LaMacchia Winter 2011

Side-Channel Attacks Breaking a cryptosystem is a frontal attack, but there may be easier access though a side or back door – especially on embedded cryptographic devices such as SmartCards and RFIDs. January 27, 2011Practical Aspects of Modern Cryptography2

Side-Channel Attacks Some attack vectors … January 27, 2011Practical Aspects of Modern Cryptography3

Side-Channel Attacks Some attack vectors … Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography4

Side-Channel Attacks Some attack vectors … Fault Attacks Timing Attacks January 27, 2011Practical Aspects of Modern Cryptography5

Side-Channel Attacks Some attack vectors … Fault Attacks Timing Attacks Cache Attacks January 27, 2011Practical Aspects of Modern Cryptography6

Side-Channel Attacks Some attack vectors … Fault Attacks Timing Attacks Cache Attacks Power Analysis January 27, 2011Practical Aspects of Modern Cryptography7

Side-Channel Attacks Some attack vectors … Fault Attacks Timing Attacks Cache Attacks Power Analysis Electromagnetic Emissions January 27, 2011Practical Aspects of Modern Cryptography8

Side-Channel Attacks Some attack vectors … Fault Attacks Timing Attacks Cache Attacks Power Analysis Electromagnetic Emissions Acoustic Emissions January 27, 2011Practical Aspects of Modern Cryptography9

Side-Channel Attacks Some attack vectors … Fault Attacks Timing Attacks Cache Attacks Power Analysis Electromagnetic Emissions Acoustic Emissions Information Disclosure January 27, 2011Practical Aspects of Modern Cryptography10

Side-Channel Attacks Some attack vectors … Fault Attacks Timing Attacks Cache Attacks Power Analysis Electromagnetic Emissions Acoustic Emissions Information Disclosure … others? January 27, 2011Practical Aspects of Modern Cryptography11

Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography12

Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography13

Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography14

Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography15

Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography16

Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography17

Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography18

Timing Attacks How long does it take to perform a decryption? January 27, 2011Practical Aspects of Modern Cryptography19

Timing Attacks How long does it take to perform a decryption? The answer may be data-dependent. January 27, 2011Practical Aspects of Modern Cryptography20

Timing Attacks How long does it take to perform a decryption? The answer may be data-dependent. For instance… January 27, 2011Practical Aspects of Modern Cryptography21

Timing Attacks January 27, 2011Practical Aspects of Modern Cryptography22

Timing Attacks January 27, 2011Practical Aspects of Modern Cryptography23

Timing Attacks January 27, 2011Practical Aspects of Modern Cryptography24

Cache Attacks If you can run code on the same device where a decryption is being performed, you may be able to selectively force certain cache lines to be flushed. January 27, 2011Practical Aspects of Modern Cryptography25

Cache Attacks If you can run code on the same device where a decryption is being performed, you may be able to selectively force certain cache lines to be flushed. Decryption times may vary in a key-dependent manner based upon which lines have been flushed. January 27, 2011Practical Aspects of Modern Cryptography26

Power Analysis Power usage of a device may vary in a key- dependent manner. January 27, 2011Practical Aspects of Modern Cryptography27

Power Analysis Power usage of a device may vary in a key- dependent manner. Careful measurement and analysis of power consumption can be used to determine the key. January 27, 2011Practical Aspects of Modern Cryptography28

Electromagnetic Emissions One can record electromagnetic emissions of a device – often at a distance. January 27, 2011Practical Aspects of Modern Cryptography29

Electromagnetic Emissions One can record electromagnetic emissions of a device – often at a distance. Careful analysis of the emissions may reveal a secret key. January 27, 2011Practical Aspects of Modern Cryptography30

Acoustic Emissions Modular exponentiation is using done with repeated squaring and conditional “side” multiplications. January 27, 2011Practical Aspects of Modern Cryptography31

Acoustic Emissions Modular exponentiation is using done with repeated squaring and conditional “side” multiplications. It can actually be possible to hear whether or not these conditional multiplications are performed. January 27, 2011Practical Aspects of Modern Cryptography32

Information Disclosures (N.B. Bleichenbacher Attack) January 27, 2011Practical Aspects of Modern Cryptography33

Information Disclosures (N.B. Bleichenbacher Attack) A protocol may respond differently to properly and improperly formed data. January 27, 2011Practical Aspects of Modern Cryptography34

Information Disclosures (N.B. Bleichenbacher Attack) A protocol may respond differently to properly and improperly formed data. Careful manipulation of data may elicit responses which disclose information about a desired key or decryption value. January 27, 2011Practical Aspects of Modern Cryptography35

Certificate Revocation January 27, 2011Practical Aspects of Modern Cryptography36

Certificate Revocation Every “reasonable” certification should include an expiration. January 27, 2011Practical Aspects of Modern Cryptography37

Certificate Revocation Every “reasonable” certification should include an expiration. It is sometimes necessary to “revoke” a certificate before it expires. January 27, 2011Practical Aspects of Modern Cryptography38

Certificate Revocation Reasons for revocation … January 27, 2011Practical Aspects of Modern Cryptography39

Certificate Revocation Reasons for revocation … Key Compromise January 27, 2011Practical Aspects of Modern Cryptography40

Certificate Revocation Reasons for revocation … Key Compromise False Issuance January 27, 2011Practical Aspects of Modern Cryptography41

Certificate Revocation Reasons for revocation … Key Compromise False Issuance Role Modification January 27, 2011Practical Aspects of Modern Cryptography42

Certificate Revocation Two primary mechanisms … January 27, 2011Practical Aspects of Modern Cryptography43

Certificate Revocation Two primary mechanisms … Certificate Revocation Lists (CRLs) January 27, 2011Practical Aspects of Modern Cryptography44

Certificate Revocation Two primary mechanisms … Certificate Revocation Lists (CRLs) Online Certificate Status Protocol (OCSP) January 27, 2011Practical Aspects of Modern Cryptography45

Certificate Revocation Lists A CA revokes a certificate by placing the its identifying serial number on its Certificate Revocation List (CRL) Every CA issues CRLs to cancel out issued certs A CRL is like anti-matter – when it comes into contact with a certificate it lists it cancels out the certificate Think “1970s-style credit-card blacklist” Relying parties are expected to check the most recent CRLs before they rely on a certificate “The cert is valid unless you hear something telling you otherwise” January 27, 2011Practical Aspects of Modern Cryptography46

The Problem with CRLs Blacklists have numerous problems They can grow very large because certs cannot be removed until they expire. They are not issued frequently enough to be effective against a serious attack. Their size can make them expensive to distribute (especially on low-bandwidth channels). They are vulnerable to simple DOS attacks. (What do you do if you can’t get the current CRL?) January 27, 2011Practical Aspects of Modern Cryptography47

More Problems with CRLs January 27, 2011Practical Aspects of Modern Cryptography48

Yet More Problems with CRLs Revoking a cert used by a CA to issue other certs is even harder since this may invalidate an entire set of certs. “Self-signed” certificates are often used as a syntactic convenience. Is it meaningful for a cert to revoke itself? January 27, 2011Practical Aspects of Modern Cryptography49

Even More Problems with CRLs CRLs can’t be revoked. If a cert has been mistakenly revoked, the revocation can’t be reversed. CRLs can’t be updated. There’s no mechanism to issue a new CRL to relying parties early – even if there’s an urgent need to issue new revocations. January 27, 2011Practical Aspects of Modern Cryptography50

Short-Lived Certificates If you need to go to a CA to get a fresh CRL, why not just go to a CA to get a fresh cert? January 27, 2011Practical Aspects of Modern Cryptography51

CRLs vs. OCSP Responses Aggregation vs. Freshness CRLs combine revocation information for many certs into one long-lived object OCSP Responses designed for real-time responses to queries about the status of a single certificate Both CRLs & OCSP Responses are generated by the issuing CA or its designate. (Generally this is not the relying party.) January 27, 2011Practical Aspects of Modern Cryptography52

Online Status Checking OCSP: Online Certificate Status Protocol A way to ask “is this certificate good right now? Get back a signed response from the OCSP server saying, “Yes, cert C is good at time t” Response is like a “freshness certificate” OCSP response is like a selective CRL Client indicates the certs for which he wants status information OCSP responder dynamically creates a lightweight CRL-like response for those certs January 27, 2011Practical Aspects of Modern Cryptography53

January 27, 2011Practical Aspects of Modern Cryptography54 OCSP in Action End-entity CA Relying Party Cert CertRequest OCSP Request OCSPForCert OCSP Response Transaction Response Cert + Transaction ① ② ③ ④ ⑤ ⑥

Final thoughts on Revocation From a financial standpoint, it’s the revocation data that is valuable, not the issued certificate itself. For high-valued financial transactions, seller wants to know your cert is good right now. This is similar to credit cards, where the merchant wants the card authorized “right now” at the point-of-sale. Card authorizations transfer risk from merchant to bank – thus they’re worth $$$. January 27, 2011Practical Aspects of Modern Cryptography55

Design Charrette How would you design a transit fare card system? January 27, 2011Practical Aspects of Modern Cryptography56

Fare Card System Elements An RFID card for each rider Readers on each vehicle and/or transit station (Internet connected?) Card purchase/payment machines A web portal for riders to manage and/or enrich their cards January 27, 2011Practical Aspects of Modern Cryptography57