Presentation is loading. Please wait.

Presentation is loading. Please wait.

PV204 Security technologies

Published byKerry Taylor Modified over 6 years ago

Similar presentations

Presentation on theme: "PV204 Security technologies"— Presentation transcript:

1 PV204 Security technologies
Trusted element, side channels attacks Petr Švenda Faculty of Informatics, Masaryk University

2 The masterplan for this lab
Implementation of modular exponentiation (RSA) Understand naïve and square&multiply algorithm Toy example with integers (32 bits) Understand how to measure operation (clock()) Pre-prepared functions – console or file output Visualization of multiple measurements (R, What can be inferred from measurements Use large datatype MPI instead of int (> 102 bits) Understand blinding as protection technique Homework | PV204 Trusted element

3 Naïve vs. square and multiply algorithm
SideChannelExercise.zip source code from IS Inspect naïve and square&multiply algorithm Limited to integers (unsigned long) for simplicity Measure timings Pre-prepared measurement functions measureExponentiation() clock() used for measurement (1ms granularity) Identify dependency of algorithm on secret value | PV204 Trusted element

4 Naïve modular exponentiation algorithm
typedef unsigned long ULONG; const int ULONG_LENGTH = sizeof(ULONG); ULONG naiveExponentiation(ULONG message, ULONG exponent, ULONG modulus) { ULONG result = message; for (int i = 1; i < exponent; i++) { // result = (result * message) % modulus; // this may cause type overflow result *= message; result %= modulus; } return result; What is disadvantage of this algorithm? Is algorithm vulnerable to timing side-channel? Is algorithm vulnerable to another side-channel? | PV204 Trusted element

5 typedef unsigned long ULONG; const int ULONG_LENGTH = sizeof(ULONG);
ULONG squareAndMultiply(ULONG message, ULONG exponent, ULONG modulus) { // Obtain effective length of exponent in bits int sizeExponent = ULONG_LENGTH; ULONG mask = 1; ULONG bit = 0; for (int i = 0; i < ULONG_LENGTH * 8; i++) { bit = exponent & mask; if (bit != 0) { sizeExponent = i + 1; } mask <<= 1; } // Compute square and multiply algorithm ULONG result = 1; for (int i = sizeExponent - 1; i >= 0; i--) { //result = (result * result) % modulus; // this may cause type overflow result *= result; result %= modulus; if ((exponent & (1 << i)) != 0) { // given bit is not 0 // result = (result * message) % modulus; // this may cause type overflow result *= message; return result; | PV204 Trusted element

6 Square&multiply algorithm
Pre-prepared function squareAndMultiply() What is advantage of this algorithm? Is algorithm vulnerable to timing side-channel? Which part of code is dependent on secret value? measureExponentiation(65535, 65535, L, SQUAREANDMULTIPLY); What is the time required to complete operation? What are implication for attacker’s ability to mount timing attack? How to mask dependency on secret exponent? Is int (ULONG) enough for cryptographic security? | PV204 Trusted element

7 Big integers (MPI from PolarSSL)
32 bits are not enough, 4096 is recommended No native type in C/C++, use PolarSSL’s MPI void squareAndMultiplyMPI(const mpi* message, const mpi* exponent, const mpi* modulus, mpi* result) { // Obtain length of exponent in bits int sizeExponent = 0; int maxBitLength = mpi_size(exponent) * 8; for (int i = 0; i < maxBitLength; i++) { if (mpi_get_bit(exponent, i) != 0) { sizeExponent = i + 1; } } // Compute square and multiply algorithm mpi_lset(result, 1); for (int i = sizeExponent - 1; i >= 0; i--) { mpi_mul_mpi(result, result, result); // result *= result; mpi_mod_mpi(result, result, modulus); // result %= modulus; if (mpi_get_bit(exponent, i) != 0) { // given bit is not 0 mpi_mul_mpi(result, result, message); mpi_mod_mpi(result, result, modulus); }} | PV204 Trusted element

8 Create large pseudo-random MPI
mpi message; mpi_init(&message); mpi exponent; mpi_init(&exponent); mpi modulus; mpi_init(&modulus); // Cryptographically large number (2048b) const int NUMBER_SIZE = 256; // Init with pseudorandom values (prng will always start with same value) mpi_fill_random(&message, NUMBER_SIZE, generateRNG, NULL); mpi_fill_random(&exponent, NUMBER_SIZE, generateRNG, NULL); mpi_fill_random(&modulus, NUMBER_SIZE, generateRNG, NULL); // Fix MSb and LSb of modulus to 1 modulus.p[0] |= 1; mpi_set_bit(&modulus, 1, 1); measureExponentiationMPI(&message, &exponent, &modulus, SQUAREANDMULTIPLY); | PV204 Trusted element

9 Measure times with MPI Operation with large MPI can be measured
100s-1000s ms Visualize histogram of multiple measurements Pre-prepared measurements functions with file output measureExponentiationRepeat() (Histogram, Traces->Range/bins 1) Try repeated measurement with same data Try repeated measurement with different data Are measured times constant? Why? | PV204 Trusted element

10 Fix: Blinding Create squareAndMultiplyBlindedMPI() as improved version of squareAndMultiplyMPI() Generate random value r and compute re mod N Compute blinded ciphertext b = c * re mod N Decrypt b and then divide result by r | PV204 Trusted element

11 Homework Finalize implementation of blinding of argument with MPI
Create unit tests that will verify identical functionality squareAndMultiplyMPI and squareAndMultiplyBlindedMPI Perform analysis of blinded and non-blinded version Timing results for 1000 measurements Visualized histograms Scenario 1: Same data Scenario 2: Same exponent, low hamming weight of data Scenario 3: Same exponent, high hamming weight of data Scenario 4: Low/high hw exponent and random data Discuss the difference observed Discuss feasibility of attack against non-blinded version | PV204 Trusted element

12 Homework – what to submit
Source code of your blinded operation Test showing that it computes correctly 2 pages of text and figures Visualized measurements (histograms, 4 scenarios) Discussion of difference observed Discussing of feasibility of attack against blinded/non-blinded implementation Submit before :00am into IS HW vault | PV204 Trusted element

Download ppt "PV204 Security technologies"

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
RSA COSC 201 ST. MARY’S COLLEGE OF MARYLAND FALL 2012 RSA.

RSA COSC 201 ST. MARY’S COLLEGE OF MARYLAND FALL 2012 RSA.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK www.co.umist.ac.uk.

Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK
Public Key Cryptosystems - RSA Receiver Sender Eavesdroppe r 175753411947 p q p q p q p and q prime.

Public Key Cryptosystems - RSA Receiver Sender Eavesdroppe r p q p q p q p and q prime.
Data encryption with big prime numbers

Data encryption with big prime numbers
C ● O ● M ● O ● D ● O RESEARCH LAB Longer Keys may Facilitate Side Channel Attacks (Bradford, UK) Colin.

C ● O ● M ● O ● D ● O RESEARCH LAB Longer Keys may Facilitate Side Channel Attacks (Bradford, UK) Colin.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.

Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Tallinn University of Technology Quantum computer impact on public key cryptography Roman Stepanenko.

Tallinn University of Technology Quantum computer impact on public key cryptography Roman Stepanenko.
The RSA Algorithm Rocky K. C. Chang, March 2014 1.

The RSA Algorithm Rocky K. C. Chang, March
Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.

Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.
9th IMA Conference on Cryptography & Coding Dec 2003 More Detail for a Combined Timing and Power Attack against Implementations of RSA Werner Schindler.

9th IMA Conference on Cryptography & Coding Dec 2003 More Detail for a Combined Timing and Power Attack against Implementations of RSA Werner Schindler.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Implementing RSA Encryption in Java

Implementing RSA Encryption in Java
Public-Key Encryption

Public-Key Encryption
CHES 2002 Presented at the workshop CHES 2002, August 13-15, 2002, Redwood Shores, California, USA.

CHES 2002 Presented at the workshop CHES 2002, August 13-15, 2002, Redwood Shores, California, USA.

Similar presentations

Ads by Google