Presentation is loading. Please wait.

Presentation is loading. Please wait.

Josh Benaloh Brian LaMacchia Winter 2011. Side-Channel Attacks Breaking a cryptosystem is a frontal attack, but there may be easier access though a side.

Published byMeryl Houston Modified over 9 years ago

Similar presentations

Presentation on theme: "Josh Benaloh Brian LaMacchia Winter 2011. Side-Channel Attacks Breaking a cryptosystem is a frontal attack, but there may be easier access though a side."— Presentation transcript:

1 Josh Benaloh Brian LaMacchia Winter 2011

2 Side-Channel Attacks Breaking a cryptosystem is a frontal attack, but there may be easier access though a side or back door – especially on embedded cryptographic devices such as SmartCards and RFIDs. January 27, 2011Practical Aspects of Modern Cryptography2

3 Side-Channel Attacks Some attack vectors … January 27, 2011Practical Aspects of Modern Cryptography3

4 Side-Channel Attacks Some attack vectors … Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography4

5 Side-Channel Attacks Some attack vectors … Fault Attacks Timing Attacks January 27, 2011Practical Aspects of Modern Cryptography5

6 Side-Channel Attacks Some attack vectors … Fault Attacks Timing Attacks Cache Attacks January 27, 2011Practical Aspects of Modern Cryptography6

7 Side-Channel Attacks Some attack vectors … Fault Attacks Timing Attacks Cache Attacks Power Analysis January 27, 2011Practical Aspects of Modern Cryptography7

8 Side-Channel Attacks Some attack vectors … Fault Attacks Timing Attacks Cache Attacks Power Analysis Electromagnetic Emissions January 27, 2011Practical Aspects of Modern Cryptography8

9 Side-Channel Attacks Some attack vectors … Fault Attacks Timing Attacks Cache Attacks Power Analysis Electromagnetic Emissions Acoustic Emissions January 27, 2011Practical Aspects of Modern Cryptography9

10 Side-Channel Attacks Some attack vectors … Fault Attacks Timing Attacks Cache Attacks Power Analysis Electromagnetic Emissions Acoustic Emissions Information Disclosure January 27, 2011Practical Aspects of Modern Cryptography10

11 Side-Channel Attacks Some attack vectors … Fault Attacks Timing Attacks Cache Attacks Power Analysis Electromagnetic Emissions Acoustic Emissions Information Disclosure … others? January 27, 2011Practical Aspects of Modern Cryptography11

12 Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography12

13 Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography13

14 Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography14

15 Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography15

16 Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography16

17 Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography17

18 Fault Attacks January 27, 2011Practical Aspects of Modern Cryptography18

19 Timing Attacks How long does it take to perform a decryption? January 27, 2011Practical Aspects of Modern Cryptography19

20 Timing Attacks How long does it take to perform a decryption? The answer may be data-dependent. January 27, 2011Practical Aspects of Modern Cryptography20

21 Timing Attacks How long does it take to perform a decryption? The answer may be data-dependent. For instance… January 27, 2011Practical Aspects of Modern Cryptography21

22 Timing Attacks January 27, 2011Practical Aspects of Modern Cryptography22

23 Timing Attacks January 27, 2011Practical Aspects of Modern Cryptography23

24 Timing Attacks January 27, 2011Practical Aspects of Modern Cryptography24

25 Cache Attacks If you can run code on the same device where a decryption is being performed, you may be able to selectively force certain cache lines to be flushed. January 27, 2011Practical Aspects of Modern Cryptography25

26 Cache Attacks If you can run code on the same device where a decryption is being performed, you may be able to selectively force certain cache lines to be flushed. Decryption times may vary in a key-dependent manner based upon which lines have been flushed. January 27, 2011Practical Aspects of Modern Cryptography26

27 Power Analysis Power usage of a device may vary in a key- dependent manner. January 27, 2011Practical Aspects of Modern Cryptography27

28 Power Analysis Power usage of a device may vary in a key- dependent manner. Careful measurement and analysis of power consumption can be used to determine the key. January 27, 2011Practical Aspects of Modern Cryptography28

29 Electromagnetic Emissions One can record electromagnetic emissions of a device – often at a distance. January 27, 2011Practical Aspects of Modern Cryptography29

30 Electromagnetic Emissions One can record electromagnetic emissions of a device – often at a distance. Careful analysis of the emissions may reveal a secret key. January 27, 2011Practical Aspects of Modern Cryptography30

31 Acoustic Emissions Modular exponentiation is using done with repeated squaring and conditional “side” multiplications. January 27, 2011Practical Aspects of Modern Cryptography31

32 Acoustic Emissions Modular exponentiation is using done with repeated squaring and conditional “side” multiplications. It can actually be possible to hear whether or not these conditional multiplications are performed. January 27, 2011Practical Aspects of Modern Cryptography32

33 Information Disclosures (N.B. Bleichenbacher Attack) January 27, 2011Practical Aspects of Modern Cryptography33

34 Information Disclosures (N.B. Bleichenbacher Attack) A protocol may respond differently to properly and improperly formed data. January 27, 2011Practical Aspects of Modern Cryptography34

35 Information Disclosures (N.B. Bleichenbacher Attack) A protocol may respond differently to properly and improperly formed data. Careful manipulation of data may elicit responses which disclose information about a desired key or decryption value. January 27, 2011Practical Aspects of Modern Cryptography35

36 Certificate Revocation January 27, 2011Practical Aspects of Modern Cryptography36

37 Certificate Revocation Every “reasonable” certification should include an expiration. January 27, 2011Practical Aspects of Modern Cryptography37

38 Certificate Revocation Every “reasonable” certification should include an expiration. It is sometimes necessary to “revoke” a certificate before it expires. January 27, 2011Practical Aspects of Modern Cryptography38

39 Certificate Revocation Reasons for revocation … January 27, 2011Practical Aspects of Modern Cryptography39

40 Certificate Revocation Reasons for revocation … Key Compromise January 27, 2011Practical Aspects of Modern Cryptography40

41 Certificate Revocation Reasons for revocation … Key Compromise False Issuance January 27, 2011Practical Aspects of Modern Cryptography41

42 Certificate Revocation Reasons for revocation … Key Compromise False Issuance Role Modification January 27, 2011Practical Aspects of Modern Cryptography42

43 Certificate Revocation Two primary mechanisms … January 27, 2011Practical Aspects of Modern Cryptography43

44 Certificate Revocation Two primary mechanisms … Certificate Revocation Lists (CRLs) January 27, 2011Practical Aspects of Modern Cryptography44

45 Certificate Revocation Two primary mechanisms … Certificate Revocation Lists (CRLs) Online Certificate Status Protocol (OCSP) January 27, 2011Practical Aspects of Modern Cryptography45

46 Certificate Revocation Lists A CA revokes a certificate by placing the its identifying serial number on its Certificate Revocation List (CRL) Every CA issues CRLs to cancel out issued certs A CRL is like anti-matter – when it comes into contact with a certificate it lists it cancels out the certificate Think “1970s-style credit-card blacklist” Relying parties are expected to check the most recent CRLs before they rely on a certificate “The cert is valid unless you hear something telling you otherwise” January 27, 2011Practical Aspects of Modern Cryptography46

47 The Problem with CRLs Blacklists have numerous problems They can grow very large because certs cannot be removed until they expire. They are not issued frequently enough to be effective against a serious attack. Their size can make them expensive to distribute (especially on low-bandwidth channels). They are vulnerable to simple DOS attacks. (What do you do if you can’t get the current CRL?) January 27, 2011Practical Aspects of Modern Cryptography47

48 More Problems with CRLs January 27, 2011Practical Aspects of Modern Cryptography48

49 Yet More Problems with CRLs Revoking a cert used by a CA to issue other certs is even harder since this may invalidate an entire set of certs. “Self-signed” certificates are often used as a syntactic convenience. Is it meaningful for a cert to revoke itself? January 27, 2011Practical Aspects of Modern Cryptography49

50 Even More Problems with CRLs CRLs can’t be revoked. If a cert has been mistakenly revoked, the revocation can’t be reversed. CRLs can’t be updated. There’s no mechanism to issue a new CRL to relying parties early – even if there’s an urgent need to issue new revocations. January 27, 2011Practical Aspects of Modern Cryptography50

51 Short-Lived Certificates If you need to go to a CA to get a fresh CRL, why not just go to a CA to get a fresh cert? January 27, 2011Practical Aspects of Modern Cryptography51

52 CRLs vs. OCSP Responses Aggregation vs. Freshness CRLs combine revocation information for many certs into one long-lived object OCSP Responses designed for real-time responses to queries about the status of a single certificate Both CRLs & OCSP Responses are generated by the issuing CA or its designate. (Generally this is not the relying party.) January 27, 2011Practical Aspects of Modern Cryptography52

53 Online Status Checking OCSP: Online Certificate Status Protocol A way to ask “is this certificate good right now? Get back a signed response from the OCSP server saying, “Yes, cert C is good at time t” Response is like a “freshness certificate” OCSP response is like a selective CRL Client indicates the certs for which he wants status information OCSP responder dynamically creates a lightweight CRL-like response for those certs January 27, 2011Practical Aspects of Modern Cryptography53

54 January 27, 2011Practical Aspects of Modern Cryptography54 OCSP in Action End-entity CA Relying Party Cert CertRequest OCSP Request OCSPForCert OCSP Response Transaction Response Cert + Transaction ① ② ③ ④ ⑤ ⑥

55 Final thoughts on Revocation From a financial standpoint, it’s the revocation data that is valuable, not the issued certificate itself. For high-valued financial transactions, seller wants to know your cert is good right now. This is similar to credit cards, where the merchant wants the card authorized “right now” at the point-of-sale. Card authorizations transfer risk from merchant to bank – thus they’re worth $$$. January 27, 2011Practical Aspects of Modern Cryptography55

56 Design Charrette How would you design a transit fare card system? January 27, 2011Practical Aspects of Modern Cryptography56

57 Fare Card System Elements An RFID card for each rider Readers on each vehicle and/or transit station (Internet connected?) Card purchase/payment machines A web portal for riders to manage and/or enrich their cards January 27, 2011Practical Aspects of Modern Cryptography57

Download ppt "Josh Benaloh Brian LaMacchia Winter 2011. Side-Channel Attacks Breaking a cryptosystem is a frontal attack, but there may be easier access though a side."

Similar presentations

An Alternative to Short Lived Certificates By Vipul Goyal Department of Computer Science & Engineering Institute of Technology Banaras Hindu University.

An Alternative to Short Lived Certificates By Vipul Goyal Department of Computer Science & Engineering Institute of Technology Banaras Hindu University.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
A Framework for Distributed OCSP without Responders Certificate

A Framework for Distributed OCSP without Responders Certificate
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
1 Security in Wireless Protocols Bluetooth, 802.11, ZigBee.

1 Security in Wireless Protocols Bluetooth, , ZigBee.
Certificate Revocation Serge Egelman. Introduction What is revocation? Why do we need it? What is currently being done?

Certificate Revocation Serge Egelman. Introduction What is revocation? Why do we need it? What is currently being done?
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
ITIS 6200/8200. 2 Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.

ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn

Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Cryptographic Security Presented by: Josh Baker October 9 th, 2012 1CS5204 – Operating Systems.

Cryptographic Security Presented by: Josh Baker October 9 th, CS5204 – Operating Systems.
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
1 eID validations services Houcine Bel Mamoune Unit manager eID Technical Drill down Session 7 April 2005.

1 eID validations services Houcine Bel Mamoune Unit manager eID Technical Drill down Session 7 April 2005.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.

Similar presentations

Ads by Google