"The generation of random numbers is too important to be left to chance." -- Robert R. Coveyou, Oak Ridge National Laboratory
Chosen ciphertext attack against RSA (Schneier)
n (modulus) = product of secret primes p and q
e (public key) = relatively prime to (p-1)(q-1)
d (private key) = e^-1 mod ((p-1)(q-1))
Encrypt: c = m^e mod n
Decrypt: m = c^d mod n

Eve gets ciphertext message c from Alice and wants to read it, i.e., she wants to find m = c^d mod n.
Choose random r < n, and use Alice's public key e:
x = r^e mod n
y = x*c mod n
t = r^-1 mod n
Note: if x = r^e mod n, then r = x^d mod n!
Eve tricks Alice into signing y with her private key d, i.e., applying d to it. Alice sends Eve u = y^d mod n.
Eve then calculates t*u mod n = r^-1 * y^d mod n = r^-1 * x^d * c^d mod n = c^d mod n = m
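The blinding argument above, worked through as an added example (not from the slides) on toy RSA with small constructed primes; the oracle names and the hashed-signing mitigation are this example's own assumptions, and real keys use primes of ~1024 bits or more:

```python
import hashlib

# Constructed toy parameters (not a real key); chosen so every value fits in a few digits.
P, Q = 61, 53
N = P * Q                       # 3233
PHI = (P - 1) * (Q - 1)         # 3120
E = 17                          # public exponent, coprime to PHI
D = pow(E, -1, PHI)             # private exponent d = e^-1 mod (p-1)(q-1)

def encrypt(m):
    return pow(m, E, N)         # c = m^e mod n

def decrypt(c):
    return pow(c, D, N)         # m = c^d mod n

def raw_sign_oracle(y):
    # Alice's mistake from the slide: she applies d to whatever she is handed.
    return pow(y, D, N)

def hash_to_int(y):
    return int.from_bytes(hashlib.sha256(str(y).encode()).digest(), "big") % N

def hashed_sign_oracle(y):
    # Hardened oracle (assumed mitigation): sign H(y), never the raw value, so
    # Eve receives H(y)^d instead of y^d = r * c^d and r^-1 no longer cancels.
    return pow(hash_to_int(y), D, N)

def verify_hashed(y, sig):
    return pow(sig, E, N) == hash_to_int(y)

def blind_recover(c, r, oracle):
    # Eve's steps exactly as on the slide.
    x = pow(r, E, N)            # x = r^e mod n
    y = (x * c) % N             # y = x*c mod n
    t = pow(r, -1, N)           # t = r^-1 mod n (requires gcd(r, n) = 1)
    u = oracle(y)               # Alice returns u = y^d mod n if she signs raw input
    return (t * u) % N          # t*u = r^-1 * r * c^d = m (mod n)

if __name__ == "__main__":
    c = encrypt(65)
    print("recovered via raw oracle:", blind_recover(c, 7, raw_sign_oracle))
```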
ECRYPT 2012 Key Length Advice: see www.keylength.com/en/3
Captured One-Time Pads
Russian One-Time Pad captured by MI5
Don't reuse those one-time pads!
If C1 = P1 ⊕ K1, C2 = P2 ⊕ K1, C3 = P3 ⊕ K1
then try
C1 ⊕ C2 => P1 ⊕ K1 ⊕ P2 ⊕ K1 => P1 ⊕ P2
C1 ⊕ C3 => P1 ⊕ K1 ⊕ P3 ⊕ K1 => P1 ⊕ P3
C2 ⊕ C3 => P2 ⊕ K1 ⊕ P3 ⊕ K1 => P2 ⊕ P3
and
(P1 ⊕ P2) ⊕ (P1 ⊕ P3) => (P2 ⊕ P3)
(P1 ⊕ P2) ⊕ (P2 ⊕ P3) => (P1 ⊕ P3) …
Don't reuse those one-time pads! (Figure: XOR of ciphertexts under a reused pad; from Rick Smith: http://cryptosmith.com/archives/70)
Key? What Key?
Alice encrypts: P ⊕ K => C
Bob knows the key and decrypts: C ⊕ K => P
They agree on a dummy plaintext D and, if they're ever captured, they will give up the key K' = C ⊕ D.
If the authorities decrypt: C ⊕ K' => D
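An added example (not from the slides) covering both the pad-reuse slide and the "Key? What Key?" slide: the pad K1 and the plaintexts are constructed sample values, and the function names are this example's own.

```python
def xor_bytes(a, b):
    # One-time-pad encryption and decryption are the same XOR operation.
    assert len(a) == len(b), "pad and message must be the same length"
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample: one 16-byte pad K1 wrongly reused for three messages.
K1 = bytes.fromhex("5a1b9c33f0e2d4a7b6c5d8e9f01a2b3c")
P1 = b"ATTACK AT DAWN  "
P2 = b"RETREAT AT NOON "
P3 = b"HOLD POSITION   "
C1, C2, C3 = (xor_bytes(p, K1) for p in (P1, P2, P3))

def reuse_leak(ca, cb):
    # C_a XOR C_b = P_a XOR P_b: the pad cancels, exactly as the slide derives.
    return xor_bytes(ca, cb)

def recover_other(ca, cb, known_pa):
    # Once one plaintext is known or guessed, the other follows directly,
    # which is why a reused pad offers no protection at all.
    return xor_bytes(reuse_leak(ca, cb), known_pa)

def dummy_key(c, d):
    # "Key? What key?": K' = C XOR D is a key that decrypts C to the dummy D.
    return xor_bytes(c, d)
```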
Case study: Heartbleed SSL Bug (http://xkcd.com/1353/)
    struct {
        HeartbeatMessageType type;
        uint16 payload_length;
        uchar payload[HeartbeatMessage.payload_length];
        uchar padding[padding_length];
    } HeartbeatMessage;
Power Analysis
Simple Power Analysis: DES Parity Check
    /* Key-dependent branch inside the DES key parity check (C version of the slide's pseudocode). */
    static void parity_error(void) { /* reject the key */ }

    void DES_CheckParity(unsigned char Key[8])
    {
        for (int i = 8; i >= 1; i--) {
            int parity = 0;
            for (int j = 8; j >= 1; j--) {
                if (Key[i - 1] & (1 << (j - 1)))   /* CONDITIONAL */
                    parity = parity + 1;           /* OPERATION   */
            }
            if (parity % 2 == 0)                   /* DES key bytes use odd parity */
                parity_error();
        }
    }
SPA Attack on DES-Parity
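An added example (not from the slides) modelling why the parity check above is an SPA target: every executed operation appends a symbol to a trace, so the key-dependent branch writes the key bits into the trace, while a branch-free parity leaves a key-independent trace. The trace symbols and the 8-byte test key are constructed for this model, not measured from hardware.

```python
def parity_check_trace(key):
    # Operation trace of the slide's DES-CheckParity: "inc" only runs when a bit is set.
    trace = []
    for byte in reversed(key):                 # i = 8 down to 1
        parity = 0
        for j in range(7, -1, -1):             # j = 8 down to 1
            trace.append("test")
            if (byte >> j) & 1:                # CONDITIONAL
                trace.append("inc")            # OPERATION visible in the trace
                parity += 1
        trace.append("ok" if parity % 2 else "err")
    return trace

def bits_from_trace(trace):
    # SPA: read every key byte straight off the trace, one bit per "test".
    recovered, bits = [], []
    for op in trace:
        if op == "test":
            bits.append(0)
        elif op == "inc":
            bits[-1] = 1
        else:                                  # end of one key byte
            value = 0
            for b in bits:
                value = (value << 1) | b
            recovered.append(value)
            bits = []
    return bytes(reversed(recovered))

def constant_time_parity_trace(key):
    # Countermeasure: branch-free XOR folding performs the same operations
    # for every key, so the trace shows only the loop shape.
    trace = []
    for byte in reversed(key):
        x = byte
        x ^= x >> 4
        x ^= x >> 2
        x ^= x >> 1                            # x & 1 is now the byte's parity
        trace.append("fold")
        trace.append("check")
    return trace

def constant_time_parity_ok(key):
    return all(bin(byte).count("1") % 2 == 1 for byte in key)
```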
EM History
Classified TEMPEST standards. Some parts declassified Jan '01; see http://www.cryptome.org.
Published work:
– EM leakages from peripherals, e.g., monitors: Van Eck; Anderson & Kuhn.
– EM leakage from smart-cards during computation: J.-J. Quisquater & David Samyde, E-smart 2001; Gemplus team [GMO '01], CHES '01.
– SEMA/DEMA attacks. Best results require "decapsulation" of chip packaging and/or precise micro-antenna positioning on the chip surface.
Rao et al.'s Work
Deeper understanding of the EM leakages.
– Similar to declassified TEMPEST literature.
Key insights/results:
– Plenty of EM signals are available, provided you know what to look for and where. Superior signals and attacks are possible without micro-antennas or decapsulation. Some attacks are possible from a distance.
– EM side-channel(s) >> power side-channel: EM can break DPA-resistant implementations.
EM Emanations Background
Origin/types of EM emanations:
– Direct emanations from intended currents (Maxwell's equations, Ampère's and Faraday's laws).
– Unintentional emanations from coupling effects. These depend on physical factors, e.g., circuit geometry, and most couplings are ignored by circuit designers. They manifest as modulation of carriers (e.g., clock harmonics) present in, generated by, or introduced into the device: AM or angle (FM/phase) modulation. Compromising signals are available via demodulation.
Propagation of EM:
– Radiation, conduction, or a combination of both, e.g., faint EM signals riding on the power line.
EM Capturing Equipment
Antennas (far-field) and near-field probes; current probes.
Analog processing: filters/amplifiers, tunable wideband receiver or equivalent ($$).
Digital sampling hardware.
ICOM wideband radio receiver with IF output
MAKE YOUR OWN
EM vs. Power
Sometimes EM is the only side-channel available:
– Filtered power supplies, restricted access, ...
– E.g., crypto tokens, SSL accelerators, ...
(Figure: EM signal from SSL accelerator S at 15 feet; axes: Time (10 ns), Amplitude)
EM vs. Power
Is EM useful in the presence of power? Yes: there are several EM carriers (generated, ambient, introduced, ...).
– Experimentally verified: different carriers carry different information. Some EM leakages are substantially different from power leakages.
Bad Instructions
Instructions where some EM leakage >> power leakage. Typically CPU-intensive rather than bus-intensive. All architectures have bad instructions. Example: a bit-test on several 6805-based systems leaks the tested bit.
EM Attack Example: 2 signals, different data, same exponent & modulus
(Trace figure) Tested bit = 0 in both traces
(Trace figure) Tested bit different
Countermeasures
Require a sound vulnerability assessment. Countermeasures include:
– Circuit redesign to reduce unintentional emanations.
– Reducing the S/N ratio: EM shielding, noise introduction, physically secure zones.
– Randomization-based software countermeasures similar to DPA countermeasures.