"The generation of random numbers is too important to be left to chance." -- Robert R. Coveyou, Oak Ridge National Laboratory

2 Chosen ciphertext attack against RSA -Schneier
n (modulus) = product of secret primes p and q
e (public key) = relatively prime to (p-1)(q-1)
d (private key) = e^-1 mod ((p-1)(q-1))
Encrypt: c = m^e mod n
Decrypt: m = c^d mod n
Eve gets ciphertext message c from Alice, wants to read it, i.e., she wants to find m = c^d mod n
Choose random r < n, and use Alice’s public key e
x = r^e mod n
y = xc mod n
t = r^-1 mod n
Note: if x = r^e mod n, then r = x^d mod n!
Eve tricks Alice into encrypting (signing) y with her d
Alice sends Eve u = y^d mod n
Eve then calculates tu mod n = r^-1 y^d mod n = r^-1 x^d c^d mod n = c^d mod n = m
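The algebra on this slide, carried through with a toy key, as an added example that is not part of the original presentation. The key (n = 3233), the message 1234, the blinding factor 7 and the FNV-1a stand-in hash are constructed for illustration; the second signer hashes before applying d (a standard defence, added here) and shows that the reply then no longer unblinds to m.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy key, far too small for real use: n = 61*53, e*d = 1 mod 3120. */
enum { N = 3233, E = 17, D = 2753 };
typedef uint64_t (*signer_fn)(uint64_t);

static uint64_t modpow(uint64_t b, uint64_t e, uint64_t n) {
    uint64_t r = 1;
    for (b %= n; e; e >>= 1, b = b * b % n)
        if (e & 1) r = r * b % n;
    return r;
}

/* a^-1 mod n by extended Euclid; assumes gcd(a, n) = 1. */
static uint64_t modinv(uint64_t a, uint64_t n) {
    int64_t t = 0, nt = 1, r = (int64_t)n, nr = (int64_t)(a % n);
    while (nr) {
        int64_t q = r / nr, tmp = t - q * nt;
        t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    return (uint64_t)(t < 0 ? t + (int64_t)n : t);
}

/* FNV-1a over two bytes: a stand-in for a real hash such as SHA-256. */
static uint64_t toy_hash(uint64_t y) {
    uint32_t h = 2166136261u;
    for (int i = 0; i < 2; i++) { h ^= (uint8_t)(y >> (8 * i)); h *= 16777619u; }
    return h % N;
}

/* Alice as on the slide: applies d to whatever value she is handed. */
static uint64_t sign_raw(uint64_t y)    { return modpow(y, D, N); }
/* Alice hashing first: the value raised to d is no longer y itself. */
static uint64_t sign_hashed(uint64_t y) { return modpow(toy_hash(y), D, N); }

/* The slide's computation: returns tu mod n for blinding factor r. */
static uint64_t unblind_query(uint64_t c, uint64_t r, signer_fn sign) {
    uint64_t x = modpow(r, E, N);     /* x = r^e mod n  */
    uint64_t y = x * c % N;           /* y = xc mod n   */
    uint64_t t = modinv(r, N);        /* t = r^-1 mod n */
    return t * sign(y) % N;           /* tu mod n       */
}

int main(void) {
    uint64_t m = 1234, c = modpow(m, E, N);
    printf("raw signer:    tu mod n = %llu (m = %llu)\n",
           (unsigned long long)unblind_query(c, 7, sign_raw), (unsigned long long)m);
    printf("hashed signer: tu mod n = %llu\n",
           (unsigned long long)unblind_query(c, 7, sign_hashed));
    return 0;
}
```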

3 ECRYPT 2012 Key Length Advice: see www.keylength.com/en/3

4 Captured One-Time Pads

5 Russian One-Time Pad captured by MI5

6 Don’t reuse those one-time pads!
If
C1 = P1 ⊕ K1
C2 = P2 ⊕ K1
C3 = P3 ⊕ K1
Then try
C1 ⊕ C2 => P1 ⊕ K1 ⊕ P2 ⊕ K1 => P1 ⊕ P2
C1 ⊕ C3 => P1 ⊕ K1 ⊕ P3 ⊕ K1 => P1 ⊕ P3
C2 ⊕ C3 => P2 ⊕ K1 ⊕ P3 ⊕ K1 => P2 ⊕ P3
and
(P1 ⊕ P2) ⊕ (P1 ⊕ P3) => (P2 ⊕ P3)
(P1 ⊕ P2) ⊕ (P2 ⊕ P3) => (P1 ⊕ P3)
…

7 Don’t reuse those one-time pads! [Figure] From Rick Smith: http://cryptosmith.com/archives/70

8 Key? What Key?
Alice encrypts: P ⊕ K => C
Bob knows the key and decrypts: C ⊕ K => P
They agree on a dummy plaintext D and if they’re ever captured, they will give up the key K’ = C ⊕ D
If the authorities decrypt: C ⊕ K’ => D
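The XOR identities from the pad-reuse slide and the dummy-key slide, as an added example that is not part of the original presentation. The plaintexts and both pads are constructed sample values; the bit-7 count is an added audit check that goes slightly beyond the slides and assumes ASCII plaintext.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LEN 16
/* Constructed sample data; a real pad is random and used exactly once. */
static const uint8_t P1[LEN + 1] = "WIRE 500 TO BOB.", P2[LEN + 1] = "MEET AT THE DOCK";
static const uint8_t DUMMY[LEN + 1] = "HAPPY BIRTHDAY!!";
static const uint8_t K1[LEN] = {0x3a, 0x91, 0xc4, 0x5e, 0x07, 0xb8, 0x62, 0xf1,
                                0x2d, 0x88, 0x4b, 0xe6, 0x19, 0x73, 0xa0, 0xdc};
static const uint8_t K2[LEN] = {0xb5, 0x0c, 0x7f, 0xe2, 0x99, 0x41, 0xd6, 0x28,
                                0xf3, 0x15, 0x8a, 0x60, 0xc7, 0x3e, 0x54, 0xab};

static void xor_buf(uint8_t *out, const uint8_t *a, const uint8_t *b) {
    for (size_t i = 0; i < LEN; i++) out[i] = a[i] ^ b[i];
}

/* 1 if C1 xor C2 equals P1 xor P2, i.e. the pad dropped out entirely. */
static int pad_cancels(const uint8_t *pad1, const uint8_t *pad2) {
    uint8_t c1[LEN], c2[LEN], cc[LEN], pp[LEN];
    xor_buf(c1, P1, pad1); xor_buf(c2, P2, pad2);
    xor_buf(cc, c1, c2);   xor_buf(pp, P1, P2);
    return memcmp(cc, pp, LEN) == 0;
}

/* Audit check: bytes of C1 xor C2 with bit 7 set. ASCII text never sets bit 7,
   so a count of 0 over a long message pair indicates a shared pad. */
static size_t high_bit_bytes(const uint8_t *pad1, const uint8_t *pad2) {
    uint8_t c1[LEN], c2[LEN];
    size_t n = 0;
    xor_buf(c1, P1, pad1); xor_buf(c2, P2, pad2);
    for (size_t i = 0; i < LEN; i++) n += ((c1[i] ^ c2[i]) & 0x80) != 0;
    return n;
}

/* Dummy-key slide: K' = C xor D, and C xor K' then yields the dummy plaintext D. */
static int dummy_key_yields_dummy(void) {
    uint8_t c[LEN], k_dummy[LEN], out[LEN];
    xor_buf(c, P1, K1); xor_buf(k_dummy, c, DUMMY); xor_buf(out, c, k_dummy);
    return memcmp(out, DUMMY, LEN) == 0;
}

int main(void) {
    printf("same pad:  cancels=%d high-bit bytes=%zu\n", pad_cancels(K1, K1), high_bit_bytes(K1, K1));
    printf("fresh pad: cancels=%d high-bit bytes=%zu\n", pad_cancels(K1, K2), high_bit_bytes(K1, K2));
    printf("dummy key decrypts C to D: %d\n", dummy_key_yields_dummy());
    return 0;
}
```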

9 Case study: Heartbleed SSL Bug
http://xkcd.com/1353/
struct {
    HeartbeatMessageType type;
    uint16 payload_length;
    uchar payload[HeartbeatMessage.payload_length];
    uchar padding[padding_length];
} HeartbeatMessage;
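How the payload_length field in this struct turns into a memory disclosure, and the length check that prevents it, as an added example (not OpenSSL's code and not part of the original presentation). The function names, the 64-byte arena and the placeholder "secret" are constructed; the 16-byte minimum padding is from RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR 3            /* type (1 byte) + payload_length (2 bytes) */
#define MIN_PADDING 16   /* RFC 6520: at least 16 bytes of padding   */

/* Pre-fix behaviour: trusts payload_length. Returns bytes echoed. */
static int echo_trusting(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    size_t claimed = (size_t)rec[1] << 8 | rec[2];
    (void)rec_len;                         /* received length never consulted */
    memcpy(out, rec + HDR, claimed);
    return (int)claimed;
}

/* Hardened: discard (-1) unless header, payload and padding fit the record. */
static int echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    if (rec_len < HDR + MIN_PADDING) return -1;
    size_t claimed = (size_t)rec[1] << 8 | rec[2];
    if (HDR + claimed + MIN_PADDING > rec_len || claimed > cap) return -1;
    memcpy(out, rec + HDR, claimed);
    return (int)claimed;
}

/* Constructed demo: a 23-byte record ("ping" + 16 padding bytes) sits in one
   64-byte arena next to unrelated data, so the over-read stays inside the array. */
static int run_demo(int checked, uint16_t claimed, uint8_t out[64]) {
    uint8_t arena[64] = {0};
    const size_t rec_len = HDR + 4 + MIN_PADDING;
    arena[0] = 1;                                   /* heartbeat_request */
    arena[1] = (uint8_t)(claimed >> 8); arena[2] = (uint8_t)claimed;
    memcpy(arena + HDR, "ping", 4);
    memcpy(arena + rec_len, "PLACEHOLDER-SECRET", 18);
    memset(out, 0, 64);
    return checked ? echo_checked(arena, rec_len, out, 64)
                   : echo_trusting(arena, rec_len, out);
}

int main(void) {
    uint8_t out[64];
    int n = run_demo(0, 40, out);
    printf("trusting: echoed %d bytes, tail \"%.18s\"\n", n, (char *)out + 20);
    printf("checked, claimed 40: %d\n", run_demo(1, 40, out));
    printf("checked, claimed 4:  %d\n", run_demo(1, 4, out));
    return 0;
}
```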


11 Power Analysis

12 Simple Power Analysis: DES Parity Check
DES-CheckParity(byte Key[8])
    for i = 8 down to 1
        parity = 0;
        for j = 8 down to 1
            if (bit j of Key[i] is set)   // CONDITIONAL
                parity = parity + 1       // OPERATION
            endif
        endfor
        if (parity is even) parity_error();
    endfor
end DES-CheckParity

13 SPA Attack on DES-Parity
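The DES-CheckParity loop rendered in C beside a branch-free replacement, as an added example that is not part of the original presentation. The trace[] array is a constructed model of what a power trace shows (1 where the conditional operation ran), and the sample key is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The slide's loop. trace[] records 1 where the conditional OPERATION ran and
   0 where it was skipped. Returns 1 on parity error (even parity in a byte). */
static int check_parity_leaky(const uint8_t key[8], uint8_t trace[64]) {
    int error = 0;
    for (int i = 7; i >= 0; i--) {
        int parity = 0;
        for (int j = 7; j >= 0; j--) {
            trace[i * 8 + j] = 0;
            if (key[i] >> j & 1) {        /* CONDITIONAL */
                parity++;                 /* OPERATION   */
                trace[i * 8 + j] = 1;
            }
        }
        if (parity % 2 == 0) error = 1;   /* DES key bytes carry odd parity */
    }
    return error;
}

/* Branch-free variant: no branch in the source depends on a key bit. */
static int check_parity_ct(const uint8_t key[8]) {
    unsigned bad = 0;
    for (int i = 0; i < 8; i++) {
        unsigned p = key[i];
        p ^= p >> 4; p ^= p >> 2; p ^= p >> 1;   /* fold 8 bits into bit 0 */
        bad |= (p & 1) ^ 1;                       /* even parity -> 1 */
    }
    return (int)bad;
}

/* What the leaky trace carries: reassembling it gives back every key bit. */
static int trace_equals_key(const uint8_t key[8]) {
    uint8_t trace[64], rebuilt[8] = {0};
    check_parity_leaky(key, trace);
    for (int k = 0; k < 64; k++) rebuilt[k / 8] |= (uint8_t)(trace[k] << (k % 8));
    return memcmp(rebuilt, key, 8) == 0;
}

int main(void) {
    /* Constructed sample key with valid odd parity in every byte. */
    const uint8_t key[8] = {0x13, 0x34, 0x57, 0x79, 0x9B, 0xBC, 0xDF, 0xF1};
    printf("leaky trace reveals key: %d\n", trace_equals_key(key));
    printf("branch-free parity error: %d\n", check_parity_ct(key));
    return 0;
}
```

Removing the key-dependent branch addresses only the control-flow leak that SPA reads directly; data-dependent leakage still calls for the shielding, noise and randomization countermeasures listed on the final slide.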

14 EM History
Classified TEMPEST standards. Some parts declassified Jan '01, http://www.cryptome.org.
Published work
– EM Leakages from Peripherals, e.g., Monitors: Van Eck, Anderson & Kuhn.
– EM Leakage from smart-cards during Computation. J.-J. Quisquater & David Samyde, E-smart 2001, Gemplus Team [GMO ’01], CHES ’01.
– SEMA/DEMA attacks. Best results require "decapsulation" of chip packaging and/or precise micro-antennas positioning on chip surface

15 Rao et al.’s Work
Deeper understanding of the EM leakages.
– Similar to declassified TEMPEST literature.
Key Insights/Results
– Plenty of EM signals are available, provided you know what to look for and where. Superior signals and attacks possible without micro-antennas or decapsulation. Some attacks possible from a distance.
– EM side-channel(s) >> Power side-channel. EM can break DPA-resistant implementations.

16 EM Emanations Background
Origin/Types of EM Emanations
– Direct emanations from intended currents. Maxwell’s equations, Ampere’s and Faraday’s laws.
– Unintentional emanations from coupling effects. Depend on physical factors, e.g., circuit geometry. Most couplings ignored by circuit designers. Manifest as modulation of carriers (e.g. clock harmonics) present/generated/introduced in device.
– AM or Angle (FM/Phase) Modulation. Compromising signals available via demodulation.
Propagation of EM
– Radiation, Conduction, Combination of both. E.g., Faint EM signals riding on power line.

17 EM Capturing Equipment Antennas (Far-field) and Near-field probes Current probes. Analog processing: Filters/Amplifiers, Tunable wideband receiver or equivalent $$ Digital sampling hardware.

18 ICOM wideband radio receiver with IF output

19 MAKE YOUR OWN

20 EM vs. Power Sometimes, EM is the only side-channel available. – Filtered power supplies, restricted access… – E.g. Crypto Tokens, SSL Accelerators,...

21 EM Signal from SSL Accelerator S at 15 feet [Figure: Amplitude vs. Time (10ns)]

22 EM vs. Power Is EM useful in the presence of power? Yes, several EM carriers: Generated, Ambient, Introduced… – Experimentally verified: Different carriers carry different information. Some EM leakages substantially different from Power leakages.

23 Bad Instructions Instructions where some EM leakage >> Power leakage. Typically CPU intensive rather than bus intensive. All architectures have BAD Instructions. Example: Bit-test on several 6805 based systems leaks tested bit.

24 EM Attack Example: 2 signals, different data, same exp & modulus

25 TESTED BIT = 0 IN BOTH TRACES

26 TESTED BIT DIFFERENT

27 Countermeasures
Require sound vulnerability assessment.
Countermeasures include:
– Circuit redesign to reduce unintentional emanations.
– Reducing S/N ratio
    EM Shielding
    Noise introduction
    Physically secure zones.
– Randomization based software countermeasures similar to DPA countermeasures.

