SLIDE 1

Overview of Countermeasures against Implementation Attacks

Marcel Medwed marcel.medwed@nxp.com

SLIDE 2

Outline

Motivation & general mechanisms
Side-channel countermeasures
Fault countermeasures
Conclusions

Marcel Medwed, Albena, May 2013, Design and Security of Cryptographic Functions, Algorithms and Devices

SLIDE 3

Motivation

Sensitive applications require certification

– Pay TV, Banking, ...
– e.g. CC EAL5+
– Semi-formal evidence for security
– Standard portfolio of attacks

  • SCA
  • Fault analysis, probing

Cost vs. security tradeoff

SLIDE 4

General Mechanisms

c = E_k(m)

[Figure: device processing inputs m1, m2, ..., mn; labels: Timing, Shielding, Detection, Low SNR, Faults, Constant, Limit measurements, Probing, Instantaneous Leakage, Independence, Dependence]

SLIDE 5

Side-Channel Countermeasures

Data independent timing
Hiding
Masking
Regular key updates
Dependent leakage

SLIDE 6

Data Independent Timing

Data dependent branches

– Reduction, Compiler

  • Use regular algorithms
  • Use assembly code

Architectural features

– e.g. ARM7 multiplier

  • time(0xFFFF*Op2) > time(0xFF*Op2)

– Cache
– Code alignment

  • Prefetch / Branch

SLIDE 7

Instantaneous Leakage - Preliminaries

Leakage trace

– Vector of t leakage samples

Sensitive variable v

– Depends on key and input 

Observe noisy function of v

– For some i,
– E.g. L = Hamming weight
– Normally distributed noise

Univariate, First-order, Hamming weight

– Templates and Correlation are asymptotically equivalent

SLIDE 8

Hiding in General

In each clock cycle, consume either

– (close to) random power → increase n
– (close to) constant power → L(v) ~ const.

Hiding only decreases the SNR
Hiding dimensions

– Time
– Amplitude

SLIDE 9

Hiding in Time with Shuffling (1)

Time

– Insertion of dummy operations
– Shuffling

[Figure: order of operations S1 to S4 and dummy operations D over time, shown for several observations]

SLIDE 10

Hiding in Time with Shuffling (2)

Effect of time randomization with k positions

– Sample from with probability 1/k

Plain attack

– Correlation ~ k
– k^2 traces

Integration over all k positions

– Noise increases linearly
– Correlation ~ k^(-1/2)
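
The effect of shuffling on a correlation attack can be checked with a small simulation. This is an added example, not part of the original slides; the Hamming-weight leakage of 8-bit values, Gaussian noise with sigma = 1 and k = 4 shuffled operations are assumptions chosen for illustration.

```python
import random
from math import sqrt

def hw(x):
    """Hamming weight of an integer."""
    return bin(x).count("1")

def pearson(xs, ys):
    """Sample Pearson correlation of two equally long sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy)

def simulate(k=4, n_traces=20000, sigma=1.0, seed=1):
    """Return (rho_unprotected, rho_fixed_sample, rho_integrated).

    Constructed model: k independent 8-bit operations per trace, each leaking
    HW(value) + N(0, sigma^2); operation 0 handles the sensitive variable v.
    """
    rng = random.Random(seed)
    model, unprotected, fixed, integrated = [], [], [], []
    for _ in range(n_traces):
        values = [rng.randrange(256) for _ in range(k)]
        leak = [hw(v) + rng.gauss(0.0, sigma) for v in values]
        order = list(range(k))
        rng.shuffle(order)                 # order[t] = operation run at time t
        trace = [leak[op] for op in order]
        model.append(hw(values[0]))        # prediction for the sensitive variable
        unprotected.append(leak[0])        # no shuffling: v always at time 0
        fixed.append(trace[0])             # shuffled, only time 0 is evaluated
        integrated.append(sum(trace))      # shuffled, all k samples are summed
    return (pearson(model, unprotected),
            pearson(model, fixed),
            pearson(model, integrated))

if __name__ == "__main__":
    rho0, rho_fixed, rho_int = simulate()
    print(f"unprotected   rho = {rho0:.3f}")
    print(f"fixed sample  rho = {rho_fixed:.3f}  (model: rho0 / k)")
    print(f"integrated    rho = {rho_int:.3f}  (model: rho0 / sqrt(k))")
```

Because the number of traces needed grows roughly with 1/rho^2, these two factors correspond to about k^2 and k times more traces.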

SLIDE 11

Hiding in Amplitude

Peripheral activity

– ADCs
– Co-processors

Memory addresses

– of dummy registers
– of key dependent registers

Random precharge of bus

– Pure HD leakage?

SLIDE 12

Hiding in Hardware

Time

– Dummy instructions
– Shuffling
– Random jitters

Amplitude

– Filters

  • Switching capacitors
  • Constant drain circuits

– Noise generation engines
– Parallelization
– Pipelining / Unrolling
– Dynamic reconfiguration (FPGAs)

SLIDE 13

Hiding at Cell Level

Dual-rail precharge logic styles

Trans.  l
00
01      1
10      1
11

Trans.  l
1000    1
0100    1
0010    1
0001    1

[Figure: single-rail gate (inputs a, b; output q) and dual-rail gate (inputs a, ¬a, b, ¬b; outputs q, ¬q)]

→ Talk by Ingrid Verbauwhede

SLIDE 14

Conclusions for Hiding

Decrease the SNR

– Increase noise
– Decrease signal

Only minor changes to the algorithms
Noise is essential for masking!
EM measurements can overcome many hiding countermeasures

– Shuffling / dummy operations are strong but
– Which resources are used?
– Exact same behavior of circuit?

SLIDE 15

Masking

Randomized redundant representation

nth-order masking

– All n-1 intermediate variables are independent of v
– Adversary needs to

  • identify n leakage samples
  • and combine their information

Challenge

– Usually achieving is not straightforward

SLIDE 16

Masking Few Bits (1)

Assume little structure (e.g. block cipher)

– Boolean masking

  • Alternatively

– Multiplicative masking (zero-value problem)

– Affine Masking

SLIDE 17

Masking Few Bits (2)

Marginal PDFs are independent → joint PDF

[Figure: two panels, WH(v)=0 and WH(v)=4, each with axes WH(v1) and WH(v2)]

Effect

– k shares, sufficient noise
– Number of traces relates to
– Combination results in additional loss
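
The points of "Masking Few Bits (1)" and "(2)" can be verified exhaustively for one byte. This is an added example, not part of the original slides; it assumes 8-bit values, noise-free Hamming-weight leakage, the AES field polynomial for the multiplicative case, and the sum of both share leakages as the combining function.

```python
def hw(x):
    """Hamming weight of an integer."""
    return bin(x).count("1")

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def boolean_share_mean(v):
    """Mean leakage of the Boolean-masked share v XOR m over all masks m."""
    return sum(hw(v ^ m) for m in range(256)) / 256

def boolean_sum_variance(v):
    """Variance of HW(v XOR m) + HW(m), i.e. both shares combined."""
    samples = [hw(v ^ m) + hw(m) for m in range(256)]
    mean = sum(samples) / 256
    return sum((s - mean) ** 2 for s in samples) / 256

def multiplicative_share_values(v):
    """Values taken by the multiplicatively masked share v*m, m non-zero."""
    return {gf_mul(v, m) for m in range(1, 256)}

if __name__ == "__main__":
    for v in (0x00, 0x0F, 0xFF):
        print(f"v={v:#04x}  first-order mean={boolean_share_mean(v):.1f}  "
              f"combined variance={boolean_sum_variance(v):.1f}")
    # Zero-value problem: v = 0 is never hidden by a multiplicative mask.
    print("v=0x00 multiplicative share values:", multiplicative_share_values(0))
    print("v=0x53 distinct share values:", len(multiplicative_share_values(0x53)))
```

Each share on its own has the same mean leakage for every v, while the variance of the combined leakage equals 8 minus the Hamming weight of v, which is the dependence a second-order attack exploits.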

SLIDE 18

Masking Few Bits (3)

[Figure: three panels: Only masking, Only shuffling, Combined]

SLIDE 19

Masking in Software (1)

First-order masking → Lookup tables
Higher order masking

– Secure table computation for 2nd order masking
– Test all subsets!

Check Hamming distance

– Buses, registers, ...

SLIDE 20

Masking in Software (2)

Rivain and Prouff – CHES10

– Provably secure masking for AES with arbitrary order
– Based on Private Circuits

Genelle, Prouff, and M. Quisquater – CHES11

– Combination of additive and multiplicative masking

Cycle counts for a masked AES

– Pay for security directly in execution time

Masking order    AES cycles
w/o masking      2 000
1                25 000
2                69 000
3                180 000

SLIDE 21

Masking in Hardware (1)

Unclear what synthesizer does

– Unintentional unmasking
– Unintentional combination function

Data dependent phenomena

– Glitches
– Early propagation
– Cross-talk

[Figure: masked S-box; inputs: masked v and mask m; outputs: masked S(v) and mask m']

SLIDE 22

Masking in Hardware (2)

Nikova et al. – Threshold implementation

– Independent processing of subset of shares

If shares processed in parallel

– Univariate leakage
– But still higher order attack

[Figure: shares v1, v2, v3 processed by functions f1 to f6 into shares y1, y2, y3 and z1, z2, z3]

→ Talk by Svetla Nikova

SLIDE 23

Flawed Masking

Can only provide a constant factor
Do you measure right or left of the line, how bad is your flaw?
Test: Does your second-order attack work better than your first-order one?

Taken from http://perso.uclouvain.be/fstandae/PUBLIS/107_slides.pdf

SLIDE 24

Masked Logic Styles

Remove requirement for balanced routing

– Average power consumption is constant (in theory)
– E.g. MDPL NAND gate

[Figure: MDPL NAND gate (MAJ and SR elements; inputs am, bm, m and ¬am, ¬bm, ¬m; outputs q, ¬q) with its truth table]

SLIDE 25

Exploiting Algebraic Structures

Scalar blinding
Message blinding
Embeddings

SLIDE 26

Using Inherent Redundancy

ECC point projection

– Originally to avoid inversions
– Free randomization

SLIDE 27

Conclusions for Masking

Take care of

– Unintentional unmasking
– Glitches
– Lower order leakages

For small mask widths

– PDFs can be estimated
– But exponential increase in data complexity

For large mask widths (PKC)

– Inexpensive and very effective
– But complex operations → Additive masking of multiplicative masking, …

SLIDE 28

Key / Message Transformations

Sequential key update

– E.g. with hash function

Indexed key update

– Use invertible function

Parallel key update

– Easy to protect key update function

Leakage resilient cryptography

– Proof that (small) leakages cannot be combined during (key) evolvement

Message transformation

– Also apply to ciphertext

SLIDE 29

Evaluating Countermeasures

Correlation attacks might overestimate the security
Compute mutual information between leakage and sensitive variable
Attacks might become too sophisticated

– lower bound moves far away from real security

Measurement equipment must be leading edge
Key rank estimation

SLIDE 30

Invasive-Attack Countermeasures

Fault injection prevention
Error detection

C = f(A,B)
D = f(A,B)
If (C != D) then
    errorHandling();
EndIf;

[Figure labels: ADD, XOR, AND, CMP]

www.coders4fun.com

SLIDE 31

Protecting All Points-of-Attack

Crypto

– Data integrity

OS level

– Self-check
– Redundant state machines

Hardware level

– Prevent physical access
– Increase cost for physical access
– Filter fault sources

SLIDE 32

Active-Attack Prevention

Shields
Sensors (e.g. light)
Filter power line
On-chip generation of clock signal
Limit number of operations
Bury sensitive parts

SLIDE 33

General Countermeasures

Time redundancy (checks shall not leak)
Space redundancy
Loop invariants
CRC sums
Flow protection
Watchdog timers
MMU constraints
Encrypted memory / Encoded memory / Bus scrambling
Self destruction

SLIDE 34

Countermeasures for SKC (1)

Inverse S-box with parities
Operate on error detection codes

  • Code properties might not hold for the whole algorithm!

SLIDE 35

Countermeasures for SKC (2)

Digest values in Software

– Find robust protection for each operation
– Overlap them

Key update

– Frequency: Attack on AES needs only two operations with the same input

Probabilistic encryption

– What about decryption?

SLIDE 36

Countermeasures for PKC

Inverse computation
Ring extensions / embeddings
Point integrity check (ECC)
Algorithmic invariants → Montgomery ladder
Output insufficient or useless information

– ECDSA
– Infective computation

SLIDE 37

Using Cell Level Redundancy

Logic styles

– Precharge values as invalid states
– Potentially trigger a precharge wave

Enc(v)  V
10      1
01
00      X
11      X

[Figure: dual-rail gate with inputs a, ¬a, b, ¬b and outputs q, ¬q]

SLIDE 38

Conclusions

Timing

– Simple to handle

SCA

– Effects are (mostly) well studied
– Information theoretic analysis of countermeasures

FA

– Crypto might be the last element in the chain
– What is a reasonable adversary?
– Detection probability vs. correctness check!

SLIDE 39

Overview of Countermeasures against Implementation Attacks

Marcel Medwed marcel.medwed@nxp.com

SLIDE 40

Further Reading

  • S. Mangard, E. Oswald, T. Popp – “Power Analysis Attacks - Revealing the Secrets of Smartcards”
  • W. Rankl, W. Effing – “Smart Card Handbook”
  • M. Joye, M. Tunstall – “Fault Analysis in Cryptography”
  • S. Nikova – “Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches”
  • L. Genelle, E. Prouff, M. Quisquater – “Thwarting Higher-Order Side Channel Analysis with Additive and Multiplicative Maskings”
  • F.-X. Standaert et al. – “The World is Not Enough: Another Look on Second-Order DPA”
  • M. Medwed et al. – “Fresh Re-keying II: Securing Multiple Parties against Side-Channel and Fault Attacks”
  • N. Veyrat-Charvillon, B. Gérard, F.-X. Standaert – “Security Evaluations beyond Computing Power”