Daniel Ferrer
Outline of presentation
Definitions
History
Types of attacks
Paul Kocher: attacks and tools
China
IDEAL
Countermeasures
Questions/answers
Definitions Basics
Cryptanalysis: the study of (mathematical) techniques for attempting to break cryptographic schemes or cryptosystems. Designers switch back and forth: design a new system, then turn around and try to break it! Attacks and countermeasures.
Some people are born attackers !
Definitions Basics
A side channel is any observable information emitted as a byproduct of the physical implementation of the cryptosystem (Joseph Bonneau).
The term was first used in 1995, in Paul Kocher's timing attack against RSA (published 1996). The information comes "from the side": not from the cipher's mathematics but from how it runs.
Side Channel (SC)
Definitions Basics
A cryptosystem: a system of encrypting private communication, designed to keep information private. That is the ideal system. The ideal has to live in the real world: the actual cryptosystem runs on CPUs, memory and software, and even on satellites in geosynchronous orbit at 22,236 miles (35,786 km).
Definitions Basics
Figure: Key and Plaintext go into the Cipher, which produces the Ciphertext; Side Channels are the extra information leaking from the cipher's implementation.
Definitions Basics
Implementation (real-world) attacks. Active attacks, of which one distinguishes three kinds: non-invasive attacks; semi-invasive attacks (fault analysis; Skorobogatov and Anderson, chip opened but not physically contacted); invasive attacks (broken parts on the floor).
Definitions Basics
Passive attacks: 1) side-channel attacks (more on these in this lecture); 2) logical attacks. Example: Bleichenbacher's attack took advantage of flaws in the PKCS #1 v1.5 padding check to gradually reveal the content of an RSA-encrypted message. Doing this requires sending on the order of a million test ciphertexts to the decryption device (e.g., an SSL-equipped web server) and observing which ones it rejects.
Older History
1985: W. van Eck published on emanations from computer monitors. TEMPEST stories and earlier (1950s-60s) standards. Interception of commercial satellite trunks, microwave links, etc.; side-channel rumors. As of 2006, 99% of the world's long-distance voice and data traffic was carried over optical fiber.
Recent History
1995: Paul Kocher attacked RSA and DSS using timing analysis. 1996: Differential Fault Analysis, E. Biham and A. Shamir (published 1997). 1998: Paul Kocher, Power Analysis (with J. Jaffe and B. Jun, published 1999). 2000/2001: Electromagnetic emanation, J.-J. Quisquater and D. Samyde; K. Gandolfi, C. Mourtel and F. Olivier. 2002: Optical fault induction, S. Skorobogatov and R. Anderson.
More history
DPA Statistical analysis (Messerges, 2002).
Dan Boneh and David Brumley demonstrated the first remote timing attack against RSA (over a network, against OpenSSL) in 2003.
Probing attack
Attack a smart card with a probing station (about $10,000). Speed up or slow down the chip's clock. UV light, laser/light pulses or a Focused Ion Beam (FIB) workstation flip bits in memory. Microwaves: reported as personal communication. Fault induction attacks: create a fault and observe the results.
Glitch attack
Figure: differences of averages of 5 side-channel samples; the upper trace is for the same key, the lower for two different keys.
Power Analysis
Build a model that links the ideal algorithm to the real-world working of the device (what each operation costs in current drawn), then test the model against measured traces.
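The model-versus-measurement idea above, as an added example that is not part of the slides: a first-order power analysis that recovers one AES key byte from simulated traces. The traces are constructed here under the usual textbook assumption that the device leaks the Hamming weight of the S-box output plus Gaussian noise; the statistic is the correlation form of Kocher's DPA (CPA, Brier, Clavier and Olivier 2004), which ranks all 256 key guesses by how well their predicted leakage matches the measured one. The `masked=True` variant models a device that only ever handles the S-box output XORed with a fresh random mask, and shows why first-order analysis fails against it.

```python
# Added example (not from the slides): first-order power analysis on one AES
# key byte, using SIMULATED traces. Assumption: the device leaks the Hamming
# weight of the S-box output plus Gaussian noise (a standard textbook model).
import math
import random


def _gf_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox():
    """Compute the AES S-box: multiplicative inverse followed by the affine map."""
    inv = [0] * 256
    for a in range(1, 256):
        if inv[a]:
            continue
        for b in range(1, 256):
            if _gf_mul(a, b) == 1:
                inv[a], inv[b] = b, a
                break
    sbox = []
    for a in range(256):
        x = inv[a]
        s = x
        for i in range(1, 5):  # x ^ rotl(x,1) ^ rotl(x,2) ^ rotl(x,3) ^ rotl(x,4)
            s ^= ((x << i) | (x >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def hamming_weight(v):
    return bin(v).count("1")


def simulate_traces(key_byte, n, noise=1.0, masked=False, seed=7):
    """Constructed traces: (plaintext byte, one leakage sample) per encryption.
    With masked=True the device only handles S(p ^ k) ^ m for a fresh random
    mask m per encryption, as a first-order Boolean-masked implementation would."""
    rng = random.Random(seed)
    traces = []
    for _ in range(n):
        p = rng.randrange(256)
        v = SBOX[p ^ key_byte]
        if masked:
            v ^= rng.randrange(256)
        traces.append((p, hamming_weight(v) + rng.gauss(0.0, noise)))
    return traces


def _pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx and vy else 0.0


def cpa_recover_key_byte(traces):
    """Correlation power analysis: for each of the 256 key guesses, predict
    HW(S(p ^ k)) for every trace and correlate the prediction with the
    measured leakage. Returns (best key guess, its absolute correlation)."""
    leaks = [leak for _, leak in traces]
    best = (None, -1.0)
    for k in range(256):
        pred = [hamming_weight(SBOX[p ^ k]) for p, _ in traces]
        r = abs(_pearson(pred, leaks))
        if r > best[1]:
            best = (k, r)
    return best


if __name__ == "__main__":
    key, r = cpa_recover_key_byte(simulate_traces(0x2B, 2000))
    print(f"unmasked: key guess 0x{key:02x} (correlation {r:.2f})")
    key, r = cpa_recover_key_byte(simulate_traces(0x2B, 2000, masked=True))
    print(f"masked:   key guess 0x{key:02x} (correlation {r:.2f})")
```

With the unmasked model the correct guess stands out with a correlation near 0.8 (the theoretical value sqrt(2/3) for noise variance 1 against a Hamming-weight variance of 2); with per-encryption masking every guess correlates at noise level, which is the reason masking is the standard countermeasure and why attackers move to second-order (two-sample) statistics against it.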
Template Attack
Template attack (Chari, Rao and Rohatgi, 2002). Profile a device you control: build a database of templates, for example for 3DES on an Intel Core i7 920 processor. Once the database is built, about 10 signals from the target suffice to break it.
Timing Attacks
Timing Attacks (TA) Kocher 1996
Computation time gives access to CPU-cycle information; the timing of other processes on the same machine leaks as well. http://en.wikipedia.org/wiki/Timing_attack
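The simplest timing attack in practice, as an added example that is not part of the slides: a secret comparison that stops at the first mismatching byte (the usual bug in MAC-tag or password checks) leaks, through its running time, how many leading bytes the guess got right, and an attacker recovers the secret one byte at a time. Timing is simulated here by counting loop iterations so the run is deterministic; on real hardware the count becomes CPU cycles plus noise and needs repeated measurements. The secret value and the oracle functions are constructed for the example.

```python
# Added example (not from the slides): Kocher-style timing attack on an
# early-exit comparison, plus the constant-time fix. "Time" is SIMULATED
# as the number of loop iterations the comparison performs.
import hmac

SECRET = bytes.fromhex("8f3a107ec2")  # constructed 5-byte secret, e.g. a truncated MAC tag


def leaky_compare(secret: bytes, guess: bytes):
    """Byte-by-byte compare that returns at the first mismatch (memcmp style).
    Returns (equal, iterations); the iteration count is the side channel."""
    if len(secret) != len(guess):
        return False, 0
    steps = 0
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_compare(secret: bytes, guess: bytes):
    """Fixed-work compare: accumulates all differences, so the iteration
    count depends only on the length, not on where the first mismatch is."""
    if len(secret) != len(guess):
        return False, 0
    diff, steps = 0, 0
    for a, b in zip(secret, guess):
        steps += 1
        diff |= a ^ b
    return diff == 0, steps


def verify_tag(expected: bytes, provided: bytes) -> bool:
    """What production code should use: the standard library's constant-time
    comparison (hmac.compare_digest), not a hand-rolled loop."""
    return hmac.compare_digest(expected, provided)


def leaky_oracle(guess):
    return leaky_compare(SECRET, guess)


def safe_oracle(guess):
    return constant_time_compare(SECRET, guess)


def recover_secret(oracle, length: int) -> bytes:
    """Attacker loop: extend the known prefix one byte at a time, keeping the
    byte whose guess took the oracle the longest (one more byte matched).
    Only the oracle's (accept/reject, time) output is used, never SECRET."""
    known = b""
    for pos in range(length):
        best_byte, best_time = 0, -1
        for b in range(256):
            guess = known + bytes([b]) + bytes(length - pos - 1)
            accepted, t = oracle(guess)
            if accepted:          # last byte is confirmed by acceptance itself
                return guess
            if t > best_time:
                best_byte, best_time = b, t
        known += bytes([best_byte])
    return known


if __name__ == "__main__":
    print("leaky   :", recover_secret(leaky_oracle, len(SECRET)).hex())
    print("constant:", recover_secret(safe_oracle, len(SECRET)).hex())
```

Against `leaky_oracle` the attack needs at most 256 queries per byte instead of 256^5 for the whole secret; against `constant_time_compare` every wrong guess costs the same, so the attacker gets no ordering between candidates and the recovered value is simply wrong. The length check that returns early is acceptable only because lengths of tags are public; anything that depends on secret data must take the fixed path.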
Cache-timing attacks on AES (Bernstein, 2005): after 160 minutes of building a timing database (profiling), recovering the key took one minute on an 850 MHz Pentium III. N.B.: this started a re-thinking of table-based AES implementations!
AES
Advanced Encryption Standard (AES).
Five years (1997-2001) were spent coming up with this standard to replace DES and 3DES, and it was broken by side-channel attack. A timing attack against Rijndael by Francois Koeune and Jean-Jacques Quisquater was published as a technical report in June 1999: a special case, against one implementation. D. Bernstein's cache-timing attack broke it hard: the general case, against the standard table-lookup implementations.
Access
Assumptions: the attackers have access to the computer in some form: CPU, power, memory, network, fiber cable, etc.
Questions ?
Open questions. More attacks will be described; can you guess the areas? Listen closely: there will be plenty of time to think about countermeasures. Some countermeasures have to do with manufacturing chips. Who makes money on improving security?
Electromagnetic Radiation
Electromagnetic radiation (Gandolfi et al., 2001). In 1985, Wim van Eck published the first unclassified technical analysis of the security risks of emanations from computer monitors. The effect was supposedly first discovered in 1943 at Bell Labs, from a teletype machine. TEMPEST reached the open literature in 1967.
Acoustic attacks
The Soviets bugged IBM Selectric typewriters in the U.S. embassy in Moscow (installed from the mid-1970s, discovered in 1984). Researchers at Berkeley, CA (2005) took several 10-minute sound recordings of users typing at a keyboard, fed the audio into a computer, and used an algorithm to recover up to 96 percent of the characters entered.
Acoustic attacks
A 12-minute recording with 2300 characters gave an over 90% hit rate, on three different kinds of keyboards. "Keyboard Acoustic Emanations Revisited" by Zhuang, Zhou and Tygar (CCS 2005).
Light attack
Broken
AES: cache-timing attacks on AES, D. Bernstein (2005). Osvik, Shamir and Tromer (2006): full key recovery from Linux dm-crypt after 800 encryptions and 65 milliseconds of measurements. AES as used in WinZip: T. Kohno (2004).
Broken
Algorithms with published side-channel breaks: 3DES, IDEA, RC4, RSA-CRT (Chinese Remainder Theorem implementation), more?
Plastic Bottle
[Backes et al.]
Teapots
[Backes et al.]
From 5 meters
From 10 meters
Timing equipment
Paul Kocher
Protocol weak points (Paul Kocher):
Algorithm negotiation
Version negotiation (backward + forward)
Man-in-the-middle
Message replay (within a session, across multiple sessions)
Message forwarding & impersonation, e.g. A connects to B, who connects to C pretending to be A
Certificate handling & validation (or lack thereof)
Out-of-sequence messages
Error handling that reveals information
Denial of service
Timing analysis
Excessive complexity or lack of a defined state machine
Improper or inadequate use of hash functions
Inefficiencies (round trips)
Redundant information
Management/debug functions (code upgrades, etc.)
Cloud Computing
"Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds", by Ristenpart, Tromer, Shacham and Savage (2009). Their conclusion on the current state of the art: for unconditional security against cross-VM attacks one must resort to avoiding co-residence.
Next step?
"Professional Penetration Testing: Creating and Operating a Formal Hacking Lab", by Thomas Wilhelm. ISBN-13 9781597494250, ISBN-10 1597494259, 528 pages. Publisher: Syngress; paperback with CD-ROM edition (August 28, 2009).
Concrete Countermeasures
"Side-Channel Attacks: Ten Years After Its Publication and the Impacts on Cryptographic Module Security Testing", YongBin Zhou and DengGuo Feng, State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100080, China ({zyb,feng}@is.iscas.ac.cn). Section 5.2: Concrete Countermeasures.
Countermeasures
A countermeasure against each attack? Or can we come up with a global answer to a group of attacks, and is it even possible to counter all of the side-channel attacks?
Side-channel attacks are aimed at very specific parts of an encryption implementation: good or bad news for us?
Questions
Thank you. Questions?