Introduction to Side-Channel Analysis: Basic Concepts and Techniques

Transcription

1 Introduction to Side-Channel Analysis: Basic Concepts and Techniques Hardware security, Spring 2018 Lejla Batina March 8, 2018 Institute for Computing and Information Sciences Radboud University 1

2 Outline Introduction Timing side-channel Power side-channel Simple power analysis (SPA) EM side-channel Exotic side-channels 2

3 Lecture times and deadlines for this part of the course Lecture 1: Introduction to SCA, March 5 Lecture 2: Advanced SCA and countermeasures, March 19 Assignment 1: posted on March 19, April 2 deadline Assignment 2: posted on March 26, April 9 deadline Lecture 3: Tutorial on template attacks, March 26 Assignment 3: posted on April 2, deadline April 16 Lecture 4: Fault injection attacks, May 14 Excursion to Riscure: tba DiS SCA lab tours: March 26 via Doodle (tba) 3

4 Embedded cryptographic devices 4

5 Introduction

6 Introducing the side channel 5

7 Blackbox scenario Plaintext Cryptographic Device Ciphertext The cipher (e.g. AES) model: the fixed key (unknown to the adversary), as the parameter that takes input to generate output Analyzing the security in the blackbox scenario relates to classical cryptanalysis Can you derive the secret key by observing plaintext/ciphertext pairs? 6

8 Greybox scenario The cryptographic algorithm is implemented on a real device such as a processor, microcontroller, FPGA etc. We can observe certain physical quantities in the device s vicinity and use the additional information during cryptanalysis Can you derive the secret key by observing plaintext/ciphertext pairs and a side-channel? The side-channel is any unintentional signal that can offer us a blurry view of the algorithm s internal computations Execution time, power consumption, electromagnetic emission, sound and others 7

9 Greybox scenario Plaintext Cryptographic Device Ciphertext Leakage We have limited access to the internal computations thus we work with a greybox scenario Algorithms that are secure under a blackbox scenario may not be secure under the greybox i.e. they may have implementations that are not secure Side-channel attacks are attacks on implementations of algorithms 8

10 Side-channel attacks in the news Using EM measurements, we were able to fully extract secret signing keys from OpenSSL and CoreBitcoin running on ios devices. We also showed partial key leakage from OpenSSL running on Android..., March sidechannel_encryption_theft/ 9

11 Taxonomy of implementation attacks Active vs passive: Active i.e. tampering: the key is recovered by exploiting some abnormal behavior e.g. power glitches or laser pulses Passive i.e. eavesdropping: the device operates within its specification Invasiveness: Invasive aka expensive: the strongest type e.g. bus probing Semi-invasive: the device is de-packaged but no direct contact with the chip e.g. optical attacks that read out memory cells (or faults/glitches by voltage, power supply, clock, EM, etc.) Non-invasive aka low-cost: power/em measurements data remanence in memories cooling down is increasing the retention time Rowhammer 10

12 Timing side-channel

13 Timing side-channel 11

14 Timing side-channel: PIN verification Software for PIN code verification Input: 4-digit PIN code Output: PIN verified or rejected Process CheckPIN (pin[4]) int pin_ok=0; if (pin[0]==5) if (pin[1]==9) if (pin[2]==0) if (pin[3]==2) pin_ok=1; end end end end return pin_ok; EndProcess What are the execution times of the process for PIN inputs [0,1,2,3], [5,3,0,2], [5,9,0,0] The execution time increases as we get closer to [5,9,0,2] 12

15 Timing side-channel: Cache attacks in + Sbox... y k update Assume AES implements the Sbox with a lookup table (LUT) stored in memory Every Sbox iteration creates a table index j = input key and uses it to lookup the Sbox output, i.e. y = LUT (j) Accessing different parts of the lookup table may take different amount of time! The underlying cause is cache behavior of modern processors 13

16 Timing side-channel: Cache attacks 14

17 Timing side-channel: Cache behavior 15

18 Timing side-channel: Cache behavior 16

19 Timing side-channel: Cache behavior 17

20 Timing side-channel: Cache behavior 18

21 Timing side-channel: Cache behavior 19

22 Timing side-channel: Cache behavior 20

23 Timing attacks notes and literature One of the earliest side-channel attacks due to easy measurements Can also be exploited remotely! Shows the unpredictable effects of caches to crypto implementations Has been applied to symmetric and asymmetric cryptography P. Kocher. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, CRYPTO 1996 Daniel Page. Theoretical use of cache memory as a cryptanalytic side-channel, technical report CSTR ,

24 Power side-channel

25 Power side-channel 22

26 Power side-channel: CMOS leakage CMOS is the most popular circuit style and exhibits several types of leakage The most relevant for side-channel attacks is the charge and discharge of the CMOS load capacitance a.k.a dynamic power consumption Dynamic power consumption (P dyn ) is produced by CMOS transitions from state 0 to 1 and from state 1 to 0 Thus a power analysis attack explores the fact that the dynamic power consumption depends on the data and instructions being processed P dyn = CV 2 DD P 0 1f, where C the transistor capacitance, V DD the power supply voltage, f the frequency and P 0 1 the probability of a 0 1 transition 23

27 Power side-channel: Modeling the leakage Starting point: dynamic power consumption depends on bit transitions thus we use the number of transitions to model the leakage The Hamming distance model counts the number of 0 1 and 1 0 transitions, assuming that they are equivalent Example 1: Assume a hardware register R storing the result of an AES round. The register initially contains value v 0 and gets overwritten with value v 1 The power consumption because of the register transition v 0 v 1 is related to the number of bit flips that occurred Thus it can be modeled as HammingDistance(v 0, v 1 ) = HammingWeight(v 0 v 1 ) It s common to see Hamming distances in hardware implementations (FPGA, ASIC) 24

28 Power side-channel: Modeling the leakage Example 2: In a microcontroller, assume register A with value v 0 and an assembly instruction that moves the contents of register A to register B mov rb, ra In general-purpose processors the instruction will transfer value v 0 from register A to B via the CPU, using the bus In several cases the bus is very leaky component and it is also precharged at all bits being zeros or all being one (businitialvalue) The power consumption of the assembly instruction can be modeled as HammingDistance(busInitialValue,v 0 ) = HammingWeight(v 0 0) = HW(v 0 ) It s common to see Hamming weight leakages in software implementations (AVR/ARM microcontrollers) 25

29 Power side-channel: Measurement setup Usually power measurements requires physical proximity to the device and customized measurement equipment (resistor, oscilloscope) 26

30 Power side-channel: Measurement setup 27

31 Simple power analysis (SPA)

32 SPA on AES Power consumption leakage of an AES cipher implementation on an AVR microcontroller How many rounds are executed? 28

33 SPA on AES We see 10 repeating patterns thus it s AES-128 We can even notice that the last round is smaller due to the lack of MixColumns In general, we can use the power side-channel to reverse engineer certain implementation details such as the cipher, its version, assembly instructions used etc. 29

34 SPA on RSA Square and Multiply Software for RSA modular exponentiation Input: integers x, e, n, length l of e Output: x^e mod n Process ModularExponentiation(x, e, n, l) r=1; for j=l-1 down to 0 r=r^2 mod n //square if (bit j of e) == 1 r= r*x mod n //multiply end return r; EndProcess Do you already see a timing attack? The exponent-dependent branch is causing it! Do you see a side-channel attack? The branch is the culprit again! 30

35 SPA on RSA Square and Multiply Can you find the exponent bits by visual inspection of the patterns? 31

36 SPA on RSA Square and Multiply Square and Multiply (bit==1) are lengthier operations than Square only (bit==0) Multiplications are often more power consuming compared to Squarings 32

37 Power side-channel: RSA Square and Multiply Always Trying to fix the problem we create a timing-constant implementation Process ConstantTimeModExp(x, e, n, l) r[0]=1; r[1]=1; for j=l-1 down to 0 r[0]=r[0]^2 mod n //square r[1]= r[0]*x mod n //multiply index=bit j of e r[0]=r[index] return r[0]; EndProcess Does both square and multiply to ensure constant time Still, side-channel information exists! Can you see it? Location-based leakage can lead to key recovery 33

38 Power attacks notes and literature Very powerful attacks that require proximity to the target Countermeasures on all levels required i.e. algorithm, implementation, transistor etc. P. Kocher, J. Jaffe, B. Jun. Differential Power Analysis, CRYPTO T. Eisenbarth et al. On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoqCode Hopping Scheme, CRYPTO Mangard et al. Power Analysis Attacks, Springer, T. Kasper et al. All You Can Eat or Breaking a Real-World Contactless Payment System, Financial Cryptography J. Balasch et al. Power Analysis of Atmel CryptoMemory - Recovering Keys from Secure EEPROMs, CT-RSA

39 EM side-channel

40 Electromagnetic side-channel 35

41 EM side-channel: Probing I Observing a power signal in a complicated embedded device can be messy I Board capacitors, complicated SoCs, multiple peripherals I Countermeasures trying to flatten the power consumption signal I Use an electromagnetic probe instead I A probe is an easy way to access the power consumption with less board modifications I Smaller probes can focus on interesting locations and ignore interference from unrelated electrical components 36

42 EM side-channel: Decapsulation and Microprobing To improve spatial resolution of analysis use a micrometer-sized antenna To exploit more leakage decapsulate the chip using chemicals 37

43 EM side-channel: Decapsulation and Microprobing Left: close inspection of decapsulated ARM processor using a microscope Right: EM emission heatmap of the same chip 38

44 EM side-channel: TEMPEST project Instead of going very close, try to identify screen emission from a large distance The adversary can take a look at your screen! It was known since 1960s, declassified only in

45 EM side-channel: notes and literature EM enables side-channel attacks both in high proximity scenarios and distance scenarios Standard EM is quite cheap to perform, microprobing and TEMPEST-like scenarios can be more expensive J. -J. Quisquater and D. Samyde. ElectroMagnetic Analysis (EMA): Measures and Counter-Measures for Smart Cards esmart Heyszl et al. Localized Electromagnetic Analysis of Cryptographic Implementations, CTRSA2012. K. Gandolfi et al. Electromagnetic Analysis: Concrete Results, CHES

46 Exotic side-channels

47 Exotic side-channels Exotic side-channels 41

48 Optical emission Accessing the chip SRAM cells emits photons that can be detected by a high-resolution camera Visual inspection can reveal the memory location accessed The memory location maps to a specific value (e.g. in the AES LUT), i.e. it maps directly to Sbox(in key) Since the input in is known, knowledge of the memory location reveals the key Schlösser et al. Simple Photonic Emission Analysis of AES, CHES

49 Sound emission In 1965, MI5 put a microphone near the rotor-cipher machine used by the Egyptian Embassy, the click-sound the machine produced was analyzed to deduce the core position of the machines rotors RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis, Shamir et al. Attacking a computer by listening to the high-pitched (10 to 150 KHz) sounds produced as it decrypts data Extracted 4096-bit RSA keys Using low- and high-pass filters to ensure to get only the sounds that emanate from the PC while the CPU is decrypting data Can be carried out over a distance of 4m with a high-quality microphone (or a smartphone) 43

50 Out-of-order and speculative execution January 3rd 2018 Kernel addresses were access unintentionally due to out-of-order execution Taking all possible branches may also cause issues Seems hard to patch since the culprit is the structure of a processor Meltdown and Spectre, 44

51 Attackers goals and targets Typical targets are transportation cards, medical care, RFID passports, mobile payment system, supply chain management The goals of side-channel analysis: Recover the key and data Gain anauthorized access Acquire intellectual property Privacy mining Reverse engineering Malware/intrusion detection 45

52 Attackers goals and targets Overall side-channels pose a threat to secure implementations Side-channel attacks are usually passive (i.e. just listening or eavesdropping) Some are non-invasive e.g. power analysis or simple EM probing Others are classified as semi-invasive attacks e.g. high-resolution EM or photonic side-channel, since they require decapsulation Passive and non-invasive attacks are fairly cheap to launch 46