Side-Channel Cryptanalysis. Joseph Bonneau Security Group

Size: px

Start display at page:

Download "Side-Channel Cryptanalysis. Joseph Bonneau Security Group"

Kelly Foster
6 years ago
Views:

1 Side-Channel Cryptanalysis Joseph Bonneau Security Group

2 Rule 0: Attackers will always cheat xkcd #538

3 What is side channel cryptanalysis?

4 Side Channels: whatever the designers ignored Key c=me mod N Plaintext Encryption Cipher Ciphertext T0 = K0 P0

5 Side Channels: whatever the designers ignored Key Plaintext Encryption Cipher Ciphertext

6 Side Channels: whatever the designers ignored Key Plaintext Time Power Encryption Cipher Noise Heat EM radiation Ciphertext

7 Side Channels: whatever the designers ignored Key Plaintext Time Power Encryption Cipher Noise Heat EM radiation Ciphertext

8 Definition Side-channel cryptanalysis is any attack on a cryptosystem requiring information emitted as a byproduct of the physical implementation.

9 Related attacks

10 White box cryptanalysis: nothing is hidden Key Plaintext Debugger Encryption Cipher int k[] = {0x1e,...} Static analysis Memory dumps Ciphertext

11 TEMPEST: EM signals containing full secrets Key Plaintext Encryption Cipher Ciphertext

12 Fault injection: inducing a telling error Key Plaintext Encryption Cipher Ciphertext

13 Hardware attacks: breaking the box open Key Plaintext Encryption Cipher Ciphertext

14 Covert channels: attack code running from within Key Plaintext Encryption Cipher Ciphertext

15 The grandmother of all timing attacks

16 Insecure password checking routine int check_password(char * test, char * correct){ return (strcmp(test, correct) == 0); }

17 Insecure password checking routine int check_password(char * test, char * correct){ return (strcmp(test, correct) == 0); } int strcmp(char *s1, char *s2){ while (*s1!= '\0' && *s1 == *s2) { s1++; s2++; } return ((s1 < s2)? -1 : (s1 > s2)); }

18 Insecure password checking routine int check_password(char * test, char * correct){ return (strcmp(test, correct) == 0); } int strcmp(char *s1, char *s2){ n A queries && *s1 == *s2) { while (*s1!= '\0' s1++; s2++; } return ((s1 < s2)? -1 : (s1 > s2)); }

19 MAC timing attack against Xbox 360 C:\Documents and Settings\Administrator\Desktop\360\DGTool>DGTool.exe 1 Infectus _5759#4_1888_build2.bin Pairing Data 0x6DF3B8 01 Turn on your Xbox, press any key when the RRoD starts H[0 00XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 0 : 0 NEXT H[0 01XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D -3 : 0 NEXT H[0 02XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 3 : 0 NEXT... H[0 1AXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 3 : 0 NEXT H[0 1BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 12 : 11 RPT H[0 1BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 11 : 0 HIT! H[1 1B00XXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 0 : 0 NEXT H[1 1B01XXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D -1 : 0 NEXT... H[1 1BFDXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 14 : 8 RPT H[1 1BFDXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 9 : 0 HIT! H[2 1BFD00XXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 1 : 0 NEXT H[2 1BFD01XXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 4 : 0 NEXT... H[2 1BFDF0XXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 15 : 11 RPT H[2 1BFDF0XXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 10 : 0 HIT!... H[15 1BFDF0625C214F67CD94DCA3FC47CA55] M A D 16 : 0 HIT! Correct hash: 1BFDF0625C214F67CD94DCA3FC47CA55 Result: BOOT

20 MAC timing attack against Xbox 360 C:\Documents and Settings\Administrator\Desktop\360\DGTool>DGTool.exe 1 Infectus _5759#4_1888_build2.bin Pairing Data 0x6DF3B8 01 Turn on your Xbox, press any key when the RRoD starts H[0 00XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 0 : 0 NEXT H[0 01XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D -3 : 0 NEXT H[0 02XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 3 : 0 NEXT... H[0 1AXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 3 : 0 NEXT H[0 1BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 12 : 11 RPT H[0 1BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 11 : 0 HIT! H[1 1B00XXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 0 : 0 NEXT H[1 1B01XXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D -1 : 0 NEXT... H[1 1BFDXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 14 : 8 RPT H[1 1BFDXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 9 : 0 HIT! H[2 1BFD00XXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 1 : 0 NEXT H[2 1BFD01XXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 4 : 0 NEXT... H[2 1BFDF0XXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 15 : 11 RPT H[2 1BFDF0XXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 10 : 0 HIT!... H[15 1BFDF0625C214F67CD94DCA3FC47CA55] M A D 16 : 0 HIT! 2,048 queries Correct hash: 1BFDF0625C214F67CD94DCA3FC47CA55 Result: BOOT

21 Attacks against RSA

22 RSA: The original public key algorithm

23 RSA: The original public key algorithm Private Key: p, q (random primes) d e-1 (mod φ(n)) (exponent) Public Key: N = p q e Encryption: Verification: c = me (mod N) m = cd (mod N) Signing: Verification: s = md (mod N) m = se (mod N) (modulus) (exponent)

24 RSA is implemented via square-and-multiply b65553 b0x10011 b( ) b b65536 b16 b1 (mod N) (mod N) (mod N) (mod N) n digit exponentiation requires log n squares, up to log n multiplications

25 RSA is implemented via square-and-multiply def power(b, e, N): result = 1 for i in range(len(e)- 1, -1): result = square(result, N) if bit_set(e, i): result = mult(result, b, N) return result

26 Simple power analysis of RSA (Paul Kocher et. al 1999)

27 Simple power analysis setup Key Plaintext Encryption Cipher Ciphertext

28 What does power consumption reveal? Trace courtesy of Cryptography Research, Inc.

29 Each set exponent bit inserts a multiplication def power(b, e, N): result = 1 for i in range(len(e)- 1, -1): result = square(result, N) if bit_set(e, i): result = mult(result, b, N) return result

30 Multiplies can often be visually detected Trace courtesy of Cryptography Research, Inc.

31 Multiplies can often be visually detected Trace courtesy of Cryptography Research, Inc.

32 Secret exponent can be easily read out Trace courtesy of Cryptography Research, Inc.

33 Secret exponent can be easily read out 1 encryption Trace courtesy of Cryptography Research, Inc.

34 Algorithmic patch: square and always multiply def power(b, e, N): result = 1 b = mult(b, r, N) for i in range(len(e)- 1, -1): result = square(result, N) if bit_set(e, i): result = mult(result, b, N) else: result = mult(result, r, N) return mult(result, r_inverse, N)

35 Timing attack against RSA (Paul Kocher 1996)

36 Timing attack setup Key Plaintext Encryption Cipher Ciphertext

37 Timing leaks Hamming weight of exponent def power(b, e, N): result = 1 for i in range(len(e)- 1, -1): result = square(result, N) if bit_set(e, i): result = mult(result, b, N) return result

38 Timing of individual multiplies varies significantly Kocher 1996

39 Need a model relating multiplication inputs to time Example: (mod 9997) Multiply: = Reduce: = =11770 =11770 =

40 Attack exponent one bit at a time def power(b, e, N): result = 1 for i in range(len(e)- 1, -1): result = square(result, N) if bit_set(e, i): result = mult(result, b, N) return result

41 Attack exponent one bit at a time T = observed timing of entire algorithm M = model for time of one multiplication Bit n-1: always 1

42 Attack exponent one bit at a time T = observed timing of entire algorithm M = model for time of one multiplication Bit n-2: Is T(power(r,e,N)) M(mult(1,r,N)) + M(square(r,N)) + M(mult(r,r,N)) + M(square(r,N))? 2 3

43 Attack exponent one bit at a time T = observed timing of entire algorithm M = model for time of one multiplication Bit n-2: Is T(power(r,e,N)) M(mult(1,r,N)) + M(square(r,N)) + M(mult(r,r,N)) + M(square(r,N))? 2 3

44 Attack exponent one bit at a time T = observed timing of entire algorithm M = model for time of one multiplication Bit n-3: Is T(power(r,e,N)) M(mult(1,r,N)) e[n-1] + M(square(r,N)) + M(mult(r,r,N)) e[n-2] + M(square(r,N)) M(mult(r,r,N)) + M(square(r,N))? 2 e [n-1:n-1] e [n-1:n-2] 2 e [n-1:n-2] e [n-1:n-2] 1

45 Attack exponent one bit at a time T = observed timing of entire algorithm M = model for time of one multiplication Bit n-3: Is T(power(r,e,N)) M(mult(1,r,N)) e[n-1] + M(square(r,N)) + M(mult(r,r,N)) e[n-2] + M(square(r,N)) M(mult(r,r,N)) + M(square(r,N))? 2 e [n-1:n-1] e [n-1:n-2] 2 e [n-1:n-2] e [n-1:n-2] 1

46 Attack exponent one bit at a time T = observed timing of entire algorithm M = model for time of one multiplication Bit n-i: Is T(power(r,e,N)) M(mult(r,r,N)) + M(square(r,N))? 2 e [n-1:n-i] e [n-1:n-i] 1

47 Attack exponent one bit at a time T = observed timing of entire algorithm M = model for time of one multiplication Bit n-i: Is T(power(r,e,N)) M(mult(r,r,N)) + 2,500 encryptions M(square(r,N))? 2 e [n-1:n-i] e [n-1:n-i] 1

48 More complicated attacks work across a LAN Boneh and Brumley, 2003

49 More complicated attacks work across a LAN 1,000,000 encryptions Boneh and Brumley, 2003

50 Blinded RSA provides generic defense Private Key: p, q (random primes) d e-1 (mod φ(n)) (exponent) Public Key: N = p q e Signing: s = md (mod N) Blind Signing: r1 = r0e (mod N) (modulus) (exponent) s = r0-1 (r1 m)d (mod N)

51 Attacks against AES (Rijndael)

52 AES is cryptography's standard block cipher

53 AES is very complicated Jeff Moser

54 AES is very complicated Wikipedia

55 AES is very complicated Wikipedia

56 AES is very complicated Wikipedia

57 AES is very complicated Wikipedia

58 AES is designed for very efficient implementation t0 = t1 = t2 = t3 = Te0[(s0 Te1[(s1 Te2[(s2 Te3[(s3 rk[0]; Te0[(s1 Te1[(s2 Te2[(s3 Te3[(s0 rk[1]; Te0[(s2 Te1[(s3 Te2[(s0 Te3[(s1 rk[2]; Te0[(s3 Te1[(s0 Te2[(s1 Te3[(s2 rk[3]; >> 24) ] >> 16) & 0xff] >> 8) & 0xff] ) & 0xff] ^ ^ ^ ^ >> 24) ] >> 16) & 0xff] >> 8) & 0xff] ) & 0xff] ^ ^ ^ ^ >> 24) ] >> 16) & 0xff] >> 8) & 0xff] ) & 0xff] ^ ^ ^ ^ >> 24) ] >> 16) & 0xff] >> 8) & 0xff] ) & 0xff] ^ ^ ^ ^

59 AES utilises large pre-computed lookup tables static const u32 Te0[256] = { 0xc66363a5U, 0xf87c7c84U, 0xfff2f20dU, 0xd66b6bbdU, 0x U, 0x U, 0xe7fefe19U, 0xb5d7d762U,... 0x824141c3U, 0x299999b0U, 0x7bb0b0cbU, 0xa85454fcU, }; 0xee777799U, 0xde6f6fb1U, 0xce6767a9U, 0x4dababe6U, 0xf67b7b8dU, 0x91c5c554U, 0x562b2b7dU, 0xec76769aU, 0x5a2d2d77U, 0x1e0f0f11U, 0x6dbbbbd6U, 0x2c16163aU,

60 Lookups into shared cache are vulnerable Plaintext Key XOR Lookup Mix Key XOR Mix Lookup Key XOR Ciphertext

61 Lookups into shared cache are vulnerable Plaintext Key XOR Lookup Mix Key XOR Mix Lookup Key XOR Ciphertext First round: T[Pi Ki]

62 Lookups into shared cache are vulnerable Plaintext Key XOR Lookup First round: T[Pi Ki] Mix Key XOR Mix Final round: T[T [Ci Ki]] -1 Lookup Key XOR Ciphertext

63 Simple power analysis of AES (Bertoni et. Al, 2005; Bonneau 2006)

64 Cache hit/miss is very obvious in power trace Bertoni et. al, 2005

65 Every miss yields many constraints Plaintext Key XOR Lookup Miss? P0 K0 P1 K1 Hit? P0 K0 P1 K1

66 Every miss yields many constraints Plaintext Key XOR Lookup Miss? P0 K0 P1 K1 P0 P1 K0 K1 Hit? P0 K0 P1 K1 P0 P1 K0 K1

67 Every miss yields many constraints Plaintext Key XOR Lookup Miss? P0 P2 K0 K2 P1 P2 K1 K2

68 Table of possible key byte differences refined K0 K1 K2... K15 K0 K1 K2... K15 00 {27,e0} {35} {23,70,c 4} {65} 00 {32,45,8 9} {5f,f3} {0a,db} 00 {86} {17,64,9 c} 00 {42,d5} 00

69 Table of possible key byte differences refined K0 K1 K2... K15 K0 K1 K2... K15 00 {27,e0} {35} {23,70,c 4} {65} 10000encryptions {32,45,8 {5f,f3} 9} 00 {0a,db} {86} {17,64,9 c} 00 {42,d5} 00

70 Cache observation attack (Osvik et. al, 2006)

71 1) Attacker primes the cache with known data AES Attacker RAM void * p = malloc(cache_size); Cache while(i < CACHE_SIZE) p[i++]++;

72 1) Attacker primes the cache with known data AES Attacker RAM void * p = malloc(cache_size); Cache while(i < CACHE_SIZE) p[i++]++;

73 2) Attacker triggers AES encryption AES Attacker RAM void * p = malloc(cache_size); Cache while(i < CACHE_SIZE) p[i++]++; aes_encrypt(random_p());

74 3) AES loads some cache lines AES Attacker RAM void * p = malloc(cache_size); Cache while(i < CACHE_SIZE) p[i++]++; aes_encrypt(random_p());

75 4) Attacker can test which lines were touched AES Attacker RAM void * p = malloc(cache_size); Cache while(i < CACHE_SIZE) p[i++]++; aes_encrypt(random_p()); while(i < CACHE_SIZE) t[i++] = timed_read(p, i);

76 5) All untouched lines yield constraints Plaintext Key XOR Lookup P0 K0 {Untouched lines}

77 5) All untouched lines yield constraints Plaintext Key XOR Lookup K0 {Untouched lines P0}

78 5) All untouched lines yield constraints Plaintext Key XOR Lookup 300 encryptions K0 {Untouched lines P0}

79 Cache timing attack (Bonneau and Mironov, 2006)

80 Observation: self-collisions lower encryption time Plaintext Key XOR Lookup Pi Ki Pj Kj

81 Observation: self-collisions lower encryption time Plaintext Key XOR Lookup Pi Ki Pj Kj Pi Pj Ki Kj

82 Internal collisions cause most timing variation Timing deviation (cycles) # of cache collisions

83 Key byte differences ranked by average time K0 K0 K1 K2... K15 K1 K2... K15

84 Key byte differences ranked by average time K0 K1 K0 K1 K2... K15 0) 1) 2) 3) 255) f2 37 7a 26 a K2... K15

85 Key byte differences ranked by average time K0 K1 K2... K0 K1 K2... K15 0) 1) 2) 3) 255) f2 37 7a 26 a ) 1) 2) 3) ) 5d dc K15

86 Key byte differences ranked by average time K0 K1 K2... K0 K1 K ,000 encryptions K15 0) 1) 2) 3) 255) f2 37 7a 26 a ) 1) 2) 3) ) 5d dc K15

87 Final round is much better to attack Ci Ki =S[X] Cj Kj =S[Y] X=Y Ci Ki = Cj Kj Ci Cj = Ki Kj Lookup Key XOR Ciphertext

88 Final round is much better to attack Ci Ki =S[X] Cj Kj =S[Y] X=Y 32,000 encryptions C K =C K i i j j Ci Cj = Ki Kj Lookup Key XOR Ciphertext

89 Hardware countermeasures on the way /* AES-128 encryption sequence. The data block is in xmm15. Registers xmm0 xmm10 hold the round keys(from 0 to 10 in this order). In the end, xmm15 holds the encryption result. */ pxor xmm15, xmm0 // Input whitening aesenc xmm15, xmm1 // Round 1 aesenc xmm15, xmm2 // Round 2 aesenc xmm15, xmm3 // Round 3 aesenc xmm15, xmm4 // Round 4 aesenc xmm15, xmm5 // Round 5 aesenc xmm15, xmm6 // Round 6 aesenc xmm15, xmm7 // Round 7 aesenc xmm15, xmm8 // Round 8 aesenc xmm15, xmm9 // Round 9 aesenclast xmm15, xmm10 // Round 10 Courtesy of Intel

90 Differential power analysis (Kocher et. al, 1999)

91 Simple power analysis ineffective Trace courtesy of Cryptography Research, Inc.

92 Hardware implementations don't use cache Plaintext Key XOR Lookup Mix

93 Hardware implementations don't use cache Plaintext Key XOR Lookup Mix S[P0 K0]

94 Partition traces by some predicted intermediate bit Guessing K0 = 00, traces where high bit of S[P0 K0] is set

95 Partition traces by some predicted intermediate bit Guessing K0 = 01, traces where high bit of S[P0 K0] is set

96 Partition traces by some predicted intermediate bit Guessing K0 = 02, traces where high bit of S[P0 K0] is set

97 Partition traces by some predicted intermediate bit 10,000 encryptions Guessing K0 = 02, traces where high bit of S[P0 K0] is set

98 Perfect countermeasures are very difficult

99 Even further down the rabbit hole...

100 CPU Noise ƒ PC (Recording Station) ADC (Sound Card) Bandpass Filter Amplifiers Collects sounds which emanates from CPU Capacitor emits sound from its foils due to fast pulse charging n discharging Adi Purwono, 2008

101 Photon emissions Sergei Skorobogatov, 2009

102 Lessons

103 Don't design or implement your own crypto Jeff Moser

104 Do break whatever you can Algorithms: Elliptic curve DSS/DH Pairing-based algorithms AES-GCM authentication SHA-3 candidates Side-channels: Motherboard sensors CPU debug registers Killer target: Cross-VM key compromise

105 Thank you

106 Complication: cache lines

107 Complication: cache lines table lookup

108 Complication: cache lines table lookup cache

109 Complication: Table families t0 = t1 = t2 = t3 = Te0[(s0 Te1[(s1 Te2[(s2 Te3[(s3 rk[0]; Te0[(s1 Te1[(s2 Te2[(s3 Te3[(s0 rk[1]; Te0[(s2 Te1[(s3 Te2[(s0 Te3[(s1 rk[2]; Te0[(s3 Te1[(s0 Te2[(s1 Te3[(s2 rk[3]; >> 24) ] >> 16) & 0xff] >> 8) & 0xff] ) & 0xff] ^ ^ ^ ^ >> 24) ] >> 16) & 0xff] >> 8) & 0xff] ) & 0xff] ^ ^ ^ ^ >> 24) ] >> 16) & 0xff] >> 8) & 0xff] ) & 0xff] ^ ^ ^ ^ >> 24) ] >> 16) & 0xff] >> 8) & 0xff] ) & 0xff] ^ ^ ^ ^

110 Final round is much better to attack Lookup Key XOR Ciphertext

111 Final round is much better to attack Ci Ki =S[X] Cj Kj =S[Y] Lookup Key XOR Ciphertext

112 Final round is much better to attack Ci Ki =S[X] Cj Kj =S[Y] X=Y Ci Ki = Cj Kj Ci Cj = Ki Kj Lookup Key XOR Ciphertext

FACE : Fast AES CTR mode Encryption Techniques based on the Reuse of Repetitive Data

FACE : Fast AES CTR mode Encryption Techniques based on the Reuse of Repetitive Data : Fast AES CTR mode Encryption Techniques based on the Reuse of Repetitive Data Jin Hyung Park and Dong Hoon Lee Center for Information Security Technologies, Korea University Introduction 1 IV(Counter)