EM Analysis in the IoT Context: Lessons Learned from an Attack on Thread

Similar documents
Practical Electromagnetic Template Attack on HMAC

Dissecting Leakage Resilient PRFs with Multivariate Localized EM Attacks

SECURITY CRYPTOGRAPHY Cryptography Overview Brochure. Cryptography Overview

External Encodings Do not Prevent Transient Fault Analysis

Riscure Inspector Release Notes

ECRYPT II Workshop on Physical Attacks November 27 th, Graz, Austria. Stefan Mangard.

SIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017

Midgame Attacks. (and their consequences) Donghoon Chang 1 and Moti Yung 2. IIIT-Delhi, India. Google Inc. & Columbia U., USA

Breaking Korea Transit Card with Side-Channel Attack

HOST Differential Power Attacks ECE 525

Chapter 24 Wireless Network Security

A Systematic Approach to the Side-Channel Analysis of ECC Implementations with Worst-Case Horizontal Attacks

A Power Attack Method Based on Clustering Ruo-nan ZHANG, Qi-ming ZHANG and Ji-hua CHEN

A Surfeit of SSH Cipher Suites

Side channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut

Breaking the Bitstream Decryption of FPGAs

Plaintext-Recovery Attacks Against Datagram TLS

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

FPGAhammer: Remote Voltage Fault Attacks on Shared FPGAs, suitable for DFA on AES

Once upon a time... A first-order chosen-plaintext DPA attack on the third round of DES

A New Attack with Side Channel Leakage during Exponent Recoding Computations

Power Analysis of MAC-Keccak: A Side Channel Attack. Advanced Cryptography Kyle McGlynn 4/12/18

Synthesis of Fault-Attack Countermeasures for Cryptographic Circuits

A FRAMEWORK FOR EMBEDDED HARDWARE SECURITY ANALYSIS

The Xirrus Wi Fi Array XS4, XS8 Security Policy Document Version 1.0. Xirrus, Inc.

Power Analysis Attacks

Power Analysis of Atmel CryptoMemory Recovering Keys from Secure EEPROMs

Towards a Software Approach to Mitigate Correlation Power Analysis

SIDE CHANNEL ANALYSIS : LOW COST PLATFORM. ETSI SECURITY WEEK Driss ABOULKASSIM Jacques FOURNIERI

Towards a Software Approach to Mitigate Correlation Power Analysis

Lightweight DTLS Implementation in CoAP-based IoT

Symmetric Crypto MAC. Pierre-Alain Fouque

Sensor-to-cloud connectivity using Sub-1 GHz and

Chapter 17. Wireless Network Security

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

Countermeasures against EM Analysis for a Secured FPGA-based AES Implementation

Concrete cryptographic security in F*

Unboxing the whitebox. Jasper van CTO Riscure North America ICMC 16

Security Requirements for Crypto Devices

CS408 Cryptography & Internet Security

Examples for the Calculation of Attack Potential for Smartcards

SSH Algorithms for Common Criteria Certification

SecureDoc Disk Encryption Cryptographic Engine

WHAT FUTURE FOR CONTACTLESS CARD SECURITY?

Advanced security notions for the SSH secure channel: theory and practice

Lowering the Bar: Deep Learning for Side Channel Analysis. Guilherme Perin, Baris Ege, Jasper van December 4, 2018

Countermeasures against EM Analysis

Side-channel Analysis of Grøstl and Skein

: Practical Cryptographic Systems March 25, Midterm

Side-Channel Attack against RSA Key Generation Algorithms

Cryptography for Embedded Systems. Elisabeth Oswald Reader, University of Bristol

Side-Channel Countermeasures for Hardware: is There a Light at the End of the Tunnel?

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Non-Profiled Deep Learning-Based Side-Channel Attacks

DataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.

Introduction to Software Countermeasures For Embedded Cryptography

Configuring IPv6 First-Hop Security

Ezetap V3 Security policy

Masking as a Side-Channel Countermeasure in Hardware

BCM58100B0 Series: BCM58101B0, BCM58102B0, BCM58103B0 Cryptographic Module VC0 Non-Proprietary Security Policy Document Version 0.

Lecture 1 Applied Cryptography (Part 1)

Differential Power Analysis of MAC-Keccak at Any Key-Length

Data Integrity. Modified by: Dr. Ramzi Saifan

Legacy-Compliant Data Authentication for Industrial Control System Traffic

FIPS Crypto In the IoT. Chris Conlon ICMC17, May 16-19, 2017 Westin Arlington Gateway Washington DC

Memory Address Side-Channel Analysis on Exponentiation

Data Integrity & Authentication. Message Authentication Codes (MACs)

IEEE 1588 Hardware Assist

Wi-Fi Security for Next Generation Connectivity. Perry Correll Aerohive, Wi-Fi Alliance member October 2018

ECHONET Lite SPECIFICATION. ECHONET Lite System Design Guidelines 2011 (2012) ECHONET CONSORTIUM ALL RIGHTS RESERVED

UNCLASSIFIED//FOR OFFICIAL USE ONLY INDUSTRIAL CONTROL SYSTEMS CYBER EMERGENCY RESPONSE TEAM

Unit 8 Review. Secure your network! CS144, Stanford University

Chapter 4: outline. 4.5 routing algorithms link state distance vector hierarchical routing. 4.6 routing in the Internet RIP OSPF BGP

HACK MY CHIP: A RED TEAM BLUE TEAM APPROACH FOR SOC SECURITY. David HELY Grenoble INP Esisar LCIS, Valence

The IPsec protocols. Overview

CSCE 548 Building Secure Software Entity Authentication. Professor Lisa Luo Spring 2018

Smart card Power Analysis: From Theory To Practice

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

Data Integrity & Authentication. Message Authentication Codes (MACs)

Design Considerations for Low Power Internet Protocols

Security against Timing Analysis Attack

ZigBee IP update IETF 87 Berlin. Robert Cragie

FIPS SECURITY POLICY FOR

Bluefly Processor. Security Policy. Bluefly Processor MSW4000. Darren Krahn. Security Policy. Secure Storage Products. 4.0 (Part # R)

A Practical, Targeted, and Stealthy attack against WPA-Enterprise WiFi

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Summary on Crypto Primitives and Protocols

Implementation Tradeoffs for Symmetric Cryptography

M2351 Security Architecture. TrustZone Technology for Armv8-M Architecture

Fault Sensitivity Analysis

WiMAX Security: Problems & Solutions

Test Vector Leakage Assessment (TVLA) Derived Test Requirements (DTR) with AES

Dolphin DCI 1.2. FIPS Level 3 Validation. Non-Proprietary Security Policy. Version 1.0. DOL.TD DRM Page 1 Version 1.0 Doremi Cinema LLC

ON PRACTICAL RESULTS OF THE DIFFERENTIAL POWER ANALYSIS

Lesson 4 RPL and 6LoWPAN Protocols. Chapter-4 L04: "Internet of Things ", Raj Kamal, Publs.: McGraw-Hill Education

Trace Augmentation: What Can Be Done Even Before Preprocessing in a Profiled SCA?

SEL-3021 Serial Encrypting Transceiver Security Policy Document Version 1.9

CS 161 Computer Security

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

July 2, Diet-IPsec: Requirements for new IPsec/ESP protocols according to IoT use cases draft-mglt-ipsecme-diet-esp-requirements-00.

Transcription:

EM Analysis in the IoT Context: Lessons Learned from an Attack on Thread Daniel Dinu 1, Ilya Kizhvatov 2 1 Virginia Tech 2 Radboud University Nijmegen CHES 2018

Outline 1 Introduction 2 Side-Channel Vulnerability Analysis 3 The Most Feasible Attack 4 Countermeasures 5 Lessons Learned 1 / 14

EM Analysis leakage commands/traces Oscilloscope data Target Device PC 2 / 14

Thread Networking protocol for the IoT Simple for consumer Built-in security Power efficient IPv6 connectivity Robust mesh network Runs on IEEE 802.15.4 radio silicon More than 100 members 3 / 14

Motivation Numerous low-cost hardware and software tools for side-channel attacks Evaluate the effort required to apply an EM attack in the IoT context Do cryptographic implementations in the network layer need protection against side-channel attacks? 4 / 14

Outline 1 Introduction 2 Side-Channel Vulnerability Analysis 3 The Most Feasible Attack 4 Countermeasures 5 Lessons Learned 4 / 14

Communication Security Security is enforced at two layers: Medium Access Control (MAC) AES CCM using key K MAC Mesh Link Establishment (MLE) AES CCM using key K MLE A node gets the master key K when it is commissioned to a Thread network Fresh keys are generated from the 16-byte K and 4-byte Sequence number: K MAC K MLE = HMAC SHA 256(K, Sequence Thread ) The default key rotation period is set to 28 days 5 / 14

Processing a MLE Parent Request Message Received Sequence Current Sequence? NO YES MLE Parent Request Generate temporary key HMAC SHA 256 Child Parent (Router) Tag verification AES CCM 6 / 14

AES CCM Combines CBC MAC mode and CTR mode The execution of both modes of operation can be attacked The attacker can control up to 12 input bytes of the first block: Source MAC Address 8 bytes Frame Counter 4 bytes Known attack: Jaffe [CHES 07], O Flynn and Chen [COSADE 16] AES-CBC 49 Source MAC Address Frame Counter 05 00 15 AES-CTR 01 Source MAC Address Frame Counter 05 00 01 7 / 14

Relationship between K and K MLE Master key to MLE key (K K MLE ) Key derivation using HMAC 8 / 14

Relationship between K and K MLE Master key to MLE key (K K MLE ) Key derivation using HMAC MLE key to master key (K MLE K) Send MLE Child ID Request to ask for the master key The MLE Child ID Response includes the master key 8 / 14

Relationship between K and K MLE Master key to MLE key (K K MLE ) Key derivation using HMAC MLE key to master key (K MLE K) Send MLE Child ID Request to ask for the master key The MLE Child ID Response includes the master key Master key and MLE key are equivalent! K K MLE 8 / 14

Outline 1 Introduction 2 Side-Channel Vulnerability Analysis 3 The Most Feasible Attack 4 Countermeasures 5 Lessons Learned 8 / 14

The Most Feasible Attack Attacker Target Router 9 / 14

The Most Feasible Attack MLE Advertisement Attacker MLE Advertisement MLE Advertisement Target Router Step 1: Observe an MLE Advertisement message Record the Sequence number 9 / 14

The Most Feasible Attack MLE Parent Request Attacker Target Router Step 2: Inject MLE Parent Request messages Recorded Sequence number Random Source MAC Address and Frame Number 9 / 14

The Most Feasible Attack MLE Parent Request Attacker Target Router Step 3: Observe the EM leakage Save the injected inputs and corresponding EM traces 9 / 14

The Most Feasible Attack Attacker Target Router Step 4: Recover the MLE key K MLE Mount a DEMA attack 9 / 14

The Most Feasible Attack MLE Child ID Request MLE Child ID Response Attacker Target Router Step 5: Get the master key K Send a MLE Child ID Request message The MLE Child ID Response message contains K 9 / 14

The Most Feasible Attack Thread communication Attacker Target Router Full network access! 9 / 14

Experimental Setup Target: TI CC2538 (Cortex-M3, 32 MHz) Thread stack: OpenThread Oscilloscope: LeCroy waverunner 625Zi Langer EM probes No trigger signal from target! 10 / 14

Results Sampling rate set to 1 GS/s 10,000 EM traces acquired in about 3 hours Full recovery of the MLE key K MLE Two key bytes were much more difficult to recover than the rest Message fragmentation prevented recovery of the master key The attack may succeed on other implementations of the stack 11 / 14

Outline 1 Introduction 2 Side-Channel Vulnerability Analysis 3 The Most Feasible Attack 4 Countermeasures 5 Lessons Learned 11 / 14

Countermeasures Shielding & tamper resistance Protected cryptographic implementations Protocol level mitigations Security certification scheme 12 / 14

Countermeasures Shielding & tamper resistance Protected cryptographic implementations Protocol level mitigations Security certification scheme A combination of the above countermeasures is recommended for high security! 12 / 14

Outline 1 Introduction 2 Side-Channel Vulnerability Analysis 3 The Most Feasible Attack 4 Countermeasures 5 Lessons Learned 12 / 14

Lessons Learned Lessons learned from our evaluation can be applied to other IoT systems and protocols. 13 / 14

Lessons Learned Lessons learned from our evaluation can be applied to other IoT systems and protocols. Prevent electromagnetic leakage 13 / 14

Lessons Learned Lessons learned from our evaluation can be applied to other IoT systems and protocols. Prevent electromagnetic leakage Do not allow access to the master key from temporary key(s) 13 / 14

Lessons Learned Lessons learned from our evaluation can be applied to other IoT systems and protocols. Prevent electromagnetic leakage Do not allow access to the master key from temporary key(s) A network-wide master key is a double-edged sword 13 / 14

Lessons Learned Lessons learned from our evaluation can be applied to other IoT systems and protocols. Prevent electromagnetic leakage Do not allow access to the master key from temporary key(s) A network-wide master key is a double-edged sword Side-channel attacks are a real threat for the IoT! 13 / 14

SECURE 14 / 14

SECURE Thank you! 14 / 14

Appendix

References Joshua Jaffe. A first-order DPA attack against AES in counter mode with unknown initial counter. In Cryptographic Hardware and Embedded Systems - CHES 2007. Colin O Flynn and Zhizhang Chen. Power analysis attacks against IEEE 802.15.4 nodes. In Constructive Side-Channel Analysis and Secure Design - COSADE 2016. 1 / 8

Thread Stack Source: https://www.threadgroup.org/ 2 / 8

Mesh Link Establishment (MLE) Facilitates the secure configuration of radio links Allows exchange of network parameters MLE messages are sent inside UDP datagrams Routers periodically multicast MLE Advertisement messages Link configuration is initiated by a MLE Parent Request message 3 / 8

Establishing a Communication Link Attach. Child Sync. Link Sync. MLE Parent Request MLE Parent Response MLE Child ID Request MLE Child ID Response MLE Child Update Request MLE Child Update Response MLE Link Request MLE Link Accept & Request MLE Link Accept Child (N 1 ) Parent (N 2 ) 4 / 8

HMAC SHA 256 m = Sequence Thread 0x80 0x00... 0x00 len The attacker targets k 1 and k 2 k 1, k 2, and Sequence give K MAC and K MLE Not enough control of the input! K ipad m IV F k 1 F K opad IV F k 2 F K MAC K MLE 5 / 8

Attack Feasibility Attack Effort Adaptation of the rating for smart cards from the Joint Interpretation Library Last step of the attack is feasible enhanced-basic no rating basic enhanced-basic moderate high Equipment Cost Cost Oscilloscope Attack Success HIGH LeCroy WaveRunner 6Zi MEDIUM PicoScope, ChipWhisperer-Pro LOW ChipWhisperer-Lite 6 / 8

Guessing Entropy Figure: Evolution of the guessing entropy for the second key byte. 7 / 8

Correlation Matrix Figure: Correlation of all key candidates for the second key byte when using 3,000 traces. 8 / 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback