
Wide Collisions in Practice: Enhancing AES Security Through Side Channel Analysis

This presentation covers wide collisions in AES: techniques that improve the recognition rate of side-channel collision attacks and key recovery on embedded systems with constrained resources. It walks through the challenges, methodology and results, and stresses the importance of minimizing false positives in collision detection. The talk describes the phases of a wide collision and the Outlier Method for efficient detection. It discusses results from unprotected software implementations on 8-bit Smart Cards and the effectiveness of Blind Templates for device profiling. The optimized collision detection approach targets wide collisions, relying on their strong leakage and on chosen inputs, and reduces false positives through the Outlier Detection method. In conclusion, wide collisions yield feasible power-based collision attacks, and the Outlier Method is a useful tool to enhance detection accuracy and minimize false positives. Contact: teisenba@fau.edu.


Presentation Transcript


  1. Wide Collisions in Practice
     Xin Ye, Thomas Eisenbarth
     Florida Atlantic University, USA
     10th ACNS 2012 - Singapore

  2. Overview
     • Side Channel Collision Attacks
     • Wide Collisions for AES
     • Improving Recognition Rates
     • Attack Results

  3. Embedded Systems
     • Specific purpose device with computing capabilities
     • Constrained resources
     • Many require security

  4. Side Channel Attacks
     … leaks additional information via side channel! e.g. power consumption / EM emanation
     [Figure labels: plaintext, AES, Leakage, ciphertext]

  5. Collisions in AES
     Collision: Querying same S-box value twice
     Collision Attack: Exploiting collision detections to recover secret key
     [Figure labels: plaintext, Add_Key, Sub_Bytes, S-box 1, S-box 4, y1, y4 = y1]

  6. Collision Detection
     Collisions are highly frequent:
     • First round: .41 collisions
     • One encryption: >40 collisions
     Detecting collisions is hard:
     • One encryption: 12 720 comparisons
     • Probability of a collision: <0.4%
     • False positive rate of 1%: >120 faulty detections
     Should minimize false positives

  7. Wide Collisions (I)
     • Two AES encryptions with chosen inputs
     • Same plaintexts except for diagonals!
     • AddRoundKey, SubBytes -> same difference

  8. Wide Collisions (II)
     • ShiftRows aligns differences
     • MixColumns can result in equal bytes
     [Figure label: Collision]

  9. Wide Collisions (III)
     • 2nd ShiftRows results in equal columns
     • Full column collides until next ShiftRows!
     • 5 predictable S-Box collisions between 2 encryptions!
     [Figure label: Full Column Collision]

  10. Collision Detection
     • Direct comparison of two power traces
     • Ideally only compared in leaking regions (5 S-boxes and full MixColumns colliding)
     Point selection necessary:
     • Knowledge of implementation or profiling needed
     [Figure labels: S-box (in round 2), Mix Columns, 4 S-boxes (in round 3)]

  11. Key Recovery Phase
     • 1st byte after 1st MixColumns:
     • 4 collisions reduce key candidates from 2^32 to 1 candidate per diagonal.
     • Full key recovery: 16 distinct collisions.
     Avoid false positives

  12. Outlier Method
     Procedure:
     • Find overall Mean Trace
     • Locate Outlier Region
     • Locate Neighboring Pairs
     [Figure labels: Mean Trace, Individual Trace, Outlier Region]

  13. Outlier Method: Details
     Two parameters:
     • Size of outlier region
     • Admitted distance between neighboring points
     Both influence
     • Number of detected collisions
     • Rate of false positives
     Tradeoff depends on implementation

  14. Results
     • Unprotected SW implementation, 8-bit Smart Card
     • Results on 3000 power traces:
     • Wide Collisions stronger, but knowledge of implementation or profiling needed
     • Blind Templates (+ PCA) are great for device profiling

  15. Optimized Collision Detection
     • Targeting Wide Collisions
     • Strong leakage, easier to detect
     • Requires chosen inputs
     • Using Outlier Detection method:
       • Reduces overall detection of collisions
       • Minimizes false positives

  16. Conclusion
     • Wide collisions yield feasible power based collision attack
     • Outlier Method is a helpful tool for decreasing false positive detections

  17. Thank you very much for your attention! teisenba@fau.edu
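
The difference propagation on slides 7 to 9, simulated on cipher states only (no power traces), as an added example that is not from the talk or the authors' code. It assumes a column-major AES state; the round keys `KEYS` and plaintext `P1` are constructed values (no real key schedule), and all helper names are illustrative.

```python
import random

def gmul(a, b):  # multiply in GF(2^8) modulo the AES polynomial
    p = 0
    for _ in range(8):
        p ^= a if b & 1 else 0
        a, b = ((a << 1) ^ 0x11B if a & 0x80 else a << 1), b >> 1
    return p

def sbox_entry(x):
    inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
    rot = lambda k: ((inv << k) | (inv >> (8 - k))) & 0xFF
    return inv ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63

SBOX = [sbox_entry(x) for x in range(256)]
DIAG = (0, 5, 10, 15)          # main diagonal; state index = row + 4 * column

def round_fn(state, rk):
    s = [SBOX[b] for b in state]                                         # SubBytes
    s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]   # ShiftRows
    m = [gmul(2, s[4*c + r]) ^ gmul(3, s[4*c + (r+1) % 4]) ^ s[4*c + (r+2) % 4] ^ s[4*c + (r+3) % 4]
         for c in range(4) for r in range(4)]                            # MixColumns
    return [x ^ k for x, k in zip(m, rk)]                                # AddRoundKey

def sbox_inputs(pt, keys):     # S-box input states of rounds 1, 2 and 3
    states = [[p ^ k for p, k in zip(pt, keys[0])]]
    for rk in keys[1:3]:
        states.append(round_fn(states[-1], rk))
    return states

def find_pair(p1, keys, seed=0):
    """Try diagonal variants of p1 until a column-0 byte matches at the round-2 S-box inputs."""
    rng = random.Random(seed)
    while True:
        p2 = [v ^ rng.randrange(1, 256) if i in DIAG else v for i, v in enumerate(p1)]
        x, y = sbox_inputs(p1, keys)[1], sbox_inputs(p2, keys)[1]
        if any(x[i] == y[i] for i in range(4)):
            return p2

def equal_sboxes(p1, p2, keys):
    """(round, index) of equal S-box inputs in round 2 column 0 and anywhere in round 3."""
    x, y = sbox_inputs(p1, keys), sbox_inputs(p2, keys)
    return ([(2, i) for i in range(4) if x[1][i] == y[1][i]] +
            [(3, i) for i in range(16) if x[2][i] == y[2][i]])

KEYS = [[SBOX[(16 * j + i) ^ 0xA5] for i in range(16)] for j in range(3)]  # constructed round keys
P1 = list(range(16))                                                       # constructed plaintext
P2 = find_pair(P1, KEYS)
print(equal_sboxes(P1, P2, KEYS))   # one round-2 byte plus a full round-3 column
```

The equal S-box inputs in columns 1 to 3 of round 2 are left out of the result because they hold for every diagonal pair regardless of the key.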
