
Side-Channel Attack Pitfalls

Side-Channel Attack Pitfalls. Kris Tiri. Side-channels: information leakage from implementation. Example: a safecracker feels tumblers impacting and opens the lock without trying each combination. Similarly: a hacker observes time/power and cracks the cipher without trying each key.


Presentation Transcript


  1. Side-Channel Attack Pitfalls Kris Tiri

  2. Side-Channels • Information leakage from implementation • Example: safecracker feels tumblers impacting and opens lock without trying each combination • Similarly: hacker observes time/power and cracks cipher without trying each key • Device in normal operation, no physical harm • Covert channel without conspiracy/consent

  3. Side-Channel Attacks in a Nutshell • Device with unknown secret key: input, measurement • AES: 128-bit secret key, brute force impossible • Model: key fragment guess, e.g. guess 8 bits, brute force easy • Estimation: $P = S^{-1}(K \oplus C)$, $E = \mathrm{HmW}(P)$, e.g. estimated power = number of changing bits; can be lousy model • Analysis: compare both and choose key guess with best match

  4. Power Analysis Example • Unprotected ASIC AES with 128-bit datapath, key scheduling • Measurement: I_peak in round 11 • Estimation: HamDistance of 8 internal bits • Comparison: correlation • Key bits easily found despite algorithmic noise • 128-bit key under 3 min. [Figure: supply current trace, with the 'start encryption' signal and the clock cycle of interest marked]

  5. New Design Dimension • Mitigations conflict with common design goals • Resistance analysis, precise mitigation cost not always well understood • Design trade-offs difficult to make [Figure: design dimensions: power, performance, area, side-channel mitigation]

  6. Side-Channel Pitfalls • Resource sharing – Reduces HW to implement certain functionality – Results in interaction and competition – Create + facilitate observation of side-channel info • Optimization features – Improves a system's performance/cost – Typical case optimized, corner case leaks info – Create side-channel info • Increased visibility/functionality – Provides more information or introduces new interactions – Facilitate observation of side-channel info

  7. Example using Cache Attacks • Resource sharing: cache accesses observed by spy process evicting cached data of crypto • Optimization features: cache implemented to overcome latency penalty • Increased visibility: performance counters provide accurate picture [Figure: CPU, fast CACHE, slow MEMORY]

  8. Side-Channel Classification • Simple attacks – e.g. textbook square-and-multiply RSA algorithm – Number of measurements, not simplicity of attack – Requires precise knowledge of implementation and effect on measurement sample – Relatively easy to protect from • Differential attacks – Many observations – Statistical techniques • Leakage channel – Timing, power / EMA

  9. Mitigation Strategies • Timing attacks – Typically target variable instruction flow; main focus on public key ciphers – Exponent and base blinding prevent multiple measurements of same operation on different data • Power attacks / EMA – Typically target data-dependent power variations; main focus on symmetric key ciphers – Randomize / equalize power consumption to increase the number of measurements

  10. Randomize ( noise!) Decorrelate power from state signal=statemask Algorithmic masking, logic level Problems: glitches, early propagation, higher order attack, templates Equalize Same power for every transition Dual rail precharge logic Problems: early propagation, capacitance mismatch Main Challenge: Power Analysis

  11. Equalizing Mitigation Example • Same experiment • Automated design flow • WDDL: single switching event per clock cycle • Differential routing: constant load capacitance • Security is not for free [Figure: supply current of the mitigated core, with the 'start encryption' signal and the clock cycle of interest marked]

  12. Opportunities (Pitfalls?) for Research • Mitigations do not come cheap • Randomization: factor 1.5 • Equalization: factor 3 • (Mitigations)² push envelope • Improvements: partitioning, custom logic • Optimize current state-of-the-art, develop breakthrough mitigation? • Communicate full cost • e.g. mask distribution, random mask generator

  13. New Mitigations? • Visual inspection, standard deviation: no figure of merit for mitigation strength • Easily distinguish quality of implementation from adversary strength? • Expression based on design parameters (activity factor, power profile, etc.)?

  14. Design Time Resistance Assessment • Resistance cannot be added as afterthought • Few automatic design flows proposed • Quality only as good as power simulation • Glitches, early propagation enable attacks • Control arrival times on 20K+ signals? • Proper simulation model to correctly (yet quickly) evaluate design? • Minor differences have a big influence • Process variations in deep submicron technology?

  15. Balanced Interconnect capacitances • Crucial for ALL dual rail circuit mitigations to succeed • e.g. differential routing • Cross-coupling? • Process variations in deep submicron technology?

  16. Conclusions • Mathematical complexity circumvented with information leaking from HW/SW • Pitfalls that create, facilitate observation • Mitigations generally challenging and costly • Opportunities for future research
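
The correlation comparison of slides 3 and 4 and the randomizing mitigation of slide 10 can be tried at design time on simulated leakage. The following is an added example, not code from the presentation: the key byte, trace count, noise level and the single-sample Hamming-weight leakage model are constructed assumptions, and the mask is an idealized fresh uniform byte per trace (none of the glitch or early-propagation effects slide 10 warns about are modelled).

```python
import random

def aes_inv_sbox():
    """Build the AES S-box (GF(2^8) inverse, then affine map) and invert it."""
    rotl = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    sbox, p, q = [0x63] * 256, 1, 1          # S(0) = 0x63; p * q == 1 throughout
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        for s in (1, 2, 4):                                     # q /= 3
            q = (q ^ (q << s)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    return [sbox.index(v) for v in range(256)]

INV_S = aes_inv_sbox()
HW = [bin(v).count("1") for v in range(256)]   # Hamming weight table

def simulate(key, n, sigma, masked, rng):
    """Constructed traces: (ciphertext byte C, one noisy power sample)."""
    traces = []
    for _ in range(n):
        c = rng.randrange(256)
        state = INV_S[key ^ c]                 # P = S^-1(K xor C)
        if masked:                             # signal = state xor fresh mask
            state ^= rng.randrange(256)
        traces.append((c, HW[state] + rng.gauss(0, sigma)))
    return traces

def pearson(xs, ys):
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5

def assess(traces):
    """Score every 8-bit guess by |corr(E = HmW(P), measurement)|."""
    cs, meas = zip(*traces)
    scores = [abs(pearson([HW[INV_S[g ^ c]] for c in cs], meas)) for g in range(256)]
    return max(range(256), key=scores.__getitem__), scores

def demo(key=0x3C, n=2000, sigma=2.0, seed=1):
    """Same experiment on an unprotected and a masked (simulated) core."""
    rng = random.Random(seed)
    return (assess(simulate(key, n, sigma, False, rng)),
            assess(simulate(key, n, sigma, True, rng)))
```

`demo()` returns the best-matching guess and the 256 correlation scores for each core; the unprotected core shows one clear peak at the constructed key byte, while the masked core's scores stay at the noise floor for this first-order model.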
