Why are we still Vulnerable to Side Channel Attacks?
Marc Witteman
11 February 2010
Perspectives on the side channel issue: Cost, Applications, Technology, Maturity
Restricted
Cost
• Time-to-market
• Knowledge
• Resource usage (memory, energy)
• Performance
Example attack: simple power analysis on RSA
RSA recap
• RSA is based on exponentiation (C = M^k)
• Binary exponentiation (key bits k_i processed most significant bit first):
  – C := 1
  – For each key bit k_i do:
    • C := C * C
    • If k_i = 1, then C := M * C
• Number operations are performed by a numerical co-processor (multi-bit)
• Algorithm execution is a sequence of square and/or multiply operations, e.g. for the key bits 1 0 0 1 1 0 1:
  S M  S  S  S M  S M  S  S M
  1    0  0  1    1    0  1
Time-Power attack on RSA
(Power trace on the slide, annotated with the square/multiply pattern and the recovered key bits)
Key bits revealed!
Problem analysis
• Problem discovered in a card produced in 2004
• Basic countermeasure would do square and always multiply:
  – C := 1
  – For each key bit k_i do:
    • C := C * C
    • D := M * C
    • If k_i = 1, then C := D
    • else D := C // dummy statement, executed in the same time
• Algorithm execution is then a sequence of square and multiply operations:
  S M S M S M S M S M ≈ ? ? ? ? ?
• But that costs time and memory
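The leak and the countermeasure of the two slides above, as an added example that is not part of the deck: both exponentiations return the S/M operation sequence an SPA trace would reveal, and the recovery routine reads the key back from the naive sequence. The numbers are constructed toy values; the key bits are those of slide 5.

```python
# Added example, not from the slides: the operation sequence that the
# square-and-multiply exponentiation of slide 5 leaks through SPA, the key
# recovery from that sequence, and the square-and-multiply-always variant of
# slide 7 that removes the key dependence. Toy numbers only.

def bits_msb_first(k):
    """Binary digits of the exponent k, most significant bit first."""
    return [int(b) for b in bin(k)[2:]]

def square_and_multiply(m, k, n):
    """Naive left-to-right exponentiation.
    Returns (m^k mod n, trace) where trace is the S/M operation sequence
    that the power consumption exposes."""
    c, trace = 1, []
    for bit in bits_msb_first(k):
        c = (c * c) % n              # square: executed for every bit
        trace.append("S")
        if bit == 1:                 # multiply: executed only for 1 bits
            c = (m * c) % n
            trace.append("M")
    return c, "".join(trace)

def square_and_multiply_always(m, k, n):
    """Countermeasure from slide 7: a multiply runs for every bit and its
    result is discarded (dummy assignment) when the bit is 0."""
    c, trace = 1, []
    for bit in bits_msb_first(k):
        c = (c * c) % n
        trace.append("S")
        d = (m * c) % n              # multiply, always
        trace.append("M")
        if bit == 1:
            c = d
        else:
            d = c                    # dummy statement, executed in the same time
    return c, "".join(trace)

def recover_bits_from_trace(trace):
    """Read the key back from a naive trace: S followed by M is a 1 bit,
    S followed by S (or by the end of the trace) is a 0 bit."""
    bits, i = [], 0
    while i < len(trace):
        if trace[i] != "S":
            raise ValueError("every key bit starts with a square")
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append(1)
            i += 2
        else:
            bits.append(0)
            i += 1
    return bits

def demo(m=42, k=0b1001101, n=3233):
    """Summary for the key bits of slide 5 (1 0 0 1 1 0 1); toy modulus."""
    naive_c, naive_trace = square_and_multiply(m, k, n)
    always_c, always_trace = square_and_multiply_always(m, k, n)
    return {
        "result_ok": naive_c == always_c == pow(m, k, n),
        "naive_trace": naive_trace,              # key-dependent
        "recovered_bits": recover_bits_from_trace(naive_trace),
        "always_trace": always_trace,            # same for every key
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```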
Maturity
• Players come and go
  – Developers: new people re-introduce old errors…
  – Manufacturers: emerging countries face the same challenges…
• Countermeasures
  – ‘Defenders’ solve vulnerabilities
  – ‘Attackers’ extend and improve exploits
• Example: DFA on RSA-CRT, an ongoing battle
Fault injection mechanisms
The aim of the manipulations is to change a value read from memory to another value
• Voltage glitching
• Clock glitching
• Optical glitching
Differential Fault Analysis
• Force a computational error in a few cryptographic operations
• Monitor correct and faulty encryption results
• Extract the secret key by analysis and comparison of correct and faulty results
• Notorious example: RSA in CRT mode: only one faulty message is enough!
(Diagram on the slide: input message → RSA-CRT signing with the private key, fault injected → corrupt signature → mathematical analysis with the public key → private key)
CRT implementation of RSA
Efficient signing implementation splits the exponentiation:
• precompute
  dp = d mod (p−1)
  dq = d mod (q−1)
  K = p^(−1) mod q
• exponentiation
  Sp = M^dp mod p
  Sq = M^dq mod q
• recombination
  S = (((Sq − Sp) · K) mod q) · p + Sp
Bellcore attack: DFA on CRT
Inject a fault during CRT that corrupts Sq; S'q is the corrupted result of the Sq computation:
  S' = (((S'q − Sp) · K) mod q) · p + Sp
Subtract S' from S:
  S − S' = (((Sq − Sp) · K) mod q) · p − (((S'q − Sp) · K) mod q) · p
         = (x1 − x2) · p mod N = x · p mod N
Compute Gcd(S − S', N) = Gcd(x · p, p · q) = p
Compute q = N / p
RSA-CRT broken when primes known
First defense against DFA on RSA-CRT
• DFA generally requires multiple encryptions of the same text
• Crypto-protocols have been (re)designed such that messages are padded with random data before signing
• Randomness results in ‘unique’ input for each encryption, and DFA is no longer possible
• Until a new attack was developed…
DFA on CRT improvement
• Original Bellcore attack requires one good and one faulty signature
• Improved single signature attack needs only a faulty signature:
  S − S' = x · p mod N
  M = S^e mod N = (S' + x · p)^e mod N
  M − S'^e = p · x · k
  Gcd(M − S'^e, N) = Gcd(p · x · k, p · q) = p
• Only the message, the faulty signature and the public key are enough!
• Single signature DFA attack breaks RSA-CRT again
Binomial expansion behind the step from M to M − S'^e (every term with i ≥ 1 contains the factor x · p, collected as x · p · k):
$$
M = (S' + xp)^e \bmod N
  = \sum_{i=0}^{e} \binom{e}{i} S'^{\,e-i} (xp)^i \bmod N
  = S'^e + \sum_{i=1}^{e} \binom{e}{i} S'^{\,e-i} (xp)^i \bmod N
  = S'^e + xpk \bmod N
$$
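The CRT signature, the fault and both gcd computations (slides 13 and 15), as an added example that is not part of the deck, together with the verify-before-release check a signer can use to keep a faulty S' inside the device. Primes, public exponent and message are constructed toy values; the fault is simulated by adding 1 to Sq.

```python
# Added example, not from the slides: RSA-CRT signing with a simulated fault
# in the Sq branch, the two gcd computations of slides 13 and 15, and the
# verify-before-release check that stops both. Primes, exponent and message
# are constructed toy values.
from math import gcd

P, Q = 1009, 1013                     # constructed toy primes
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (Python 3.8+)
MSG = 123456                          # constructed message, already < N

def crt_precompute(p, q, d):
    """dp, dq and the recombination constant K = p^-1 mod q (slide 12)."""
    return d % (p - 1), d % (q - 1), pow(p, -1, q)

def rsa_crt_sign(m, p, q, d, fault_in_sq=False):
    """S = (((Sq - Sp) * K) mod q) * p + Sp; optionally corrupts Sq."""
    dp, dq, k = crt_precompute(p, q, d)
    sp = pow(m, dp, p)
    sq = pow(m, dq, q)
    if fault_in_sq:
        sq = (sq + 1) % q             # simulated fault: S'q differs from Sq
    return (((sq - sp) * k) % q) * p + sp

def bellcore_factor(s_good, s_faulty, n):
    """Slide 13: S - S' is a multiple of p, so gcd(S - S', N) = p."""
    return gcd(s_good - s_faulty, n)

def single_signature_factor(m, s_faulty, e, n):
    """Slide 15: only M, S' and the public key: gcd(M - S'^e mod N, N) = p."""
    return gcd((m - pow(s_faulty, e, n)) % n, n)

def protected_sign(m, p, q, d, e, fault_in_sq=False):
    """Countermeasure: verify with the public key before the signature leaves
    the device; a faulty S' fails the check and is never output."""
    n = p * q
    s = rsa_crt_sign(m, p, q, d, fault_in_sq)
    if pow(s, e, n) != m % n:
        return None                   # fault detected, nothing is released
    return s

def demo():
    s_good = rsa_crt_sign(MSG, P, Q, D)
    s_faulty = rsa_crt_sign(MSG, P, Q, D, fault_in_sq=True)
    return {
        "crt_matches_plain_rsa": s_good == pow(MSG, D, N),
        "two_signature_p": bellcore_factor(s_good, s_faulty, N),
        "single_signature_p": single_signature_factor(MSG, s_faulty, E, N),
        "protected_good": protected_sign(MSG, P, Q, D, E),
        "protected_faulty": protected_sign(MSG, P, Q, D, E, fault_in_sq=True),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```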
Second defense against DFA on RSA-CRT
• Single signature DFA on RSA-CRT requires knowledge of the plaintext
• Crypto-protocols improved by keeping the random padding secret
• Unknown plaintext renders single signature DFA impossible
• Until a new attack is developed…
Partial input recovery
• A lattice is a mathematical structure describing relations between sets of vectors
• Lattices can be used to find partially unknown data in a vector set by solving the Closest Vector Problem
• Multiple different partially unknown messages are modeled as a lattice
• It is now possible to solve these for limited ‘gaps’
DFA on RSA-CRT made possible again?
• ‘Bellcore’ attack countered twice by including secret random data in the signature
  – Message is unique
  – Message is partially unknown
  – Key should be protected even when fault injection is successful
• Partial input recovery can already determine secret data up to 6 bytes
• Attack may break many crypto applications without hardware protection against fault injection
Applications
• Financial
• Mobile communication
• Identification
• Access control
• Secure storage
• Public transport
• Smart metering
• Conditional access
New applications bring
• new crypto algorithms
• new crypto protocols
• new business risks
• and… new attacks
Which algorithms, which protocols?
Algorithms
• DES
• 3DES
• RSA
• AES
• DSA
• ECDSA
• ECNR
• HMAC
• SEED
• COMP128
• …
Protocols
• EMV
• A3A8
• Milenage
• OTA
• BAC, EAC
• PKCS*
• PSS
• OAEP
• DSS
• Proprietary
• …
DPA attack possible
ECDSA
• Private key d and public key Q (where Q = d · G)
• To sign a message m:
  • Calculate z = leftmost bits of HASH(m)
  • Select a random integer k
  • Calculate r = x-coordinate of k · G
  • Calculate s = k^(−1) · (z + r · d) mod n
  • The signature is the pair (r, s)
Attack with DPA
Big number multiplication
The big-number multiplication of r and d is split into smaller parts:
                      r2      r1      r0      (bytes of r)
                      d2      d1      d0      (bytes of d)
  ------------------------------------------- *
  intermediates     r2*d0   r1*d0   r0*d0
  intermediates     r2*d1   r1*d1   r0*d1
  intermediates     r2*d2   r1*d2   r0*d2
  ------------------------------------------- +
• Parts of the private key d are multiplied with known parts of r
• Hypothetical values of di can be tested by correlating traces
Differential Power Analysis
• The differential trace shows the difference due to processing different data
• The S/N ratio can be improved by:
  – averaging multiple traces before subtraction
  – computing the correlation with the Hamming weight rather than the bit value
Correlation for intermediate values
• Peaks of the correlation traces are sorted for the hypothetical di values
• The highest peak reveals the correct di value
• Repeat for all key parts
• Key revealed!
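The correlation step of the three slides above, as an added example that is not part of the deck: traces are constructed here as the Hamming weight of the partial product r0 · d0 plus Gaussian noise, every d0 hypothesis is correlated against them, and the same measurement is repeated on a scalar-blinded implementation (d + m · n with a fresh random m per signature) to show what an evaluator should see when the countermeasure works. The secret byte, the group order used for blinding, the trace count and the noise level are constructed toy values.

```python
# Added example, not from the slides: correlation analysis of the byte-wise
# r*d multiplication of slides 23 to 25 on constructed traces (Hamming weight
# of r0*d0 plus Gaussian noise), next to the same analysis of a scalar-blinded
# implementation. d0, order, n_traces and sigma are constructed toy values.
import random
from math import sqrt

def hamming_weight(x):
    return bin(x).count("1")

def leak(r0, d0_byte):
    """Intermediate the slides point at: low byte of the partial product r0 * d0."""
    return hamming_weight((r0 * d0_byte) & 0xFF)

def simulate_traces(d0, n_traces, sigma, rng):
    """One sample per signature: r0 is known (r is public and changes with the
    random nonce k), the sample is the noisy leakage of r0 * d0."""
    r0s = [rng.randrange(256) for _ in range(n_traces)]
    samples = [leak(r0, d0) + rng.gauss(0.0, sigma) for r0 in r0s]
    return r0s, samples

def simulate_traces_blinded(d0, order, n_traces, sigma, rng):
    """Scalar blinding: the device uses d + m*order with a fresh random m, so
    the byte that reaches the multiplier differs on every signature. What is
    left to correlate depends on the known r0 only, equally for every guess."""
    r0s = [rng.randrange(256) for _ in range(n_traces)]
    samples = []
    for r0 in r0s:
        blinded_byte = (d0 + rng.randrange(256) * order) & 0xFF
        samples.append(leak(r0, blinded_byte) + rng.gauss(0.0, sigma))
    return r0s, samples

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy) if vx > 0 and vy > 0 else 0.0

def rank_hypotheses(r0s, samples):
    """Slide 25: predict the Hamming weight for each of the 256 d0 guesses,
    correlate with the measurements and sort; the highest peak is the candidate."""
    scores = [(pearson([leak(r0, g) for r0 in r0s], samples), g)
              for g in range(256)]
    return sorted(scores, reverse=True)

def run_demo(seed=1234, d0=0x5B, order=0xD3, n_traces=400, sigma=0.5):
    rng = random.Random(seed)
    ranked = rank_hypotheses(*simulate_traces(d0, n_traces, sigma, rng))
    ranked_blinded = rank_hypotheses(
        *simulate_traces_blinded(d0, order, n_traces, sigma, rng))
    return {
        "true_d0": d0,
        "recovered_d0": ranked[0][1],              # best guess, unprotected
        "peak_unprotected": ranked[0][0],          # clear peak for the right d0
        "peak_blinded": ranked_blinded[0][0],      # no guess stands out
        "runner_up_unprotected": ranked[1][0],
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```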
Technology
New inventions may help defenders and/or attackers
Example: fast improvement of fault injection tools
Fault injection opportunities in PIN check
short pin_check(byte* buffer) {
  if(pin_ctr > 0) {
    pin_ctr--;
    if(array_compare(pin,buffer,4) == 0) {
      auth = TRUE;              // PIN ok
      pin_ctr = MAX_PIN_CTR;    // reset PIN counter
      return 0x9000;
    } else {
      auth = FALSE;             // wrong PIN
      return 0x6985;
    }
  } else {
    auth = FALSE;               // no attempts left
    return 0x6987;
  }
}
Fault targets marked on the slide: change condition (the if statements), manipulate function (array_compare), skip instruction (e.g. pin_ctr--), modify assignment (auth = …).
Countermeasures
Protect the PIN verification routine with
• Random delays
• Double checking
• Traps
PIN check protection
short pin_check(byte* buffer) {
  if(pin_ctr > 0) {
    random_delay();                                    // prevent timed glitch
    if(pin_ctr <= 0) suicide();                        // double check, trap
    pin_ctr--;
    if(array_compare(pin,buffer,4) == 0) {             // PIN ok at first check
      random_delay();                                  // prevent timed glitch
      if(array_compare(pin,buffer,4) != 0) suicide();  // double check, trap
      else { … }                                       // PIN ok
    } else { … }                                       // PIN not ok at first check
  }
}
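A runnable model of the protected routine above, as an added example that is not the slide's code: it keeps the structure and the status words 0x9000 / 0x6985 / 0x6987 of the slides and fills in what the slide elides. The reference PIN, the lock-out status word 0x6983 (ISO 7816-4, authentication method blocked), the sticky lock-out that stands in for suicide(), and the glitch_next_compare test hook that makes one comparison report a match regardless of the data are all constructed for this example.

```c
/* Added example, not the slide's code: self-contained model of the PIN check
 * hardened as the slides describe (random delay, double check, trap).
 * Constructed for this example: the reference PIN, the sticky lock-out flag
 * that models suicide(), status word 0x6983 (ISO 7816-4: authentication
 * method blocked) for a tripped trap, and the glitch_next_compare test hook
 * that makes the next array_compare() report a match regardless of the data. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_PIN_CTR 3
#define PIN_LEN     4
#define SW_OK           0x9000u   /* PIN ok (slide) */
#define SW_WRONG_PIN    0x6985u   /* wrong PIN (slide) */
#define SW_NO_ATTEMPTS  0x6987u   /* no attempts left (slide) */
#define SW_BLOCKED      0x6983u   /* trap tripped: card no longer serves */

typedef uint8_t byte;

static const byte pin[PIN_LEN]      = {1, 2, 3, 4};   /* constructed reference PIN */
static const byte GOOD_PIN[PIN_LEN] = {1, 2, 3, 4};   /* constructed test inputs */
static const byte BAD_PIN[PIN_LEN]  = {9, 9, 9, 9};
static int  pin_ctr = MAX_PIN_CTR;
static bool auth    = false;
static bool locked  = false;                          /* set by the trap */
static int  glitch_next_compare = 0;                  /* test hook, see above */

static int array_compare(const byte *a, const byte *b, size_t len) {
    if (glitch_next_compare) { glitch_next_compare = 0; return 0; }
    byte diff = 0;                 /* no early exit: same time for every input */
    for (size_t i = 0; i < len; i++) diff |= (byte)(a[i] ^ b[i]);
    return diff;
}

static void random_delay(void) {
    volatile int spin = rand() % 64;   /* moves the instruction a timed glitch aims at */
    while (spin-- > 0) { }
}

static void suicide(void) {            /* trap: stop serving, permanently */
    auth   = false;
    locked = true;
}

uint16_t pin_check(const byte *buffer) {
    if (locked) return SW_BLOCKED;
    if (pin_ctr > 0) {
        random_delay();                                     /* prevent timed glitch */
        if (pin_ctr <= 0) { suicide(); return SW_BLOCKED; } /* double check + trap */
        pin_ctr--;                                          /* count the attempt first */
        if (array_compare(pin, buffer, PIN_LEN) == 0) {     /* PIN ok at first check */
            random_delay();                                 /* prevent timed glitch */
            if (array_compare(pin, buffer, PIN_LEN) != 0) { /* double check */
                suicide();                                  /* trap: checks disagree */
                return SW_BLOCKED;
            }
            auth    = true;
            pin_ctr = MAX_PIN_CTR;
            return SW_OK;
        }
        auth = false;
        return SW_WRONG_PIN;
    }
    auth = false;
    return SW_NO_ATTEMPTS;
}

void reset_card(void) {                /* test helper: fresh personalised state */
    pin_ctr = MAX_PIN_CTR;
    auth    = false;
    locked  = false;
    glitch_next_compare = 0;
}

void inject_compare_glitch(void) {     /* test helper: glitch the next compare */
    glitch_next_compare = 1;
}

int main(void) {
    printf("wrong PIN: %04x (ctr=%d)\n", (unsigned)pin_check(BAD_PIN), pin_ctr);
    printf("right PIN: %04x (ctr=%d, auth=%d)\n",
           (unsigned)pin_check(GOOD_PIN), pin_ctr, (int)auth);
    inject_compare_glitch();           /* first compare reports a match for a wrong PIN */
    printf("glitched:  %04x (locked=%d)\n", (unsigned)pin_check(BAD_PIN), (int)locked);
    return 0;
}
```

Because the attempt counter is decremented before the comparison and the second comparison re-checks the first, a single corrupted compare ends in the trap rather than in an authenticated state.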
New fault injection tools
• Dedicated hardware for glitch control: precise, fast, repetitive, adaptive
• Smart triggering: start the glitch at pattern recognition
• Powerful diode lasers
Glitch control hardware
FPGA technology used for
• arbitrary signal generation
• real time interaction with I/O and external triggers
• 2 ns precision
• drives multiple channels
(Block diagram on the slide: USB control; CPU + memory; glitch generator (vcc/clk/laser) with switch and power monitor; trigger in and trigger out; LCD display; laser; glitch circuit with smart card, contact interface RST, I/O, VCC, CLK)
Signal behaviour with variable delays
Variable delays stop time-based glitch triggers (trace on the slide marks the instruction to hit)
Smart triggering, a solution
Use the signal pattern as trigger source
Smart triggering result
The trigger moment is now fixed to device behaviour (trace on the slide marks the instruction to hit)
Diode laser system
Glitch speed
Diode lasers can switch at high frequency
Real time multi glitching process
short pin_check(byte* buffer) {
  if(pin_ctr > 0) {
    random_delay();
    if(pin_ctr <= 0) suicide();
    pin_ctr--;
    if(array_compare(pin,buffer,4) == 0) {             // PIN ok at first check
      random_delay();
      if(array_compare(pin,buffer,4) != 0) suicide();
      else { … }                                       // PIN ok
    } else { … }                                       // PIN not ok at first check
  }
}
Steps as the slides walk through the routine: find end with smart triggering; glitch condition; find begin with smart triggering and force power down; glitch condition; find end with smart triggering; glitch condition; find begin with smart triggering and force power down.
Fault injection software (screenshot on the slide)
Conclusion
• Side channel attacks have existed for more than a decade
• Analysed developments from four perspectives
  – Cost
  – Maturity
  – Applications
  – Technology
• All perspectives show that the threat remains
• Attacks have become mainstream
Questions & Discussion
Marc Witteman
witteman@riscure.com
Riscure B.V.
Frontier Building
Delftechpark 49
2628 XJ Delft
The Netherlands
Phone: +31 (0)15 251 4090
www.riscure.com
Thank you
