CSE 291-E: Applied Cryptography

Keegan Ryan UCSD

Some slides from Nadia Heninger Legal Notice

The Zoom session for this class will be recorded and made available asynchronously on Canvas to registered students. Announcements

1. HW 8 is due Thursday Last time: ● Lattice-based cryptanalysis

This time ● Side-channel attacks and fault injection Why Use Side Channels Private ● Traditional vulnerabilities try to extract the secrets directly ● Cryptanalytic attacks try to recover private values from public ● What if the implementation Crypto Impl produces the correct output?

Public Why Use Side Channels Private ● Traditional vulnerabilities try to extract the secrets directly ● Cryptanalytic attacks try to recover private values from public ● What if the implementation Crypto Impl produces the correct output? ● Collect additional information to supplement recovery process Side-channel leakage

Public Why Use Side Channels Private ● Traditional vulnerabilities try to extract the secrets directly ● Cryptanalytic attacks try to recover Fault private values from public ● What if the implementation Crypto Impl’ produces the correct output? ● Collect additional information to supplement recovery process ● Force the implementation to return

incorrect output Public’ History of Side Channels

● WWII - Bell Telephone discovers electromagnetic leakage in OTP teleprinter ○ Recovered plaintext, implemented solution was to maintain control of 100-ft diameter area ● 1945 - Soviet Union gifts US Ambassador wooden Great Seal ○ Contained a remotely activated bug which broadcast audio over radio waves ● 1951 - CIA rediscovers teleprinter leakage, can recover plaintext from ¼ mile ● 1964 - TEMPEST rules established ○ NSA specification of methods and countermeasures for side-channel attacks ● 1984 - US removes Soviet bugs from embassy typewriters (GUNMAN project) ○ Ambiguity in typed characters, but could use “laws of probability” to recover original text ● 1985 - Wim van Eck publishes image-recovery attack on CRTs via EM ● 1996 - Paul Kocher publishes timing attack on crypto implementations https://www.nsa.gov/Portals/70/documents/news-features/declassified-documents/cryptologic-histories/history_comsec.pdf https://www.nsa.gov/Portals/70/documents/news-features/declassified-documents/cryptologic-histories/Learning_from_the_Enemy.pdf Kocher, Paul C. "Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems." 1996. Zcash Ceremony

● How do you protect a $1B cryptocurrency? ● Security of the system depends on generation of zk-SNARK parameters ● Ceremony between 6 parties in 2016 ensures that no one knows private key ● Fresh, air gapped laptops to prevent software attacks ● Auditable software to limit cryptographic attacks ● Journalist documented process of Boulder party ○ Equipment constantly monitored ○ All electronic equipment in hotel room unplugged ○ Laptop placed away from any walls ● Canadian party drove across BC with laptop surrounded by tin foil

https://spectrum.ieee.org/tech-talk/computing/networks/the-crazy-security-behind-the-birth-of-zcash https://www.wnycstudios.org/podcasts/radiolab/articles/ceremony Threat model is realistic

● We require unknown secret, proximity, and ability to measure ● Credit cards with a chip ● Devices playing encrypted DRM content ○ Android uses ARM TrustZone ○ Desktop will use SGX… someday ● Authenticator tokens or hardware wallets ● Embedded devices with encrypted firmware ● Cable box/card hacking ● Cloud computing Cold Boot Attacks Halderman et al. 2009

● Assumes physical access to machine with secrets in memory ● Lower temperature of DRAM and run custom kernel to read DRAM ● Because of low temperature, memory state persists for longer ● Partially recover cryptographic keys, use cryptanalytic techniques to recover ○ Coppersmith attack to recover RSA key from half of one factor HMAC Timing Attack bool MAC_verify(string msg, char* tag) { char correct_tag[TAG_LENGTH]; MAC_compute(msg, correct_tag); for (int i = 0; i < TAG_LENGTH; i++) if (tag[i] != correct_tag[i]) return false; return true; } void parse_incoming_packet(string msg, char* tag) { if (MAC_verify(msg, tag)) { ... Side-Channel Attacks

● Only useful when there are no easy attacks ● Exploitation must happen as the private key is used ● Requires some sort of proximity ○ Physical proximity ○ Network proximity ○ Hardware colocation ● Only leaks small amount of information ● Not always limited to cryptographic attacks ● Very powerful attacks under the correct threat model Physical Attacks Basic Electronics

● CPU power usage depends on what instruction it is executing and the values of bits it is manipulating ● Maintaining bit value 1 takes more energy than maintaining bit value 0 ● Can solder on a new resistor in line with power supply. Power drop across resistor is proportional to changes in current draw. ● Use oscilloscope or other tool to measure change in voltage over time. ● Can also measure EM radiation or sound ● Costs ~$300 for equipment Power Analysis of Yubikey AES Oswald Richter Paar 2009

● Yubikey wrapped ECDSA private keys with AES for U2F authentication ● AES has 10 rounds

● In the first round, for each key byte Ki, -1 ⊕ compute SBOX (Ci Ki) ● When this value has more bits set, slightly more power draw in round 1.

● Brute force 256 values of Ki to see which best matches this behavior ● Takes ~500 traces Modular Exponentiation

RSA signing/decryptions use fast methods to compute cd mod N.

m = 1 for i = 0 ... len(d): m = (m * m) % N if d[i] = 1: m = (c * m) % N return m

● We are looping over the bits of the secret exponent ● Square in every iteration, multiply when the secret bit is 1 ● Also used for point multiplication k*G in ECDSA Attacks on Modular Exponentiation Kocher Jaffe Jun 1998 Modular Exponentiation

RSA signing/decryptions use fast methods to compute cd mod N.

m = 1 for i = 0 ... len(d): m = (m * m) % N if d[i] = 1: m = (c * m) % N return m Modular Exponentiation

RSA signing/decryptions use fast methods to compute cd mod N.

m = 1 for i = 0 ... len(d): m = (m * m) % N t = (c * m) % N if d[i] = 1: m = t return m ● Always multiply in every iteration ● Use Montgomery ladder ● RSA blinding - Compute r-1 * (c * re)d mod N to randomize internal state

● Exponent blinding - exponentiate to db = d + r휑(N) to randomize exponent Fault Injection

● Briefly connect power supply to ground to short out CPU ● Alternatively, CPU overvolt, undervolt, clock glitch EM pulse ● With luck, the CPU computes an incorrect value but does not reset ● Can attack symmetric ciphers Fault Injection Attack on RSA Boneh DeMillo Lipton 1997

RSA implementations use the Chinese Remainder Theorem:

1. Precompute dp = d mod (p - 1) and dq = d mod (q - 1). 2. To generate a signature on m, compute d_p d_q sp = m mod p sq = m mod q 3. Use the Chinese remainder theorem to construct s mod N. Fault Injection Attack on RSA Boneh DeMillo Lipton 1997

RSA implementations use the Chinese Remainder Theorem:

1. Precompute dp = d mod (p - 1) and dq = d mod (q - 1). 2. To generate a signature on m, compute d_p d_q sp = m mod p sq = m mod q 3. Use the Chinese remainder theorem to construct s mod N.

If a fault is induced during the computation of sp, then m ≡ se mod p m ≢se mod q So se - m ≡ 0 mod p and gcd(m - se, N) = p Countermeasures against physical attacks

● Constant time implementation ● Blinding ● Logical masking ● Inserting dummy instructions ● Surrounding the chip with a metal mesh ● Reset on unexpected voltage or temperature changes ● Encode a single bit using multiple states Zcash Ceremony

● In the middle of the ceremony, sudden echo on joint video call ● A device in the Denver room had been turned on and connected to the Google Hangout ● No additional participants appeared in the meeting list ● Tracked the echo to the reporter’s cell phone, which had never been connected to the meeting ● While looking at the processes on the phone, the echo vanished ● Was this device hacked and microphone used for a side-channel attack? Software Side Channels Timing attack on Modular Exponentiation

● In an incorrect ECDSA implementation, a nonce k with several leading zero bits will have fewer iterations during the computation of k*G ● Attacker queries ECDSA signer several times, saves fastest signatures ● Use the biased-nonce lattice attack to recover the private key. ● This works on TPMs in computers [Moghimi et al. 2019] ● And against TLS servers [Brumley Tuveri 11] Timing attacks on TLS

● RSA decryption exploitable via timing attack [Brumley Boneh 2005] ● CBC Padding Oracle attack exploitable via timing attack (Lucky 13) ● Bleichenbacher’s Padding Oracle exploitable via timing attack (ROBOT) ● Diffie-Hellman exploitable (in theory) via timing attack [Merget et al. 2020] ... Cache Attacks load(Data1); load(Data2);

... // Yield to Victim

// Victim Execution