Final Copy 2019 03 19 Yan
Total Page:16
File Type:pdf, Size:1020Kb
This electronic thesis or dissertation has been downloaded from Explore Bristol Research, http://research-information.bristol.ac.uk Author: Yan, Yan Title: Side Channel Attacks on IoT Applications General rights Access to the thesis is subject to the Creative Commons Attribution - NonCommercial-No Derivatives 4.0 International Public License. A copy of this may be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode This license sets out your rights and the restrictions that apply to your access to the thesis so it is important you read this before proceeding. Take down policy Some pages of this thesis may have been removed for copyright restrictions prior to having it been deposited in Explore Bristol Research. However, if you have discovered material within the thesis that you consider to be unlawful e.g. breaches of copyright (either yours or that of a third party) or any other law, including but not limited to those relating to patent, trademark, confidentiality, data protection, obscenity, defamation, libel, then please contact [email protected] and include the following information in your message: •Your contact details •Bibliographic details for the item, including a URL •An outline nature of the complaint Your claim will be investigated and, where appropriate, the item in question will be removed from public view as soon as possible. This electronic thesis or dissertation has been downloaded from Explore Bristol Research, http://research-information.bristol.ac.uk Author: Yan, Yan Title: Side Channel Attacks on IoT Applications General rights Access to the thesis is subject to the Creative Commons Attribution - NonCommercial-No Derivatives 4.0 International Public License. A copy of this may be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode This license sets out your rights and the restrictions that apply to your access to the thesis so it is important you read this before proceeding. Take down policy Some pages of this thesis may have been removed for copyright restrictions prior to having it been deposited in Explore Bristol Research. However, if you have discovered material within the thesis that you consider to be unlawful e.g. breaches of copyright (either yours or that of a third party) or any other law, including but not limited to those relating to patent, trademark, confidentiality, data protection, obscenity, defamation, libel, then please contact [email protected] and include the following information in your message: •Your contact details •Bibliographic details for the item, including a URL •An outline nature of the complaint Your claim will be investigated and, where appropriate, the item in question will be removed from public view as soon as possible. Side Channel Attacks on IoT Applications By Yan Yan Department of Computer Science University of Bristol A dissertation submitted to the University of Bristol in ac- cordance with the requirements of the degree of Doctor of Philosophy in the Faculty of Engineering. January 2019 Word count: 39931 Abstract The Internet of Things (IoT) has become a reality: small connected devices feature in everyday objects including childrens' toys, TVs, fridges, heating control units, etc. Supply chains feature sensors throughout, and significant investments go into researching next-generation healthcare, where sensors monitor wellbeing. A future in which sensors and other (small) devices interact to create sophisticated applications seems just around the corner. All of these applications have a fundamental need for security and privacy and thus cryptography is deployed as part of an attempt to secure them. This thesis explores a particular type of security threat against IoT devices, namely side channel attacks (SCA), that has been proven only more powerful over the years. In brief, a side channel attack targets the implementation of security measures and recovers secret data by exploiting execution related information. For instance, secret keys can be recovered by statistically analysing the timing or power consumption of the execution of cryptographic algorithms, or sometimes results of faulty executions; data protected in encrypted packets can be revealed by the length of packets and timing of responses. Three vulnerabilities in IoT applications have been identified in this work including a flawed Random Number Generator (RNG) design, an effective application of Differential Power Analysis (DPA) and the practicability of Traffic Analysis (TA). These vulnerabilities commonly exist in many IoT scenarios and thus should be taken into account when designing new applications. i Acknowledgements The research could never be done without help of many others. Firstly I would like to thank my primary supervisor Elisabeth Oswald for her continued guidance and support through the research, especially her offer to me to take part in the LADA project. I would thank my second supervisor Theo Tryfonas for sharing his valuable visions from the aspect of cyber security which greatly contributed to the theme of my research. The support of my family to my decision of pursuing the PhD was also among the most important factor in completing this research. Great contributions came from my colleagues and co-authors Srivinas Vivek Vanketah and Arnab Roy in my research on the ARX ciphers and generic distingsuiers. I sincerely appreciate the comments from Dan Page and Dritan Kaleshi during my internal PhD progress reviews. I would thank George Oikonomou for introducing me to Contiki OS as well various IoT devices, and Carolyn Whitnall for her patience in answering my frequent questions related to statistics as well as helping me in writing this thesis. Si Gao helped me set up the experiments for power analysis, Jake Longo for taught me the basis of signal processing and David McCann offered great help with ELMO. Joey Green, Marco Martinoli and James Howe also provided precious advises during my writing of this thesis. And finally, my many thanks to the cryptography research group of University of Brisol, especially to the people of the side channel research group. iii Declaration I declare that the work in this dissertation was carried out in accordance with the requirements of the University's Regulations and Code of Practice for Research Degree Programmes and that it has not been submitted for any other academic award. Except where indicated by specific reference in the text, the work is the candidate's own work. Work done in collaboration with, or with the assistance of, others, is indicated as such. Any views expressed in the dissertation are those of the author. SIGNED: ............................................................. DATE:.......................... v Contents Nomenclature xv 1 Introduction 1 1.1 Research Motivation . .3 1.2 Research Contributions . .4 1.3 Thesis Outline . .4 1.4 Publications . .5 2 Preliminaries 8 2.1 Basic Statistics and Information Theory . .8 2.1.1 Cumulative Distribution Function . .8 2.1.2 Probability Density Function . .9 2.1.3 Pearson Correlation Coefficient . .9 2.1.4 Shannon's Entropy . 10 2.1.5 Mutual Information . 10 2.1.6 Kolmogorov{Smirnov Test . 10 2.1.7 Signal-to-Noise Ratio . 11 2.2 Contiki OS . 11 2.3 CC2538 and TelosB . 12 2.4 SCALE Board . 12 2.5 Side Channel Attacks . 14 2.6 Power Analysis Attacks . 14 vii 2.6.1 Univariate vs Multivariate . 16 2.6.2 Side Channel Distinguishers . 17 2.7 Traffic Analysis . 21 2.8 Lightweight Cryptography . 22 2.8.1 ARX Ciphers . 25 3 Flawed Designs: Cryptographic Randomness on CC2538 30 3.1 Introduction . 30 3.2 Preliminaries . 31 3.2.1 Random Number Generators . 31 3.2.2 Randomness Validation . 33 3.3 Related Work . 34 3.4 RF Noise as TRNG . 34 3.4.1 Reverse Engineering the TRNG Design . 35 3.4.2 Biasing the RF Signal in Practice . 39 3.5 LFSR as PRNG . 45 3.6 Contiki RNG Driver Issues for CC2538 . 49 3.7 Security Impact: Breaking DTLS . 49 3.8 Other RNG implementations in Contiki . 52 3.9 Patching the PRNG . 53 3.10 Summary . 53 4 DPA on ARX Ciphers 55 4.1 Introduction . 55 4.2 Preliminaries . 56 4.2.1 Notations . 56 4.2.2 SPARX Round Function and Generalised ARX-Box . 57 4.3 Observations on Modular Addition as a DPA Target . 60 4.3.1 Equivalent Keys . 60 4.3.2 Ineffective Single Bit DPA . 65 viii 4.3.3 The Enumeration Space and Divide-and-conquer . 65 4.3.4 Weak Non-linearity . 66 4.4 Correlation Attacks Against Modular Addition . 67 4.5 A Chosen Message DPA Against Modular Addition . 71 4.5.1 Formalisation of Attack . 72 4.5.2 Solving the Hidden Sum Problem . 73 4.5.3 Complete Solution to HSP . 80 4.5.4 Solving HAP . 81 4.5.5 Progressing to Noisy Leakage . 82 4.5.6 Word Extension . 83 4.5.7 Compatible Power Leakage Models . 84 4.5.8 Requirement of Chosen Inputs . 84 4.5.9 Experiments . 85 4.6 CPA Against Rotation and XOR . 86 4.7 Summary . 90 5 A Novel Type of Generic Distinguisher { Ordinal 91 5.1 Introduction . 91 5.2 Preliminaries . 92 5.2.1 Notations . 92 5.2.2 Generic Distinguishers . 93 5.2.3 The Bit Dropping Trick . 94 5.3 Ordering of Leakage . 94 5.4 Ordering-based Distinguishers . 99 5.4.1 Ordinal-Entropy . 100 5.4.2 Ordinal-Variance-of-Positions . 103 5.5 Real Trace Experiments . 105 5.6 Simulations . 106 5.6.1 Non-uniform Target Intermediate . 109 5.7 Summary . 114 ix 6 Exploiting Package Feature 115 6.1 Introduction . 115 6.2 Preliminaries . 117 6.2.1 A Typical IoT Protocol Stack . 117 6.2.2 Our Experimental Network . 118 6.3 Exploiting Packet Length Information . 119 6.3.1 Distinguishing ICMP Messages . 119 6.3.2 Distinguishing Different Devices .