sign in sign up
<<
Home , Timing attack

Side-Channel Attacks

Aleksei Ivanov 26th November 2005

1 Introduction and patches the result with all 0's.This results in small, constant time when compared to complete Side-channel attacks are described in [5] as follows. multiplication. Timing side channel information Side-channel attacks are attacks that are based on can be obtained either by precisely measuring the side channel information. Side channel Information time taken by one or by averaging the that can be retrieved from the encryption device time taken over several [4]. that is neither plain text to be encrypted nor the cipher text resulting from the encryption process. There are several kind of side-channel attacks, in 2.2 Power Consumption Attacks the [2] timing attack is referred to as the most Devices consume power and the power dissipated common one. Then There is one kind of informa- by a device is an other side channel. Dierential tion leakage referred to in [1] as power consumption (DPA) is a power consumption side leakage, that is a big help to the timing attacks. It channel attack that divides the encryption into a is even harder to protect a system against the power number of time slots and measures power in each consumption attacks when attacker has direct ac- slot for dierent plain text input. A small number cess to the encryption device. of the power measurements correlate with each bit The purpose of this paper is to get an overview of the interval stage during encryption [4]. of attacks on encryption systems where an attacker This attack requires little knowledge of the device is using other ways to obtain the encryption and is dicult to hide the channel information if than breaking the mathematical algorithm. For in- the attacker has direct contact to the device. stance the attacker can measure the time of com- putation to determine the complexity of the oper- ation. Thus having some information about the 2.3 Error Message Attacks encryption algorithm the attacker can guess what It is important to be careful with sending out in- operations might have occurred. For instance there formation about operation failures. Because an is a an operation that takes less time to compute attacker can use it to compute decryption of any when given certain input. This type of attack is cypher text by using the device as an oracle as re- called timing attack. There are more ways to nd ferred to in [1]. The attack is theoretically pos- out the key with help of some information leakage sible against RSA encryption standard PKCS#1. from devices. Attacker sends well chosen "cipher texts" to the device and using it as an oracle to know if the cor- 2 Side Channel Attacks responding plain text is in the right format. The attack is reliable if the dierent failures can be sep- 2.1 Timing Attacks arated.

This type of attacks are based on time it takes to 2.3.1 Fault Attacks do an operation. Attacker can passively listen on the channel and record every input, output and the Results output by a faulty implementation is an- consumed time. In some implementations multipli- other side channel. Fault-based side channel at- cation by zero bypasses the multiplication process tacks are based on the observation that errors de-

1 liberately introduced into a device and the result- comparing the faulty result with the correct one to ing faulty computations leak information about the obtain the round key. They found the round key implemented algorithm [4]. of last round rst, and then the round key of the Boneh, DeMillo and Lipton [6] presented the rst round before last, and so on. Biham and Shamir fault-based side channel attack against devices im- extended their fault model to show that DFA can plementing public key . They showed uncover the structure of an unknown that faults could be introduced at a random bit lo- implemented in the encryption device [4]. cation in one of the registers in the encryption de- vice by exposing it to ionizing and microwave radi- 2.4 Frequency-based Side Channel ations. They showed how information leaking from such a fault-based side channel could be exploited Attack to factor the modulus of an RSA implementation. In [3] chapter 4 there is an experiment with an When attacker has physical access to a crypto- ARM Integrator/C7TDMI core. In this experiment graphic device the attacker may try to make the the researcher tries to measure power consumption device malfunction. This kind of attack is based and electromagnetic emanation. Since the core is on obtaining about the message or the secret key assumed to consume little power and have small from the output of erroneous computations. The size, it is frequently used in embedded devices such following descriptions are based on [1]. as pagers, wireless handsets, and personal digital There are several ways to make an error occur in assistants (PDA). the device. Here are some non-invasive methods:

• spike attacks work by applying more power to 2.4.1 Experiment Set-up the device than the device can handle. The experiment set-up is described as follows. A • glitch attacks target the clock contact in the digital oscilloscope, an EM probe connected to a similar way to spike attacks pre-amplier, a Multi-ICE debugger, a personal computer, and a inductive probe are used to ac- • optical attacks work by applying light to the quire both EM and power traces from the ARM device in order to alter some bits. Integrator/C7TDMI core module. See Figure 1. Depending on where attacker is able to do the attack models are divided into categories:

• control on the fault location; • control on the fault occurrence time • control on the number of faulty bits induced • the fault model

2.3.2 Dierential Fault Analysis (DFA) at- tacks Biham and Shamir [7] presented a fault-based side channel of DES called Dierential Fault Analysis (DFA). They showed how DFA can nd the last DES round key using less than 200 ci- Figure 1: Power and EM Measurement Set-up on pher texts by assuming that one bit of data in one ARM Integrator/C7TDMI of the 16 rounds is ipped with a uniform prob- ability. Floyd, Fu and Sun [8] presented a simi- To measure EM and power traces, a trigger signal lar DFA attack on RC5 by introducing the regis- is needed to notify the oscilloscope when to start ter faults that aect the current round and then recording a trace. In the experiments on the ARM

2 core module, the trigger signal is sent in the form of Step three. Statistical analysis is run on raw EM a software interrupt from the core module to the os- data with MATLAB program. The analysis pro- cilloscope. For all traces measured for the ARM ex- gram is written according to DFA attack method- periments, the HiRes acquisition mode is used. In ology to produce a correct key guess after running HiRes mode, the instrument creates a record point through all possible keys. by averaging all samples taken during an acquisi- tion interval. It results in a higher resolution, less 2.4.3 Results noise, and lower bandwidth waveform. To elimi- nate noise, averaging of at least several hundred of Simple electromagnetic analysis (SEMA) can show frames is required. The number of data points in some information about operations the device is each trace is specied by the record length and the performing or key material. Figure 2 shows the number of traces is specied by the frame count. scope capture of an AES encryption with 192-bit Each frame is captured when a valid trigger occurs. key length of a single EM frame. For instance, an AES encryption algorithm is too long to t into one frame. In most cases, the adver- sary is only interested in a small section of the Rijn- dael encryption algorithm, particularly the output of the S-Box in 1 round of AES. Therefore, it is preferable to pinpoint the attack point by zooming into the section of interest using the delay mode on the oscilloscope. The delay mode allows the os- cilloscope to start displaying waveform by a user- specied period after the start of the trigger signal. For instance, if the specied delay period is 1 ms, the scope will display a waveform 1 ms after the start of the trigger signal. As a result, the attacker can pinpoint the exact section that contains the load instruction at the output of the S-Box. Hence, this allows the attacker to increase the frame reso- lution and capture only the desired section into a single frame. Figure 2: SEMA on PDA for AES 192-bit 2.4.2 Experiment methodology There is clearly shown 12 AES transformations. The experiment is carried out in three steps. Step Thus an attacker can determine the key length by one, Loading the AES Encryption Program to the inspecting the number of rounds being executed ARM Evaluation Board. Step two, Capturing EM during AES encryption. or Power Traces. And step three, Statistical Analy- sis with MATLAB. Step one. The experiment is conducted on AES 3 Preventing Side-Channel At- encryption with 128 bit key length. The test Pro- tacks gram runs the encryption many times with random plain text input. the input is kept for statistical 3.1 Countermeasures Against Tim- analysis. ing Attacks Step two. The EM probe is placed on top of the core processor before running the encryption algo- A counter measure against timing attack, that rithm. Then the oscilloscope is set up the way in- takes in consideration the property of multiplica- structed in 2.4.1 and then the encryption algorithm tion by 0 being faster than other multiplication op- is run. After the process the data from oscilloscope erations, is proposed in [4] to make the time con- is exported into MATLAB. sumed by any operation independent of the input.

3 A other counter measure would be modify the on the round level (shown on gure 4) and on the computation to blind the attacker from the de- operational level (shown on gure 5). tails of the modication. In elliptic-curve pub- lic key cryptography computing a multiple K of a curve point P is a common operation that can be blinded from the attacker by pre-selecting a random curve point , pre-computing K × Q and comput- ing K × P as K × (P + Q) − K × Q.

3.2 Countermeasures Against Power Analysis Attacks A counter measure against DPA is masking the side channel power information by performing ran- Figure 3: Rijndael encryption with algorithm-level dom calculations so as to increase the measurement CED noise. However this random noise is easy to remove, as it tends to average out over time. Another solution is to add complementary cir- cuits to mirror the real encryption calculations in the device. For instance, if the real circuit is mul- tiplying by the binary number 101, then the com- plimentary circuit multiplies by 010. This smooths out the over all power consumption since the power consumed by both parts together is approximately constant. Still, since mirroring is not perfect, it is unclear whether all information can be blocked by this solution [4]. A third solution is to vary the order of the oper- Figure 4: Rijndael encryption with round-level ations to make it more dicult for the attacker to CED identify patterns in power consumption [4].

3.3 Countermeasures Against Fault Message Attacks 3.3.1 Fault-based side channel cryptanaly- sis tolerant architectures A possible solution against DFA is to do the encryp- tion twice and output the results only if the two outputs are identical. The problem with this ap- proach is, that it doubles the computation time. In addition the probability of a fault occurring twice Figure 5: Rijndael encryption with operation-level is not suciently small [5]. CED [4] introduces encryption architectures that can tolerate fault-based side channel analysis. These architectures are called Concurrent Error Detection 4 Conclusion (CED). The idea is to do encryption and decryp- tion at the same time and check the result before There is little research done on side channel infor- sending it to output. The architecture allows to mation leakage. The results imply that it is pos- do this on the algorithm level (shown on gure 3), sible to obtain encryption keys without breaking

4 the mathematical algorithm. But results also imply www.discretix.com/PDF/Introduction% that there have been little publications on attacks 20to%20Side%20Channel%20Attacks.pdf on servers or PC-s. Smart card and other simple mobile solutions have the biggest risk of being at- [6] D. Boneh, R. DeMillo, and R. Lipton, "On tacked via side channel. Their simple infrastructure the importance of checking cryptographic and easy physical access make them easy target for protocols for faults",Proceedings of Euro- an attacker. crypt, Lecture Notes in Computer Science, Physically isolated systems, like on-line servers, Vol. 1233, Springer-Verlag, pp. 37-51, 1997. are usually prone only to timing attacks. This kind [7] E. Biham, A. Shamir, "Dierential Fault of attack is easily shielded with adding delays or al- Analysis of Secret Key ", tering the algorithm to do its operations in constant Proceedings of Crypto'97, 1997. time. It may take some additional resource but it is possible to minimize the risk of leaking signicant [8] J. J. Floyd, K.E. Fu, P. Sun, MIT, side channel information from the device. "6.857 Computer & Network Se- Finding countermeasures for side channel attacks curity Final Project: Dierential should be a high priority issue in smart card design Fault Analysis", December 1996. in the future. People are using smart cards in their http://web.mit.edu/jered/www/ everyday life and their well-being is depending on publications/-dfa-paper.ps them. Hence the implementations have to be safe. In this case mathematical algorithm alone is not sucient. Additional countermeasures have to be taken into considerations. There does not seem to be a perfect solution yet since smart cards are not safe from complex dierentiated attacks.

References

[1] URL: https://www.cosic.esat. kuleuven.be/nessie/Bookv015.pdf Pages 344-354 [2] Niels Ferguson, Bruce Schneier, Practical Cryptography. 2003 pages 150-151 and 288- 290 [3] Chin Chi Tiu, A New Frequency-Based Side Channel Attack for Embedded Systems. URL: http://optimal.vlsi.uwaterloo. ca/NEW/thesis_AgnesTiu.pdf See Chap- ter 4 [4] Ramesh Karri, Kaijie Wu, Piyush Mishra Yongkook Kim. Fault-Based Side-Channel Cryptanalysis Tolerant Rijndael Symmetric Ar- chitecture. URL: http://www.ece.mtu. edu/ee/faculty/mishra/Publications/ DFT2002/DFT2002_Paper.pdf [5] Hagai Bar-El, Whitepaper on Introduction to Side Channel Attacks. See also http://

5