Introduction to Physical Attacks Arnaud Tisserand CNRS, Lab-STICC 25th October 2018 Summary • Introduction • Side Channel Attacks • Fault Injection Attacks • Conclusion and References Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 2/24 Applications with Security Needs Applications: smart cards, computers, Internet, telecommunications, set-top boxes, data storage, RFID tags, WSN, smart grids. Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 3/24 timing analysis power analysis EMR analysis observation perturbation theoretical invasive fault injection advanced algorithms probing reverse engineering optimized programming EMR = Electromagnetic radiation Attacks attack Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 4/24 timing analysis power analysis EMR analysis theoretical fault injection advanced algorithms probing reverse engineering optimized programming EMR = Electromagnetic radiation Attacks observation attack perturbation invasive Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 4/24 theoretical advanced algorithms optimized programming Attacks timing analysis power analysis EMR analysis observation attack perturbation invasive fault injection probing reverse engineering EMR = Electromagnetic radiation Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 4/24 advanced algorithms optimized programming Attacks timing analysis power analysis EMR analysis observation attack perturbation theoretical invasive fault injection probing reverse engineering EMR = Electromagnetic radiation Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 4/24 Attacks timing analysis power analysis EMR analysis observation attack perturbation theoretical invasive fault injection advanced algorithms probing reverse engineering optimized programming EMR = Electromagnetic radiation Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 4/24 \Old style" side channel attacks: + clic good value clac bad value Side Channel Attacks (SCAs) (1/2) Attack: attempt to find, without any knowledge about the secret: • the message (or parts of the message) • informations on the message • the secret (or parts of the secret) Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 5/24 Side Channel Attacks (SCAs) (1/2) Attack: attempt to find, without any knowledge about the secret: • the message (or parts of the message) • informations on the message • the secret (or parts of the secret) \Old style" side channel attacks: + clic good value clac bad value Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 5/24 measure attack E k, M??? Side Channel Attacks (SCAs) (2/2) E D Ek (M) M A B Dk (Ek (M)) = M k k General principle: measure external parameter(s) on running device in order to deduce internal informations Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 6/24 Side Channel Attacks (SCAs) (2/2) E D Ek (M) M A B Dk (Ek (M)) = M k k measure attack E k, M??? General principle: measure external parameter(s) on running device in order to deduce internal informations Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 6/24 What Should be Measured? Answer: everything that can \enter" and/or \get out" in/from the device • power consumption • electromagnetic radiation • temperature • sound • computation time • number of cache misses • number and type of error messages • ... The measured parameters may provide informations on: • global behavior (temperature, power, sound...) • local behavior (EMR, # cache misses...) Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 7/24 Power Consumption Analysis General principle: 1. measure the current i(t) in the cryptosystem 2. use those measurements to \deduce" secret informations crypto. secret key = 962571. i(t) R VDD Crypto/server-dell traces Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 8/24 has a current signature and a time signature T t T+T× I t I+ I× i 1 2 3 4 5 6 7 8 ai 0 1 1 0 1 0 0 1 Differences & External Signature An algorithm : r = c0 for i from 1 to n do if ai = 0 then r = r+c1 else r = r×c2 Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 9/24 and a time signature T t T+T× Differences & External Signature An algorithm has a current signature : r = c0 for i from 1 to n do if ai = 0 then r = r+c1 else r = r×c2 I t I+ I× i 1 2 3 4 5 6 7 8 ai 0 1 1 0 1 0 0 1 Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 9/24 Differences & External Signature An algorithm has a current signature and a time signature: r = c0 for i from 1 to n do if ai = 0 then r = r+c1 else r = r×c2 T t T+T× I t I+ I× i 1 2 3 4 5 6 7 8 ai 0 1 1 0 1 0 0 1 Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 9/24 Simple Power Analysis (SPA) Source: [2] Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 10/24 Simple Power Analysis (SPA) Source: [2] Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 10/24 • simple power analysis (& variants) • differential power analysis (& variants) • horizontal/vertical/templates/. attacks SPA on ECC encryption signature etc protocol level [k]P curve level Scalar multiplication operation ADD(P; Q) DBL(P) for i from 0 to t − 1 do if ki = 1 then Q = ADD(P; Q) P = DBL(P) x±y x×y ... field level Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 11/24 • simple power analysis (& variants) • differential power analysis (& variants) • horizontal/vertical/templates/. attacks SPA on ECC encryption signature etc protocol level [k]P curve level Scalar multiplication operation ADD(P; Q) DBL(P) for i from 0 to t − 1 do if ki = 1 then Q = ADD(P; Q) P = DBL(P) x±y x×y ... field level Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 11/24 • simple power analysis (& variants) • differential power analysis (& variants) • horizontal/vertical/templates/. attacks SPA on ECC DBL DBL DBL DBL DBL DBL encryption signature etc protocol level [k]P curve level Scalar multiplication operation ADD(P; Q) DBL(P) for i from 0 to t − 1 do if ki = 1 then Q = ADD(P; Q) P = DBL(P) x±y x×y ... field level Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 11/24 • simple power analysis (& variants) • differential power analysis (& variants) • horizontal/vertical/templates/. attacks SPA on ECC DBL DBL DBL ADD DBL ADD DBL DBL encryption signature etc protocol level [k]P curve level Scalar multiplication operation ADD(P; Q) DBL(P) for i from 0 to t − 1 do if ki = 1 then Q = ADD(P; Q) P = DBL(P) x±y x×y ... field level Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 11/24 • differential power analysis (& variants) • horizontal/vertical/templates/. attacks SPA on ECC DBL DBL DBL ADD DBL ADD DBL DBL encryption signature etc protocol level 0 0 0 1 1 0 [k]P curve level Scalar multiplication operation ADD(P; Q) DBL(P) for i from 0 to t − 1 do if ki = 1 then Q = ADD(P; Q) P = DBL(P) • simple power analysis (& variants) x±y x×y ... field level Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 11/24 SPA on ECC DBL DBL DBL ADD DBL ADD DBL DBL encryption signature etc protocol level 0 0 0 1 1 0 [k]P curve level Scalar multiplication operation ADD(P; Q) DBL(P) for i from 0 to t − 1 do if ki = 1 then Q = ADD(P; Q) P = DBL(P) • simple power analysis (& variants) x±y x×y ... • differential power analysis (& variants) field level • horizontal/vertical/templates/. attacks Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 11/24 1111111111111111 0000000000000001 Important: a small difference may be evaluated has a noise during the measurement traces cannot be distinguished Question: what can be done when differences are too small? Answer: use statistics over several traces Limits of the SPA Example of behavior difference: (activity into a register) t 0000000000000000 0000000000000000 t + 1 Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 12/24 Important: a small difference may be evaluated has a noise during the measurement traces cannot be distinguished Question: what can be done when differences are too small? Answer: use statistics over several traces Limits of the SPA Example of behavior difference: (activity into a register) t 0000000000000000 0000000000000000 t + 1 1111111111111111 0000000000000001 Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 12/24 Answer: use statistics over several traces Limits of the SPA Example of behavior difference: (activity into a register) t 0000000000000000 0000000000000000 t + 1 1111111111111111 0000000000000001 Important: a small difference may be evaluated has a noise during the measurement traces cannot be distinguished Question: what can be done when differences are too small? Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 12/24 Limits of the SPA Example of behavior difference: (activity into a register) t 0000000000000000 0000000000000000 t + 1 1111111111111111 0000000000000001 Important: a small difference may be evaluated has a noise during the measurement traces cannot be distinguished Question: what can be done when differences are too small? Answer: use statistics over several traces Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 12/24 internal state implementation select bit b to attack power model measures b = 1 power(Hb=1) comparison b = 0 power(Hb=0) correct hypothesis Differential Power Analysis (DPA) cryptosystem Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 13/24 implementation select bit b to attack power model measures b = 1 power(Hb=1) comparison b = 0 power(Hb=0) correct hypothesis Differential Power Analysis (DPA) cryptosystem internal state Arnaud Tisserand. CNRS { Lab-STICC. Introduction to Physical Attacks 13/24 implementation power model measures power(Hb=1) comparison power(Hb=0) correct hypothesis Differential Power Analysis (DPA) cryptosystem internal state select bit b to attack b = 1 b = 0 Arnaud Tisserand.