TOWARDS EFFICIENT PRACTICAL SIDE-CHANNEL CRYPTANALYSIS Improved Implementations, Novel Methods, Applications, and Real-world Attacks DISSERTATION zur Erlangung des Grades eines Doktor-Ingenieurs der Fakultat¨ fur¨ Elektrotechnik und Informationstechnik an der Ruhr-Universitat¨ Bochum Timo Bartkewitz Bochum, September 2016 Copyright © 2016 by Timo Bartkewitz. All rights reserved. Printed in Germany. To my parents Claudia and Ralf, and Miriam my wife Timo Bartkewitz Place of birth: Bochum, Germany Author’s contact information: [email protected] www.rub.de Thesis Advisor: Prof. Dr.-Ing. Christof Paar Ruhr University Bochum, Germany Secondary Referees: Prof. Dr.-Ing. Kerstin Lemke-Rust Bonn-Rhine-Sieg University of Applied Sciences, Germany Prof. Dr. rer. nat. J¨org Schwenk Ruhr University Bochum, Germany Thesis submitted: September 23, 2016 Thesis defense: June 9, 2017 Last revision: July 22, 2017 v [As HAL does not open the pod bay doors] Dave: What’s the problem? HAL: I think you know what the problem is just as well as I do. Dave: What are you talking about, HAL? HAL: This mission is too important for me to allow you to jeopardize it. Dave: I don’t know what you’re talking about, HAL. HAL: I know that you and Frank were planning to disconnect me, and I’m afraid that’s something I cannot allow to happen. Dave: Where the hell did you get that idea, HAL? HAL: Dave, although you took very thorough precautions in the pod against my hearing you, I could see your lips move. HAL 9000 and Commander Dr. David Bowman in 2001: A Space Odyssey (1968). vii Abstract ryptography — the art of keeping the written word secret — is one of the most integral C parts in the world whose existence is indispensable for economy and political interaction. Cryptography is applied to protect assets which are, of course, manifold. Beginning with the military document over financial transactions up to the citizen’s electronic identity, their need of protection involve confidentiality, integrity, and authenticity, amongst others. Circumventing cryptography is therefore one the primary goals in all disciplines; a business, however, which is also afforded secretly. From the mathematically point of view approved cryptography is strong, from the technical however weak. What makes the difference? It is the technical implementation of the mathe- matical construct that makes cryptography applicable in the first place. The implementation however relies on some information processing system which is concurrently the weak point. But why? For one thing the paradox with confidentiality maintaining cryptography is the circum- stance that itself relies on the secrecy of a key. For another thing such information processing systems absorb, preserve, and emit information with the aid of many intentional but also imma- nent unintentional channels; and so the systems do with the key. What is cryptography good for when everybody can get the key? Nothing. It might sound strange but with the implemen- tation one primarily aims at the protection of the cryptography, not the assets. Ideally, the implementation is tailor-made, such that it prevents the emission of information through the system’s unintentional channels — the side-channels. In practice the threat of side-channels is well known and many applications are made subject to a thorough assessment, e.g., Common Criteria for Information Technology Security Evalua- tion (CC). Sounds good? Not really. Commercial products — and Information Technology (IT) security applications are no exception — are driven by competition, increasingly faster time-to- market, and ultimately by profit. Of course, this also applies to the assessment of such products; or does every German citizen really believe that they electronic passport is the safest document on this planet? The side-channel cryptanalysis which is the scientific field of research behind the IT security assessment must be continuously taken forward in order to identify potential weaknesses in an early stage of the product. In the course of this, time is one of the key aspects. It is seriously limited and should hence be efficiently used. In this thesis we place importance on the efficiency of side-channel cryptanalysis. Firstly, we demonstrate how to severely speed-up the runtime of important side-channel analysis prim- itives, namely Correlation Power Analysis (CPA) and profiled side-channel analysis or better known as Template Attacks (TAs) by means of the low-cost parallel computing platform CUDA. Surprisingly, only little effort has been spent on high-efficiency tools in the scientific community, although there is an urgent need in the practice. With Part II of this thesis we aim to fill this gap and evaluate our proposed implementations whereby runtimes can be reduced from several hours to a few seconds. Secondly, we investigate new approaches with respect to profiled side-channel analysis. This kind of analysis is certainly the most powerful since it works on real instead of modeled data. The scientific branch of machine learning can be adopted for large improvements but has been little examined so far. In Part III of this thesis we present two novel approaches which share some similarities but also possess differences that make them complement each other well in some assessment scenarios. In detail, one approach facilitates separating profiling information whilst disregarding counterproductive information at the same time. The other approach makes optimal use of the profiling information by means of reducing its uncertainty to a minimum. Both approaches have in common that they provide an inherent dimensionality reduction which is of uttermost importance in profiled side-channel analysis. In Part IV of this thesis we propose an application of side-channel analysis to protect Intellectual Property (IP). Surely, this is not yet a subject of security assessments, however there is a growing need of tools that are able to reveal counterfeits of IT security applications. Finally, in Part V we go into practical side-channel cryptanalysis when we demonstrate a complete key recovery of the DES and AES co-processor implemented within a hardened security Microcontroller (µC) that finds application in a widely spread Electronic Cash (EC) card in Germany. Keywords. AES, Correlation Power Analysis, Cryptography, CUDA, DES, EC Cards, Graphics Cards, IP Protection, Leakage Prototype Learning, Machine Learning, NIR Backside Microscopy, Real- world Key Recovery, Side-channel Analysis, Support Vector Machines, Template Attacks. x Kurzfassung Uber¨ Effiziente Praktische Seitenkanal-Kryptanalyse Verbesserte Implementierungen, Neue Methoden, Anwendungen und Praxisrelevante Angriffe ryptographie — die Kunst das geschriebene Wort zu verbergen — ist einer der integralen K Bestandteile auf der Welt, der unerl¨asslich fur¨ die Wirtschaft und das politische Zusam- menwirken ist. Kryptographie wird auf schutzenswerte¨ Guter¨ angewandt, die naturlicherweise¨ in verschiedensten Auspr¨agungen vorliegen. Angefangen vom milit¨arischen Dokument uber¨ Fi- nanztransaktionen bis hin zu der elektronischen Identit¨at eines jeden Burgers,¨ beinhaltet deren Schutzbedarf unter anderem Vetraulichkeit, Integrit¨at und Authentizit¨at. Das Aushebeln der Kryptographie ist daher eines der obersten Ziele in allen Bereichen; ein Gesch¨aft, welches auch im Verborgenen ausgeubt¨ wird. Aus mathematischer Sicht ist erprobte Kryptographie stark, aus technischer jedoch schwach. Worin liegt der Unterschied? Es ist die technische Implementierung, die Kryptographie uberhaupt¨ erst nutzbar macht. Die Implementierung jedoch ist auf ein Informationsverarbeitungssystem angewiesen, das gleichzeitig einen Schwachpunkt darstellt. Aber warum? Einserseits ist es die Paradoxie vertraulichkeitswahrender Kryptographie, die selbst auf die Vertraulichkeit eines Schlussels¨ angewiesen ist. Andereseits absorbiert, verwahrt und emittiert solch ein Informa- tionsverarbeitungssystem die Information uber¨ viele nutzbare Kan¨ale, aber auch immanente unbeabsichtigte Kan¨ale; und so verf¨ahrt das System auch mit dem Schlussel.¨ Was nutzt¨ Kryp- tographie wenn jeder den Schlussel¨ erhalten kann? Nichts. Es mag merkwurdig¨ klingen, aber mit der Implementierung steht in erster Linie der Schutz der Kryptographie im Vordergrund, nicht der der Guter.¨ Idealerweise ist die Implementierung maßgeschneidert, sodass keine Infor- mationen uber¨ die unbeabsichtigten Kan¨ale — die Seitenkan¨ale — preisgegeben werden. In der Praxis ist die Gef¨ahrdung durch Seitenkan¨ale wohlbekannt und viele Anwendungen werden umfangreichen Prufungen¨ unterzogen, z.B. Common Criteria for Information Techno- logy Security Evaluation (CC). H¨ort sich gut an? Nicht wirklich. Kommerzielle Produkte — und IT Sicherheitsprodukte stellen keine Ausnahme dar — sind getrieben von Wettbewerb, im- mer kurzer¨ werdenden Entwicklungszeiten und letztendlich durch die Rendite. Naturlich¨ gilt dies auch fur¨ die Prufungen¨ solcher Produkte; oder glaubt etwa jeder deutsche Burger,¨ dass sein elektronischer Ausweis das sicherste Dokument auf diesem Planeten ist? Die Seitenkanal- Kryptanalyse, die als Forschungsgebiet hinter den Prufungen¨ steht, muss kontinuierlich voran- getrieben werden, um Schwachstellen bereits in einer fruhen¨ Phase identifizieren zu k¨onnen. Dabei ist die Zeit ein Schlusselaspekt.¨ Sie ist stark limitiert und sollte daher effizient genutzt werden. In dieser Arbeit legen wir besonderes Gewicht auf die Effizienz der Seitenkanal-Kryptanalyse. Zuerst demonstrieren wir wie die Laufzeit der wichtigsten Analysewerkzeuge,
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages197 Page
-
File Size-