5. RSA recap
• RSA is based on modular exponentiation (C = M^k mod n)
• Binary (square-and-multiply) exponentiation, key bits most significant first:
  – C := 1
  – For each key bit ki do:
    • C := C * C
    • If ki = 1, then C := M * C
• Number operations are performed by a numerical co-processor (multi-bit)
• Algorithm execution is a sequence of square and/or multiply operations, e.g.
  S M   S   S   S M   S M   S   S M   …
   1    0   0    1     1    0    1
7. Problem analysis
• Problem discovered in a card produced in 2004
• Basic countermeasure would be square-and-always-multiply:
  – C := 1
  – For each key bit ki do:
    • C := C * C
    • D := M * C
    • If ki = 1, then C := D
    • else D := C            // dummy statement, executed in the same time
• Algorithm execution is then a uniform sequence of square and multiply operations:
  S M   S M   S M   S M   S M   …
   ?     ?     ?     ?     ?
• But that costs time and memory
Restricted 7
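The two loops above rendered in Python, as an added example that is not code from the slides: every squaring and multiplication is logged in the order the co-processor would execute it, which is the sequence an attacker reads off the power trace. key_from_spa_trace reads the key bits back out of such a sequence and is applied to both variants, which shows why the always-multiply version leaks nothing. The modulus, base and key bits used below are constructed toy values.

```python
def square_and_multiply(m, key_bits, n, trace=None):
    """Left-to-right binary exponentiation from slide 5 (key bits MSB first).
    Every square appends "S" and every multiply "M" to `trace`, standing in
    for the co-processor activity that is visible in the power trace."""
    trace = trace if trace is not None else []
    c = 1
    for bit in key_bits:
        c = (c * c) % n
        trace.append("S")
        if bit:
            c = (m * c) % n
            trace.append("M")
    return c


def square_and_always_multiply(m, key_bits, n, trace=None):
    """Slide 7's countermeasure: the multiply is always executed and its
    result is discarded (dummy) when the key bit is 0."""
    trace = trace if trace is not None else []
    c = 1
    for bit in key_bits:
        c = (c * c) % n
        trace.append("S")
        d = (m * c) % n
        trace.append("M")
        if bit:
            c = d
        else:
            d = c  # dummy assignment, takes the same time as the real one
    return c


def key_from_spa_trace(trace):
    """Simple power analysis of the S/M sequence: an "S" followed by "M" is a
    1 bit, an "S" followed by another "S" (or by the end) is a 0 bit.
    Applied to a square-and-always-multiply trace it reads every bit as 1,
    i.e. it learns nothing about the key."""
    bits, i = [], 0
    while i < len(trace):
        if trace[i] != "S":
            raise ValueError("every step must start with a square")
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append(1)
            i += 2
        else:
            bits.append(0)
            i += 1
    return bits


if __name__ == "__main__":
    key = [1, 0, 0, 1, 1, 0, 1]          # constructed toy key (the slide's example)
    for algorithm in (square_and_multiply, square_and_always_multiply):
        trace = []
        algorithm(5, key, 1009, trace)  # constructed toy base and modulus
        print(algorithm.__name__, " ".join(trace), "->", key_from_spa_trace(trace))
```

The unprotected loop produces exactly the slide's S M S S S M S M S S M for the key 1 0 0 1 1 0 1, and the bits fall straight out of it; the always-multiply loop produces S M seven times whatever the key is. The dummy multiply is itself a known fault target (corrupt it and check whether the output changes, a so-called safe-error attack), which is one more reason the slides call it only a basic countermeasure.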
8. Perspectives on the side channel issue
Four perspectives (figure): Cost, Applications, Technology, Maturity
9. Maturity
• Players come and go
  – Developers: new people re-introduce old errors…
  – Manufacturers: emerging countries face the same challenges…
• Countermeasures
  – “Defenders” solve vulnerabilities
  – “Attackers” extend and improve exploits
• Example: DFA on RSA-CRT, an ongoing battle
10. Fault injection mechanisms
The aim of these manipulations is to change a value read from memory into another value
• Voltage glitching
• Clock glitching
• Optical glitching
11. Differential Fault Analysis
• Force a computational error in a few cryptographic operations
• Monitor correct and faulty encryption results
• Extract the secret key by analysis and comparison of correct and faulty results
• Notorious example: RSA in CRT mode: only one faulty signature is enough!
Flow (figure): input message → RSA-CRT signing with the private key, fault injected → corrupt signature → mathematical analysis with the public key → private key
12. CRT implementation of RSA
Efficient signing implementation splits the exponentiation into two half-size ones:
precompute
  dp = d mod (p-1)
  dq = d mod (q-1)
  K  = p^(-1) mod q
exponentiation
  Sp = M^dp mod p
  Sq = M^dq mod q
recombination
  S = ( ( (Sq - Sp)*K ) mod q ) * p + Sp
13. Bellcore attack: DFA on CRT
Inject a fault during CRT that corrupts Sq:
S'q is a corrupted result of the Sq computation
S' = ( ( (S'q - Sp)*K ) mod q ) * p + Sp
Subtract S' from S:
S - S' = (((Sq - Sp)*K) mod q)*p - (((S'q - Sp)*K) mod q)*p
       = (x1 - x2)*p mod n = x*p mod n      (a multiple of p, non-zero mod q since S'q ≠ Sq)
compute Gcd( S - S', n ) = Gcd( x*p, p*q ) = p
compute q = n / p
RSA-CRT private key recovered once the primes are known
14. First defense against DFA on RSA-CRT
• DFA generally requires multiple signatures of the same text
• Crypto-protocols have been (re)designed such that messages are padded with random data before signing
• The randomness results in a “unique” input for each signature, and the two-signature DFA is no longer possible
• Until a new attack was developed…
15. DFA on CRT improvement
• Original Bellcore attack requires one good and one faulty signature
• Improved single-signature attack needs only a faulty signature:
  S - S' = x*p mod n                 (S' agrees with S modulo p, so the difference is a multiple of p)
  M = S^e mod n = (S' + x*p)^e mod n
  (S' + x*p)^e = S'^e + sum_{i=1..e} C(e,i) * S'^(e-i) * (x*p)^i = S'^e + p*x*k  (mod n)
  M - S'^e = p*x*k  (mod n)
  Gcd( (M - S'^e) mod n, n ) = Gcd( p*x*k, p*q ) = p
• Only the message, the faulty signature and the public key are needed!
• Single-signature DFA attack breaks RSA-CRT again
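Slides 12 to 15 carried through in Python, as an added example that is not code from the slides. The toy key uses two Mersenne primes so the numbers stay small; flip_low_bit stands in for the glitch that corrupts Sq; pad is a constructed stand-in for the randomised padding of slide 14, not a real padding scheme. Both gcd attacks and the effect of the padding are a few lines each:

```python
from math import gcd

# Constructed toy key: two Mersenne primes, so everything is checkable by hand.
# Real keys have a 2048-bit or larger n; the attack does not depend on the size.
P = (1 << 61) - 1
Q = (1 << 31) - 1
E = 65537


def keygen(p=P, q=Q, e=E):
    """Returns (n, e, d) for the toy key."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return n, e, d


def crt_sign(m, p, q, d, fault=None):
    """RSA-CRT signing as on slide 12. `fault`, if given, is applied to Sq and
    models a glitch that corrupts the q half of the computation."""
    dp, dq = d % (p - 1), d % (q - 1)
    k = pow(p, -1, q)            # K = p^-1 mod q
    sp = pow(m, dp, p)
    sq = pow(m, dq, q)
    if fault is not None:
        sq = fault(sq)           # S'q: corrupted result of the Sq computation
    return (((sq - sp) * k) % q) * p + sp


def flip_low_bit(x):
    """Stand-in for the glitch: any change of Sq modulo q works."""
    return x ^ 1


def bellcore_two_signatures(s, s_faulty, n):
    """Original attack: S and S' agree modulo p (Sp was not touched) but not
    modulo q, so S - S' is a non-zero multiple of p and gcd(S - S', n) = p."""
    return gcd(s - s_faulty, n)


def bellcore_single_signature(m, s_faulty, n, e):
    """Single-signature variant: S'^e == M mod p but not mod q, so
    gcd(M - S'^e, n) = p. Needs only the (padded) message, the faulty
    signature and the public key."""
    return gcd((m - pow(s_faulty, e, n)) % n, n)


def pad(m, salt, bits=48):
    """Toy randomised padding (constructed for the demo, not a real scheme):
    the signer appends `bits` random bits so no two signing inputs are equal."""
    return (m << bits) | (salt & ((1 << bits) - 1))


if __name__ == "__main__":
    import random
    n, e, d = keygen()
    m = 0xCAFE1234                                   # constructed message, m < n
    s, s_bad = crt_sign(m, P, Q, d), crt_sign(m, P, Q, d, fault=flip_low_bit)
    print("two-signature attack recovers p:   ", bellcore_two_signatures(s, s_bad, n) == P)
    print("single-signature attack recovers p:", bellcore_single_signature(m, s_bad, n, e) == P)
    # Slide 14's defence: every signing input is unique, so there is no good
    # signature of the same input to subtract from the faulty one.
    m1, m2 = pad(m, random.getrandbits(48)), pad(m, random.getrandbits(48))
    s1, s2_bad = crt_sign(m1, P, Q, d), crt_sign(m2, P, Q, d, fault=flip_low_bit)
    print("two-signature attack, random padding:  ", bellcore_two_signatures(s1, s2_bad, n) == P)
    # Slide 15: still broken as soon as the attacker knows the padded input m2.
    print("single-signature attack, known padding:", bellcore_single_signature(m2, s2_bad, n, e) == P)
```

Run stand-alone it prints which attacks recover p. The randomised padding makes the two-signature gcd useless because there is no longer a good signature of the same input (the gcd comes out as 1 rather than p), while the single-signature gcd works as soon as the attacker knows the padded input, which is exactly why the next slide keeps that padding secret.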
16. Second defense against DFA on RSA-CRT
• Single-signature DFA on RSA-CRT requires knowledge of the plaintext
• Crypto-protocols improved by keeping the random padding secret
• Unknown plaintext renders single-signature DFA impossible
• Until a new attack is developed…
17. Partial input recovery
• A lattice is a mathematical structure: the set of all integer combinations of a set of basis vectors
• Lattices can be used to find partially unknown data in a vector set by solving the Closest Vector Problem
• Multiple different partially unknown messages are modelled as a lattice
• It is now possible to solve these for limited “gaps” (the unknown part of each message)
18. DFA on RSA-CRT made possible again?
• “Bellcore” attack countered twice by including secret random data in the signature
  – Message is unique
  – Message is partially unknown
  – Key should be protected even when fault injection is successful
• Partial input recovery can already determine secret data up to 6 bytes
• Attack may break many crypto applications without hardware protection against fault injection
19. Perspectives on the side channel issue
Four perspectives (figure): Cost, Applications, Technology, Maturity
22. ECDSA
• Private key d and public key Q (where Q = d*G, G the generator point of order n)
• To sign a message m:
  • Calculate z = leftmost bits of HASH(m)
  • Select a random (secret, per-signature) integer k
  • Calculate r = x-coordinate of k*G (mod n)
  • Calculate s = k^(-1) * (z + r*d) (mod n)
• The signature is the pair (r, s)
Attack with DPA
23. Big Number multiplication
Big number multiplication of r and d is split into smaller (byte-wise) parts:

  Bytes of r                          r2      r1      r0
  Bytes of d                          d2      d1      d0
  ------------------------------------------------------- *
  Intermediates                    r2*d0   r1*d0   r0*d0
  Intermediates            r2*d1   r1*d1   r0*d1
  Intermediates    r2*d2   r1*d2   r0*d2
  ------------------------------------------------------- +

• Parts of the private key d are multiplied with known parts of r
• Hypothetical values of di can be tested by correlating traces
24. Differential Power Analysis
• The differential trace (difference of the mean traces of two data groups) shows where power consumption depends on the data processed
• The S/N ratio can be improved by:
  • averaging multiple traces before subtraction
  • computing the correlation with the Hamming weight of the intermediate rather than with a single bit value
25. Correlation for intermediate values
• The peaks of the correlation traces are sorted over the hypothetical di values
• The highest peak reveals the correct di value
• Repeat for all key parts
• Key revealed!
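Slides 23 to 25 as one added example in Python, not code from the slides. The leakage is simulated rather than measured: every partial product r_j * d_i of the schoolbook multiplication leaves one sample, assumed to be the Hamming weight of the product's low byte plus Gaussian noise, with r standing in for the public r of the ECDSA signature. The key bytes, the noise level and the trace count are constructed values. recover_key_bytes is the correlation step of slide 25: rank the 256 hypotheses for a key byte by the highest peak in their correlation trace and use the peak positions to put the recovered bytes back in order.

```python
import random


def hamming_weight(x):
    """Number of set bits: the usual power model for a value on a register or bus."""
    return bin(x).count("1")


def partial_products(r_bytes, d_bytes):
    """The intermediates of the slide's schoolbook multiplication, in processing
    order: row i handles key byte d_i, column j the public byte r_j."""
    return [r_bytes[j] * d_bytes[i]
            for i in range(len(d_bytes)) for j in range(len(r_bytes))]


def simulate_traces(d_bytes, n_traces, sigma=0.5, seed=7):
    """Constructed leakage (assumed model): one sample per partial product, the
    Hamming weight of the low byte of r_j*d_i plus Gaussian noise. r is random
    and public, as the r of an ECDSA signature is."""
    rng = random.Random(seed)
    rs, traces = [], []
    for _ in range(n_traces):
        r_bytes = [rng.randrange(256) for _ in d_bytes]
        trace = [hamming_weight(p & 0xFF) + rng.gauss(0.0, sigma)
                 for p in partial_products(r_bytes, d_bytes)]
        rs.append(r_bytes)
        traces.append(trace)
    return rs, traces


def _center(xs):
    """Mean-centred copy of xs and its Euclidean norm (for Pearson correlation)."""
    mean = sum(xs) / len(xs)
    c = [x - mean for x in xs]
    return c, sum(v * v for v in c) ** 0.5


def correlation_trace(hyp, columns):
    """Pearson correlation of one hypothesis vector with every sample column."""
    h, hn = _center(hyp)
    if hn == 0.0:
        return [0.0] * len(columns)
    return [sum(a * b for a, b in zip(h, c)) / (hn * cn) if cn else 0.0
            for c, cn in columns]


def recover_key_bytes(rs, traces, n_key_bytes, j=0):
    """CPA on the r_j * d_i intermediates: for every guess of a key byte, model
    HW(low byte of r_j * guess), correlate it with all samples and keep the
    highest peak. The n_key_bytes best guesses are the key bytes; sorting them
    by the time (sample index) of their peak restores the order d_0, d_1, ..."""
    columns = [_center([t[s] for t in traces]) for s in range(len(traces[0]))]
    ranked = []
    for guess in range(256):
        hyp = [hamming_weight((r[j] * guess) & 0xFF) for r in rs]
        ct = correlation_trace(hyp, columns)
        peak = max(range(len(ct)), key=lambda s: abs(ct[s]))
        ranked.append((abs(ct[peak]), peak, guess))
    best = sorted(ranked, reverse=True)[:n_key_bytes]
    return [guess for _, _, guess in sorted(best, key=lambda t: t[1])]


if __name__ == "__main__":
    secret = [0x9E, 0x37, 0xC4]        # constructed key bytes d_0, d_1, d_2
    rs, traces = simulate_traces(secret, 1500)
    print([hex(b) for b in recover_key_bytes(rs, traces, len(secret))])
```

With the constructed parameters 1500 traces are plenty; the margin that matters is not against the noise but against the near relatives of the correct hypothesis (the guess that differs only in its top bit shares seven of the eight modelled bits), and in a real measurement that margin sets the trace count. The model deliberately targets the byte written back rather than the whole product: the Hamming weight of a full-width product is identical for a guess and its double as long as nothing overflows, so those two hypotheses would be indistinguishable.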
26. Perspectives on the side channel issue
Four perspectives (figure): Cost, Applications, Technology, Maturity
27. Technology
New inventions may help defenders and/or attackers
Example: fast improvement of fault injection tools
43. Real time multi glitching process (slides 43-49)
short pin_check(byte* buffer) {
  if (pin_ctr > 0) {
    random_delay();
    if (pin_ctr <= 0) suicide();                // counter tested twice: a glitch on the first test is caught here
    pin_ctr--;                                  // decremented before the compare
    if (array_compare(pin, buffer, 4) == 0) {   // PIN ok at first check
      random_delay();
      if (array_compare(pin, buffer, 4) != 0) suicide();   // second compare disagrees: tampering
      else { … }                                // PIN ok
    } else { … }                                // PIN not ok at first check
  }
}
Every test is done twice with a random delay in between, so a single glitch is not enough; the attack is run in real time against the card as a sequence of trigger and glitch steps:
1. Find end with smart triggering
2. Glitch condition
3. Find begin with smart triggering and force power down
4. Glitch condition
5. Find end with smart triggering
6. Glitch condition
7. Find begin with smart triggering and force power down
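The hardened check above simulated in Python, as an added example that is not code from the slides, to show what the sequence of glitches has to achieve. A fault is modelled as inverting the outcome of one conditional test, numbered in execution order; random_delay() is left out because it only matters for timing the glitches on real hardware, and the behaviour with an exhausted counter, which the slides do not show, is assumed to be a refusal.

```python
class Killed(Exception):
    """suicide(): the card detects tampering and disables itself."""


class Card:
    """Python rendering of the slides' pin_check (added example). The PIN is
    4 bytes, as in array_compare(pin, buffer, 4)."""

    def __init__(self, pin, pin_ctr=3):
        self.pin = bytes(pin)
        self.pin_ctr = pin_ctr

    def pin_check(self, buffer, glitches=frozenset()):
        """Returns True if the PIN is accepted, False if refused, and raises
        Killed on suicide(). `glitches` holds the indices (execution order,
        starting at 0) of the conditional tests hit by a fault; a hit inverts
        that test's outcome."""
        evaluated = 0

        def test(outcome):
            nonlocal evaluated
            hit = evaluated in glitches
            evaluated += 1
            return (not outcome) if hit else outcome

        if test(self.pin_ctr > 0):                       # test 0
            if test(self.pin_ctr <= 0):                  # test 1: counter re-checked
                raise Killed("counter re-check failed")
            self.pin_ctr -= 1                            # decrement before comparing
            if test(self.pin == bytes(buffer)):          # test 2: PIN ok at first check
                if test(self.pin != bytes(buffer)):      # test 3: compared again
                    raise Killed("PIN re-check failed")
                return True                              # PIN ok
            return False                                 # PIN not ok at first check
        return False                                     # assumed: no attempts left


def outcome(card, buffer, glitches=frozenset()):
    """Runs one attempt and reports it as "ok", "refused" or "killed"."""
    try:
        return "ok" if card.pin_check(buffer, glitches) else "refused"
    except Killed:
        return "killed"


if __name__ == "__main__":
    # Wrong PIN, counter available: which tests must be glitched?
    for glitches in (set(), {2}, {3}, {2, 3}):
        print(sorted(glitches), outcome(Card(b"1234"), b"0000", glitches))
    # Correct PIN but counter exhausted: one glitch is caught, two get through
    for glitches in ({0}, {0, 1}):
        print(sorted(glitches), outcome(Card(b"1234", pin_ctr=0), b"1234", glitches))
```

A glitch on the first PIN compare alone is caught by the second compare and ends in suicide(); only a glitch on each of the two compares lets a wrong PIN through, and likewise two glitches are needed to get past an exhausted counter. The random delay between the paired tests is what forces the attacker into the find/glitch/find/glitch sequence of the slides instead of one fixed timing.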
51. Conclusion
• Side channel attacks have existed for more than a decade
• Developments analysed from four perspectives:
  – Cost
  – Maturity
  – Applications
  – Technology
• All perspectives show that the threat remains
• Attacks have become mainstream
52. Questions & Discussion
Marc Witteman
witteman@riscure.com
Riscure B.V.
Frontier Building
Delftechpark 49
2628 XJ Delft
The Netherlands
Phone: +31 (0)15 251 4090
www.riscure.com
Thank you