
A Top View of Side Channel Attacks

Adi Shamir, Computer Science Dept., The Weizmann Institute, Israel

The Goal of this talk:


To give a high level survey of the field

To describe some recent developments in side channel attacks

To draw some general conclusions and propose how we should proceed

The SCA FAQ

In this part of the talk I will address some broad questions related to side channel attacks. The families of attacks covered:
- Power (simple, differential, ...)
- EM (wires in chips, whole PCs, ...)
- Timing (in programs, across networks, ...)
- Fault (power glitch, time jitter, ...)
- Visual (CRTs, router LEDs, ...)
- Acoustic (PCs, keyboards, ...)
- Cache (on RSA, AES, ...)

Are side channel attacks new?

- Academic researchers started working on SCA between 1996-1999
- Crypto as a war between cryptographers and cryptanalysts
- Sun Tzu, The Art of War: "In war, avoid what is strong and attack what is weak"

Are side channel attacks new? There is nothing new under the sun

- Spy letters with invisible ink identified by torn fibers
- Secret notes torn from a writing pad read from the page below
- Tempest attack on phone lines during WW1
- Finding spy receivers in London during the 1950s
- Breaking Egyptian rotor machines with an acoustic attack
- Trojaned equipment: sold Enigmas after WW2, CRYPTO AG

Are side channel attacks new?


Foreign embassies vs smart cards: Common themes

- Externally supplied power and communication links
- Vulnerable to probing with microwave radiation, EM and acoustic eavesdropping attacks
- Vulnerable to fault attacks (bribes, blackmail)
- Many SCAs were invented and perfected in this environment

Are side channel attacks new?


A few weeks ago, the NSA released the table of contents of its top secret internal technical journal from the years 1956-1980

- It covers many topics related to the design and analysis of cryptosystems
- Side channel attacks (especially Tempest) are extensively covered
- Surprisingly, there is absolutely no mention of public key cryptography in any of the titles

First page of the released document:

A typical collection of papers on cryptanalysis:

Did SCAs have any impact on the theoretical foundations of crypto?


The standard model of cryptography:

- A cryptosystem is a mathematical function
- Its security is a mathematical theorem
- Protocols are interacting Turing Machines
- A dishonest party can do anything, but an honest party does ONLY what it is supposed to do

The difference between theory and practice:

Is this model still relevant?

- The standard model of cryptography is increasingly problematic due to the existence of SCAs
- Many scenarios today do not fit our assumptions
- However, there is little theoretical analysis of SCAs in academic research papers

How did SCAs affect RSA? A personal perspective

- For 20 years I have studied the provable properties of the RSA function: bit security, relationship to factoring, reductions, RSA vs Rabin, provably secure applications
- RSA seemed to be very robust and well understood
- In 1996, Boneh, DeMillo and Lipton proved that in RSA-CRT, making any single computational mistake completely breaks the scheme by factoring the public modulus
- This exposes the incredible fragility of cryptosystems
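The Boneh-DeMillo-Lipton observation carried through as an added worked example (this is not code from the talk): RSA-CRT signing with one bit flipped in the mod-q half, followed by the two ways the modulus is factored from the result. The toy primes, exponent, message and the single-bit-flip fault model are assumptions chosen for the illustration; the verify-before-release check at the end is the standard countermeasure and is likewise added here rather than taken from the talk.

```python
# RSA-CRT fault attack (Boneh, DeMillo, Lipton): one wrong CRT half factors
# the modulus.  Added illustration; the parameters and the fault model (a
# single flipped bit in s_q) are assumptions, not taken from the talk.
from math import gcd


def rsa_keygen(p, q, e=65537):
    """Toy key generation; p, q are assumed primes with gcd(e, phi) = 1."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (p, q, d)


def sign_crt(m, priv, fault_in_q=False):
    """Sign m with the CRT: s_p = m^d mod p, s_q = m^d mod q, recombined with
    Garner's formula.  fault_in_q models one glitch inside the mod-q half."""
    p, q, d = priv
    n = p * q
    s_p = pow(m, d % (p - 1), p)
    s_q = pow(m, d % (q - 1), q)
    if fault_in_q:
        s_q ^= 1                          # the single computational mistake
    q_inv = pow(q, -1, p)
    h = (q_inv * (s_p - s_q)) % p
    return (s_q + h * q) % n


def sign_crt_checked(m, pub, priv, fault_in_q=False):
    """Countermeasure: verify with the public exponent before releasing s."""
    n, e = pub
    s = sign_crt(m, priv, fault_in_q)
    if pow(s, e, n) != m:
        raise RuntimeError("faulty signature withheld")
    return s


def factor_from_two_sigs(n, s_good, s_bad):
    """s_good and s_bad agree mod p (that half was computed correctly) and
    differ mod q, so their difference is a multiple of p but not of q."""
    return gcd((s_good - s_bad) % n, n)


def factor_from_one_sig(n, e, m, s_bad):
    """Lenstra's variant: s_bad^e == m holds mod p but not mod q, so the
    attacker needs only the faulty signature and the signed message."""
    return gcd((pow(s_bad, e, n) - m) % n, n)


if __name__ == "__main__":
    P, Q = 2**31 - 1, 2**61 - 1               # Mersenne primes, toy sizes
    pub, priv = rsa_keygen(P, Q)
    n, e = pub
    m = 0x2B7E151628AED2A6                    # arbitrary message, m < n
    s = sign_crt(m, priv)
    s_bad = sign_crt(m, priv, fault_in_q=True)
    print("p from two signatures:", factor_from_two_sigs(n, s, s_bad) == P)
    print("p from one signature: ", factor_from_one_sig(n, e, m, s_bad) == P)
```

The gcd returns the prime of the half that was computed correctly, so a fault anywhere in the mod-q computation (not just the bit flip modelled here) gives p. The one-signature variant matters in practice because a device that never signs the same message twice is still broken; the only robust fix at the implementation level is to verify the signature with e before it leaves the device, as `sign_crt_checked` does.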

Is there a systematic approach to SCAs?


Unfortunately, the situation is similar to airport security:

- Each attack utilizes a completely different approach
- Each countermeasure works only against a specific attack
- We have no way to predict the next attack, and protecting against all conceivable attacks is impossible

Is there a systematic approach to SCAs?


This is very different than the classical cryptanalytic problem of block ciphers in which:

- We do not know all the possible attacks, but the number of completely different ideas seems to be very limited
- New attacks are often only of theoretical interest
- Most of the attacks can be overcome in principle by the common strategy of having sufficiently many rounds, and having large margins of safety against known attacks

Should we change the way we design new cryptosystems?


SCAs put in doubt our main philosophy:

- Let's choose a good cryptosystem such as AES which resists all the classical cryptanalytic attacks
- Separately, let us implement it in a way that avoids the known side channel attacks

Problem: implementors often do not know the choice of platform, or it can change over time, but the countermeasures (e.g., against timing or cache attacks) can depend on the microprocessor

Should we change the way we design new cryptosystems?


Many of the techniques we use to protect block ciphers against classical attacks are actually counterproductive against SCAs:

- Longer keys are more vulnerable to timing attacks
- Larger S-boxes are more vulnerable to cache attacks
- A large variety of different types of operations makes it easier to apply simple power analysis

Should we change the way we design new cryptosystems?


SCAs even put in doubt our main construction tool:

To build a strong block cipher, compose a large number of weak steps. This ignores the fact that intermediate values may leak out, and weak steps are easy to analyze

Should we change the way we design new cryptosystems?


Perhaps we should:

- Use only large chunks of key and data (e.g., 64 bits) to make it harder to exploit Hamming weight information and to exhaustively search for explanations of partially exposed intermediate values
- Make better use of the inherent parallelism of modern microprocessors
- Ask Intel to add a dedicated security coprocessor to implement AES/RSA in its future microprocessors

Which SCA has a lot of untapped potential?

- Timing attacks provide only a few bits of data, and are the easiest to avoid
- Probing attacks on smart cards typically record few wires
- Differential power analysis ignores most of the data, looking just for differences in behavior between averages
- Simple power analysis provides a huge amount of data, but we do not currently know how to exploit it. I expect a lot of progress in this area in the next few years

Which area is likely to be least affected by SCAs?


- Hash functions have no secrets
- Collisions are not likely to be known by anyone

Which area is likely to be most affected by SCAs?


- Quantum cryptography
- Its main claim to fame is its perfect provable security
- At least two attacks have been described so far, and others are likely: an acoustic attack and a light pulse attack
- If found, they can make this expensive and cumbersome solution unattractive

What are the latest trends in SCAs?


- The original SCA attacks concentrated on small systems such as smart cards or peripherals
- There is new emphasis now on larger systems such as PCs
- There is some initial interest in tiny systems such as RFID tags

Example: How can we apply a lunchtime power analysis attack to desktop PCs?

- The attacker cannot easily cut the power cord or open the box
- A possible solution: the USB connector. It supplies both power and data to external devices
- Many security programs control the USB connection

The Spectrum of USB power

The spectrum of USB power with power cutoff

The real-time signal of USB power at 294 kHz during OpenSSL decryption

Cache Attacks:
A new family of side-channel attacks, developed simultaneously in 2005/6 by:
- Bernstein (basic idea, partial AES key recovery)
- Percival (attack on RSA)
- Osvik, Shamir and Tromer (full attack on AES)

Cache Attacks:

- Pure software attacks
- Very efficient (e.g., full AES key extraction from a Linux encrypted file system in 65 ms; require only the ability to run code in parallel on the target machine)
- Compromise otherwise well-secured systems (e.g., VPNs using AES)
- Can be used to attack virtualized machines (e.g., jail(), Xen, UML, Virtual PC, VMware) using untrusted code (e.g., ActiveX, Java applets, managed .NET, JavaScript)

(Overlaid on the slide: NSA, US Patent 6,922,774)

Basic cache technology

[Figure: CPU core (60% speed increase per year) <-> CPU cache memory (typical latency: 0.3 ns) <-> main memory / DRAM (typical latency: 50-150 ns; 7-9% latency decrease per year). Memory block: 64 bytes; cache line: 64 bytes; cache set: 4 cache lines]

A typical software implementation of AES

```c
#include <stdint.h>

uint8_t  p[16], k[16];                         /* plaintext and key */
uint32_t T0[256], T1[256], T2[256], T3[256];   /* lookup tables */
uint32_t Col[4];                               /* intermediate state */
/* ... */
/* Round 1 */
Col[0] = T0[p[ 0]^k[ 0]] ^ T1[p[ 5]^k[ 5]] ^ T2[p[10]^k[10]] ^ T3[p[15]^k[15]];
Col[1] = T0[p[ 4]^k[ 4]] ^ T1[p[ 9]^k[ 9]] ^ T2[p[14]^k[14]] ^ T3[p[ 3]^k[ 3]];
Col[2] = T0[p[ 8]^k[ 8]] ^ T1[p[13]^k[13]] ^ T2[p[ 2]^k[ 2]] ^ T3[p[ 7]^k[ 7]];
Col[3] = T0[p[12]^k[12]] ^ T1[p[ 1]^k[ 1]] ^ T2[p[ 6]^k[ 6]] ^ T3[p[11]^k[11]];
```

lookup index = plaintext XOR key (and the parameters are favorable to the attack)

Measuring the effect of the encryption on the cache

[Figure: the attacker's memory and the AES table T0 both map into the same cache, backed by DRAM; programs compete for cache locations]

Measurement via effect of encryption on cache:
1. Completely evict the tables from the cache
2. Trigger a single encryption
3. Access the attacker's memory again and see which cache sets are slow
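A simulation of the evict / encrypt / probe cycle above, and of the statistics that turn a pile of such measurements into key bits, added here as an example (it is not the code of Osvik, Shamir and Tromer). Its assumptions: 64-byte cache lines holding 16 four-byte table entries, so each lookup leaks index >> 4; the byte-to-table mapping of the Round 1 code above (byte j is looked up in table j mod 4); the lookups of rounds 2-10 modelled as random; and a 10% error on each "is this set slow?" probe. Only the high nibble of each key byte is recovered, which is what a single first-round analysis yields; the second-round analysis that recovers the remaining 64 bits is not shown.

```python
# Simulated synchronous Prime+Probe attack on the first AES round (after
# Osvik, Shamir, Tromer).  Added illustration, not the paper's code.
# Assumptions: 64-byte lines of 16 four-byte entries, so a lookup at index i
# leaks i >> 4; key byte j is looked up in table j % 4 (the Round 1 code on
# the slide); rounds 2..10 are modelled as random lookups; 10% probe error.
import random

LINE_BITS = 4               # 16 entries per cache line
SETS = 1 << LINE_BITS       # a 1 KB table spans 16 cache sets
LATER_LOOKUPS = 36          # per-table lookups in rounds 2..10 (assumed random)
PROBE_ERROR = 0.10          # chance that one "is this set slow?" probe misreads


def prime_probe_sample(key, plaintext, rng):
    """One evict / encrypt / probe cycle.  Returns one 16-bit mask per table:
    bit s is set if the attacker saw cache set s as slow (i.e. touched)."""
    touched = [set() for _ in range(4)]
    for j in range(16):                               # round 1: deterministic
        touched[j % 4].add((plaintext[j] ^ key[j]) >> LINE_BITS)
    for t in range(4):                                # later rounds: modelled
        for _ in range(LATER_LOOKUPS):                # as key-independent noise
            touched[t].add(rng.randrange(SETS))
    masks = []
    for t in range(4):
        mask = 0
        for s in range(SETS):
            slow = s in touched[t]
            if rng.random() < PROBE_ERROR:            # measurement error
                slow = not slow
            mask |= int(slow) << s
        masks.append(mask)
    return masks


def recover_high_nibbles(samples):
    """For each key byte j and candidate high nibble h, count how often the
    set predicted by h, (p[j] >> 4) ^ h, was seen slow.  The true nibble's set
    is touched in every encryption; a wrong one only by later-round chance."""
    nibbles = []
    for j in range(16):
        t = j % 4
        score = [0] * SETS
        for p, masks in samples:
            p_hi = p[j] >> LINE_BITS
            for h in range(SETS):
                score[h] += (masks[t] >> (p_hi ^ h)) & 1
        nibbles.append(max(range(SETS), key=score.__getitem__))
    return nibbles


def run_attack(key, n_samples=3000, seed=1):
    """Collect n_samples random-plaintext encryptions and recover k[j] >> 4."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n_samples):
        p = bytes(rng.randrange(256) for _ in range(16))
        samples.append((p, prime_probe_sample(key, p, rng)))
    return recover_high_nibbles(samples)


if __name__ == "__main__":
    # constructed test key: the AES-128 example key from FIPS-197 Appendix B
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    found = run_attack(key)
    print("recovered high nibbles:", [f"{x:x}" for x in found])
    print("correct:", found == [b >> 4 for b in key])
```

Under these assumptions the correct candidate's set is observed slow in about 90% of samples and a wrong candidate's in about 84%, so a few thousand samples separate them by several standard deviations; on real hardware the attacker gets the mask from timing its own accesses to each set, and the noise comes from other processes, prefetching and the later rounds rather than from a fixed error rate.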

Experimental example

[Figure: Measuring a Linux 2.6.11 dm-crypt encrypted filesystem with ECB AES on an Athlon 64, using 30,000 samples. Horizontal axis: evicted cache set. Vertical axis: p[0]. Brightness: encryption time (normalized). Left: raw. Right: after subtracting the cache set average]

Power Analysis of RFID Tags

- An RFID tag is a very simple computer, usually associated with a physical object
- Tags communicate with a powerful reader over a wireless link
- EPC tags: passive tags, radiatively coupled, 900 MHz, read/write memory

Components of the EPC RFID System

- The reader has a powerful antenna and an external power supply
- The reader surrounds itself with an electromagnetic field
- The tag is illuminated by this field

[Figure: Tag / Reader]

Reader-Tag Data Exchange

- The reader sends commands to the tag via pulse amplitude modulation
- The tag sends responses to the reader via backscatter modulation

[Figure: Tag / Reader]

The lab setup

Summary of the attack:

- The RF power reflected by an RFID tag is dependent on its internal power consumption
- This property allows power analysis attacks to be performed over a distance in a completely passive way
- In the short term, it can be used to extract the kill or access passwords of EPC tags

Cracking passwords with power analysis

- We send the password to a secure device bit by bit
- The first wrong bit is very exciting
- This allows the password to be recovered in linear time
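The bit-serial check and its linear-time recovery, as an added example (not from the talk): the tag model below compares the submitted password bit by bit and stops at the first mismatch, and the attacker reads the number of bits compared off the length of the power trace. That abstraction of the trace, the 32-bit password length and the concrete password are assumptions. The constant-time variant at the end is added as the software-side counterpart of a countermeasure and is not something the talk proposes.

```python
# Bit-by-bit password recovery from an early-abort comparison.  Added
# illustration; the tag model (abort at the first mismatch, trace length
# equals bits compared) is an assumption standing in for the measured trace.
PASSWORD_BITS = 32          # EPC Gen2 kill/access passwords are 32 bits


class LeakyTag:
    """Compares MSB-first and stops at the first wrong bit."""

    def __init__(self, password):
        self.password = password

    def check(self, guess):
        """Returns (accepted, bits_compared).  bits_compared is what the
        attacker reads off the reflected power: how far the tag got."""
        for i in range(PASSWORD_BITS):
            bit = PASSWORD_BITS - 1 - i
            if ((guess >> bit) & 1) != ((self.password >> bit) & 1):
                return False, i + 1       # trace ends after the i-th bit
        return True, PASSWORD_BITS


class ConstantTimeTag(LeakyTag):
    """Compares every bit regardless, so the trace length carries no info."""

    def check(self, guess):
        diff = 0
        for bit in range(PASSWORD_BITS):
            diff |= ((guess ^ self.password) >> bit) & 1
        return diff == 0, PASSWORD_BITS


def recover_password(tag):
    """Fix one bit per query: with the prefix already correct and the current
    bit guessed as 0, a trace that stops exactly at this bit means it is 1.
    Returns (password or None, number of queries)."""
    guess, queries = 0, 0
    for i in range(PASSWORD_BITS):
        accepted, compared = tag.check(guess)
        queries += 1
        if accepted:
            return guess, queries
        if compared == i + 1:             # the first wrong bit is this one
            guess |= 1 << (PASSWORD_BITS - 1 - i)
    accepted, _ = tag.check(guess)
    return (guess if accepted else None), queries + 1


if __name__ == "__main__":
    password = 0xA5C3F10E                 # constructed example password
    print("leaky tag:        ", recover_password(LeakyTag(password)))
    print("constant-time tag:", recover_password(ConstantTimeTag(password)))
```

Against the leaky tag the loop needs at most 33 queries for a 32-bit password instead of 2^32 guesses. Note that comparing all bits only closes the trace-length channel; the per-bit power consumption can still differ, which is why the countermeasure presented later in the talk works on the power supply rather than on the comparison logic.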

Existence of parasitic backscatter (1)

- The trace shows the signal reflected from a Generation 1 tag during a kill command
- The tag is supposed to be completely silent. Is it? Let's zoom in

[Figure: power vs time]

Existence of parasitic backscatter (2)

- The distinctive saw-tooth pattern is added by the tag to the clean reader signal
- Probably caused by the tag's power extraction circuit
- We can show that thirsty tags reflect more power

[Figure: power vs time; reflection from the tag superimposed on the original signal from the reader]

Extracting one password bit

[Figure: power vs time for two traces. In both cases the tag gets 0000 0000; in the first it is expecting 1111 1111, in the second it is expecting 0000 0001]

Countermeasure: Double-buffered power supply

- Decouple the power supply from the consumers
- Compatible with current RF front ends
- Often used in embassies

[Figure: Power Extraction -> Tag Logic]

Summary:

- New types of side channel attacks are found and published every few months
- Recent discoveries of side channel attacks far outnumber those of classical cryptanalytic attacks
- SCAs are much more practically significant than classical attacks, but they are receiving less attention, especially by the theoretical and academic communities
- We should completely rethink the issues of how to develop and implement new crypto applications

Thank you!
