DPA : Attaques et Contre-mesures

Transcription

1 SECURE DPA : Attaques et Contre-mesures Shivam BHASIN, Taoufik CHOUTA, Guillaume DUC, Jean-Luc DANGER, Aziz EL AABID, Florent FLAMENT, Philippe HOOGVORST, Tarik GRABA, Sylvain GUILLEY, Houssem MAGHR EBI, Olivier MEYNARD, Maxime NASSAR, Renaud PACALET, Laurent SAUVAGE, Nidhal SELMANE and Youssef SOUISSI. Institut TELECOM / TELECOM-ParisTech CNRS LTCI (UMR 5141) SECURE GDR SoC-SiP 14:00 14:45 AMPHI SAPHIR, TELECOM ParisTech, PARIS. 1/42

2 Presentation Outline 1 2 Side-Channels Side-Channels Acquisitions Attack Algorithms 3 Protocol-Level Register Transfer Level Netlist Level 4 Attack on Information Masking Attack on Information Hiding 5 Conclusions Perspectives 2/42

3 Presentation Outline 1 2 Side-Channels Side-Channels Acquisitions Attack Algorithms 3 Protocol-Level Register Transfer Level Netlist Level 4 Attack on Information Masking Attack on Information Hiding 5 Conclusions Perspectives 3/42

4 SECURE Adversary s goal Secrets extraction. Protection Conceal the secrets in a device (ASIC) or in the bitstream of an FPGA. Representativity of the study Most problems come down to this... Example: Fetching a data in an encrypted memory decrypt the memory, attack the CPU, use side-channel attacks = SCA (for instance). 4/42

5 SECURE There are other applications of SCA SCARE: secret cryptography. Test (virtual oscilloscope). Subliminal channel for IPs watermarking. 5/42

6 Presentation Outline 1 2 Side-Channels Side-Channels Acquisitions Attack Algorithms 3 Protocol-Level Register Transfer Level Netlist Level 4 Attack on Information Masking Attack on Information Hiding 5 Conclusions Perspectives Side-Channels Side-Channels Acquisitions Attack Algorithms 6/42

7 Typical side-channels Side-Channels Side-Channels Acquisitions Attack Algorithms EMA SPA, DPA, templates, etc. Timing Attacks [5]. TA Attacked circuit Time Power Analysis Attacks [6]. Electro-magnetic Attacks [1]. 7/42

8 Are SCAs intrusive? Side-Channels Side-Channels Acquisitions Attack Algorithms (SCA) versus Fault Injection Attacks (FIA) SCA: passive FIA: active But what about the experimental setup? Non-intrusive Intrusive Deportable IC (smartcard) Timing, power, EM Soldered IC or BGA (FPGA) Timing, EM power The know-how in measurements is capital. The 3rd version ( ) of the DPA contest ( will have an acquisition competition, based on SASEBO GII. 8/42

9 Side-Channels Side-Channels Acquisitions Attack Algorithms ALTERA Excalibur evaluation board customized for DPA 9/42

10 Side-Channels Side-Channels Acquisitions Attack Algorithms Parallax ALTERA Stratix board customized for DPA [3] Serial port Pads and board supply (5.0 V) FPGA Side-channel measurement Core supply (1.5 V) 10/42

11 Side-Channels Side-Channels Acquisitions Attack Algorithms XCV800 home-made board suitable for global EMA Antenna Acquisition setup Pictures are courtesy of ESAT, Katholieke Universiteit Leuven, Belgium, (Elke De Mulder [7]). 11/42

12 Side-Channels Side-Channels Acquisitions Attack Algorithms In-house ALTERA Stratix as is suitable for local EMA [9,8] 12/42

13 Side-Channels Side-Channels Acquisitions Attack Algorithms XILINX Virtex-5 evaluation board customized for EMA Metallic cover FPGA chip FF324 (18 2 pins) socket XC5VLX50 evaluation board 13/42

14 Side-Channels Side-Channels Acquisitions Attack Algorithms ALTERA Stratix with chemical preparation for EMA 14/42

15 Modus operandi Side-Channels Side-Channels Acquisitions Attack Algorithms Information known/unknown by the attacker Known: Observations O; Known: (usually) either the plaintext or the ciphertext. Unknown: the encryption key (case of symmetric encryption). Strategy: divide-and-conquer Partition observations according to a sensitive variable S: depends on the secret K, not too many bits of K, since attack = exhaustive search, is computable from the plaintext / ciphertext. Therefore: attacks target the first or the last round (in general), MixColumns in AES hard to invert attack the last round. 15/42

16 Side-Channels Side-Channels Acquisitions Attack Algorithms Use the traces O to distinguishing between the correct partitioning from wrong ones Distinguishers use a model M(S) is the physical syndrome related to the manipulation of the secret S. It is called the leakage model. Examples of distinguishers E(O M(S) = 0) E(O M(S) = 1) :...DoM E S ((O M(S) EO M(S))(M(S) EM(S))):... Covariance ρ s (O S = s; M(s)):...CPA E s H (O M(S) = M(s)) or I(O; M(S)):...MIA 16/42

17 Side-Channels Side-Channels Acquisitions Attack Algorithms Models M(S) (classification by [10]) Partition-based: If unprotected: M(s) = s ; Hamming weight; Bus cleared in SW M(s) = s R ; Hamming weight; Bus precharged in SW M(s) = s s 1 ; Hamming distance; typical of HW M(s) = s s 1 + (1 δ) s s 1 ; Idem, but in near-field EMA If protected: M(s) = s. Warning: 2 n values! Difficult to be more inventive if the countermeasure is sound... but we ll see Comparison-based: M(S) = E(O S); (profiled attacks) templates 17/42

18 Side-Channels Side-Channels Acquisitions Attack Algorithms Various leakage models for DES (iterative architecture) Attack on the first round of DES Attack on the last round of DES t = 0 L0 R0 L15 R15 t = 15 model C K1 model A K16 model A Feistel function: f model D model D Feistel function: f model B model B model C t = 1 L1 R1 L16 R16 t = Caption: black = known values; red = unknown sensitive values 18/42

19 Side-Channels Side-Channels Acquisitions Attack Algorithms Finding the best leakage models is not obvious Success rate Success rate Traces for profiling Traces for profiling Traces for online attack Traces for online attack Success rate for model A. Success rate for model B Success rate Success rate Traces for profiling Traces for profiling 2500 Traces for online attack Traces for online attack Success rate for model C. Success rate for model D. 19/42

20 So, shall we conclude the Hamming distance (HD) model D is the ultimate model for HW? Average power trace Covariance result (same scale as the average power trace) Voltage [mv] Voltage [mv] Time [clock periods] Time [clock periods] SecMat v1[asic]: Typical trace: 92 mv Typical DPA: 3.0 mv Side-channel leakage: 3.3 % See [4] Voltage [mv] Covariance result (zoomed) Time [clock periods]

21 Combined attacks! Side-Channels Side-Channels Acquisitions Attack Algorithms 1 Various distinguishers for a same partitioning; 2 One distinguisher can be evaluated on various partitionings; 3 The diversity can also come from the multiplicity of timing samples usually garnered during an acquisition campaign; 4 It can also arise from multi-modal acquisitions; 5 There can be situations where the most suitable partitioning can evolve from sample to sample in a side-channel capture. 21/42

22 Presentation Outline 1 2 Side-Channels Side-Channels Acquisitions Attack Algorithms 3 Protocol-Level Register Transfer Level Netlist Level 4 Attack on Information Masking Attack on Information Hiding 5 Conclusions Perspectives Protocol-Level Register Transfer Level Netlist Level 22/42

23 Protocol-Level Register Transfer Level Netlist Level Targeted strategies Protocol-level: Most wanted since provable Register-Transfer Level: Masking. Easiest to implement; Boolean or algorithmic. Encrypted leakage Glitch-full circuits Netlist or implementation level: Hiding (= DPL, Dual-rail with Precharge Logic) Degenerated counter-measures / Make difficult strategies DPL w/o precharge Noise generator, Dummy instructions, Varying clock, etc. And as for attacks, countermeasures can be combined. 23/42

24 Protocol level: Protocol-Level Register Transfer Level Netlist Level if 1 bit is leaked per 100 encryptions... Alice: AES k0 Bob: AES 1 k k 0 k 0 hash hash k 1 AES k1 k 1 AES 1 k k 1 k 1 hash hash k 2 k 2 24/42

25 Masking Protocol-Level Register Transfer Level Netlist Level Principle Every variable s, potentially sensible, is represented as a share {s 0, s 1,, s n 1 } To reconstruct s, all the s i are required. Example: n = 2, s. = s 0 s 1. Leakage resistant since variables are never used plain; Attractive but works only fine for registers. Efforts done to protect also the combinational logic. 25/42

26 Encrypted Leakage Protocol-Level Register Transfer Level Netlist Level FPGA x ASIC (tamper-proof) x Encrypted bitstream kb kc Masked DES Masked DFF Side-channel: EMA, power Trusted Platform Module Masked DES Masked DFF kc Side-channel: EMA, power ki personalization NVM ki y = DES(x, kc) y = DES(x, kc) 26/42

27 Glitch-full circuits Protocol-Level Register Transfer Level Netlist Level (a) (b) input 8 FP FP 64 IP MUX 4 1 MUX PC1 FP 8 1 Parity bits LS MUX IF LR CD 56 output 8 Round 1: Round 2:... Round 15: Round 16: Round logic Round logic Key schedule Key schedule Round logic Round logic Key schedule Key schedule purely combinatorial logic (1) (2) Normal IP representation 27/42

28 Glitch-full circuits Protocol-Level Register Transfer Level Netlist Level (a) (b) input 8 FP FP 64 IP MUX 4 1 MUX PC1 FP 8 1 Parity bits LS MUX IF LR CD 56 output 8 Round 1: Round 2:... Round 15: Round 16: Round logic Round logic Key schedule Key schedule Round logic Round logic Key schedule Key schedule purely combinatorial logic (1) (2) Normal IP representation 27/42

29 Protocol-Level Register Transfer Level Netlist Level (a) (b) Average +/- standard deviation [mv] Round # Time [ns] (a) (b) Round #2 Round #3 Round #4 11 ns Round #5 Round #6 Round #7 Round #8... Average +/- standard deviation [mv] ns <1 ns >2 ns All 16 rounds Time [ns] Sequential iterative DES encryption signature, with the average variation margin, for statistics collected on 10k measurements. Average combinatorial DES encryption signature, with the average variation margin, for statistics collected on 100k measurements. 28/42

30 Protocol-Level Register Transfer Level Netlist Level Hiding: Placement and Routing of Xilinx WDDL+ Netlists. P&R tools naturally separate true and false paths Example with AES substitution box SUBBYTES with and without placement constraints (2 2 LuT4 per slice) Unconstrained placement Constrained placement 29/42

31 Presentation Outline 1 2 Side-Channels Side-Channels Acquisitions Attack Algorithms 3 Protocol-Level Register Transfer Level Netlist Level 4 Attack on Information Masking Attack on Information Hiding 5 Conclusions Perspectives Attack on Information Masking Attack on Information Hiding 30/42

32 Attack on Information Masking Attack on Information Hiding Message ki IP IP Left masked data (Li) Left mask (MLi) Feistel function f m m P S E S(x kc) xm P m S E Right mask (MRi) Right masked data (Ri) kc FP Ciphertext 31/42

33 Attack on Information Masking Attack on Information Hiding Message ki IP IP Left masked data (Li) Left mask (MLi) Feistel function f Right mask (MRi) Right masked data (Ri) P m S m E P S(x kc) m S xm E kc FP Ciphertext 32/42

34 Attack on Information Masking Attack on Information Hiding Attacks on masking (1/2) p(l=0)=1/16 p(l=1)=4/16 p(l=2)=6/16 p(l=3)=4/16 p(l=4)=1/16 Correct key (i.e. physical L) O L=0 O L=1 O L=2 O L=3 O L= H(O L=0)=0 H(O L=1)=0 H(O L=3)=0 H(O L=3)=0 H(O L=4)=0 H(O L)=0 bit Incorrect key (i.e. random L) O L= O L= O L= O L= O L= H(O L=0)=2.03 H(O L=1)=2.03 H(O L=2)=2.03 H(O L=3)=2.03 H(O L=4)=2.03 H(O L)=2.03 bit 33/42

35 Attack on Information Masking Attack on Information Hiding Attacks on masking (2/2) p(l=0)=1/16 p(l=1)=4/16 p(l=2)=6/16 p(l=3)=4/16 p(l=4)=1/16 O L=0 O L=1 O L=2 O L=3 O L=4 Correct key (i.e. physical L) H(O L=0)=2.03 H(O L=1)=1.81 H(O L=3)=1.5 H(O L=3)=1 H(O L=4)=0 H(O L)=1.39 bit Incorrect key (i.e. random L) O L= O L= O L= O L= O L= H(O L=0)=2.54 H(O L=1)=2.54 H(O L=2)=2.54 H(O L=3)=2.54 H(O L=4)=2.54 H(O L)=2.54 bit 34/42

36 Attack on Information Masking Attack on Information Hiding Models M(S) (classification by [10]) Partition-based: If unprotected: M(s) = s ; Hamming weight; Bus cleared in SW M(s) = s R ; Hamming weight; Bus precharged in SW M(s) = s s 1 ; Hamming distance; typical of HW M(s) = i s s 1 + (1 δ)s s 1 ; Idem, but in near-field EMA If protected: M(s) = s. WARNING: 2 n values! Difficult to be more inventive if the countermeasure is sound... M(S) = S 1 + S 2 ; Zero-offset M(S) = (S 1,S 2 ) ; Multi-variate MIA (MMIA [2]) Comparison-based: M(S) = E(O S); (profiled attacks) templates 35/42

37 Attacks on DPL Attack on Information Masking Attack on Information Hiding AES WDDL no EE AES WDDL EE Evaluation Round 9 MUTUAL INFORMATION Precharge Round 9 Evaluation Round 10 Precharge Round 10 0 sensitive not sensitive SAMPLES 36/42

38 Presentation Outline 1 2 Side-Channels Side-Channels Acquisitions Attack Algorithms 3 Protocol-Level Register Transfer Level Netlist Level 4 Attack on Information Masking Attack on Information Hiding 5 Conclusions Perspectives Conclusions Perspectives 37/42

39 Conclusions Perspectives Formal practice-oriented framework [11] Attacks metric Leakage metric Reduction function 38/42

40 Conclusions Perspectives Counter-Measures are still ad hoc 1 Multiplicative masking of AES (M.-L. Akkar and Ch. Giraud, CHES 2001) Zero Attack (Jovan Dj. Golic, Christophe Tymen, CHES 2002) 2 Provable secure S-Box implementation based on FFT (E. Prouff et al, CHES 2006) Bias of the mask attack (S. Coron, CHES 2008) 3 MDPL (Th. Popp and S. Mangard, CHES 2005) Folding attack (P. Schaumont and K. Tiri, CHES 2007), Subset attack (E. de Mulder et al, WIFS 2009) 4 DRSL (Z. Chen and Y. Zhou, CHES 2006) Glitch on precharge (M. Nassar, DATE 2009) 39/42

41 Call for Further Researches Conclusions Perspectives Open Issues Need for formal proofs of security Can be at protocol level (work in progress). Could also be at implementation level (new research area). Devise countermeasures globally taking into account all possible weaknesses: Observation. Perturbation. Manipulation. 40/42

42 Conclusions Perspectives [1] Karine Gandolfi, Christophe Mourtel, and Francis Olivier. Electromagnetic Analysis: Concrete Results. In CHES, volume 2162 of LNCS, pages Springer, May Paris, France. [2] Benedikt Gierlichs, Lejla Batina, Bart Preneel, and Ingrid Verbauwhede. Revisiting Higher-Order DPA Attacks: Multivariate Mutual Information Analysis. In CT-RSA, volume 5985 of LNCS, pages Springer, March San Francisco, CA, USA. [3] Sylvain Guilley, Laurent Sauvage, Jean-Luc Danger, Tarik Graba, and Yves Mathieu. Evaluation of Power-Constant Dual-Rail Logic as a Protection of Cryptographic Applications in FPGAs. In SSIRI, pages 16 23, Yokohama, Japan, jul IEEE Computer Society. DOI: /SSIRI , [4] Sylvain Guilley, Laurent Sauvage, Jean-Luc Danger, Nidhal Selmane, and Renaud Pacalet. Silicon-level solutions to counteract passive and active attacks. In FDTC, 5th Workshop on Fault Detection and Tolerance in Cryptography, IEEE-CS, pages 3 17, Washington DC, USA, aug (Up-to-date version on [5] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In Proceedings of CRYPTO 96, volume 1109 of LNCS, pages Springer-Verlag, ( [6] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Differential Power Analysis. In Proceedings of CRYPTO 99, volume 1666 of LNCS, pages Springer-Verlag, (PDF). 41/42

43 Conclusions Perspectives [7] Elke De Mulder, Pieter Buysschaert, Sıddıka Berna Örs, Peter Delmotte, Bart Preneel, Guy Vandenbosch, and Ingrid Verbauwhede. Electromagnetic Analysis Attack on an FPGA Implementation of an Elliptic Curve Cryptosystem. In IEEE International Conference on Computer as a tool ( pages , November Belgrade, Serbia & Montenegro. [8] Laurent Sauvage, Sylvain Guilley, Jean-Luc Danger, Yves Mathieu, and Maxime Nassar. Successful Attack on an FPGA-based Automatically Placed and Routed WDDL+ Crypto Processor. In DATE, track A4 (Secure embedded implementations), April Nice, France. Electronic version: [9] Laurent Sauvage, Sylvain Guilley, and Yves Mathieu. ElectroMagnetic Radiations of FPGAs: High Spatial Resolution Cartography and Attack of a Cryptographic Module. ACM Trans. Reconfigurable Technol. Syst., 2(1):1 24, March Full text inhttp://hal.archives-ouvertes.fr/hal /en/. [10] François-Xavier Standaert, Benedikt Gierlichs, and Ingrid Verbauwhede. Partition vs. Comparison Side-Channel Distinguishers: An Empirical Evaluation of Statistical Tests for Univariate against Two Unprotected CMOS Devices. In ICISC, volume 5461 of LNCS, pages Springer, December Seoul, Korea. [11] François-Xavier Standaert, Tal Malkin, and Moti Yung. A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks. In EUROCRYPT, volume 5479 of Lecture Notes in Computer Science, pages Springer, April Cologne, Germany. 42/42