Application of Physical Attacks

Transcription

1 Application of Physical Attacks to Real World Systems Workshop Provable Security against Physical Attacks Lorentz Center, Leiden February 17, 2010 Christof Paar Timo Kasper Embedded Security Group Horst Görtz Institute for IT Security Ruhr University Bochum

2 Acknowledgement Thomas Eisenbarth Markus Kasper Timo Kasper Amir Moradi David Oswald

3 Agenda RemoteAccess Control with KeeLoq Contactless Smartcards with 3DES Contactless Payments with Mifare Classic Positive Applications of SCA: Watermarking Conclusions & Auxiliary Stuff 3

4 Remote Access Control with KeeLoq 4

5 KeeLoq Introduction to Remote Keyless Entry (RKE) Systems Phase1 Analysis & Frustration Phase2 Breakthrough & Euphoria Phase 3 Optimization & Routine 7

6 KeeLoq IntroductiontoRemote to Keyless Entry (RKE) Systems Phase1 Analysis & Frustration Phase2 Breakthrough & Euphorie Phase 3 Optimization & Routine 8

7 Remote Keyless Entry Systems 9

8 Modern Keyless Entry Systems advancedtheftcontrol: control: rolling code code = e k (n i ) rolling code (or hopping code) protects against replay attacks: 1. code = e k (n) 2. code = e k (n+1) 3. code = e k (n+2). e k () is often a block cipher 11

9 Popular Remote Keyless Entry Cipher: KeeLoq KeeLoq is used in rolling code mode or in a challenge-response protocol widely used for garage doors in US & Europe Wikipedia (?): Chrysler, Daewoo, Fiat, GM, Honda, Toyota, Volvo, Jaguar,... Q: How secure is KeeLoq? 13

10 KeeLoq Introduction to Remote Keyless Entry (RKE) Systems Phase 1 Analysis & Frustration Phase2 Breakthrough & Euphoria Phase 3 Optimization & Routine 20

11 KeeLoq + Side Channel Attacks Our thoughts ht ca (mostly correct) Great target for real world ld attack 23 Old cipher Implementation probably also 10+ years old SCA countermeasures very unlikely Running DPA or SPA should be a piece of cake (a few weeks)

12 Power Analysis of a Remote Control? secret tkey of remote control (HCS XXX Chip)! 26

13 Performing the Side Channel Attack 1. Find a suited predictable intermediate value in the cipher 2. Measure thepower consumption 3. Align and reduce size of acquired data 4. Correlate measurements with model 29

14 KeeLoq Algorithm State Register, y NLF XOR Key Register, k bit key, 32 bit block length NLFSR comprising a 5x1 non linear function Simple key management: key is rotated in every clock cycle 528 rounds, each round one key bit is read Lightweight cipher cheap and efficient in hardware

15 KeeLoq Attack State Register, y NLF XOR Key Register, k knowing the state directly reveals one key bit per clock cycle

17 Measuring the Power Consumption Digital oscilloscope (max. 1 GS/s sample rate) Measure electric current or electromagnetic field 35

18 Power Trace of a remote control: Finding the KEELOQ Encryption write EEPROM KEELOQ send hopping code press button 36

20 Performing the Side Channel Attack Recovery Key Correlatereal l power consumption I i with predicted value D = f (X i, K h ) Divide and conquer approach Best matching key candidates survive Correlation round 40

21 KeeLoq Introduction to Remote Keyless Entry (RKE) Systems Phase1 Analysis & Frustration Phase 2 Breakthrough & Euphoria Phase 3 Optimization & Routine 42

22 15 months later 43

23 Side Channel Attack Results for KeeLoq A) Hardware implementation ti ( car key ) Total attack time (for known device family): 5 30 traces, minutes 44 B) Software implementation ( car door ) Total attack time (for known device family): traces, hours reveals Manufacturer Key for ALL key derivation modes

24 So what can we do now (1)? 1. If we have access to a remote: Recover Device Key and clone the remote 2. If we have access to a receiver: Recover Manufacturer Key & generate new remotes 46

25 So what can we do now (2)? 3. After step 2 ( i.e., possessing the Manufacturer Key): Remotely eavesdrop on 1-2 communications & clone remote! #ser, KeeLoq(n+1) 49 works for all key derivation schemes instantly tl for key derivation from serial number otherwise use PC (short seed) or COPACOBANA (long seed)

26 KeeLoq Introduction to Remote Keyless Entry (RKE) Systems Phase 1 Analysis& Frustration Phase 2 Breakthrough & Euphoria Phase 3 Optimization & Routine

27 After the Attack 3 reactions from industry 1. Companies ignore us (many) 2. Companies hate us (also (l popular) 3. Companies want to improve their products with us (few) 56

28 Since 2008 We analyze several KeeLoq products All are breakable But efforts for manufacturing key recovery varies from hours weeks We gain much experience and start to improve 57

29 Software DPA: needs 1000s of Measurements Correlation for DPA decreases with #rounds (bad) Durationof one round seems to be dependent on input Duration of one round seems to be dependent on input good for SPA!

30 SPA Attack against KeeLoq State Register, y NLF XOR Key Register, k knowing the state directly reveals one key bit per clock cycle Analyzing variations of the state t will reveal the secret key

31 KeeLoq Decryption Program Code Data dependent code Data dependent code in red

32 SPA by CrossCorrelation CrossCorrelation Reference Pattern

33 KeeLoq and SPA: What can we do now? Manufacturing key recovery with 1 single power trace No need to profile the leakage (unlike template attacks) Countermeasure: fix execution time of rounds But: Better alignment of traces will make DPA easier Further details: our Africacrypt `09 paper Important lesson Do not educate your attacker, i.e., build rock solid systems from the beginning 63

34 Contactless Payments with Mifare Classic 66

35 Case Study contactless payments: Let s investigate one large scale system! contactless employee ID card, e.g., of a large corporate enterprise more than 1 million users according to the manufacturer payments (max. 150 ), access control, recording of working time, Based on Mifare Classic 1K chip 68

36 Mifare Classic and its Security 69

37 MifareClassic 1K more than1 billion cards used worldwide, e.g, for public transport basically a (contactless) memory card with encryption, cheap ( 0,50 ) each card contains a factory programmed, read only Unique Identifier (UID) access to each sector can be secured with two cryptographic keys A and B UID Key A, sector 0 Key B, sector 0 Key A, sector 15 Key B, sector 15 70

38 Security Issues of Mifare Classic 1. Weak Cipher proprietary stream cipher CRYPTO1 kept secret until 2007 reverse engineering small cipher state, weak non linear functions cipher published on the Internet (CRAPTO1) researchers instantly reveal severe flaws 72

39 Security Issues of Mifare Classic 2. Weak Random Number Generator generates 32 bit nonces n X and responses a X for the authentication entropy: obviously only 16 bit instead of possible 32 bit randomness dependsonlyon d thetime elapsed since power up! AUTH (sector) n C n R a R a C 73

40 Security Issues of Mifare Classic 3. Weak Implementation / Protocol bad practice: keystream bits reused paritycalculated l over plaintextinstead li i d of actually transmitted ddata bug/feature: cardreplieswith replies 4 encryptedbits (NACK = 0x05), if the parity bits for the encrypted n R a R are correct, but a R is wrong * can be used as covert channel to recover parts of the keystream 74 *) guess parity bits: 1 out of 2 8 tries will be successful

41 Analyzing a Real World Contactless Payment System 77

42 Special RFID Tools Special Reader: Precisecontrolof control of the timing (accuracy: 75 ns) FIX the the card s random nonce to exactly one value! Fake Tag: Can completely emulate any ISO14443 transponder (e.g., Mifare cards) including an arbitrary UID 78

43 Our Combined Attack differential attack to extract tthe 1 st secret key 2. nested authentication attack for the remaining keys! card nonce fixed to exactly one value! crack all keys of a Mifare 1K card in < 10 Min

44 Analysis of the ID Card 1/2 test our attack on one ID Card extraction of all secret keys try ID Card of another employee card contains the same keys try ID Card of a third employee card contains the same keys... Surprising discovery: All ID Cards have identical keys! 80

45 Analysis of the ID Card 2/2 1. one time extraction of the secret keysofany y ID Card duration: < 10 minutes 2. reverse engineer engineer the card s content (repeated pay and compare and ) card number: integrity ensured with XOR checksum(uid&card number) credit balance: in plain w/o any protection other data: date of card issuance, last payment terminal, 3. knowing the above: wireless manipulating of all cards in the sstem system from cm (depending on antenna) duration: milliseconds (!) 81

46 Impersonation: Duplicate an ID Card read out relevant data in 100 milliseconds from a distance copy content of victim s ID Card to blank Mifare Classic (ebay: < 0,50 ) card number and credit balance remain unchanged* pay with a duplicate of a card that is known to the system 82 *) note: funny XOR checkbyte has to be adapted

47 Impersonation: Increase Credit Balance + top up the credit balance of the cloned card or: restore previous content when money is used up financial losses for the payment institution (money is used that has never been paid into the system) 83

48 Impersonation: Wireless Pickpocketing + attacker in addition lowers the credit on the victim s card advantage: difficult to detect (no additional money in the system) losses only on the side of the victims, fraud not noticed dby the payment institution 84

49 Selling Pre Charged Cards dump the content of a valid ID Card to a PC generate new card number and write to new (blank) card optionally: modify credit balance sell thecards (or top up service: pay 1 get 3 ) 85 poor issuing institution, rich criminal

50 Denial Of Service cards can be manipulated unnoticed by the owners disguised reader, e.g., neara a waiting line at the cashdesk automatically sets credit of any card in its proximity to 0 (in 40 ms) financial losses for the concerned customers ; no direct damage but image loss and cost for customer service for the issuing institution 86

51 Distributed All You Can Eat disguised reader, this time charges cards of victims will you complain about a 100 voucher? in court: can you be sued for s.o. else charging your card? very high losses for the issuing institution / happy customer 87

52 Emulate an arbitrary ID Card 88 NFC mobile ID Card may stay in wallet when paying electronic emulation of an arbitrary card is possible generate a new UID, card number, and credit balance for each payment detection/countermeasures difficult (blacklisting i impossible) ibl high losses for the issuing institution

53 Real World Tests with the ID Card Contactless Payment System Clone ID Cards (note: duplicates, except for the UID) can payments be carried out with clones?! UID not checked! Modify the credit balances of the clones are payments with counterfeit money possible?! If shadow accounts exist, they are not used! Production of new cards (new card number etc.) can we pay with arbitrary generated cards? obviously bi no effective measures in the back end! 91

54 Summary of the Analyses most efficient practical card only attack on Mifare to date successful attacks on a real world system: wirelessly manipulate any ID Card in milliseconds! worstrealization realization of a contactless payment system ever unfortunately this is not a single occurence realization on the system level does matter, mistakes can become very painful for the issuing institution system integrators: please check your systems, ask any cryptographer for help 92

55 Intermezzo Aha. Mifare Classic is insecure. I ve heard about these 3DES contactless cards! let s exchange the cards of our payment system & make the same errors (identical keys ) Good idea? 98

56 SCA on secure Contactless Smartcards using 3DES 99

57 RFID Side Channel Measurement: Mutual Authentication Protocol Measure EMemanation? Reader: Send protocol value X Smartcard: Encrypt X with 3DES Strong EM field of RFID hinders straightforward DEMA 103

58 Measurement Setup 104

59 Measurement Setup ISO14443 compatible Freely Programmable Low Cost (< 40 ) 105

60 Measurement Setup 1 GS/s, 128 MB Memory ± 100 mv USB 2.0 Interface 106

61 Measurement Setup Aim: Reduce Carrier Wave Influence vs. EM leakage Reader of smartcard 107

62 Side Channel Analysis Step 1: Raw measurements 110

63 EM Trace (without analogue filter) 111

64 EM Trace (without analogue filter) 112

65 EM Trace (without analogue filter)? 113 Christof Paar,

66 Side Channel Analysis Step 2: Analogue filter 114

67 Carrier Dampening from contactless tl card after subtraction from reader s oscillator 115

68 EM Trace (with analogue filter) 116

69 EM Trace (with analogue filter) 117

70 EM Trace (with analogue filter)? 118

71 Side Channel Analysis Step 3: Digital Demodulation 119

72 Digital Demodulation Digital Demodulator Rectifier Digital Filter 120

73 Digital Demodulation 121

74 Digital Demodulation?! 122 Christof Paar,

75 Side Channel Analysis Step 4: Alignment 123

76 Alignment Pick Reference Pattern 124

77 Alignment Pick Reference Pattern 125

78 Alignment 126

79 Alignment Varies for identical Plaintext 127

80 Side Channel Analysis Step 5: Location of 3DES (Profiling with ihfixed, known key) 128

81 Data Bus Locate Plain & Ciphertext Transfer 129

82 Data Bus DPA: Plaintext 8 Bit Hamming Weight (5000 traces) 130

83 Data Bus DPA: Ciphertext 8 Bit Hamming Weight (5000 traces) 131

84 Trace Overview... Other processing Plaintext 3DES Ciphertext 132

85 Assumptions?! C 3DES?! 133

86 Side Channel Analysis Step 6: Attack 134

87 3DES Engine DPA But: Only for S Box 1 & 3 136

88 3DES Engine DPA: Peak Extraction 137

89 3DES Engine DPA: Peak Extraction 138

90 3DES Engine DPA: Binwise 139

91 3DES Engine DPA: Binwise Apply DPA binwise 140

92 DES Full Key Recovery 143

93 Summary Measurement Setup built Profiling done Dt Data Bus revealed ld Full 3DES key revealed 144

94 Conclusion Aha. Mifare Classic is insecure. I ve heard about these 3DES contactless cards! let s exchange the cards of our payment system & make the same errors (identical keys ) Good idea? NO. 145

95 SCA is so destructive. Can t we find some positive use? 147

96 Side Channel based Watermarks for IP Protection 150

97 Motivation: IP Cores (Intellectual Property) 152 Hardware blocksfor certain functions (e.g., CPUs, coders ) Increased re use of previous implementations Partsof the development can be bought from another party Faster and cheaper hardware design

98 Motivation: IP Cores+ Security? Copyright violations of IP cores IP cores may have embedded Trojans 153

99 The question we want to solve: Is our IP core in there? (Did they pay the $0,10 royality?) 154

100 Watermarks Classical watermark Digital watermark Goal: Impossible to forge Goal: Impossible to remove 155

101 Watermarking for IP protection Goals of IP watermarking: 1. Detectability: The owner can detect whether or not his code is used in an IC. 2. Non repudiation: The owner can prove towards a third party that his code was used in an IC. Possible attacks on IP watermarking: 1. Removing attack: The attacker removes the watermark from his IC design. 2. Impersonation attack: The attacker tries to detect a watermark in a foreign design and claims that this watermark is his own. 156

102 A side channel based watermark Main idea of a side channel based watermark: Insertan artificial side channel into the IP core This side channel leaks out a unique ID IP owner can check ICs for their unique ID IP owner can proof copyright violations Our spread spectrum based watermark, based on side channel hardware Trojan from CHES

103 Spread spectrum based watermarks Two Components that are added to the IP core: 1. A PRNG that generates a pseudo-random bit sequence 2. A Leakage Circuit (LC) that is attached to the PRNG and that leaks out the bitstream 158

104 Detecting a spread spectrum based watermark 1. Measure a single long power trace ofthe targeted device 2. From this power trace derive exactly one power value p i for each of the n measured clock cycles. (e.g. by averaging the points of one clock cycle) 3. Compute the expected watermarking bit stream B=b 1,,b n 4. Generate different Hypotheses H i by shifting the bit stream B: H 1 =b 1,,b n H 2 =b 2,,b n,b 1 5. Correlate the Hypotheses H i with the power values P=p 1,,p n 6. If the un shifted bit stream (H 1 ) generates a significant correlation peak, the watermark is embedded in the targeted device. 159

105 Practical results Implemented: A 1 st order DPA resistant it taes implementation with an embedded spread spectrum watermark. Device: Xilinx Virtex 2 PRO XC2VP7 5 24MHz 160

106 Practical results The used PRNG: A 32 bit LFSR with X 32 +X 22 +X 2 +X 1 and a fixed initial state. The used Leakage Circuit: 16 bit Shift Register initialized with 0xAAAA shifted only if output of the PRNG is 1 161

107 Measurements Correlation for clock cycles while the AES implementation was idle. Correlation for clock cycles while the AES implementation was constantly running. 162

108 Conclusions & Auxiliary Stuff 163

109 Conclusions Experience from real world ld attacks are veryvaluable for the scientific community Real world impact of (physical) attacks sometimes hard to assess Evolution of physical attacks are an interesting (and scary) phenomenon Is there a metric for measuring the hardness of physical attacks?

110 Related Workshops SECSI Secure Component and Systems Identification April 2010, Cologne, Germany CHES Cryptographic Hardware and Embedded Systems August 2010, UCSB escar Embedded Security in Cars November 2010

111 Post Doc Position in Embedded Security U Bochum Work on theoreticalti and/or practical aspect s of physical attacks 1+ year position Full scientific position, great working atmosphere Please contact Christof Paar, [email protected]

112 and yet another textbook on Cryptography Hopefully helpful for people without PhD`s in mathematics Quite comprehensive