Application of Physical Attacks to Real World Systems Workshop Provable Security against Physical Attacks Lorentz Center, Leiden February 17, 2010 Christof Paar Timo Kasper Embedded Security Group Horst Görtz Institute for IT Security Ruhr University Bochum
Acknowledgement Thomas Eisenbarth Markus Kasper Timo Kasper Amir Moradi David Oswald
Agenda RemoteAccess Control with KeeLoq Contactless Smartcards with 3DES Contactless Payments with Mifare Classic Positive Applications of SCA: Watermarking Conclusions & Auxiliary Stuff 3
Remote Access Control with KeeLoq 4
KeeLoq Introduction to Remote Keyless Entry (RKE) Systems Phase1 Analysis & Frustration Phase2 Breakthrough & Euphoria Phase 3 Optimization & Routine 7
KeeLoq IntroductiontoRemote to Keyless Entry (RKE) Systems Phase1 Analysis & Frustration Phase2 Breakthrough & Euphorie Phase 3 Optimization & Routine 8
Remote Keyless Entry Systems 9
Modern Keyless Entry Systems advancedtheftcontrol: control: rolling code code = e k (n i ) rolling code (or hopping code) protects against replay attacks: 1. code = e k (n) 2. code = e k (n+1) 3. code = e k (n+2). e k () is often a block cipher 11
Popular Remote Keyless Entry Cipher: KeeLoq KeeLoq is used in rolling code mode or in a challenge-response protocol widely used for garage doors in US & Europe Wikipedia (?): Chrysler, Daewoo, Fiat, GM, Honda, Toyota, Volvo, Jaguar,... Q: How secure is KeeLoq? 13
KeeLoq Introduction to Remote Keyless Entry (RKE) Systems Phase 1 Analysis & Frustration Phase2 Breakthrough & Euphoria Phase 3 Optimization & Routine 20
KeeLoq + Side Channel Attacks Our thoughts ht ca. 2006 (mostly correct) Great target for real world ld attack 23 Old cipher Implementation probably also 10+ years old SCA countermeasures very unlikely Running DPA or SPA should be a piece of cake (a few weeks)
Power Analysis of a Remote Control? secret tkey of remote control (HCS XXX Chip)! 26
Performing the Side Channel Attack 1. Find a suited predictable intermediate value in the cipher 2. Measure thepower consumption 3. Align and reduce size of acquired data 4. Correlate measurements with model 29
KeeLoq Algorithm State Register, y 3 2 42 0 1 1 0 1 7 0 NLF XOR Key Register, k 7 5 4 3 2 1 0 6 0 30 64 bit key, 32 bit block length NLFSR comprising a 5x1 non linear function Simple key management: key is rotated in every clock cycle 528 rounds, each round one key bit is read Lightweight cipher cheap and efficient in hardware
KeeLoq Attack State Register, y 3 2 4 2 0 1 1 0 1 7 0 NLF XOR Key Register, k 7 6 5 4 3 2 1 0 0 33 knowing the state directly reveals one key bit per clock cycle
Performing the Side Channel Attack 1. Find a suited predictable intermediate value in the cipher 2. Measure thepower consumption 3. Align and reduce size of acquired data 4. Correlate measurements with model 34
Measuring the Power Consumption Digital oscilloscope (max. 1 GS/s sample rate) Measure electric current or electromagnetic field 35
Power Trace of a remote control: Finding the KEELOQ Encryption write EEPROM KEELOQ send hopping code press button 36
Performing the Side Channel Attack 1. Find a suited predictable intermediate value in the cipher 2. Measure thepower consumption 3. Align and reduce size of acquired data 4. Correlate measurements with model 39
Performing the Side Channel Attack Recovery Key Correlatereal l power consumption I i with predicted value D = f (X i, K h ) Divide and conquer approach Best matching key candidates survive Correlation 1 0.8 0.6 0.4 0.2 0 0 10 20 30 40 50 60 70 80 90 round 40
KeeLoq Introduction to Remote Keyless Entry (RKE) Systems Phase1 Analysis & Frustration Phase 2 Breakthrough & Euphoria Phase 3 Optimization & Routine 42
15 months later 43
Side Channel Attack Results for KeeLoq A) Hardware implementation ti ( car key ) Total attack time (for known device family): 5 30 traces, minutes 44 B) Software implementation ( car door ) Total attack time (for known device family): 1000 5000 traces, hours reveals Manufacturer Key for ALL key derivation modes
So what can we do now (1)? 1. If we have access to a remote: Recover Device Key and clone the remote 2. If we have access to a receiver: Recover Manufacturer Key & generate new remotes 46
So what can we do now (2)? 3. After step 2 ( i.e., possessing the Manufacturer Key): Remotely eavesdrop on 1-2 communications & clone remote! #ser, KeeLoq(n+1) 49 works for all key derivation schemes instantly tl for key derivation from serial number otherwise use PC (short seed) or COPACOBANA (long seed) www.copacobana.org
KeeLoq Introduction to Remote Keyless Entry (RKE) Systems Phase 1 Analysis& Frustration Phase 2 Breakthrough & Euphoria Phase 3 Optimization & Routine
After the Attack 3 reactions from industry 1. Companies ignore us (many) 2. Companies hate us (also (l popular) 3. Companies want to improve their products with us (few) 56
Since 2008 We analyze several KeeLoq products All are breakable But efforts for manufacturing key recovery varies from hours weeks We gain much experience and start to improve 57
Software DPA: needs 1000s of Measurements Correlation for DPA decreases with #rounds (bad) Durationof one round seems to be dependent on input Duration of one round seems to be dependent on input good for SPA!
SPA Attack against KeeLoq State Register, y 7 3 2 42 0 1 1 0 1 0 NLF XOR Key Register, k 7 6 5 4 3 2 1 0 0 knowing the state directly reveals one key bit per clock cycle Analyzing variations of the state t will reveal the secret key
KeeLoq Decryption Program Code Data dependent code Data dependent code in red
SPA by CrossCorrelation CrossCorrelation Reference Pattern
KeeLoq and SPA: What can we do now? Manufacturing key recovery with 1 single power trace No need to profile the leakage (unlike template attacks) Countermeasure: fix execution time of rounds But: Better alignment of traces will make DPA easier Further details: our Africacrypt `09 paper Important lesson Do not educate your attacker, i.e., build rock solid systems from the beginning 63
Contactless Payments with Mifare Classic 66
Case Study contactless payments: Let s investigate one large scale system! contactless employee ID card, e.g., of a large corporate enterprise more than 1 million users according to the manufacturer payments (max. 150 ), access control, recording of working time, Based on Mifare Classic 1K chip 68
Mifare Classic and its Security 69
MifareClassic 1K more than1 billion cards used worldwide, e.g, for public transport basically a (contactless) memory card with encryption, cheap ( 0,50 ) each card contains a factory programmed, read only Unique Identifier (UID) access to each sector can be secured with two cryptographic keys A and B UID Key A, sector 0 Key B, sector 0 Key A, sector 15 Key B, sector 15 70
Security Issues of Mifare Classic 1. Weak Cipher proprietary stream cipher CRYPTO1 kept secret until 2007 reverse engineering small cipher state, weak non linear functions cipher published on the Internet (CRAPTO1) researchers instantly reveal severe flaws 72
Security Issues of Mifare Classic 2. Weak Random Number Generator generates 32 bit nonces n X and responses a X for the authentication entropy: obviously only 16 bit instead of possible 32 bit randomness dependsonlyon d thetime elapsed since power up! AUTH (sector) n C n R a R a C 73
Security Issues of Mifare Classic 3. Weak Implementation / Protocol bad practice: keystream bits reused paritycalculated l over plaintextinstead li i d of actually transmitted ddata bug/feature: cardreplieswith replies 4 encryptedbits (NACK = 0x05), if the parity bits for the encrypted n R a R are correct, but a R is wrong * can be used as covert channel to recover parts of the keystream 74 *) guess parity bits: 1 out of 2 8 tries will be successful
Analyzing a Real World Contactless Payment System 77
Special RFID Tools Special Reader: Precisecontrolof control of the timing (accuracy: 75 ns) FIX the the card s random nonce to exactly one value! Fake Tag: Can completely emulate any ISO14443 transponder (e.g., Mifare cards) including an arbitrary UID 78
Our Combined Attack 79 1. differential attack to extract tthe 1 st secret key 2. nested authentication attack for the remaining keys! card nonce fixed to exactly one value! crack all keys of a Mifare 1K card in < 10 Min
Analysis of the ID Card 1/2 test our attack on one ID Card extraction of all secret keys try ID Card of another employee card contains the same keys try ID Card of a third employee card contains the same keys... Surprising discovery: All ID Cards have identical keys! 80
Analysis of the ID Card 2/2 1. one time extraction of the secret keysofany y ID Card duration: < 10 minutes 2. reverse engineer engineer the card s content (repeated pay and compare and ) card number: integrity ensured with XOR checksum(uid&card number) credit balance: in plain w/o any protection other data: date of card issuance, last payment terminal, 3. knowing the above: wireless manipulating of all cards in the sstem system from 10 25 cm (depending on antenna) duration: milliseconds (!) 81
Impersonation: Duplicate an ID Card read out relevant data in 100 milliseconds from a distance copy content of victim s ID Card to blank Mifare Classic (ebay: < 0,50 ) card number and credit balance remain unchanged* pay with a duplicate of a card that is known to the system 82 *) note: funny XOR checkbyte has to be adapted
Impersonation: Increase Credit Balance + top up the credit balance of the cloned card or: restore previous content when money is used up financial losses for the payment institution (money is used that has never been paid into the system) 83
Impersonation: Wireless Pickpocketing + attacker in addition lowers the credit on the victim s card advantage: difficult to detect (no additional money in the system) losses only on the side of the victims, fraud not noticed dby the payment institution 84
Selling Pre Charged Cards dump the content of a valid ID Card to a PC generate new card number and write to new (blank) card optionally: modify credit balance sell thecards (or top up service: pay 1 get 3 ) 85 poor issuing institution, rich criminal
Denial Of Service cards can be manipulated unnoticed by the owners disguised reader, e.g., neara a waiting line at the cashdesk automatically sets credit of any card in its proximity to 0 (in 40 ms) financial losses for the concerned customers ; no direct damage but image loss and cost for customer service for the issuing institution 86
Distributed All You Can Eat disguised reader, this time charges cards of victims will you complain about a 100 voucher? in court: can you be sued for s.o. else charging your card? very high losses for the issuing institution / happy customer 87
Emulate an arbitrary ID Card 88 NFC mobile ID Card may stay in wallet when paying electronic emulation of an arbitrary card is possible generate a new UID, card number, and credit balance for each payment detection/countermeasures difficult (blacklisting i impossible) ibl high losses for the issuing institution
Real World Tests with the ID Card Contactless Payment System Clone ID Cards (note: duplicates, except for the UID) can payments be carried out with clones?! UID not checked! Modify the credit balances of the clones are payments with counterfeit money possible?! If shadow accounts exist, they are not used! Production of new cards (new card number etc.) can we pay with arbitrary generated cards? obviously bi no effective measures in the back end! 91
Summary of the Analyses most efficient practical card only attack on Mifare to date successful attacks on a real world system: wirelessly manipulate any ID Card in milliseconds! worstrealization realization of a contactless payment system ever unfortunately this is not a single occurence realization on the system level does matter, mistakes can become very painful for the issuing institution system integrators: please check your systems, ask any cryptographer for help 92
Intermezzo Aha. Mifare Classic is insecure. I ve heard about these 3DES contactless cards! let s exchange the cards of our payment system & make the same errors (identical keys ) Good idea? 98
SCA on secure Contactless Smartcards using 3DES 99
RFID Side Channel Measurement: Mutual Authentication Protocol Measure EMemanation? Reader: Send protocol value X Smartcard: Encrypt X with 3DES Strong EM field of RFID hinders straightforward DEMA 103
Measurement Setup 104
Measurement Setup ISO14443 compatible Freely Programmable Low Cost (< 40 ) 105
Measurement Setup 1 GS/s, 128 MB Memory ± 100 mv USB 2.0 Interface 106
Measurement Setup Aim: Reduce Carrier Wave Influence vs. EM leakage Reader of smartcard 107
Side Channel Analysis Step 1: Raw measurements 110
EM Trace (without analogue filter) 111
EM Trace (without analogue filter) 112
EM Trace (without analogue filter)? 113 Christof Paar, 17.02.2010
Side Channel Analysis Step 2: Analogue filter 114
Carrier Dampening from contactless tl card after subtraction from reader s oscillator 115
EM Trace (with analogue filter) 116
EM Trace (with analogue filter) 117
EM Trace (with analogue filter)? 118
Side Channel Analysis Step 3: Digital Demodulation 119
Digital Demodulation Digital Demodulator Rectifier Digital Filter 120
Digital Demodulation 121
Digital Demodulation?! 122 Christof Paar, 17.02.2010
Side Channel Analysis Step 4: Alignment 123
Alignment Pick Reference Pattern 124
Alignment Pick Reference Pattern 125
Alignment 126
Alignment Varies for identical Plaintext 127
Side Channel Analysis Step 5: Location of 3DES (Profiling with ihfixed, known key) 128
Data Bus Locate Plain & Ciphertext Transfer 129
Data Bus DPA: Plaintext 8 Bit Hamming Weight (5000 traces) 130
Data Bus DPA: Ciphertext 8 Bit Hamming Weight (5000 traces) 131
Trace Overview... Other processing Plaintext 3DES Ciphertext 132
Assumptions?! C 3DES?! 133
Side Channel Analysis Step 6: Attack 134
3DES Engine DPA But: Only for S Box 1 & 3 136
3DES Engine DPA: Peak Extraction 137
3DES Engine DPA: Peak Extraction 138
3DES Engine DPA: Binwise 139
3DES Engine DPA: Binwise Apply DPA binwise 140
DES Full Key Recovery 143
Summary Measurement Setup built Profiling done Dt Data Bus revealed ld Full 3DES key revealed 144
Conclusion Aha. Mifare Classic is insecure. I ve heard about these 3DES contactless cards! let s exchange the cards of our payment system & make the same errors (identical keys ) Good idea? NO. 145
SCA is so destructive. Can t we find some positive use? 147
Side Channel based Watermarks for IP Protection 150
Motivation: IP Cores (Intellectual Property) 152 Hardware blocksfor certain functions (e.g., CPUs, coders ) Increased re use of previous implementations Partsof the development can be bought from another party Faster and cheaper hardware design
Motivation: IP Cores+ Security? Copyright violations of IP cores IP cores may have embedded Trojans 153
The question we want to solve: Is our IP core in there? (Did they pay the $0,10 royality?) 154
Watermarks Classical watermark Digital watermark Goal: Impossible to forge Goal: Impossible to remove 155
Watermarking for IP protection Goals of IP watermarking: 1. Detectability: The owner can detect whether or not his code is used in an IC. 2. Non repudiation: The owner can prove towards a third party that his code was used in an IC. Possible attacks on IP watermarking: 1. Removing attack: The attacker removes the watermark from his IC design. 2. Impersonation attack: The attacker tries to detect a watermark in a foreign design and claims that this watermark is his own. 156
A side channel based watermark Main idea of a side channel based watermark: Insertan artificial side channel into the IP core This side channel leaks out a unique ID IP owner can check ICs for their unique ID IP owner can proof copyright violations Our spread spectrum based watermark, based on side channel hardware Trojan from CHES 2009 157
Spread spectrum based watermarks Two Components that are added to the IP core: 1. A PRNG that generates a pseudo-random bit sequence 2. A Leakage Circuit (LC) that is attached to the PRNG and that leaks out the bitstream 158
Detecting a spread spectrum based watermark 1. Measure a single long power trace ofthe targeted device 2. From this power trace derive exactly one power value p i for each of the n measured clock cycles. (e.g. by averaging the points of one clock cycle) 3. Compute the expected watermarking bit stream B=b 1,,b n 4. Generate different Hypotheses H i by shifting the bit stream B: H 1 =b 1,,b n H 2 =b 2,,b n,b 1 5. Correlate the Hypotheses H i with the power values P=p 1,,p n 6. If the un shifted bit stream (H 1 ) generates a significant correlation peak, the watermark is embedded in the targeted device. 159
Practical results Implemented: A 1 st order DPA resistant it taes implementation with an embedded spread spectrum watermark. Device: Xilinx Virtex 2 PRO XC2VP7 5 FPGA @ 24MHz 160
Practical results The used PRNG: A 32 bit LFSR with X 32 +X 22 +X 2 +X 1 and a fixed initial state. The used Leakage Circuit: 16 bit Shift Register initialized with 0xAAAA shifted only if output of the PRNG is 1 161
Measurements Correlation for 500.000 clock cycles while the AES implementation was idle. Correlation for 500.000 clock cycles while the AES implementation was constantly running. 162
Conclusions & Auxiliary Stuff 163
Conclusions Experience from real world ld attacks are veryvaluable for the scientific community Real world impact of (physical) attacks sometimes hard to assess Evolution of physical attacks are an interesting (and scary) phenomenon Is there a metric for measuring the hardness of physical attacks?
Related Workshops SECSI Secure Component and Systems Identification April 2010, Cologne, Germany CHES Cryptographic Hardware and Embedded Systems August 2010, UCSB escar Embedded Security in Cars November 2010
Post Doc Position in Embedded Security Group @ U Bochum Work on theoreticalti and/or practical aspect s of physical attacks 1+ year position Full scientific position, great working atmosphere Please contact Christof Paar, cpaar@crypto.rub.de
and yet another textbook on Cryptography Hopefully helpful for people without PhD`s in mathematics Quite comprehensive www.crypto-textbook.com