300 research outputs found
Towards Automated Detection of Single-Trace Side-Channel Vulnerabilities in Constant-Time Cryptographic Code
Although cryptographic algorithms may be mathematically secure, it is often
possible to leak secret information from the implementation of the algorithms.
Timing and power side-channel vulnerabilities are some of the most widely
considered threats to cryptographic algorithm implementations. Timing
vulnerabilities may be easier to detect and exploit, and all high-quality
cryptographic code today should be written in constant-time style. However,
this does not prevent power side-channels from existing. With constant time
code, potential attackers can resort to power side-channel attacks to try
leaking secrets. Detecting potential power side-channel vulnerabilities is a
tedious task, as it requires analyzing code at the assembly level and needs
reasoning about which instructions could be leaking information based on their
operands and their values. To help make the process of detecting potential
power side-channel vulnerabilities easier for cryptographers, this work
presents Pascal: Power Analysis Side Channel Attack Locator, a tool that
introduces novel symbolic register analysis techniques for binary analysis of
constant-time cryptographic algorithms, and verifies locations of potential
power side-channel vulnerabilities with high precision. Pascal is evaluated on
a number of implementations of post-quantum cryptographic algorithms, and it is
able to find dozens of previously reported single-trace power side-channel
vulnerabilities in these algorithms, all in an automated manner
Security is an Architectural Design Constraint
In state-of-the-art design paradigm, time, space and power efficiency are considered the primary design constraints. Quite often, this approach adversely impacts the security of the overall system, especially when security is adopted as a countermeasure after some vulnerability is identified. In this position paper, we motivate the idea that security should also be considered as an architectural design constraint in addition to time, space and power. We show that security and efficiency objectives along the three design axes of time, space and power are in fact tightly coupled while identifying that security stands in direct contrast with them across all layers of architectural design. We attempt to prove our case utilizing a
proof-by-evidence approach wherein we refer to various works across literature that explicitly imply the eternal conflict between security and efficiency. Thus, security has to be treated as a design constraint from the very beginning. Additionally, we advocate a security-aware design flow starting from the choice of cryptographic primitives, protocols and system design
ANCHOR: logically-centralized security for Software-Defined Networks
While the centralization of SDN brought advantages such as a faster pace of
innovation, it also disrupted some of the natural defenses of traditional
architectures against different threats. The literature on SDN has mostly been
concerned with the functional side, despite some specific works concerning
non-functional properties like 'security' or 'dependability'. Though addressing
the latter in an ad-hoc, piecemeal way, may work, it will most likely lead to
efficiency and effectiveness problems. We claim that the enforcement of
non-functional properties as a pillar of SDN robustness calls for a systemic
approach. As a general concept, we propose ANCHOR, a subsystem architecture
that promotes the logical centralization of non-functional properties. To show
the effectiveness of the concept, we focus on 'security' in this paper: we
identify the current security gaps in SDNs and we populate the architecture
middleware with the appropriate security mechanisms, in a global and consistent
manner. Essential security mechanisms provided by anchor include reliable
entropy and resilient pseudo-random generators, and protocols for secure
registration and association of SDN devices. We claim and justify in the paper
that centralizing such mechanisms is key for their effectiveness, by allowing
us to: define and enforce global policies for those properties; reduce the
complexity of controllers and forwarding devices; ensure higher levels of
robustness for critical services; foster interoperability of the non-functional
property enforcement mechanisms; and promote the security and resilience of the
architecture itself. We discuss design and implementation aspects, and we prove
and evaluate our algorithms and mechanisms, including the formalisation of the
main protocols and the verification of their core security properties using the
Tamarin prover.Comment: 42 pages, 4 figures, 3 tables, 5 algorithms, 139 reference
Single-Trace Side-Channel Attacks on the Toom-Cook: The Case Study of Saber
The Toom-Cook method is a well-known strategy for building algorithms to multiply polynomials efficiently. Along with NTT-based polynomial multiplication, Toom-Cook-based or Karatsuba-based polynomial multiplication algorithms still have regained attention since the start of the NIST’s post-quantum standardization procedure. Compared to the comprehensive analysis done for NTT, the leakage characteristics of Toom-Cook have not been discussed. We analyze the vulnerabilities of Toom-Cook in the reference implementation of Saber, a third round finalist of NIST’s post-quantum standardization process. In this work, we present the first single-trace attack based on the soft-analytical side-channel attack (SASCA) targeting the Toom-Cook. The deep learning-based power analysis is combined with SASCA to decrease the number of templates since there are a large number of similar operations in the Toom-Cook. Moreover, we describe the optimized factor graph and improved belief propagation to make the attack more practical. The feasibility of the attack is verified by evaluation experiments. We also discuss the possible countermeasures to prevent the attack
Decryption Failure Attacks on Post-Quantum Cryptography
This dissertation discusses mainly new cryptanalytical results related to issues of securely implementing the next generation of asymmetric cryptography, or Public-Key Cryptography (PKC).PKC, as it has been deployed until today, depends heavily on the integer factorization and the discrete logarithm problems.Unfortunately, it has been well-known since the mid-90s, that these mathematical problems can be solved due to Peter Shor's algorithm for quantum computers, which achieves the answers in polynomial time.The recently accelerated pace of R&D towards quantum computers, eventually of sufficient size and power to threaten cryptography, has led the crypto research community towards a major shift of focus.A project towards standardization of Post-quantum Cryptography (PQC) was launched by the US-based standardization organization, NIST. PQC is the name given to algorithms designed for running on classical hardware/software whilst being resistant to attacks from quantum computers.PQC is well suited for replacing the current asymmetric schemes.A primary motivation for the project is to guide publicly available research toward the singular goal of finding weaknesses in the proposed next generation of PKC.For public key encryption (PKE) or digital signature (DS) schemes to be considered secure they must be shown to rely heavily on well-known mathematical problems with theoretical proofs of security under established models, such as indistinguishability under chosen ciphertext attack (IND-CCA).Also, they must withstand serious attack attempts by well-renowned cryptographers both concerning theoretical security and the actual software/hardware instantiations.It is well-known that security models, such as IND-CCA, are not designed to capture the intricacies of inner-state leakages.Such leakages are named side-channels, which is currently a major topic of interest in the NIST PQC project.This dissertation focuses on two things, in general:1) how does the low but non-zero probability of decryption failures affect the cryptanalysis of these new PQC candidates?And 2) how might side-channel vulnerabilities inadvertently be introduced when going from theory to the practice of software/hardware implementations?Of main concern are PQC algorithms based on lattice theory and coding theory.The primary contributions are the discovery of novel decryption failure side-channel attacks, improvements on existing attacks, an alternative implementation to a part of a PQC scheme, and some more theoretical cryptanalytical results
Contributions to Securing Software Updates in IoT
The Internet of Things (IoT) is a large network of connected devices. In IoT, devices can communicate with each other or back-end systems to transfer data or perform assigned tasks. Communication protocols used in IoT depend on target applications but usually require low bandwidth. On the other hand, IoT devices are constrained, having limited resources, including memory, power, and computational resources. Considering these limitations in IoT environments, it is difficult to implement best security practices. Consequently, network attacks can threaten devices or the data they transfer. Thus it is crucial to react quickly to emerging vulnerabilities. These vulnerabilities should be mitigated by firmware updates or other necessary updates securely. Since IoT devices usually connect to the network wirelessly, such updates can be performed Over-The-Air (OTA). This dissertation presents contributions to enable secure OTA software updates in IoT. In order to perform secure updates, vulnerabilities must first be identified and assessed. In this dissertation, first, we present our contribution to designing a maturity model for vulnerability handling. Next, we analyze and compare common communication protocols and security practices regarding energy consumption. Finally, we describe our designed lightweight protocol for OTA updates targeting constrained IoT devices. IoT devices and back-end systems often use incompatible protocols that are unable to interoperate securely. This dissertation also includes our contribution to designing a secure protocol translator for IoT. This translation is performed inside a Trusted Execution Environment (TEE) with TLS interception. This dissertation also contains our contribution to key management and key distribution in IoT networks. In performing secure software updates, the IoT devices can be grouped since the updates target a large number of devices. Thus, prior to deploying updates, a group key needs to be established among group members. In this dissertation, we present our designed secure group key establishment scheme. Symmetric key cryptography can help to save IoT device resources at the cost of increased key management complexity. This trade-off can be improved by integrating IoT networks with cloud computing and Software Defined Networking (SDN).In this dissertation, we use SDN in cloud networks to provision symmetric keys efficiently and securely. These pieces together help software developers and maintainers identify vulnerabilities, provision secret keys, and perform lightweight secure OTA updates. Furthermore, they help devices and systems with incompatible protocols to be able to interoperate
Efficiency and Implementation Security of Code-based Cryptosystems
This thesis studies efficiency and security problems of implementations of code-based
cryptosystems. These cryptosystems, though not currently used in the field, are of great
scientific interest, since no quantum algorithm is known that breaks them essentially
faster than any known classical algorithm. This qualifies them as cryptographic schemes
for the quantum-computer era, where the currently used cryptographic schemes are
rendered insecure.
Concerning the efficiency of these schemes, we propose a solution for the handling of
the public keys, which are, compared to the currently used schemes, of an enormous size.
Here, the focus lies on resource-constrained devices, which are not capable of storing a
code-based public key of communication partner in their volatile memory. Furthermore,
we show a solution for the decryption without the parity check matrix with a passable
speed penalty. This is also of great importance, since this matrix is of a size that is
comparable to that of the public key. Thus, the employment of this matrix on memory-constrained devices
is not possible or incurs a large cost.
Subsequently, we present an analysis of improvements to the generally most
time-consuming part of the decryption operation, which is the determination of the roots of
the error locator polynomial. We compare a number of known algorithmic variants and
new combinations thereof in terms of running time and memory demands. Though the
speed of pure software implementations must be seen as one of the strong sides of code-based schemes,
the optimisation of their running time on resource-constrained devices
and servers is of great relevance.
The second essential part of the thesis studies the side channel security of these
schemes. A side channel vulnerability is given when an attacker is able to retrieve
information about the secrets involved in a cryptographic operation by measuring physical
quantities such as the running time or the power consumption during that operation.
Specifically, we consider attacks on the decryption operation, which either target the
message or the secret key. In most cases, concrete countermeasures are proposed and
evaluated. In this context, we show a number of timing vulnerabilities that are linked to
the algorithmic variants for the root-finding of the error locator polynomial mentioned
above. Furthermore, we show a timing attack against a vulnerability in the Extended
Euclidean Algorithm that is used to solve the so-called key equation during the decryption
operation, which aims at the recovery of the message. We also present a related
practical power analysis attack. Concluding, we present a practical timing attack that
targets the secret key, which is based on the combination of three vulnerabilities, located
within the syndrome inversion, a further suboperation of the decryption, and the already
mentioned solving of the key equation.
We compare the attacks that aim at the recovery of the message with the analogous
attacks against the RSA cryptosystem and derive a general methodology for the discovery
of the underlying vulnerabilities in cryptosystems with specific properties.
Furthermore, we present two implementations of the code-based McEliece cryptosystem:
a smart card implementation and flexible implementation, which is based on a
previous open-source implementation. The previously existing open-source implementation
was extended to be platform independent and optimised for resource-constrained
devices. In addition, we added all algorithmic variants presented in this thesis, and
we present all relevant performance data such as running time, code size and memory
consumption for these variants on an embedded platform. Moreover, we implemented
all side channel countermeasures developed in this work.
Concluding, we present open research questions, which will become relevant once
efficient and secure implementations of code-based cryptosystems are evaluated by the
industry for an actual application
- …