ECDH Key-Extraction via Low-Bandwidth Electromagnetic Attacks on PCs
We present the first physical side-channel attack on elliptic curve cryptography running on a PC. The attack targets the ECDH public-key encryption algorithm, as implemented in the latest version of GnuPG's Libgcrypt.
By measuring the target's electromagnetic emanations, the attack extracts the secret decryption key within seconds, from a target located in an adjacent room across a wall. The attack utilizes a single carefully chosen ciphertext, and tailored time-frequency signal analysis techniques, to achieve full key extraction.
May the fourth be with you: a microarchitectural side channel attack on several real-world applications of Curve25519
Session D3: Logical Side Channels
In recent years, applications increasingly adopt security primitives designed with better countermeasures against side channel attacks. A concrete example is Libgcrypt's implementation of ECDH encryption with Curve25519. The implementation employs the Montgomery ladder scalar-by-point multiplication, uses the unified, branchless Montgomery double-and-add formula and implements a constant-time argument swap within the ladder. However, Libgcrypt's field arithmetic operations are not implemented in a constant-time side-channel-resistant fashion. Based on the secure design of Curve25519, users of the curve are advised that there is no need to perform validation of input points. In this work we demonstrate that when this recommendation is followed, the mathematical structure of Curve25519 facilitates the exploitation of side-channel weaknesses. We demonstrate the effect of this vulnerability on three software applications (encrypted git, email and messaging) that use Libgcrypt. In each case, we show how to craft malicious OpenPGP files that use the Curve25519 point of order 4 as a chosen ciphertext to the ECDH encryption scheme. We find that the resulting interactions of the point at infinity, order-2, and order-4 elements in the Montgomery ladder scalar-by-point multiplication routine create side channel leakage that allows us to recover the private key in as few as 11 attempts to access such malicious files.
Daniel Genkin, Luke Valenta, Yuval Yaro
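As an added illustration of the order-4 mechanism described in this abstract (example code written for this page, not Libgcrypt's or the authors' code): a pure-Python RFC 7748 x-only Montgomery ladder is run on the Curve25519 point with x-coordinate 1, which has order 4, and the attacker is assumed to observe, for each ladder iteration, which projective coordinates of the two ladder registers are zero. The abstract attributes the real leakage to Libgcrypt's non-constant-time field arithmetic; treating the zero coordinates as directly observable is a simplification assumed here. The secret scalar, the leakage model and the function names are constructed for the example.

```python
"""Simulation of the Curve25519 order-4 chosen-ciphertext leak in an x-only Montgomery ladder.

Example code for this page; the leakage model (zero projective coordinates are
observable per iteration) is an assumption, not Libgcrypt's actual behaviour.
"""

P = 2**255 - 19
A24 = 121665            # (486662 - 2) / 4, the constant used by RFC 7748
U_ORDER4 = 1            # x = 1 is a point Q of order 4 on Curve25519: 2Q = (0, 0), 4Q = O

# Constructed 32-byte secret seed for the example (not a real key).
SECRET_SEED = b"constructed secret key 32 bytes!"


def clamp(k):
    """X25519 scalar clamping: clear the low 3 bits and bit 255, set bit 254."""
    k &= ~7
    k &= (1 << 255) - 1
    k |= 1 << 254
    return k


def ladder(k, u, trace=None):
    """RFC 7748 ladder returning the affine x-coordinate of k*Q for Q with x-coordinate u.

    If trace is given, the zero flags (X0 == 0, Z0 == 0, X1 == 0, Z1 == 0) of the two
    ladder registers are appended as they enter each step: the assumed leakage.
    """
    x1 = u % P
    x2, z2 = 1, 0           # R0 = point at infinity, represented with Z == 0
    x3, z3 = x1, 1          # R1 = Q
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        if trace is not None:
            trace.append((x2 == 0, z2 == 0, x3 == 0, z3 == 0))
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P           # R0 + R1 (differential addition)
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P                  # 2 * R0 (doubling)
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return x2 * pow(z2, P - 2, P) % P     # 0 when the result is the point at infinity


def zero_class(m):
    """Zero pattern of m*Q for an order-4 Q: O has Z == 0, 2Q = (0, 0) has X == 0,
    and odd multiples (affine x == 1) have both coordinates non-zero."""
    m %= 4
    return "inf" if m == 0 else ("two" if m == 2 else "odd")


def observed_class(x_is_zero, z_is_zero):
    """Map the observed flags of one register onto the same three classes."""
    return "inf" if z_is_zero else ("two" if x_is_zero else "odd")


def recover_scalar(trace):
    """Rebuild the scalar bit by bit: after the conditional swap the first register holds
    (prefix + bit) * Q, so its zero pattern says whether the new bit is 1."""
    k = 0
    for x2_zero, z2_zero, _x3_zero, _z3_zero in trace:
        bit = 1 if observed_class(x2_zero, z2_zero) == zero_class(k + 1) else 0
        k = 2 * k + bit
    return k


def demo():
    """Run the ladder on the order-4 point and recover the clamped secret from the trace."""
    secret = clamp(int.from_bytes(SECRET_SEED, "little"))
    tr = []
    shared = ladder(secret, U_ORDER4, tr)   # all-zero shared secret: the result is O
    return shared, recover_scalar(tr) == secret


if __name__ == "__main__":
    print(demo())
```

With an order-4 input the ladder registers only ever hold O, Q, 2Q = (0, 0) and 3Q, so the state at every iteration is a function of the scalar prefix modulo 4 and each step exposes one more bit; the shared secret itself is the all-zero output of the point at infinity, which is why implementations that do validate inputs reject the low-order x-coordinates or the all-zero result.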
Drive-by Key-Extraction Cache Attacks from Portable Code
We show how malicious web content can extract cryptographic secret keys from the user's computer.
The attack uses portable scripting languages supported by modern browsers to induce contention for CPU cache resources, and thereby gleans information about the memory accesses of other programs running on the user's computer. We show how this side-channel attack can be realized in both WebAssembly and PNaCl; how to attain very fine-grained measurements; and how to use these to extract ElGamal, ECDH and RSA decryption keys from various cryptographic libraries.
The attack does not rely on bugs in the browser's nominal sandboxing mechanisms, or on fooling users. It applies even to locked-down platforms with strong confinement mechanisms and browser-only functionality, such as Chromebook devices.
Moreover, on browser-based platforms the attacked software too may be written in portable JavaScript; and we show that in this case even implementations of supposedly-secure constant-time algorithms, such as Curve25519's, are vulnerable to our attack.
New Single-Trace Side-Channel Attacks on a Specific Class of Elgamal Cryptosystem
In 2005, Yen et al. proposed the first attack on modular exponentiation algorithms such as BRIP and the square-and-multiply-always method. This attack uses a ciphertext of low order as a distinguisher to obtain a strong relation between the side-channel leakage and the secret exponent. It is one of the most important order-2 element attacks, as it requires only a non-adaptive chosen ciphertext, which is considered a more realistic attack model than the adaptive chosen-ciphertext scenario. To protect implementations against the attack, several works propose the simplest solution, i.e. "block the special message". In this paper, we conduct in-depth research on the attack against the square-and-multiply-always (SMA) and Montgomery Ladder (ML) algorithms. We show that despite the rejected-ciphertext countermeasure, other types of attack are applicable to specific classes of Elgamal cryptosystems. We propose new chosen-message power-analysis attacks with order-4 elements, which utilize a chosen ciphertext such that [...] where [...] is the prime number used as the modulus in Elgamal. Such a ciphertext can be found simply when [...]. We demonstrate that the ML and SMA algorithms are subject to our new [...]-type attack by utilizing a different ciphertext. We implement the proposed attacks on the TARGET board of the ChipWhisperer CW1173, and our experiments validate the feasibility and effectiveness of the attacks using only a single power trace.
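As an added worked example (written for this page, not the paper's code or measurements) of the order-2 and order-4 chosen-ciphertext attacks on the square-and-multiply-always and Montgomery ladder exponentiations: it uses a toy 64-bit prime, assumes the Hamming weight of the accumulator register as the power-leakage model, takes the order-4 ciphertext to be an element c with c^2 = -1 (mod p), which exists exactly when p = 1 (mod 4), and shows that a "block the special message" check that refuses p-1 does not refuse such a c. The modulus, the exponent, the leakage model and the function names are constructed for the example.

```python
"""Toy simulation of order-2 / order-4 chosen-ciphertext attacks on ElGamal exponentiation.

Example code for this page. Leakage model (assumed): the Hamming weight of the
accumulator after each exponent bit is observable from a single power trace.
"""
import random

# Toy modulus, an assumption for the example: the largest 64-bit prime, which is
# congruent to 1 mod 4, so Z_p^* contains elements of order 4.
P_TOY = 2**64 - 59


def hw(v):
    """Hamming weight of a register value, the assumed leakage."""
    return bin(v).count("1")


def square_and_multiply_always(c, x, p, trace):
    """c^x mod p with a dummy multiply on every bit; trace gets hw(accumulator) per bit."""
    r = 1
    for t in range(x.bit_length() - 1, -1, -1):
        r = r * r % p
        tmp = r * c % p              # computed for every bit, kept only when the bit is 1
        if (x >> t) & 1:
            r = tmp
        trace.append(hw(r))          # r == c^(x >> t) after this step
    return r


def montgomery_ladder(c, x, p, trace):
    """c^x mod p by the Montgomery ladder (r1 == r0 * c throughout)."""
    r0, r1 = 1, c % p
    for t in range(x.bit_length() - 1, -1, -1):
        if (x >> t) & 1:
            r0, r1 = r0 * r1 % p, r1 * r1 % p
        else:
            r1, r0 = r0 * r1 % p, r0 * r0 % p
        trace.append(hw(r0))         # r0 == c^(x >> t), the same values as in SMA
    return r0


def reject_special_message(c, p):
    """The 'block the special message' countermeasure: refuse trivial and order-2 inputs."""
    return c % p in (0, 1, p - 1)


def choose_order4_ciphertext(p, seed=7):
    """Find c with c^2 == -1 mod p (order 4) whose four powers have distinct Hamming
    weights, so that the template attack below can tell them apart."""
    assert p % 4 == 1, "order-4 elements exist only when p == 1 mod 4"
    rng = random.Random(seed)
    while True:
        a = rng.randrange(2, p - 1)
        c = pow(a, (p - 1) // 4, p)      # has order 4 exactly when a is a non-residue
        if c * c % p != p - 1:
            continue
        if len({hw(pow(c, i, p)) for i in range(4)}) == 4:
            return c


def recover_exponent(trace, c, p, order):
    """Template attack: after step t the accumulator equals c^(x >> t), which depends only
    on (x >> t) mod order, so each step leaves two candidate symbols, one per bit value."""
    templates = [hw(pow(c, i, p)) for i in range(order)]
    assert len(set(templates)) == order, "symbols must be distinguishable"
    x = 0
    for obs in trace:
        matches = [b for b in (0, 1) if templates[(2 * x + b) % order] == obs]
        assert len(matches) == 1
        x = 2 * x + matches[0]
    return x


def demo():
    """Order-2 input is blocked; the order-4 input passes and still leaks every bit."""
    x = 0xC0FFEE1234567                           # constructed secret exponent
    c2 = P_TOY - 1                                # order 2
    c4 = choose_order4_ciphertext(P_TOY)          # order 4
    blocked = (reject_special_message(c2, P_TOY), reject_special_message(c4, P_TOY))
    t_sma, t_ml = [], []
    square_and_multiply_always(c4, x, P_TOY, t_sma)
    montgomery_ladder(c4, x, P_TOY, t_ml)
    return (blocked,
            recover_exponent(t_sma, c4, P_TOY, 4) == x,
            recover_exponent(t_ml, c4, P_TOY, 4) == x)


if __name__ == "__main__":
    print(demo())
```

The accumulator cycles through only 1, c, -1 and -c, so the dummy multiplication of SMA and the constant structure of the ladder do not help: the value left in the register after each step is a function of the exponent prefix modulo 4, and one trace that distinguishes the four symbols recovers the whole exponent. Rejecting p-1 alone leaves the order-4 elements, which is why input checks have to reject every small-order element (or randomize the exponent or the message) rather than the one "special message".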
EM Side Channel Analysis on Complex SoC architectures
EM side-channel analysis is a very effective technique for attacking cryptographic systems due to its non-invasive nature and its capability to launch an attack even with limited resources. The EM leakage from devices can give information about computations on the processor, which can in turn reveal the internal state of the algorithm. For security-sensitive algorithms, these EM radiations can be exploited by the adversary to extract secret-key-dependent operations, hence the EM side channel must be studied when evaluating the security of these algorithms. Modern embedded devices composed of System-on-Chip architectures are considered hard targets for EM side-channel analysis, mainly due to their complex architecture. This thesis explores the viability of EM side-channel attacks on such targets. It gives a comprehensive literature overview of EM side-channel analysis, followed by a practical side-channel attack on a SoC device using the well-known cryptographic library OpenSSL. The attack successfully extracts the secret-key-dependent operation, which can be used to retrieve the private key in security protocols such as TLS and SSH. The thesis concludes, with practical single-trace attacks, that cryptographic implementations can still be broken using EM side-channel analysis, and that the complex nature of the device has no significant effect once signal processing methods are used to extract the side-channel information; hence cryptographic software implementations must address these issues.
Simulation-based verification of EM side-channel attack resilience of embedded cryptographic systems
Electromagnetic (EM) fields emanated due to switching currents in crypto-blocks can be an effective non-invasive channel for extracting secret keys. Accurate design-time simulation tools are needed to predict vulnerabilities and improve the resilience of embedded systems to EM side-channel analysis attacks. Modeling such attacks is challenging, however, as it requires a multitude of expensive simulations across multiple circuit abstraction levels together with EM simulations. In this work, a simulation flow is developed to study the differential EM analysis (DEMA) attack on the Advanced Encryption Standard (AES) block cipher. The proposed flow enables design-time evaluation of realistic DEMA attacks for the first time. The major challenge is accurately computing the signals received by a nearby probe at various positions above the chip surface for a large number of AES encryptions. This requires rapidly generating the spatial distribution and transient EM radiation of on-chip current waveforms. Commercial CAD tools are used to generate space-time samples of these waveforms and a custom EM simulator to radiate them. The computations are sped up by focusing on information-leaking time windows, performing hybrid gate- and transistor-level simulations, radiating only the currents on the top metallization layers, and generating traces for different encryptions in parallel. These methods reduce simulation time to a manageable ~20 hours of wall-clock time per attack, allowing a previously impossible level of vulnerability analysis. The proposed flow also allows pinpointing the critical regions on the chip most susceptible to EM attacks. We demonstrate that exploiting the spatial profile of circuit elements can reveal cryptographic keys with significantly fewer traces than DPA, guiding designers to the most critical areas of the layout. This enables targeted deployment of countermeasures to the highest information-leaking design components.
Electrical and Computer Engineerin