82 research outputs found
Timing attacks and local timing attacks against Barrett’s modular multiplication algorithm
Montgomery’s and Barrett’s modular multiplication algorithms are widely used in modular exponentiation algorithms, e.g. to compute RSA or ECC operations. While Montgomery’s multiplication algorithm has been studied extensively in the literature and many side-channel attacks have been detected, to our best knowledge no thorough analysis exists for Barrett’s multiplication algorithm. This article closes this gap. For both Montgomery’s and Barrett’s multiplication algorithm, differences of the execution times are caused by conditional integer subtractions, so-called extra reductions. Barrett’s multiplication algorithm allows even two extra reductions, and this feature increases the mathematical difficulties significantly.
We formulate and analyse a two-dimensional Markov process, from which we deduce relevant stochastic properties of Barrett’s multiplication algorithm within modular exponentiation algorithms. This allows to transfer the timing attacks and local timing attacks (where a second side-channel attack exhibits the execution times of the particular modular squarings and multiplications) on Montgomery’s multiplication algorithm to attacks on Barrett’s algorithm. However, there are also differences. Barrett’s multiplication algorithm requires additional attack substeps, and the attack efficiency is much more sensitive to variations of the parameters. We treat timing attacks on RSA with CRT, on RSA without CRT, and on Diffie-Hellman, as well as local timing attacks against these algorithms in the presence of basis blinding. Experiments confirm our theoretical results
Boolean Exponent Splitting
A typical countermeasure against side-channel attacks consists of masking intermediate values with a random number. In symmetric cryptographic algorithms, Boolean shares of the secret are typically used, whereas in asymmetric algorithms the secret exponent/scalar is typically masked using algebraic properties. This paper presents a new exponent splitting technique with minimal impact on performance based on Boolean shares. More precisely, it is shown how an exponent can be efficiently split into two shares, where the exponent is the XOR sum of the two shares, typically requiring only an extra register and a few register copies per bit. Our novel exponentiation and scalar multiplication algorithms can be randomized for every execution and combined with other blinding techniques. In this way, both the exponent and the intermediate values can be protected against various types of side-channel attacks. We perform a security evaluation of our algorithms using the mutual information framework and provide proofs that they are secure against first-order side-channel attacks. The side-channel resistance of the proposed algorithms is also practically verified with test vector leakage assessment performed on Xilinx\u27s Zynq zc702 evaluation board
New Single-Trace Side-Channel Attacks on a Specific Class of Elgamal Cryptosystem
In 2005, Yen et al. proposed the first attack on the modular exponentiation algorithms such as BRIP and square-and-multiply-always methods. This attack makes use of the ciphertext as a distinguisher of low order to obtain a strong relation between side-channel leakages and secret exponent. The so-called attack is one of the most important order-2 element attacks, as it requires a non-adaptive chosen ciphertext which is considered as a more realistic attack model compared to adaptive chosen ciphertext scenario. To protect the implementation against attack, several literatures propose the simplest solution, i.e. \textquotedblleft block the special message . In this paper, we conduct an in-depth research on the attack based on the square-and-multiply-always (SMA) and Montgomery Ladder (ML) algorithms. We show that despite the unaccepted ciphertext countermeasure, other types of attacks is applicable to specific classes of Elgamal cryptosystems. We propose new chosen-message power-analysis attacks with order-4 elements which utilize a chosen ciphertext such that where is the prime number used as a modulus in Elgamal. Such a ciphertext can be found simply when . We demonstrate that ML and SMA algorithms are subjected to our new -type attack by utilizing a different ciphertext. We implement the proposed attacks on the TARGET Board of the ChipWhisperer CW1173 and our experiments validate the feasibility and effectiveness of the attacks by using only a single power trace
Security Analysis of Phasor Measurement Units in Smart Grid Communication Infrastructures
Phasor Measurement Units (PMUs), or synchrophasors, are rapidly being deployed in the smart grid with the goal of measuring phasor quantities concurrently from wide area distribution substations. By utilizing GPS receivers, PMUs can take a wide area snapshot of power systems. Thus, the possibility of blackouts in the smart grid, the next generation power grid, will be reduced. As the main enabler of Wide Area Measurement Systems (WAMS), PMUs transmit measured values to Phasor Data Concentrators (PDCs) by the synchrophasor standard IEEE C37.118. IEC 61850 and IEC 62351 are the communication protocols for the substation automation system and the security standard for the communication protocol of IEC 61850, respectively. According to the aforementioned communication and security protocols, as well as the implementation constraints of different platforms, HMAC-SHA1 was suggested by the TC 57 WG group in October 2009. The hash-based Message Authentication Code (MAC) is an algorithm for verifying both message integrity and authentication by using an iterative hash function and a supplied secret key. There are a variety of security attacks on the PMU communications infrastructure. Timing Side Channel Attack (SCA) is one of these possible attacks. In this thesis, timing side channel vulnerability against execution time of the HMAC-SHA1 authentication algorithm is studied. Both linear and negative binomial regression are used to model some security features of the stored key, e.g., its length and Hamming weight. The goal is to reveal secret-related information based on leakage models. The results would mitigate the cryptanalysis process of an attacker.
Adviser: Yi Qia
Remote Attacks on FPGA Hardware
Immer mehr Computersysteme sind weltweit miteinander verbunden und über das Internet zugänglich, was auch die Sicherheitsanforderungen an diese erhöht. Eine neuere Technologie, die zunehmend als Rechenbeschleuniger sowohl für eingebettete Systeme als auch in der Cloud verwendet wird, sind Field-Programmable Gate Arrays (FPGAs). Sie sind sehr flexible Mikrochips, die per Software konfiguriert und programmiert werden können, um beliebige digitale Schaltungen zu implementieren. Wie auch andere integrierte Schaltkreise basieren FPGAs auf modernen Halbleitertechnologien, die von Fertigungstoleranzen und verschiedenen Laufzeitschwankungen betroffen sind. Es ist bereits bekannt, dass diese Variationen die Zuverlässigkeit eines Systems beeinflussen, aber ihre Auswirkungen auf die Sicherheit wurden nicht umfassend untersucht.
Diese Doktorarbeit befasst sich mit einem Querschnitt dieser Themen: Sicherheitsprobleme die dadurch entstehen wenn FPGAs von mehreren Benutzern benutzt werden, oder über das Internet zugänglich sind, in Kombination mit physikalischen Schwankungen in modernen Halbleitertechnologien. Der erste Beitrag in dieser Arbeit identifiziert transiente Spannungsschwankungen als eine der stärksten Auswirkungen auf die FPGA-Leistung und analysiert experimentell wie sich verschiedene Arbeitslasten des FPGAs darauf auswirken. In der restlichen Arbeit werden dann die Auswirkungen dieser Spannungsschwankungen auf die Sicherheit untersucht. Die Arbeit zeigt, dass verschiedene Angriffe möglich sind, von denen früher angenommen wurde, dass sie physischen Zugriff auf den Chip und die Verwendung spezieller und teurer Test- und Messgeräte erfordern. Dies zeigt, dass bekannte Isolationsmaßnahmen innerhalb FPGAs von böswilligen Benutzern umgangen werden können, um andere Benutzer im selben FPGA oder sogar das gesamte System anzugreifen.
Unter Verwendung von Schaltkreisen zur Beeinflussung der Spannung innerhalb eines FPGAs zeigt diese Arbeit aktive Angriffe, die Fehler (Faults) in anderen Teilen des Systems verursachen können. Auf diese Weise sind Denial-of-Service Angriffe möglich, als auch Fault-Angriffe um geheime Schlüsselinformationen aus dem System zu extrahieren. Darüber hinaus werden passive Angriffe gezeigt, die indirekt die Spannungsschwankungen auf dem Chip messen. Diese Messungen reichen aus, um geheime Schlüsselinformationen durch Power Analysis Seitenkanalangriffe zu extrahieren. In einer weiteren Eskalationsstufe können sich diese Angriffe auch auf andere Chips auswirken die an dasselbe Netzteil angeschlossen sind wie der FPGA. Um zu beweisen, dass vergleichbare Angriffe nicht nur innerhalb FPGAs möglich sind, wird gezeigt, dass auch kleine IoT-Geräte anfällig für Angriffe sind welche die gemeinsame Spannungsversorgung innerhalb eines Chips ausnutzen.
Insgesamt zeigt diese Arbeit, dass grundlegende physikalische Variationen in integrierten Schaltkreisen die Sicherheit eines gesamten Systems untergraben können, selbst wenn der Angreifer keinen direkten Zugriff auf das Gerät hat. Für FPGAs in ihrer aktuellen Form müssen diese Probleme zuerst gelöst werden, bevor man sie mit mehreren Benutzern oder mit Zugriff von Drittanbietern sicher verwenden kann. In Veröffentlichungen die nicht Teil dieser Arbeit sind wurden bereits einige erste Gegenmaßnahmen untersucht
Public keys quality
Dissertação de mestrado em Matemática e ComputaçãoThe RSA cryptosystem, invented by Ron Rivest, Adi Shamir and Len Adleman ([Rivest et al.,
1978]) is the most commonly used cryptosystem for providing privacy and ensuring authenticity
of digital data. RSA is usually used in contexts where security of digital data is priority. RSA
is used worldwide by web servers and browsers to secure web traffic, to ensure privacy and
authenticity of e-mail, to secure remote login sessions and to provide secure electronic creditcard
payment systems.
Given its importance in the protection of digital data, vulnerabilities of RSA have been
analysed by many researchers. The researches made so far led to a number of fascinating
attacks. Although the attacks helped to improve the security of this cryptosystem, showing that
securely implementing RSA is a nontrivial task, none of them was devastating.
This master thesis discusses the RSA cryptosystem and some of its vulnerabilities as well
as the description of some attacks, both recent and old, together with the description of the
underlying mathematical tools they use. Although many types of attacks exist, in this master
thesis only a few examples were analysed. The ultimate attack, based in the batch-GCD
algorithm, was implemented and tested in the RSA keys produced by a certificated Hardware
Security Modules Luna SA and the results were commented.
The random and pseudorandom numbers are fundamental to many cryptographic applications,
including the RSA cryptosystems. In fact, the produced keys must be generated in a
specific random way. The National Institute of Standards and Technology, responsible entity for
specifying safety standards, provides a package named "A Statistical Test Suit for Random and
Pseudorandom Number Generators for Cryptography Applications" which was used in this work
to test the randomness of the Luna SA generated numbers. All the statistical tests were tested
in different bit sizes number and the results commented.
The main purpose of this thesis is to study the previous subjects and create an applications
capable to test the Luna SA generated numbers randomness, a well as evaluate the security of
the RSA.
This work was developed in partnership with University of Minho and Multicert.O RSA, criado por Ron Rivest, Adi Shamir e Len Adleman ([Rivest et al., 1978]) é o
sistema criptográfico mais utilizado para providenciar segurança e assegurar a autenticação de
dados utilizados no mundo digital. O RSA é usualmente usado em contextos onde a segurança
é a grande prioridade. Hoje em dia, este sistema criptográfico é utilizado mundialmente por
servidores web e por browsers, por forma a assegurar um tráfego seguro através da Internet. É o
sistema criptográfico mais utilizado na autenticação de e-mails, nos inÃcios de sessões remotos,
na utilização de pagamentos através de cartões multibanco, garantindo segurança na utilização
destes serviços.
Dada a importância que este sistema assume na proteção da informação digital, as suas
vulnerabilidades têm sido alvo de várias investigações. Estas investigações resultaram em vários
ataques ao RSA. Embora nenhum destes ataques seja efetivamente eficaz, todos contribuÃram
para um aumento da segurança do RSA, uma vez que as implementações de referência deste
algoritmo passaram a precaver-se contra os ataques descobertos.
Esta tese de mestrado aborda o sistema criptográfico RSA, discutindo algumas das suas
vulnerabilidades, assim como alguns ataques efetuados a este sistema, estudando todos os
métodos matemáticos por estes usados. Embora existam diversos ataques, apenas alguns serão
abordados nesta tese de mestrado. O último ataque, baseado no algoritmo batch-GCD foi
implementado e foram feitos testes em chaves RSA produzidas por um Hardware Security Module
Luna SA certificado e os resultados obtidos foram discutidos.
Os números aleatórios e pseudoaleatórios são fundamentais a todas as aplicações criptográficas,
incluindo, portanto, o sistema criptográfico RSA. De facto, as chaves produzidas deverão
ser geradas com alguma aleatoriedade intrÃnseca ao sistema. O Instituto Nacional de Standards
e Tecnologia, entidade responsável pela especificação dos standards de segurança, disponibiliza
um pacote de testes estatÃsticos, denominado por "A Statistical Test Suit for Random and
Pseudorandom Number Generators for Cryptography Applications". Estes testes estatÃsticos
foram aplicados a números gerados pelo Luna SA e os resultados foram, também, comentados.
O objetivo desta tese de mestrado é desenvolver capacidade de compreensão sobre os assuntos
descritos anteriormente e criar uma aplicação capaz de testar a aleatoriedade dos números
gerados pelo Luna SA, assim como avaliar a segurança do sistema criptográfico RSA.
Este foi um trabalho desenvolvido em parceria com a Universidade do Minho e com a Multicert
Fast Authentication from Aggregate Signatures with Improved Security
An attempt to derive signer-efficient digital signatures from aggregate signatures was made in a signature scheme referred to as Structure-free Compact Rapid Authentication (SCRA) (IEEE TIFS 2017). In this paper, we first mount a practical universal forgery attack against the NTRU instantiation of SCRA by observing only 8161 signatures. Second, we propose a new signature scheme (FAAS), which transforms any single-signer aggregate signature scheme into a signer-efficient scheme. We show two efficient instantiations of FAAS, namely, FAAS-NTRU and FAAS-RSA, both of which achieve high computational efficiency. Our experiments confirmed that FAAS schemes achieve up to 100x faster signature generation compared to their underlying schemes. Moreover, FAAS schemes eliminate some of the costly operations such as Gaussian sampling, rejection sampling, and exponentiation at the signature generation that are shown to be susceptible to side-channel attacks. This enables FAAS schemes to enhance the security and efficiency of their underlying schemes. Finally, we prove that FAAS schemes are secure (in random oracle model), and open-source both our attack and FAAS implementations for public testing purposes
Side-Channel Analysis and Cryptography Engineering : Getting OpenSSL Closer to Constant-Time
As side-channel attacks reached general purpose PCs and started to be more practical for attackers to exploit, OpenSSL adopted in 2005 a flagging mechanism to protect against SCA. The opt-in mechanism allows to flag secret values, such as keys, with the BN_FLG_CONSTTIME flag. Whenever a flag is checked and detected, the library changes its execution flow to SCA-secure functions that are slower but safer, protecting these secret values from being leaked. This mechanism favors performance over security, it is error-prone, and is obscure for most library developers, increasing the potential for side-channel vulnerabilities. This dissertation presents an extensive side-channel analysis of OpenSSL and criticizes its fragile flagging mechanism. This analysis reveals several flaws affecting the library resulting in multiple side-channel attacks, improved cache-timing attack techniques, and a new side channel vector. The first part of this dissertation introduces the main topic and the necessary related work, including the microarchitecture, the cache hierarchy, and attack techniques; then it presents a brief troubled history of side-channel attacks and defenses in OpenSSL, setting the stage for the related publications. This dissertation includes seven original publications contributing to the area of side-channel analysis, microarchitecture timing attacks, and applied cryptography. From an SCA perspective, the results identify several vulnerabilities and flaws enabling protocol-level attacks on RSA, DSA, and ECDSA, in addition to full SCA of the SM2 cryptosystem. With respect to microarchitecture timing attacks, the dissertation presents a new side-channel vector due to port contention in the CPU execution units. And finally, on the applied cryptography front, OpenSSL now enjoys a revamped code base securing several cryptosystems against SCA, favoring a secure-by-default protection against side-channel attacks, instead of the insecure opt-in flagging mechanism provided by the fragile BN_FLG_CONSTTIME flag
A Network-based Asynchronous Architecture for Cryptographic Devices
Institute for Computing Systems ArchitectureThe traditional model of cryptography examines the security of the cipher as a
mathematical function. However, ciphers that are secure when specified as mathematical
functions are not necessarily secure in real-world implementations. The physical
implementations of ciphers can be extremely difficult to control and often leak socalled
side-channel information. Side-channel cryptanalysis attacks have shown to
be especially effective as a practical means for attacking implementations of cryptographic
algorithms on simple hardware platforms, such as smart-cards. Adversaries
can obtain sensitive information from side-channels, such as the timing of operations,
power consumption and electromagnetic emissions. Some of the attack techniques
require surprisingly little side-channel information to break some of the best known
ciphers. In constrained devices, such as smart-cards, straightforward implementations
of cryptographic algorithms can be broken with minimal work. Preventing these attacks
has become an active and a challenging area of research.
Power analysis is a successful cryptanalytic technique that extracts secret information
from cryptographic devices by analysing the power consumed during their operation.
A particularly dangerous class of power analysis, differential power analysis
(DPA), relies on the correlation of power consumption measurements. It has been proposed
that adding non-determinism to the execution of the cryptographic device would
reduce the danger of these attacks. It has also been demonstrated that asynchronous
logic has advantages for security-sensitive applications. This thesis investigates the
security and performance advantages of using a network-based asynchronous architecture,
in which the functional units of the datapath form a network. Non-deterministic
execution is achieved by exploiting concurrent execution of instructions both with and
without data-dependencies; and by forwarding register values between instructions
with data-dependencies using randomised routing over the network. The executions of
cryptographic algorithms on different architectural configurations are simulated, and
the obtained power traces are subjected to DPA attacks. The results show that the
proposed architecture introduces a level of non-determinism in the execution that significantly
raises the threshold for DPA attacks to succeed. In addition, the performance
analysis shows that the improved security does not degrade performance
- …