251 research outputs found
Persistent Fault Analysis With Few Encryptions
Persistent fault analysis (PFA) consists in guessing block
cipher secret keys by biasing their substitution box. This paper improves
the original attack of Zhang et al. on AES-128 presented at CHES
2018. By a thorough analysis, the exact probability distribution of the
ciphertext (under a uniformly distributed plaintext) is derived, and the
maximum likelihood key recovery estimator is computed exactly. Its
expression is turned into an attack algorithm, which is shown to be
twice more efficient in terms of number of required encryptions than
the original attack of Zhang et al. This algorithm is also optimized
from a computational complexity standpoint. In addition, our optimal
attack is naturally amenable to key enumeration, which expedites full 16-
bytes key extraction. Various tradeoffs between data and computational
complexities are investigated
POPE: Partial Order Preserving Encoding
Recently there has been much interest in performing search queries over
encrypted data to enable functionality while protecting sensitive data. One
particularly efficient mechanism for executing such queries is order-preserving
encryption/encoding (OPE) which results in ciphertexts that preserve the
relative order of the underlying plaintexts thus allowing range and comparison
queries to be performed directly on ciphertexts. In this paper, we propose an
alternative approach to range queries over encrypted data that is optimized to
support insert-heavy workloads as are common in "big data" applications while
still maintaining search functionality and achieving stronger security.
Specifically, we propose a new primitive called partial order preserving
encoding (POPE) that achieves ideal OPE security with frequency hiding and also
leaves a sizable fraction of the data pairwise incomparable. Using only O(1)
persistent and non-persistent client storage for
, our POPE scheme provides extremely fast batch insertion
consisting of a single round, and efficient search with O(1) amortized cost for
up to search queries. This improved security and
performance makes our scheme better suited for today's insert-heavy databases.Comment: Appears in ACM CCS 2016 Proceeding
One Fault is All it Needs: Breaking Higher-Order Masking with Persistent Fault Analysis
Persistent fault analysis (PFA) was proposed at CHES 2018 as a novel fault analysis technique. It was shown to completely defeat standard redundancy based countermeasure against fault analysis. In this work, we investigate the security of masking schemes against PFA. We show that with only one fault injection, masking countermeasures can be broken at any masking order. The study is performed on publicly available implementations of masking
On The Deployment of Tweak-in-Plaintext Protection Against Differential Fault Analysis
In an article from HOST 2018, which appears in extended form in the Cryptology ePrint Archive, Baksi, Bhasin, Breier, Khairallah, and Peyrin proposed the tweak-in-plaintext method to protect block ciphers against a differential fault analysis (DFA). We argue that this method lacks existential motivation as neither of its two envisioned use cases, i.e., the electronic codebook (ECB) and the cipher block chaining (CBC) modes of operation, is competitive. Furthermore, in a variant of the method where nonces are generated using a linear-feedback shift register (LFSR), several security problems have not been anticipated for. Finally, we analyze the security level against a brute-force DFA more rigorously than in the original work
Cryptographically Secure Information Flow Control on Key-Value Stores
We present Clio, an information flow control (IFC) system that transparently
incorporates cryptography to enforce confidentiality and integrity policies on
untrusted storage. Clio insulates developers from explicitly manipulating keys
and cryptographic primitives by leveraging the policy language of the IFC
system to automatically use the appropriate keys and correct cryptographic
operations. We prove that Clio is secure with a novel proof technique that is
based on a proof style from cryptography together with standard programming
languages results. We present a prototype Clio implementation and a case study
that demonstrates Clio's practicality.Comment: Full version of conference paper appearing in CCS 201
Physical Fault Injection and Side-Channel Attacks on Mobile Devices:A Comprehensive Analysis
Today's mobile devices contain densely packaged system-on-chips (SoCs) with
multi-core, high-frequency CPUs and complex pipelines. In parallel,
sophisticated SoC-assisted security mechanisms have become commonplace for
protecting device data, such as trusted execution environments, full-disk and
file-based encryption. Both advancements have dramatically complicated the use
of conventional physical attacks, requiring the development of specialised
attacks. In this survey, we consolidate recent developments in physical fault
injections and side-channel attacks on modern mobile devices. In total, we
comprehensively survey over 50 fault injection and side-channel attack papers
published between 2009-2021. We evaluate the prevailing methods, compare
existing attacks using a common set of criteria, identify several challenges
and shortcomings, and suggest future directions of research
SMoTherSpectre: exploiting speculative execution through port contention
Spectre, Meltdown, and related attacks have demonstrated that kernels,
hypervisors, trusted execution environments, and browsers are prone to
information disclosure through micro-architectural weaknesses. However, it
remains unclear as to what extent other applications, in particular those that
do not load attacker-provided code, may be impacted. It also remains unclear as
to what extent these attacks are reliant on cache-based side channels.
We introduce SMoTherSpectre, a speculative code-reuse attack that leverages
port-contention in simultaneously multi-threaded processors (SMoTher) as a side
channel to leak information from a victim process. SMoTher is a fine-grained
side channel that detects contention based on a single victim instruction. To
discover real-world gadgets, we describe a methodology and build a tool that
locates SMoTher-gadgets in popular libraries. In an evaluation on glibc, we
found hundreds of gadgets that can be used to leak information. Finally, we
demonstrate proof-of-concept attacks against the OpenSSH server, creating
oracles for determining four host key bits, and against an application
performing encryption using the OpenSSL library, creating an oracle which can
differentiate a bit of the plaintext through gadgets in libcrypto and glibc
Lightweight protection of cryptographic hardware accelerators against differential fault analysis
© 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes,creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.Hardware acceleration circuits for cryptographic algorithms are largely deployed in a wide range of products. The HW implementations of such algorithms often suffer from a number of vulnerabilities that expose systems to several attacks, e.g., differential fault analysis (DFA). The challenge for designers is to protect cryptographic accelerators in a cost-effective and power-efficient way. In this paper, we propose a lightweight technique for protecting hardware accelerators implementing AES and SHA-2 (which are two widely used NIST standards) against DFA. The proposed technique exploits partial redundancy to first detect the occurrence of a fault and then to react to the attack by obfuscating the output values. An experimental campaign demonstrated that the overhead introduced is 8.32% for AES and 3.88% for SHA-2 in terms of area, 0.81% for AES and 12.31% for SHA-2 in terms of power with no working frequency reduction. Moreover, a comparative analysis showed that our proposal outperforms the most recent related countermeasures.Peer ReviewedPostprint (author's final draft
- âŠ