
    Practical Electromagnetic Template Attack on HMAC

    The original publication is available at www.springerlink.com.
    In this paper, we show that HMAC can be attacked using a very efficient side channel attack which reveals the Hamming distance of some registers. After a profiling phase which requires access to a similar device that can be configured by the adversary, the attack recovers the secret key from a single recorded execution of HMAC-SHA-1, for example, on an embedded device. We performed experiments using a NIOS processor executed on a Field Programmable Gate Array (FPGA) to confirm the leakage model. Besides the high efficiency of this attack, $2^{32}\cdot 3^k$ where $k$ is the number of 32-bit words of the key, which we confirmed experimentally, our results also shed some light on the requirements in terms of side channel attacks for the future SHA-3 function. Finally, we show that our attack can also be used to break the confidentiality of network protocols usually implemented on embedded devices.

    Side Channel Attack on Low Power FPGA Platform

    In today's advanced electronic age, people have become accustomed to using electronic devices to store and process their information. There is a general belief that the information is safe, due to the use of mathematically proven cryptographic systems in critical devices. However, in recent years, various side channel attacks have been used to break the security of systems that were thought to be completely safe. Side channel attacks are based on information gained through the physical implementation of a cryptosystem, rather than its mathematical construction. In this thesis work, an investigation is carried out to examine the susceptibility of the Hash-based Message Authentication Code standard based on the Secure Hash Algorithm (HMAC-SHA256) cryptosystem to a known correlation power analysis attack. For the purpose of this investigation, the cryptosystem was implemented on a low power Xilinx Field-Programmable Gate Array (FPGA) on the Side Channel Attack Standard Evaluation Board (SASEBO) platform. A secondary objective of the research work was to explore whether the SASEBO platform used may be easily modified to run side channel attacks on different cryptosystems. Four different side channel attacks were carried out on the HMAC-SHA256 implementation on the Xilinx Virtex-5 FPGA; two were based on power consumption measurements and two on electromagnetic (EM) emanation above the FPGA chip. This thesis has shown that the SASEBO platform can be used as a testbed for examining the power side channel analysis of different cryptosystems with a small percentage of FPGA overhead. Although the EM emanations from SASEBO are not viable for side channel analysis, power from the on-chip core can be utilized. In addition, the previously researched carry-propagate and pre-averaging techniques have been verified and found to be useful on this low power FPGA chip, requiring approximately 43776 traces for the correct guess of the secret intermediate values to rank among the top 5 guesses.

    FPGA-Based Testbed for Fault Injection on SHA-256

    In real world applications, cryptographic algorithms are implemented in hardware or software on specific devices. An active attacker may inject faults during the computation process, and careful analysis of the faulty results can potentially leak secret information. These kinds of attacks, known as fault injection attacks, may have devastating effects in the field of hardware and embedded cryptography. This research proposes a partial implementation of SHA-256 along with an onboard fault injection circuit implemented on an FPGA. The proposed fault injection circuit is used to generate glitches in the clock to induce a setup time violation in the circuit and thereby produce error(s) in the output. The main objective of this research is to study the viability of fault injection using clock glitches on SHA-256.

    Fault Analysis Attack on the HMAC and NMAC Message Authentication Code Algorithms

    One of the important problems arising in the design and practical implementation of cryptosystems is providing countermeasures against side-channel attacks. Algorithms whose strength from a purely mathematical point of view is beyond serious doubt often turn out to be vulnerable to such attacks when implemented on a specific physical device.
    A fault analysis attack is one variant of a side-channel attack on a cryptosystem. Its essence is that the attacker actively influences the physical device that performs the computation (for example, a smart card). The faults caused by this influence are then analysed in order to recover the secret information stored inside the device. These attacks are often significantly more efficient than passive side-channel attacks.
    Fault analysis attacks were proposed over 20 years ago. Since then, attacks have been successfully built against implementations of a number of symmetric and asymmetric cryptographic algorithms. A number of different methods for actively influencing the computation have also been proposed, exploiting specific physical effects and characteristics of the computing environment. Approaches to counteracting such attacks are also actively developing, using both physical and purely mathematical methods. However, it should be noted that cryptographic hash functions, and the more complex cryptographic schemes that contain them as components (for example, some message authentication codes and digital signatures), are only slightly represented in these works.
    It is important to note that the practical application of a specific attack requires a combination of the following factors: the possibility of a specific physical influence on the computation, an adequate mathematical model of that physical influence, and the purely mathematical component of the attack, that is, a specific algorithm for introducing faults and analysing the results. At the same time, the solution of each of these problems separately is of independent theoretical value.
    The results of this paper do not involve the physical component of the attack and are limited to the mathematics. In other words, specific algorithms for introducing faults and analysing the results are proposed. The specific fault model is considered known and given. Several such models are considered, based on analogues previously proposed for other algorithms.
    Two standards for forming message authentication codes were chosen as the object of study: HMAC and NMAC. These standards can be based on any cryptographic hash function that provides the required level of security. The paper examines four examples of widely used hashes: MD5, MD4, SHA-1, SHA-0.
    The main results of the paper are as follows:
    - specific algorithms are built for introducing faults into the computation and analysing the results, allowing secret information (secret keys) to be recovered;
    - complexity estimates of such attacks (in terms of the number of introduced faults and the work factor of the subsequent analysis) are found and validated for various combinations of parameters (algorithms and fault models);
    - it is shown that the attacks can be carried out in reasonable time.

    On Making U2F Protocol Leakage-Resilient via Re-keying

    The Universal 2nd Factor (U2F) protocol is an open authentication standard to strengthen the two-factor authentication process. It augments the existing password-based infrastructure by using a specialized USB device, termed the U2F authenticator, as the 2nd factor. The U2F authenticator is assigned two fixed keys at the time of manufacture, namely the device secret key and the attestation private key. These secret keys are later used by the U2F authenticator during the Registration phase to encrypt and digitally sign data that helps in proper validation of the user and the web server. However, the use of fixed keys for the above processing leaks information about both secrets through side channels. In this work we show why the U2F protocol is not secure against side channel attacks (SCA). We then present a countermeasure for the SCA based on a re-keying technique to prevent the repeated use of the device secret key for encryption and signing. We also recommend a modification to the existing U2F protocol to minimise the effect of signing with the fixed attestation private key. Incorporating our proposed countermeasure and recommended modification, we then present a new variant of the U2F protocol that has improved security guarantees. We also briefly explain how the side channel attacks on the U2F protocol and the corresponding proposed countermeasures similarly apply to the Universal Authentication Framework (UAF) protocol.

    Provably Secure Countermeasures against Side-channel Attacks

    Side-channel attacks exploit the fact that the implementations of cryptographic algorithms leak information about the secret key. In power analysis attacks, the observable leakage is the power consumption of the device, which depends on the processed data and the performed operations. Masking is a widely used countermeasure to thwart the powerful Differential Power Analysis (DPA) attacks. It uses random variables called masks to reduce the correlation between the secret key and the obtained leakage. The advantage of the masking countermeasure is that one can formally prove its security under reasonable assumptions on the device leakage model. This thesis proposes several new masking schemes along with the analysis and improvement of a few existing masking schemes. The first part of the thesis addresses the problem of converting between Boolean and arithmetic masking. To protect a cryptographic algorithm which contains a mixture of Boolean and arithmetic operations, one uses both Boolean and arithmetic masking. Consequently, these masks need to be converted between the two forms based on the sequence of operations. The existing conversion schemes are secure against first-order DPA attacks only. This thesis proposes the first solution to switch between Boolean and arithmetic masking that is secure against attacks of any order. Secondly, new solutions are proposed for first-order secure conversion with logarithmic complexity (${\cal O}(\log k)$ for $k$-bit operands) compared to the existing solutions with linear complexity (${\cal O}(k)$). It is shown that this new technique also improves the complexity of the higher-order conversion algorithms secure against attacks of order $d$ from ${\cal O}(n^2 k)$ to ${\cal O}(n^2 \log k)$, where $n = 2d+1$. Thirdly, for the special case of second-order masking, the running times of the algorithms are further improved by employing lookup tables. The second part of the thesis analyzes the security of two existing Boolean masking schemes. Firstly, it is shown that a higher-order masking scheme claimed to be secure against attacks of order $d$ can be broken with an attack of order $d/2+1$. An improved scheme is proposed to fix the flaw. Secondly, a new issue concerning the problem of converting the security proofs from one leakage model to another is examined. It is shown that a second-order masking scheme secure in the Hamming weight model can be broken with a first-order attack on a device leaking in the Hamming distance model. This result underlines the importance of re-evaluating the security proofs for devices leaking in different models.

    Adaptive compiler strategies for mitigating timing side channel attacks

    Existing compiler techniques can transform code to make its timing behavior independent of sensitive values, to prevent information leakage through timing side channels. Those techniques are hampered, however, by their static nature and dependence on details of the processor targeted during compilation. This paper presents a dynamic compiler approach based on offline profiles and JIT compiler strategies. This approach reduces overhead significantly and enables a trade-off between the protection provided and the overhead. Furthermore, it supports adaptive policies in which the protection adapts to run-time changes in the requirements. A prototype implementation in the Jikes Research VM is evaluated on RSA encryption, HMAC key verification, and IDEA encryption.

    Efficient Electromagnetic Side Channel Analysis by Probe Positioning using Multi-Layer Perceptron

    In this work, we investigate a practical consideration for Electromagnetic (EM) side-channel analysis, namely, positioning the EM probe at the best location for an efficient attack, requiring fewer traces to reveal the secret key of cryptographic engines. We present a Multi-Layer Perceptron (MLP) based probe positioning and EM analysis method, defining it as a classification problem by dividing the chip surface scanned by the EM probe into virtual grids, and identifying each grid location by a class label. The MLP, trained to identify the location given a single EM trace, achieves 99.55% accuracy on average for traces captured during different acquisition campaigns.

    Efficient and Secure Implementations of Lightweight Symmetric Cryptographic Primitives

    This thesis is devoted to efficient and secure implementations of lightweight symmetric cryptographic primitives for resource-constrained devices such as wireless sensors and actuators that are typically deployed in remote locations. In this setting, cryptographic algorithms must consume few computational resources and withstand a large variety of attacks, including side-channel attacks. The first part of this thesis is concerned with efficient software implementations of lightweight symmetric algorithms on 8, 16, and 32-bit microcontrollers. A first contribution of this part is the development of FELICS, an open-source benchmarking framework that facilitates the extraction of comparative performance figures from implementations of lightweight ciphers. Using FELICS, we conducted a fair evaluation of the implementation properties of 19 lightweight block ciphers in the context of two different usage scenarios, which are representative of common security services in the Internet of Things (IoT). This study gives new insights into the link between the structure of a cryptographic algorithm and the performance it can achieve on embedded microcontrollers. Then, we present the SPARX family of lightweight ciphers and describe the impact of software efficiency in the process of shaping three instances of the family. Finally, we evaluate the cost of the main building blocks of symmetric algorithms to determine which are the most efficient ones. The contributions of this part are particularly valuable for designers of lightweight ciphers, software and security engineers, as well as standardization organizations. In the second part of this work, we focus on side-channel attacks that exploit the power consumption or the electromagnetic emanations of embedded devices executing unprotected implementations of lightweight algorithms. First, we evaluate different selection functions in the context of Correlation Power Analysis (CPA) to infer which operations are easy to attack. Second, we show that most implementations of the AES present in popular open-source cryptographic libraries are vulnerable to side-channel attacks such as CPA, even in a network protocol scenario where the attacker has limited control of the input. Moreover, we describe an optimal algorithm for recovery of the master key using CPA attacks. Third, we perform the first electromagnetic vulnerability analysis of Thread, a networking stack designed to facilitate secure communication between IoT devices. The third part of this thesis lies in the area of side-channel countermeasures against power and electromagnetic analysis attacks. We study efficient and secure expressions that compute simple bitwise functions on Boolean shares. To this end, we describe an algorithm for efficient search for expressions that have an optimal cost in number of elementary operations. Then, we introduce optimal expressions for first-order Boolean masking of bitwise AND and OR operations. Finally, we analyze the performance of three lightweight block ciphers protected using the optimal expressions.