73 research outputs found
On Borrowed Time -- Preventing Static Power Side-Channel Analysis
In recent years, static power side-channel analysis attacks have emerged as a
serious threat to cryptographic implementations, overcoming state-of-the-art
countermeasures against side-channel attacks. The continued down-scaling of
semiconductor process technology, which results in an increase of the relative
weight of static power in the total power budget of circuits, will only improve
the viability of static power side-channel analysis attacks. Yet, despite the
threat posed, limited work has been invested into mitigating this class of
attack. In this work we address this gap. We observe that static power
side-channel analysis relies on stopping the target circuit's clock over a
prolonged period, during which the circuit holds secret information in its
registers. We propose Borrowed Time, a countermeasure that hinders an
attacker's ability to leverage such clock control. Borrowed Time detects a
stopped clock and triggers a reset that wipes any registers containing
sensitive intermediates, whose leakages would otherwise be exploitable. We
demonstrate the effectiveness of our countermeasure by performing practical
Correlation Power Analysis attacks under optimal conditions against an AES
implementation on an FPGA target with and without our countermeasure in place.
In the unprotected case, we can recover the entire secret key using traces from
1,500 encryptions. Under the same conditions, the protected implementation
successfully prevents key recovery even with traces from 1,000,000 encryptions
Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack
We illustrate a vulnerability introduced to elliptic curve cryptographic protocols when implemented using a function of the OpenSSL cryptographic library. For the given implementation using an elliptic curve E over a binary field with a point G \in E, our attack recovers the majority of the bits of a scalar k when kG is computed using the OpenSSL implementation of the Montgomery ladder. For the Elliptic Curve Digital Signature Algorithm (ECDSA) the scalar k is intended to remain secret. Our attack recovers the scalar k and thus the secret key of the signer and would therefore allow unlimited forgeries. This is possible from snooping on only one signing process and requires computation of less than one second on a quad core desktop when the scalar k (and secret key) is around 571 bits
The Impostor Among US(B): Off-Path Injection Attacks on USB Communications
USB is the most prevalent peripheral interface in modern computer systems and
its inherent insecurities make it an appealing attack vector. A well-known
limitation of USB is that traffic is not encrypted. This allows on-path
adversaries to trivially perform man-in-the-middle attacks. Off-path attacks
that compromise the confidentiality of communications have also been shown to
be possible. However, so far no off-path attacks that breach USB communications
integrity have been demonstrated.
In this work we show that the integrity of USB communications is not
guaranteed even against off-path attackers.Specifically, we design and build
malicious devices that, even when placed outside of the path between a victim
device and the host, can inject data to that path. Using our developed
injectors we can falsify the provenance of data input as interpreted by a host
computer system. By injecting on behalf of trusted victim devices we can
circumvent any software-based authorisation policy defences that computer
systems employ against common USB attacks. We demonstrate two concrete attacks.
The first injects keystrokes allowing an attacker to execute commands. The
second demonstrates file-contents replacement including during system install
from a USB disk. We test the attacks on 29 USB 2.0 and USB 3.x hubs and find 14
of them to be vulnerable.Comment: To appear in USENIX Security 202
Time Protection: the Missing OS Abstraction
Timing channels enable data leakage that threatens the security of computer
systems, from cloud platforms to smartphones and browsers executing untrusted
third-party code. Preventing unauthorised information flow is a core duty of
the operating system, however, present OSes are unable to prevent timing
channels. We argue that OSes must provide time protection in addition to the
established memory protection. We examine the requirements of time protection,
present a design and its implementation in the seL4 microkernel, and evaluate
its efficacy as well as performance overhead on Arm and x86 processors
Modifying an Enciphering Scheme after Deployment
Assume that a symmetric encryption scheme has been deployed and used with a secret key. We later must change the encryption scheme in a way that preserves the ability to decrypt (a subset of) previously encrypted plaintexts. Frequent real-world examples are migrating from a token-based encryption system for
credit-card numbers to a format-preserving encryption (FPE) scheme, or extending the message space of an already deployed FPE. The ciphertexts may be stored in systems for which it is not easy or not efficient to retrieve them (to re-encrypt the plaintext under the new scheme). We introduce methods for functionality-preserving modifications to encryption, focusing particularly on deterministic, length-preserving ciphers such as those used to perform format-preserving encryption. We provide a new technique, that we refer to as the Zig-Zag construction, that allows one to combine two ciphers using different domains in a way that results in a secure cipher on one domain. We explore its use in the two settings above, replacing token-based systems and extending message spaces. We develop appropriate security goals and prove security relative to them assuming the underlying ciphers are themselves secure as strong pseudorandom permutations
Exploiting Transformations of the Galois Configuration to Improve Guess-and-Determine Attacks on NFSRs
Guess-and-determine attacks are based on guessing a subset of internal state bits and subsequently using these guesses together with the cipher\u27s output function to determine the value of the remaining state. These attacks have been successfully employed to break NFSR-based stream ciphers. The complexity of a guess-and-determine attack is directly related to the number of state bits used in the output function. Consequently, an opportunity exits for efficient cryptanalysis of NFSR-based stream ciphers if NFSRs used can be transformed to derive an equivalent stream cipher with a simplified output function.
In this paper, we present a new technique for transforming NFSRs. We show how we can use this technique to transform NFSRs to equivalent NFSRs with simplified output functions. We explain how such transformations can assist in cryptanalysis of NFSR-based ciphers and demonstrate the application of the technique to successfully cryptanalyse the lightweight cipher Sprout. Our attack on Sprout has a time complexity of 2^70.87, which is 2^3.64 times better than any published non-TMD attack, and requires only 164 bits of plaintext-ciphertext pairs
- …