Jef ~ Crypto Diary

This 'crypto diairy' aims to save and share the differents topics of crypto and aspects of my life of PhD student in Luxembourg. Thanks for the contributions and suggestions !

To content To menu To search

Thursday, January 6 2011

Error-Tolerance in Trace-Driven Cache Collision Attacks

By Jef on Thursday, January 6 2011, 17:24 - Side-channel attacks

To be presented at COSADE'11 in Darmstadt on February, 24th.

:-)

Can this attack defeat a protected implementation? Investigation in progress.

Edit: The answer is that this attack naturally defeats boolean masking when the input of the SubByte function is masked by the same value throughout the encryption, as in the scheme suggested by Oswald et al. in ACNS'06. However, the randomization suggested in this scheme makes the attack impossible, for instance because of the randomization of the Sbox lookups. For now.

Sunday, November 14 2010

Measurement setup of the electromagnetic leakage of an ARM7TDMI-based board.

By Jef on Sunday, November 14 2010, 20:31 - Side-channel attacks

EM leakage measurement setup

Tuesday, October 19 2010

Hardware Trojans for Inducing or Amplifying Side-Channel Leakage of Cryptographic Software

By Jef on Tuesday, October 19 2010, 14:32 - Side-channel attacks

To appear at INTRUST 2010.

:-)

Thursday, July 22 2010

Improved Trace-Driven Cache-Collision Attacks against Embedded AES Implementations

By Jef on Thursday, July 22 2010, 11:30 - Side-channel attacks

Extended abstract to appear at WISA'10.

The full version is available on ePrint: http://eprint.iacr.org/2010/408

:-)

Thursday, May 27 2010

Quantum cryptography

By Jef on Thursday, May 27 2010, 11:46 - Crypto

Today I had a (quick) look at quantum cryptography on Wikipedia. Quantum mechanics provide a way of generating a random bit string shared by two parties. At the same time, an eavesdropper on the key would need to measure the state, and from a quantum mechanics principle (Heisenberg incertitude principle?), the state would be modified and Alice and Bob hence would be aware of an eavesdrop attempt. The shared key produced can be used in any symmetric key cipher, the one-time pad is preferred because of its simplicity and provable security. Laurent pointed out: http://science.slashdot.org/story/10/05/17/212212/Commercial-Quantum-Cryptography-System-Hacked where a commercial application of quantum crypto from a Swiss company has been easily attacked.

Tuesday, December 1 2009

A known plaintext cache-based attack against AES

By Jef on Tuesday, December 1 2009, 13:05 - Side-channel attacks

Cache memory is now widely used on various devices implementing cryptographic algorithms, including smart cards, in order to speed up the execution of the procedures. This fast storage placed between the processor and the main memory makes the data stored in the Non Volatile Memory (Flash, EEPROM... ) more quickly accessible once they have been loaded into it. However, the use of a cache can possibly represent as explained here a threat to security, when the data fetched from the NVM to the cache is indexed by the bytes of the secret key.

Indeed, loading some data from the NVM into the cache takes more clock cycles and requires more energy than fetching the data from the cache. These differences of timing and energy consumption have an influence on the physical characteristics of the device while running a cryptographic primitive. As a consequence, the so-called \textbf{cache misses} (when a line of the NVM is loaded to the cache) and \textbf{cache hits} (when data is fetched right from the cache) can be distinguished on a power trace under certain conditions on the implementation and the measurement setup.

An adaptive approach taking advantage of the cache hits and misses occuring during an AES encryption has been described in Tu06. In the considered scenario, the \texttt{ByteSub} function is implemented as a lookup table with 256 entries, and the round keys pre-computed and pre-stored.

In this scenario, I describe here a non-adaptive approach, hence using non-chosen known plaintexts and the cache traces obtained from the power traces corresponding to the encryption of these plaintexts. This strategy allows an attacker to recover 60 bits of the target key out of 128 within a hundred acquisitions, using the first round of encryption. Without requiring any additional traces, this analysis may also be extended to the second round of encryption, hence allowing the recovery of the full AES key.

Friday, October 9 2009

Random plaintext attacks using cache accesses

By Jef on Friday, October 9 2009, 17:15 - Side-channel attacks

Input : 90-100 pairs of plaintexts and the corresponding cache-traces

Output : ^(k_1 XOR k_i) for i=2:16

The number of traces is still high... But that's already something, and if ever there's a way to extend the attack to the second round.....

I'll write Dan ASAP and CC FYI. (playing with abbrev...)

Thursday, October 8 2009

Dans un email à Flo

By Jef on Thursday, October 8 2009, 15:12 - Crypto

RSA est bien un algorithme de chiffrement asymétrique, chaque utilisateur a donc une clé publique (accessible par tous dans par exemple un serveur de clés, sorte d'annuaire) et une clé secrète.

Chiffrement : Alice écrit un message, le chiffre avec la clé publique de Bob, l'envoie à Bob qui le déchiffre avec sa clé secrète. La confidentialité est assurée.

Signature : Alice calcule le 'haché' de son message, en utilisant une fonction de hachage (fonction à sens unique : il est 'difficile' de calculer l'antécédent à partir de l'image), et calcule la signature correspondante à l'aide de sa clé secrète : sigma = h(m)^(s_A) (mod N). N est le module publique, produit de 2 grands nombres premiers. Elle envoie sa signature à Bob, qui peut vérifier à l'aide de la clé publique d'Alice que Alice est bien l'auteur du message, au moyen de la formule : sigma^(p_A) (mod N) ?=? h(m). L'authenticité est assurée.

En crypto on parle de Alice et Bob comme de deux utilisateurs lambda, pour expliquer un protocole. On évoque aussi Charlie, pour désigner un attaquant... Quelle imagination !

Ensuite, oui pour l'instant les clés utilisées sur RSA sont assez grandes pour que nous puissions dormir sur nos 2 oreilles, quoique pour certaines applications où les enjeux ne sont pas grands, une sécurité moindre est plus intéressante car elle a un moindre coût et des performances accrues. Oui tu as compris, dans le design d'une solution cryptographique, il s'agit souvent de placer le curseur au milieu de ce triangle : Sécurité, Coût, Performance.

Pour un attaquant, il y a 2 questions essentielles :

1. De quels moyens dispose-t-il ? dans l'ordre croissant

il connait seulement la clé publique (attaque sans message)
il a connaissance de couples (message clair, message chiffré) (attaque par msg connus)
il a connaissance de couples de son choix (attaques par msg choisis)

2. Quel est son objectif ? dans l'ordre décroissant

trouver la clé secrète (cassage total)
signer tous les messages (forge universelle)
signer un message de son choix (forge sélective)
produire un couple (m, sigma) valide (forge existentielle)

La notion de sécurité, c'est donc la résistance à la forge existentielle face à une attaque à messages choisis, i. e. le plus petit objectif contre les plus gros moyens mis à sa disposition.

Ca c'est le schéma traditionnel en cryptographie. Il a été un peu secoué il y a une dizaine d'années quand sont apparues les attaques par canal auxiliaire (mon sujet de thèse). Ces attaques fonctionnent à partir de nouveaux moyens : les caractéristiques physiques de l'appareil cryptographique sur lequel est implémenté l'algorithme. Ca se déroule comme suit :

On choisit une valeur intermédiaire de l'algorithme
On enregistre le signal physique, un certain nombre de fois, pour un certain nombre de messages. On obtient par exemple des courbes de consommation électrique.
On imagine quelles sont les hypothétiques valeurs intermédiaires en fonction d'une partie du message et d'une partie de la clé (hypothétique). C'est une méthode diviser-pour-régner : on retrouve la clé partie par partie, ce qui ramène le problème a une complexité acceptable.
On applique à ces valeurs hypothétiques un modèle de consommation, pour obtenir d'hypothétiques valeurs de consommation (en mV) en fonction des parties de message et d'hypothétiques clés.
Au moyen d'une analyse statistique on choisit quelle hypothèse de clé colle le plus aux courbes de consommation obtenues à l'étape 2.

Voilà, à peu près, le déroulement d'une attaque par canal auxiliaire. Le canal auxiliaire le plus courant est la consommation électrique du device, mais ça peut aussi être le champ électromagnétique, ou d'autres mais moins répandus (le rapport signal-to-noise est plus petit, c'est donc moins intéressant... )

Bon, ça fait déjà un bon petit topo ça...

Tuesday, September 15 2009

News from mid-September

By Jef on Tuesday, September 15 2009, 17:26 - Crypto

Summer has gone a long time ago already (at least in Lux), students are back to school, so let's go, jump, dive into this new academic year.

Volker asked me to TA the Calculus course he will teach to first year CS students. TA begins next week.

From November 12th to 15th will take place the Festival de la Science at the Musee national d'histoire naturelle. Alex, Ralf and David asked me to help them to present cryptography to kids on Thursday and Friday and to general public on Saturday and Sunday. This can be quite interesting !

The next Vampire research retreat will take place at TU Graz on the 28th and 29th September. Highly interesting.

On Thursday is the deadline for the WISSec workshop which will take place on the 19-20th of November. I shall try to submit something there.

Tuesday, August 25 2009

The third tool in the Clarisse procedure

By Jef on Tuesday, August 25 2009, 15:55 - Side-channel attacks

Because of the Chasles relation that holds in the XOR differences equalities : (k_i XOR k_j) XOR (k_j XOR k_l) = k_i XOR k_l, there is as much information in the edge of the matrix containing the differences k_1 XOR k_2, k_1 XOR k_3, ... as in the entire matrix, namely 60 bits.

Hence, the Chasles relation reduces the size of the output, but also provides a third tool along with the caches HITs and MISSes to reduce the output matrix to a set of singletons.

Irrelevant note : the name of the procedure comes from the french calendar : 12th of August (cf. previous post) is the sainte Clarisse.. My imagination is sometimes limited...

Wednesday, August 12 2009

One step beyond !

By Jef on Wednesday, August 12 2009, 17:57 - Side-channel attacks

New approach in modelling the information provided by the cache accesses generated by several encryptions.

The goal with this strategy is to work mainly with AND relations, by eliminating step by step the wrong hypothesis for the nibble difference between two key bytes. At the same time, XOR relations are stored and then eventually used.

Notes :

The cache hits give rise to XOR relations, which are difficult to handle.
The cache misses give rise to AND relations, simpler to handle.
Both types relations should be considered separetely, until they can help the other side.

When does a MISS help a HIT ?

It does, when a MISS finally reduces the set of hypotheses for a nibble difference to a singleton. It then eventually allows us to reduce to one single equality a XOR system produced by a HIT. Thus to eliminate at most as many nibble difference possibilities in the triangular matrix. However, it is more likely that, before being reduced to a singleton, a set of difference nibble possibilities allows us to choose an equation among the XOR system produced by a cache HIT.

When does a HIT help a MISS ?

It does, when the XOR system produced by a cache HIT is reduced to one equation. It thus reduces to a singleton the set of nibble difference possibilities in the triangular matrix.

Input of the procedure :

'q' pairs of plaintexts and the corresponding cache-traces.

Output of the procedure :

A triangular matrix containing only singletons, each one initially being the set of the nibble difference possibilities.

Tuesday, April 7 2009

(Non-adaptative) random plaintext strategy

By Jef on Tuesday, April 7 2009, 16:41 - Side-channel attacks

I'm now trying to describe and implement an attack using the cache accesses resulting from the encryption of a random plaintext. For this I refer to the tree of possibilities I described 3 weeks ago. This strategy takes advantage of every cache or miss, at least during the first round of encryption. In other words, more information is gleanned from the cache trace.

The key space would be reduced to a size of 2^68 faster than with the previous (adaptative) strategy, although the average number of acquisitions has yet to be computed.

The algorithm is designed, I'm now writing the code in C or C++, and that's not the smallest piece of the cake.

Once this is done, I will modify it to also take into account cache hits and misses of the second round of computation.

Wednesday, April 1 2009

Non-linear equations

By Jef on Wednesday, April 1 2009, 10:05 - Mathematics

I'm looking for an efficient way to find the unique solution (x1,x2,...,x6), xi in 0..15 provided with 6 non-linear equations. The space of of possibilities has 2^24 6-uplets.

Damn...

edit: No brighter idea than the exhaustive search, it's actually running on my computer...

Tuesday, March 31 2009

Bug

By Jef on Tuesday, March 31 2009, 17:26 - Side-channel attacks

I spent two days looking for a bug in my scripts. It came from a difference of indexation of the AES state matrices in the litterature.

Inevitably I made one confusion. Only one, but still I had to find it ! Ok, now let's continue.

Oh btw last friday I received my computer from the lab : a brand new Optiplex 740, with a quad-core AMD Phenom processor, 4 GB RAM, 22" wide screen... It makes a great difference with my good old laptop !

Monday, March 23 2009

OpenSSL

By Jef on Monday, March 23 2009, 14:44 - Side-channel attacks

I've met Volker today, though we didn't go into details because he wanted first to read what I've produced so far. Next meeting on thursday.

He asked me wether a strategy based on cache accesses could allow an attack against OpenSSL. Although I don't know much about OpenSSL, i think that a remote attack must be difficult to conduct, because the timings observed from a remote computer must be too noisy : in particular they contains noise from the server and noise caused by the network traffic. This seems unpredictable. There is also the problem of making sure that cache does not contain AES pre-computed elements. But fortunately (for an attacker), this can be done by sending garbage data and computations to the server in order to put such elements out of the stack.

Mike and Ralf-Philipp must have their answers to that.

I forgot, Volker thinks it would be nice to give a presentation to some members of LACS : him, Jean-Sébastien, Alex, Ralf, Ilya... in about six weeks. Yup !

Thursday, March 19 2009

Recursive function for probability computation

By Jef on Thursday, March 19 2009, 13:51 - Side-channel attacks

The cache trace simulator works fine, but only on one specific implementation of AES.

Back to C programming, I've implemented a function that computes the expected number of hypotheses for the high nibble of every key byte, provided with one acquisition from a random plaintext.

Weird results though... Meeting with Volker on monday, let's finish writing this paper.

Friday, March 13 2009

Cache-Trace Simulator !

By Jef on Friday, March 13 2009, 10:15 - Side-channel attacks

I'm trying to modify an AES script for Matlab such that a simulated cache-trace is produced. This simulates the case of pre-generated and stored keys, though this is not observed on devices such as smart cards, due to the big amount of space needed. That way, I could try these attacks in a simpler way than with a CHIP, oscilloscope, measement setups...

Wednesday, March 11 2009

Sweet home, and sweet cache attacks !

By Jef on Wednesday, March 11 2009, 15:05 - Side-channel attacks

I moved in yesterday, in the Rue de Neudorf, 500 meters far from Uni at bird's eye, but 3 km far by bike, due to the cliff and JFK avenue... Uni is located on the Kirchberg plateau, my place is located down below.

I'm still working on this overview, actually i try to understand how could it be possible to grab information from the whole acquisition trace, excluding the hypotheses based on the previous cache accesses. Is it really possible ?? ...

Wednesday, March 4 2009

First day as a member of L.A.C.S

By Jef on Wednesday, March 4 2009, 20:32 - Side-channel attacks

My PhD position has begun. As discussed with my advisor Volker Müller, I will first get a good overview of cache-based power analysis attacks. That's the topic proposed by Mike Tunstall (Bristol, UK) and these attacks are interesting. They allow an attacker to significantly reduce the size of the key space with a few acquisitions. The main drawback for an attacker to my point of view is that they strongly depend on many details of the implementation which have to be known, or at least guessed by an attacker.

Secondly, I will present to Volker an outline of my knowledges on cache-based PA attacks, and aspects that I would like to investigate.

The environment seems excellent, I believe I will enjoy myself at LACS !

Thursday, February 26 2009

Here we go !!

By Jef on Thursday, February 26 2009, 20:54 - Perso

I'll be on the train on tuesday at 8.30am !

The adventure begins...

« previous entries - page 1 of 2