www.crcs.cz/rsa @CRoCS_MUNI
PV204 Security technologies
Trust, trusted element, usage scenarios, side-channel attacks
Łukasz Chmielewski chmiel@fi.muni.cz
Centre for Research on Cryptography and Security, Masaryk University
Slides for comments (Thank you!)
https://drive.google.com/file/d/1ClRY35LQDpyKVGVe9Zn5gz26Sa62JaJV/
www.crcs.cz/rsa @CRoCS_MUNI2 | PV204 Side Channel 03/04/2023
What is untrusted, trusted and trustworthy
Trusted Element (TE)
Modes of usage of TE
Attacks against trusted element
Timing side-channels
Logical attacks Classical side-channel
Protections and testing
Power
Electromagnetic
Light, etc. …
www.crcs.cz/rsa @CRoCS_MUNI
Trusted system
• “…system that is relied upon to a specified extent to enforce a
specified security policy. As such, a trusted system is one whose
failure may break a specified security policy.” (TCSEC, Orange Book)
• Trusted subjects are those excepted from mandatory security policies
(Bell LaPadula model)
• User must trust (if wants to use the system)
– E.g., you and your bank
| PV204 Side Channel 03/04/20237
www.crcs.cz/rsa @CRoCS_MUNI
Trusted computing base (TCB)
• The set of all hardware, firmware, and/or software components that are critical
to its security
• The vulnerabilities inside TCB might breach the security properties of the
entire system
– E.g., server hardware + virtualization (VM) software
• The boundary of TCB is relevant to usage scenario
– TCB for datacentre admin is around HW + VM (to protect against compromise of underlying
hardware and services)
– TCB for web server client also contains Apache web server
• Very important factor is size and attack surface of TCB
– Bigger size implies more space for bugs and vulnerabilities
| PV204 Side Channel 03/04/2023
https://en.wikipedia.org/wiki/Trusted_computing_base
9
www.crcs.cz/rsa @CRoCS_MUNI
TRUSTED ELEMENT
| PV204 Side Channel 03/04/202314
www.crcs.cz/rsa @CRoCS_MUNI
What exactly can be trusted element (TE)?
• Recall: Anything user entity of TE is willing to trust ☺
– Depends on definition of “trust” and definition of “element”
– We will use narrower definition
• Trusted element is element (hardware, software or both) in the system
intended to increase security level w.r.t. situation without the presence of such
element
1. By storage of sensitive information (keys, measured values)
2. By enforcing integrity of execution of operation (firmware update)
3. By performing computation with confidential data (DRM)
4. By providing unforged reporting from untrusted environment (TPM)
5. …
| PV204 Side Channel 03/04/202315
www.crcs.cz/rsa @CRoCS_MUNI
Typical examples
• Payment smart card
– TE for issuing bank
• SIM card
– TE for phone carriers
• Trusted Platform Module (TPM)
– TE for user as storage of Bitlocker keys, TE for remote entity during attestation
• Trusted Execution Environment in mobile/set-top box
– TE for issuer for confidentiality and integrity of code
• Hardware Security Module for TLS keys
– TE for web admin
• Energy meter
– TE for utility company
• Server under control of service provider
– TE for user – private data, TE for provider – business operation
• Complex Scenarios: trusted element with (even more) trusted (crypto) hardware
– TE for device manufacturer – secure derived keys, TE for chip manufacturer – secure root keys
| PV204 Side Channel 03/04/202316
For whom is TE trusted?
www.crcs.cz/rsa @CRoCS_MUNI
ATTACKS AGAINST TRUSTED ELEMENT
26 | PV204 Side Channel 03/04/2023
www.crcs.cz/rsa @CRoCS_MUNI
Trusted hardware (TE) is not panacea!
1. Can be physically attacked
– Christopher Tarnovsky, BlackHat 2010
– Infineon SLE 66 CL PE TPM chip, bus read by tiny probes
– 9 months to carry the attack, $200k
– https://www.youtube.com/watch?v=WXX00tRKOlw (great video with details)
2. Attacked via vulnerable API implementation
– IBM 4758 HSM (Export long key under short DES one)
3. Provides trusted anchor != trustworthy system
– Weakness can be introduced later
– E.g., bug in newly updated firmware
| PV204 Side Channel 03/04/202327
www.crcs.cz/rsa @CRoCS_MUNI
Motivation: Bell’s Model 131-B2 / Sigaba
• Encryption device intended for US army, 1943
– Oscilloscope patterns detected during usage
– 75 % of plaintexts intercepted from 80 feets
– Protection devised (security perimeter), but forgot after the war
• CIA in 1951 – recovery over ¼ mile of power lines
• Other countries also discovered the issue
– Russia, Japan…
• More research in use of (eavesdropping) and defense against
(shielding) → TEMPEST
| PV204 Side Channel 03/04/202328
www.crcs.cz/rsa @CRoCS_MUNI
Common and realizable attacks on Trusted Element
1. Non-invasive attacks
– API-level attacks
• Incorrectly designed and implemented application
• Malfunctioning application (code bug, faulty generator)
– Communication-level attacks
• Observation and manipulation of communication channel
– (Remote) timing attacks
2. Semi-invasive attacks
– Passive side-channel attacks
• Timing (local) / power / EM / acoustic / cache-usage / error… analysis attacks
– Active side-channel attacks: fault injection
• Power/light/clock glitches…
3. Invasive attacks
– Dismantle chip, microprobes…
| PV204 Side Channel 03/04/202329
Break Once, Run Everywhere (BORE)
?
www.crcs.cz/rsa @CRoCS_MUNI
Where are the frequent problems with crypto algs nowadays?
• Security mathematical algorithms
– OK, we have very strong ones (AES, SHA-3, RSA…) (but quantum computers)
• Post-quantum algorithms
– Too “young”, many schemes broken or questioned recently, e.g., Rainbow, SIKE
• Implementation of algorithm
– Problems → implementation attacks
• Randomness for keys
– Problems → achievable brute-force attacks
• Key distribution
– Problems → old keys, untrusted keys, key leakage
• Operation security
– Problems → where we are using crypto, key leakage
31 | PV204 Side Channel 03/04/2023
www.crcs.cz/rsa @CRoCS_MUNI
NON-INVASIVE LOGICAL ATTACKS
| PV204 Side Channel 03/04/202332
www.crcs.cz/rsa @CRoCS_MUNI
Non-complete list
• Algorithmic flaw in Infineon’s RSALib (CVE-2017-15361)
– RSA public / private key generation on many Infineon cards (huge impact)
– https://keychest.net/roca, https://github.com/crocs-muni/roca/
• Not enforcing secure memory protections
– A complete exploit on Set-top Boxes
– Presented for two ST chips, but with impact on other ST chips too
– https://www.youtube.com/watch?v=WF1wSzTTqdg&ab_channel=HackInTheBoxSecurityConference
• Shortening Key (against hardware key stores or key ladders):
– Using half of an AES key as a DES key or using 3DES with half of the key (i.e., single DES key)
• TEE (e.g., ARM Trustzone) issues
– Configuration, Memory Ranges, Boot ROM…
– https://www.slideshare.net/CristofaroMune/euskalhack-2017-secure-initialization-of-tees-when-secure-
boot-falls-short
– …
33 | PV204 Side Channel 03/04/2023
www.crcs.cz/rsa @CRoCS_MUNI
SIDE-CHANNEL ANALYSIS
Passive Side-Channel
| PV204 Side Channel 03/04/202340
www.crcs.cz/rsa @CRoCS_MUNI
Basic setup for power analysis
| PV204 Side Channel 03/04/2023
Smart card
Smart card
reader
Inverse card
connector
Oscilloscope
Resistor
20-80 ohm
Probe
41
www.crcs.cz/rsa @CRoCS_MUNI
More advanced setup for power analysis
| PV204 Side Channel 03/04/2023
Ethernet
Tested smartcard
External power
supply
SCSAT04 measurement
board
42
www.crcs.cz/rsa @CRoCS_MUNI
Even more advanced setup for EM analysis
43 | PV204 Side Channel 03/04/2023
Target
Batteries
Com. Isolator
Isolator
PS
Power Isolator
Amplifier
PS
Laptop:
acquisition +
analysis
Oscilloscope
EM Probe
Amplifier
FTDI Cable Trigger
Low Pas
Analog Filter
www.crcs.cz/rsa @CRoCS_MUNI
Simple (Cheap) Power Fault Injection setup
44 | PV204 Side Channel 03/04/2023
https://github.com/noopwafel/iceglitch
More on that in two weeks
www.crcs.cz/rsa @CRoCS_MUNI
Simple vs. differential power analysis
1. Simple power analysis
– Direct observation of single /
few power traces
– Visible operation => reverse engineering
– Visible patterns => data dependency
2. Differential power analysis
– Statistical processing of many power traces
– More subtle data dependencies found
45 | PV204 Side Channel 03/04/2023
https://www.riscure.com/uploads/2018/11/201708_Riscure_Whitepaper_Side_Channel_Patterns.pdf
www.crcs.cz/rsa @CRoCS_MUNI
Reverse engineering of JavaCard bytecode
• Goal: obtain code back from smart card
– JavaCard defines around 140 bytecode instructions
– JVM fetch instruction and execute it
(source code)
m_ram1[0] = (byte) (m_ram1[0] % 1);
(bytecode)
getfield_a_this 0;
sconst_0;
baload;
sconst_1;
srem;
bastore;
(power trace)
compiler oscilloscope
www.crcs.cz/rsa @CRoCS_MUNI
Conditional jumps
• may reveal sensitive info
• keys, internal branches, …
47 | PV204 Side Channel 03/04/2023
(bytecode)
sload_1;
ifeq_w L2;
L1: getfield_a_this 0;
sconst_0;
sconst_0;
bastore;
goto L3;
L2: getfield_a_this 0;
sconst_0;
sconst_1;
bastore;
goto L3;
L3: …
(source code)
if (key == 0) m_ram1[0] = 1;
else m_ram1[0] = 0;
compiler
oscilloscope
(power trace, k != 0)
(power trace, k == 0)
Can you use
timing attack?
www.crcs.cz/rsa @CRoCS_MUNI
Simple power analysis – data leakage
• Data revealed directly when processed
– e.g., Hamming weight of instruction argument
• hamming weight of separate bytes of key (256→ 238), how severe it is?
| PV204 Side Channel 03/04/202348
www.crcs.cz/rsa @CRoCS_MUNI
Differential power analysis (DPA)
• DPA attack recovers secret key (e.g., AES)
• Requires large number of power traces (102-106)
– Every trace measured on AES key invocation with different input data
• Key recovered iteratively
– One recovered byte at the time Sbox(KEYi  INPUT_DATAi)
– Guess possible key byte value (0-255), group measurements,
compute average, determine match
49 | PV204 Side Channel 03/04/2023
www.crcs.cz/rsa @CRoCS_MUNI
Differential power analysis
50
| PV204 Side Channel 03/04/2023
• Very Powerful attack on secret values (keys)
– E.g., Sbox(KEY  INPUT_DATA)
1. Obtain multiple power traces with (fixed) key usage
and variable data
– 103-106 traces with known I/O data => S(n)
– Sbox(KEY  KNOWN_DATA)
2. Guess key byte-per-byte
– All possible values of single byte tried (256)
– D = HammWeight(Sbox(KEY  KNOWN_DATA)) > 4
– Correct guess reveals correlation with traces
– Incorrect guess not
3. Divide and test approach
– Traces divided into 2 groups
– Groups are averaged A0 and A1 (noise reduced)
– Subtract group’s averaged signals T(n)
– Significant peaks if guess was correct
• No need for knowledge of exact implementation
– big advantage
www.crcs.cz/rsa @CRoCS_MUNI
Timing attack: principle
52 | PV204 Side Channel 03/04/2023
+ → 57ms
+ → 49ms
www.crcs.cz/rsa @CRoCS_MUNI
Timing attacks
• Execution of crypto algorithm takes different time to process input data with
some dependence on secret value (secret/private key, secret operations…)
1. Due to performance optimizations (developer, compiler)
2. Due to conditional statements (branching)
3. Due to cache misses or other microarchitectural effects
4. Due to operations taking different number of CPU cycles
• Measurement techniques
1. Start/stop time (aggregated time, local/remote measurement)
2. Power/EM trace (very precise if operation can be located)
| PV204 Side Channel 03/04/202353
www.crcs.cz/rsa @CRoCS_MUNI
Naïve modular exponentiation (modexp) (RSA/DH…)
• M = Cd mod N
• M = C * C * C * … * C mod N
• Easy, but extremely slow for large d (e.g., >1000s bits for RSA)
– Faster algorithms exist
54 | PV204 Side Channel 03/04/2023
d-times
Is there any dependency
of time on secret value?
www.crcs.cz/rsa @CRoCS_MUNI
Faster modexp: Square and multiply algorithm
• How to measure?
– Exact detection from simple power trace
– Extraction from overall time of multiple measurements
| PV204 Side Channel 03/04/202355
Gilbert Goodwill, http://www.embedded.com/print/4408435 (dead link)
// M = C^d mod N
// Square and multiply algorithm
x = C // start with ciphertext
for j = 1 to n { // process all bits of private exponent
x = x*x mod N // shift to next bit by x * x (always)
if (dj == 1) { // j-th bit of private exponent d
x = x*C mod N // if 1 then multiple by Ciphertext
}
}
return x // plaintext M
Executedonly
whendj==1
Executed always
www.crcs.cz/rsa @CRoCS_MUNI
Faster and more secure modexp: Montgomery ladder
• Computes xd mod N
• Create binary expansion of d as d = (dk-1...d0) with dk-1=1
• Be aware: timing leakage still possible via cache side channel, nonconstant
time CPU instructions, variable k-1…
56 | PV204 Side Channel 03/04/2023
x0=x; x1=x2
for j=k-2 to 0 {
if dj=0
x1=x0*x1; x0=x0
2
else
x0=x0*x1; x1=x1
2
x1=x1 mod N
x0=x0 mod N
}
return x0
Both branches with the same
number and type of operations
(unlike square and multiply on
previous slide)
www.crcs.cz/rsa @CRoCS_MUNI
Faster and more secure modexp: Montgomery ladder
• Computes xd mod N
• Create binary expansion of d as d = (dk-1...d0) with dk-1=1
• Is it constant time?
– Solution: conditional swap or conditional move, arithmetic-based procedures
57 | PV204 Side Channel 03/04/2023
x0=x; x1=x2
for j=k-2 to 0 {
b=dj
x(1-b)=x0*x1; xb=xb
2
x1=x1 mod N
x0=x0 mod N
}
return x0
Memory access often is not
constant time!
Especially in the presence of
caches.
www.crcs.cz/rsa @CRoCS_MUNI
Faster and more secure modexp: Montgomery ladder
• Computes xd mod N
• Create binary expansion of d as d = (dk-1...d0) with dk-1=1
• Does it work?
• But is it constant time?
58 | PV204 Side Channel 03/04/2023
x0=x; x1=x2; sw = 0
for j=k-2 to 0 {
b=dj
cswap(x0,x1,b⊕sw)
sw = b
x1=x0*x1; x0=x0
2
x1=x1 mod N
x0=x0 mod N
}
cswap(x0,x1,sw)
return x0
Depends on the cswap…
but it can be ☺
Do an example with 10110 with pen and paper ☺
www.crcs.cz/rsa @CRoCS_MUNI
Cswap based on arithmetic of field operands
59 | PV204 Side Channel 03/04/2023
www.crcs.cz/rsa @CRoCS_MUNI
More advanced attacks
(template, deep learning, and clustering attacks)
60 | PV204 Side Channel 03/04/2023
For more read: https://github.com/sca-secure-library-sca25519/sca25519
www.crcs.cz/rsa @CRoCS_MUNI
Gather data → Analyse → Bias found → Impact
Run ECC operations → MSB/time → Bias found in ECDSA → CVE-2019-15809
| PV204 Side Channel 03/04/202361
Nonce MSB value
Signaturetime(µs)
www.crcs.cz/rsa @CRoCS_MUNI62 | PV204 Side Channel 03/04/2023
vulnerability CVE-2019-15809 (10/2019)
• Discovered by ECTester (https://github.com/crocs-muni/ECTester)
• Athena IDProtect smartcard (CC EAL 4+)
– FIPS140-2 #1711, ANSSI-CC-2012/23
– Inside Secure AT90SC28872 Microcontroller
– (possibly also SafeNet eToken 4300…)
• Libgcrypt, wolfSSL, MatrixSSL, Crypto++
• SunEC/OpenJDK/Oracle JDK
• Small time difference leaking few top bits of nonce
• Enough to extract whole ECC private key in 20-30 min
– ~thousands of signatures + lattice-based attack
https://minerva.crocs.fi.muni.cz/
www.crcs.cz/rsa @CRoCS_MUNI
Example: Remote extraction OpenSSL RSA
• Brumley, Boneh, Remote timing attacks are practical
– https://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf
• Scenario: OpenSSL-based TLS with RSA on remote server
– Local network, but multiple routers
– Attacker submits multiple ciphertexts and observe processing time (client)
• OpenSSL’s RSA CRT implementation
– Square and multiply with sliding windows exponentiation
– Modular multiplication in every step: x*y mod q (Montgomery alg.)
– From timing can be said if normal or Karatsuba was used
• If x and y has unequal size, normal multiplication is used (slower)
• If x and y has equal size, Karatsuba multiplication is used (faster)
• Attacker learns bits of prime by adaptively chosen ciphertexts
– About 300k queries needed
64 | PV204 Side Channel 03/04/2023
www.crcs.cz/rsa @CRoCS_MUNI
Defense introduced by OpenSSL
• RSA blinding: RSA_blinding_on()
– https://www.openssl.org/news/secadv_20030317.txt
• Decryption without protection: M = cd mod N
• Blinding of ciphertext c before decryption
1. Generate random value r and compute re mod N
2. Compute blinded ciphertext b = c * re mod N
3. Decrypt b and then divide result by r
• r is removed and only decrypted plaintext remains
65 | PV204 Side Channel 03/04/2023
www.crcs.cz/rsa @CRoCS_MUNI
Is RSA_blinding_on sufficient?
• No, more advanced attacks are possible
– Cross-correlation attack on OpenSSL,
• https://www.youtube.com/watch?v=Ah98QlPT8Y4&ab_channel=SHA2017
• What about adding RSA blinding: 𝐜 = 𝒎 𝒅+𝒓∗𝝋(𝒏)
𝒎𝒐𝒅 𝒏 ?
• That is better but not sufficient either, more advanced attacks:
– Template Attacks,
– Deep Learning, and
– Clustering attacks.
• For every countermeasure there is / will be an attack and vice versa…
66 | PV204 Side Channel 03/04/2023
www.crcs.cz/rsa @CRoCS_MUNI
Example: Practical TEMPEST for $3000
• ECDH Key-Extraction via Low-Bandwidth Electromagnetic Attacks on PCs
– https://eprint.iacr.org/2016/129.pdf
• E-M trace captured (across a wall)
67 | PV204 Side Channel 03/04/2023
www.crcs.cz/rsa @CRoCS_MUNI
Example: Practical TEMPEST for $3000
• ECDH implemented in latest GnuPG's Libgcrypt
• Single chosen ciphertext – used operands directly visible
68 | PV204 Side Channel 03/04/2023
www.crcs.cz/rsa @CRoCS_MUNI
Example: How to evaluate attack severity?
• What was the cost?
– Not particularly high: $3000
• What was the targeted implementation?
– Widely used implementation: latest GnuPG's Libgcrypt
• What were preconditions?
– Local physical presence, but behind the wall
• Is it possible to mitigate the attack?
– Yes: fix in library, physical shielding of device, perimeter…
– What is the cost of mitigation?
69 | PV204 Side Channel 03/04/2023
www.crcs.cz/rsa @CRoCS_MUNI
Example: Acoustic side channel in GnuPG
• RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
– Insecure RSA computation in GnuPG
– https://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf
• Acoustic emanation used as side-channel
– 4096-bit key extracted in one hour
– Acoustic signal picked by mobile phone microphone up to 4 meters away
| PV204 Side Channel 03/04/202370
www.crcs.cz/rsa @CRoCS_MUNI
Example: Cache-timing attack on AES
• Attacks not limited to asymmetric cryptography
– Daniel J. Bernstein, http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
• Scenario: Operation with secret AES key on remote server
– Key retrieved based on response time variations of table lookups cache hits/misses
– 225 x 600B + 227 x 400B random packets + one minute brute-force search
• Very difficult to write high-speed but constant-time AES
– Problem: table lookups are not constant-time
– Not recognized / required by NIST during AES competition
• Cache-time attacks now more relevant due to processes co-location (cloud)
| PV204 Side Channel 03/04/202371
www.crcs.cz/rsa @CRoCS_MUNI
Other types of side-channel attacks
• Acoustic emanation
– Keyboard clicks, capacitor noise
– Speech eavesdropping based on high-speed camera
• Cache-occupation side-channel
– Cache miss has impact on duration of operation
– Other process can measure own cache hits/misses if cache is shared
– https://github.com/defuse/flush-reload-attacks
– http://software.imdea.org/projects/cacheaudit/
• Branch prediction side-channel (Meltdown, Spectre)
– (separate short course running now)
| PV204 Side Channel 03/04/202372
www.crcs.cz/rsa @CRoCS_MUNI
MITIGATIONS
73 | PV204 Side Channel 03/04/2023
www.crcs.cz/rsa @CRoCS_MUNI
Generic protection techniques
1. Do not leak
– Constant-time crypto, bitslicing…
2. Shielding - preventing leakage outside
– Acoustic shielding, noisy environment
3. Creating additional “noise”
– Parallel software load, noisy power consumption circuits
4. Compensating for leakage
– Perform inverse computation/storage
5. Prevent leaking exploitability
– Ciphertext and key blinding, key regeneration, masking of the operations
75 | PV204 Side Channel 03/04/2023
www.crcs.cz/rsa @CRoCS_MUNI
Example: NaCl (“salt”) library
• Relatively new cryptographic library (2012)
– Designed for usable security and side-channel resistance (mostly time!)
– D. Bernstein, T. Lange, P. Schwabe
– https://cr.yp.to/highspeed/coolnacl-20120725.pdf
– Actively developed fork is libsodium https://github.com/jedisct1/libsodium
• Also check μNaCl for embedded devices: https://munacl.cryptojedi.org/
• Designed for usable security (hard to misuse)
– Fixed selection of good algorithms (AE: Poly1305, Sign: EC Curve25519)
– C = crypto_box(m,n,pk,sk), m = crypto_box_open(c,n,pk,sk)
• Implemented to have constant-time execution
– No data flow from secrets to load addresses
– No data flow from secrets to branch conditions
– No padding oracles (recall CBC padding oracle in PA193)
– Centralizing randomness and avoiding unnecessary randomness
• Extra side-channel and fault injection protections: https://github.com/sca-secure-library-sca25519/sca25519
76 | PV204 Side Channel 03/04/2023
www.crcs.cz/rsa @CRoCS_MUNI
How to test real implementation?
1. Be aware of various side-channels
2. Obtain measurement for given side-channel
– Many times (103 - 107), compute statistics; is it enough?
– Same input data and key; group A
– Same key and different data; group B
– Different keys and same data…
3. Compare groups of measured data
– Is difference visible? => potential leakage
– Is distribution uniform? Is distribution normal?
– More advanced methods, for example: Test Vector Leakage Assessment:
• https://docplayer.net/45501976-Test-vector-leakage-assessment-tvla-methodology-in-practice.html
4. Try to measure again with better precision ☺
77 | PV204 Side Channel 03/04/2023
www.crcs.cz/rsa @CRoCS_MUNI
FAULT INJECTION ATTACKS
Active Side-Channel
| PV204 Side Channel 03/04/202379
www.crcs.cz/rsa @CRoCS_MUNI
Semi-invasive attacks
• “Physical” manipulation (but card still working)
• Micro probes placed on the bus
– After removing epoxy layer
• Fault induction
– liquid nitrogen, power glitches, light flashes…
– modify memory (RAM, EEPROM), e.g., PIN counter
– modify instruction, e.g., conditional jump
| PV204 Side Channel 03/04/202380
www.crcs.cz/rsa @CRoCS_MUNI
PIN verification procedure
81 | PV204 Side Channel 03/04/2023
• [Decrease counter, verify, increase]
= correct
• [Verify, decrease/increase]
www.crcs.cz/rsa @CRoCS_MUNI
Fault induction
• Attacker can induce bit faults in memory locations
– power glitch, flash light, radiation...
– harder to induce targeted then random fault
• Protection with shadow variable
– every variable has shadow counterpart
– shadow variable contains inverse value
– consistency is checked every read/write to memory
• Robust protection, but cumbersome for developer
| PV204 Side Channel 03/04/2023
01011010
10100101
01011010
10100101
if (a != ~a_inv) Exception();
a = 0x55;
a_inv = ~0x55;
01010101
10101010
01010000 if (a != ~a_inv) Exception();
a = 0x13;
a
a_inv
82
More in “Programming in the presence of side-channels /
faults” in PV286/PA193 or
https://riscureprodstorage.blob.core.windows.net/production/
2017/08/Riscure_Whitepaper_Side_Channel_Patterns.pdf
www.crcs.cz/rsa @CRoCS_MUNI
FI Example: the “unlooper” device
83 | PV204 Side Channel 03/04/2023
www.crcs.cz/rsa @CRoCS_MUNI
CONCLUSIONS
| PV204 Side Channel 03/04/202384
www.crcs.cz/rsa @CRoCS_MUNI
Morale
1. Preventing implementation attacks is extra difficult
– Naïve code is often vulnerable
• Not aware of existing problems/attacks
– Optimized code is often vulnerable
• Time/power/acoustic… dependency on secret data
• Dangerous optimizations (Roca: Infineon primes)
2. Use well-known libraries instead of own code
– And follow security advisories and patch quickly
3. Security / mitigations are complex issues
– Underlying hardware can leak information as well
– Try to prevent large number of queries
85 | PV204 Side Channel 03/04/2023
www.crcs.cz/rsa @CRoCS_MUNI
Mandatory reading
• Constant-time crypto: https://bearssl.org/constanttime.html
• Focus on:
– What can cause a cryptographic implementation to be non-constant?
– Is there any impact by the compiler?
– How is bitslicing technique improving the situation?
– What particular techniques are used by BearSSL?
86 | PV204 Side Channel 03/04/2023
www.crcs.cz/rsa @CRoCS_MUNI
Optional reading
• Why Trust is Bad for Security, D. Gollman, 2006
– http://www.sciencedirect.com/science/journal/15710661/157/3
• Focus on:
– Which definition of Trust Gollman uses?
– Why Gollman claims that Trust is bad for security?
88 | PV204 Side Channel 03/04/2023
www.crcs.cz/rsa @CRoCS_MUNI
Conclusions
• Trusted element is secure anchor in a system
– Understand why it is trusted and for whom
• Trusted element can be attacked
– Non-invasive, semi-invasive, invasive methods
• Side-channel attacks are very powerful techniques
– Attacks against particular implementation of algorithm
– Attack possible even when algorithm is secure (e.g., AES)
• Use well-know libraries instead own implementation
| PV204 Side Channel 03/04/202389
www.crcs.cz/rsa @CRoCS_MUNI
In two weeks…
| PV204 Side Channel 03/04/202390