Is Your Mobile Device Radiating Keys?


Is Your Mobile Device Radiating Keys?
Benjamin Jun, Gary Kenworthy
Session ID: MBS-401
Session Classification: Intermediate

Radiated Leakage
- You have probably heard of this before
- App example of receiving radiated information - without even trying
- What kinds of secret information might be leaking from your mobile device?

Background

History of Electro-Magnetic (EM) Analysis
- Early work on EM analysis was classified
- TEMPEST: Transient electromagnetic pulse emanation standard
- Parts of TEMPEST literature declassified Jan '01 under FOIA: http://www.cryptome.org
- Electromagnetic, electrical, acoustic...
- Relevant TEMPEST literature:
  - NACSIM 5000: TEMPEST fundamentals
  - NACSEM 5112: NONSTOP evaluation techniques
  - NSTISSI no. 7000: TEMPEST countermeasures for facilities

Power Analysis
- Discovered by Cryptography Research in mid-1990s
- Power consumption of a device leaks information
- Simple Power Analysis (SPA) and Differential Power Analysis (DPA)
- Low cost, non-invasive attacks on cryptographic implementations
- Analyzing power consumption reveals the key
- All cryptographic algorithms vulnerable
  - Symmetric crypto: DES, AES, HMAC, ...
  - Asymmetric crypto: RSA, DH, EC variants, ...
- Affects all types of hardware and software implementations, including ASICs, FPGAs, smart cards, smart phones, ...
- Same techniques work for different side-channels such as EM and RF emissions
- Reference: Advances in Cryptology - Crypto 99 Proceedings, LNCS 1666, Springer Verlag, 1999

How side channel analysis works
- Integrated circuits contain transistors, which consume electricity as they operate.
- The total power consumption of an integrated circuit and its EM emissions depend on the activity of its individual transistors.
[Figures: NMOS (N-channel) transistor; power consumption (RSA operation); EM emission (RSA operation)]

Simple Power Analysis (SPA)
- Keys can be extracted from a single trace
- Example RSA implementation:

    For each bit i of secret d
        perform Square
        if (bit i == 1)
            perform Multiply
        endif
    endfor

- Trace annotation: SSMSSMSSSSSSS MSSMSSMSSSMSSMSM
- Similar analysis also applies to EM

DPA: Statistical techniques for analyzing data with low signal/noise ratios
- Signal/noise ratio may be very small
- However, statistical influence remains
- E.g., at time t0, the mean of signals where register 7 bit 1 = 0 is different from the mean of signals where register 7 bit 1 = 1
- DPA: using statistical methods to analyze minute differences in power measurements due to the data being manipulated
- Similar analysis applies to EM measurements
[Figure: probability density of the power signal amplitude at time t0, one curve for register 7 bit 1 = 0 and one for register 7 bit 1 = 1]

EM Analysis: Early published results
- J.-J. Quisquater & David Samyde, E-smart 2001
  - Using M-field probes
- Gemplus: CHES 2001
  - Carefully positioned E- and M-field probes on chip surface to isolate signals
  - Best results required "decapsulating" the chip
  - SEMA and DEMA
- IBM: CHES 2002
  - Used antennas, E- and M-field probes
  - Use of receivers, demodulation and signal processing allowed SEMA/DEMA from a distance
  - Near-field probes: raw EM signal dominated by clock
  - Information about computation available after AM demodulation

Demonstrations

Overview
- Increased usage of cryptography in smart phones
  - Payments, encrypted storage, VPNs, SSL, content protection, etc.
  - Security requirements in financial, enterprise, govt (FIPS), content space
- CPUs in smart phones emit electromagnetic (EM) radiation during data processing
  - Emissions contain information about data being processed
- Side channel analysis of smart phone emissions reveals secrets and cryptographic keys being used
  - Attacks possible from a few inches to several feet away
  - Applications and OS libraries using crypto are vulnerable

Capturing EM from PDAs/smartphones
- Simple EM attack with a radio
- Usable signals even at 10 feet away
- Capture chain shown on the slide:
  - Devices
  - Antennas (far field, near field)
  - Receiver ($350)
  - Digitizer, GNU Radio peripheral ($1000)
  - Signal processing (demodulation, filtering)
  - DPAWS(TM) side channel analysis software

App Security Demo 1: M-field attack on RSA
- Android app with simple RSA CRT implementation on HTC Evo 4G phone
- Magnetic field pickup coil placed behind phone
- Measurements collected during computation of M^d mod N
- Capture settings: CF = 36.99 MHz, Acq BW = 500 kHz, Filt BW = 250 kHz, Smoothing = 10
[Figure: RSA CRT trace with two regions labelled Mp^dp mod p and Mq^dq mod q]

RSA: Key extraction
- Focus on the Mp^dp mod p calculation (Mq^dq mod q is similar)

    For each bit i of secret dp
        perform Square
        if (bit i == 1)
            perform Multiply
        endif
    endfor

- Trace annotation: SM S SSSSSSSM S SM SM S SSSM SM S SSSSSSSS

App Security Demo 2: Simple EM attack on ECC from 10 feet away
- ECC (Elliptic Curve Cryptography) app on PDA
- Point multiplication (m * Q) over P 571 using open source crypto library
- Double and add algorithm to compute m*Q:

    For each bit i of secret m
        perform Double
        if (bit i == 1)
            perform Add
        endif
    endfor

- In ECC, double and add are very different operations
- The double/add execution sequence yields m!

ECC Signal: Extracting Secret m
- Capture settings: CF = 972.177 MHz, Acq BW = 200 kHz, Filt BW = 140 kHz, Smoothing = 10
- Trace annotation: D D D D D D D D D A D A D A D A D A D A
- m = 1 0 0 0 0 0 0 0 0 1 1 1 1 1 1
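The square/multiply (and double/add) loops above leak because the operation sequence depends on the key. The following is an added example, not code from the slides or from the apps they tested: it logs the operation sequence of the slide's loop and of a Montgomery ladder, a standard fixed-sequence alternative the slides do not name. The exponents, base and modulus are constructed toy values.

```python
def _mul(a, b, n, ops):
    ops.append("M")
    return a * b % n

def _sqr(a, n, ops):
    ops.append("S")
    return a * a % n

def square_and_multiply(base, d, n):
    """The loop from the slides: the multiply runs only when the key bit is 1."""
    acc, ops = 1, []
    for bit in bin(d)[2:]:
        acc = _sqr(acc, n, ops)
        if bit == "1":
            acc = _mul(acc, base, n, ops)
    return acc, "".join(ops)

def montgomery_ladder(base, d, n, bits):
    """Every key bit costs exactly one multiply and one square."""
    r0, r1, ops = 1, base % n, []
    for i in reversed(range(bits)):
        # A production ladder replaces this branch with a constant-time swap.
        if (d >> i) & 1:
            r0, r1 = _mul(r0, r1, n, ops), _sqr(r1, n, ops)
        else:
            r1, r0 = _mul(r0, r1, n, ops), _sqr(r0, n, ops)
    return r0, "".join(ops)

def bits_from_sequence(ops):
    """What one trace of the slide's loop gives away: 'SM' is a 1 bit, a lone 'S' a 0 bit."""
    return ops.replace("SM", "1").replace("S", "0")

# Constructed toy values (not from the slides): 7-bit exponents, modulus 61 * 53.
D1, D2, N, BITS = 0b1011001, 0b1100110, 3233, 7

def ladder(base, d, n):
    return montgomery_ladder(base, d, n, BITS)

def sequence_depends_on_key(exponentiate, d1=D1, d2=D2):
    """Regression check: do two same-length keys produce different operation sequences?"""
    return exponentiate(65, d1, N)[1] != exponentiate(65, d2, N)[1]

if __name__ == "__main__":
    _, ops = square_and_multiply(65, D1, N)
    print("slide loop :", ops, "->", bits_from_sequence(ops))
    print("ladder     :", ladder(65, D1, N)[1])
    print("leaks (slide loop / ladder):",
          sequence_depends_on_key(square_and_multiply), sequence_depends_on_key(ladder))
```

A fixed operation sequence removes the SPA leak shown in the demos; it does not by itself address DPA-style leakage from the data being processed.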

DPA: Statistical techniques for analyzing data with low signal/noise ratios
- Signal/noise ratio may be very small
- However, statistical influence remains
- E.g., at time t0, the mean of signals where register 7 bit 1 = 0 is different from the mean of signals where register 7 bit 1 = 1
- DPA: using statistical methods to analyze minute differences in power measurements due to the data being manipulated
- Similar analysis applies to EM measurements
[Figure: probability density of the power signal amplitude at time t0, one curve for register 7 bit 1 = 0 and one for register 7 bit 1 = 1]

Bulk AES Example
- Bulk AES encryption on another Android phone
- App invokes the Bouncy Castle AES provider
- Baseband M-field trace capture on a sampling scope
- Capture settings: Baseband, Acq LPF = 100 MHz, Filt BW = 60 MHz
[Figure: bulk AES trace with individual operations labelled AES 1, AES 2, AES 3]

Efficient Leakage Testing
- Testing for all DPA leakage possibilities can be a very labor-intensive, time-consuming process
- Fortunately, we can test for leakage without actually doing full DPA key recovery
- Developed standardized test: statistical analysis of operations to reveal presence of leakage

Bulk AES: Information leakage assessment
- Results of standardized leakage test (t-test)
- Substantial DPA leakages are present
- Control group: t-test comparing average signal from Set 1 (random AES) with average signal from Set 2 (random AES)
- Test group: t-test comparing average signal from Set 1 (random AES) with average signal from Set 3 (fixed AES)
[Figure: t statistic plotted for the control group and for the test group, with bounds marked at 4.5; annotation "t statistic > 40"]
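The control-group and test-group comparison above can be reproduced on simulated data. This is an added example, not the presenters' tool: it applies Welch's t-test (an assumption; the slides say only "t-test") at every sample point of constructed traces whose single leaking sample follows a Hamming-weight model, and flags points beyond the 4.5 bound shown on the slide.

```python
import math
import random

THRESHOLD = 4.5   # bound marked on the slide's plots
POINTS = 20       # samples per constructed trace
LEAK_POINT = 7    # constructed: only this sample depends on the data

def simulate_set(rng, n, fixed_byte=None):
    """Constructed traces: unit Gaussian noise plus 0.5 * Hamming weight at LEAK_POINT."""
    traces = []
    for _ in range(n):
        byte = fixed_byte if fixed_byte is not None else rng.randrange(256)
        trace = [rng.gauss(0.0, 1.0) for _ in range(POINTS)]
        trace[LEAK_POINT] += 0.5 * bin(byte).count("1")
        traces.append(trace)
    return traces

def mean_var(xs):
    m = sum(xs) / len(xs)
    return m, sum((x - m) ** 2 for x in xs) / (len(xs) - 1)

def welch_t(set_a, set_b):
    """Welch's t statistic at each sample point, comparing two sets of traces."""
    stats = []
    for col_a, col_b in zip(zip(*set_a), zip(*set_b)):
        (m_a, v_a), (m_b, v_b) = mean_var(col_a), mean_var(col_b)
        stats.append((m_a - m_b) / math.sqrt(v_a / len(col_a) + v_b / len(col_b)))
    return stats

def points_over_threshold(t_values):
    return [i for i, t in enumerate(t_values) if abs(t) > THRESHOLD]

def assess(n=2000, seed=1):
    """Returns (control group failures, test group failures) as lists of sample indexes."""
    rng = random.Random(seed)
    set1 = simulate_set(rng, n)                   # Set 1: random data
    set2 = simulate_set(rng, n)                   # Set 2: random data
    set3 = simulate_set(rng, n, fixed_byte=0x7F)  # Set 3: fixed data
    control = points_over_threshold(welch_t(set1, set2))
    test = points_over_threshold(welch_t(set1, set3))
    return control, test

if __name__ == "__main__":
    control, test = assess()
    print("control group, points over threshold:", control)
    print("test group, points over threshold:   ", test)
```

The control group guards against a setup that flags everything: if two random sets already differ beyond the bound, the measurement process itself is the problem, not the device.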

What About FCC Testing?

FCC Part 15 Overview
- Covers nearly every electronics device sold in the US (similar regulations for other markets worldwide)
- Devices must be either verified or certified to not cause harmful interference
- Intentional transmitters go through a more complex process to receive device Certification
- Unintentional radiators get a Declaration of Conformity through a simpler process of verification
- Most mobile devices contain wireless links, and therefore need the more difficult to obtain Certification

FCC Example with Numbers
- FCC part 15.109 (a): the field strength of radiated emissions from unintentional radiators at a distance of 3 meters shall not exceed the following values:
  - Above 960 MHz: 500 microvolts/meter
- Received Power (dBm) = Field Strength (dBuV/m) - 20 log Frequency (MHz) + Antenna Gain (dBi) - 77.2

    Field Strength (dBuV/m)      54.0
    - 20 log Frequency (MHz)   - 60.0
    + Antenna Gain (dBi)       + 10.0
    - 77.2                     - 77.2
    = Received Power           - 73.2 dBm

- Well above noise floor!

Does FCC Certification Prevent Radiating Secrets?
- No!
- Note: all demonstrations use unmodified devices which are commercially sold, presumed FCC Certified
- Even GSM buzz doesn't meet the FCC definition of harmful interference

Countermeasures

DPA Countermeasures
- SPA/DPA immunity is possible and practical
  - But very different from a simple bug fix
- Security can involve a mix of countermeasures
  - At hardware, software and protocol layers
- CRI invented the fundamental solutions to DPA, licenses patents, and assists licensees in implementing countermeasures in products
- Countermeasure overhead depends on:
  - Algorithms being protected, leakage characteristics of the device, desired level of immunity, engineering constraints and design flexibility
  - Performance overhead can range from ~10% (e.g., RSA w/out CRT), ~25% (AES protocol countermeasures) to >400% (general purpose AES, other symmetric)

SPA / DPA Countermeasures
- SPA/DPA countermeasures: fundamental categories
  - Obfuscation
  - Leak Reduction
  - Balanced HW / SW
  - Amplitude & Temporal Noise
  - Incorporating Randomness
  - Protocol Level CM
- Cryptography Research has patented the fundamental solutions to DPA! A license is required to make, use, sell or issue DPA resistant devices

Example of a SW-Friendly Countermeasure: Masking
- Block ciphers can be implemented in ways that use random information to:
  - Split key into two (or more) randomized parts
  - Split message into two (or more) randomized parts
  - E.g., Key = Key Part A Key Part B
- Compute the block cipher using the two randomized, unpredictable parts
- Correct answer is obtained, but no internal variable is correlated to the input and key
[Diagram: Key Part A, Key Part B and the message parts feed a block cipher computed using split data representations, producing Result Part A and Result Part B]
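The masking slide's claim, that the correct answer is obtained while no internal variable is correlated to the input and key, can be checked exhaustively on a small case. This is an added example, not the presenters' implementation: it assumes XOR (Boolean) splitting, uses the 4-bit S-box of the PRESENT cipher as a stand-in for a block cipher's nonlinear step, and handles that step with a re-masked lookup table, one common technique among several.

```python
from collections import Counter
from itertools import product
import secrets

# 4-bit S-box of the PRESENT cipher, standing in for the cipher's nonlinear step.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def masked_round(msg, key, m_msg, m_key, m_out):
    """Toy round SBOX[msg ^ key] computed on shares.

    Returns (every single intermediate value, (Result Part A, Result Part B)).
    """
    msg_a, msg_b = m_msg, msg ^ m_msg      # message = part A xor part B
    key_a, key_b = m_key, key ^ m_key      # key = part A xor part B
    x_a = msg_a ^ key_a                    # linear step, one share at a time
    x_b = msg_b ^ key_b
    # Nonlinear step: rebuild the table so it can be indexed by x_b alone
    # and returns its output already hidden by the fresh mask m_out.
    table = [SBOX[i ^ x_a] ^ m_out for i in range(16)]
    res_a, res_b = m_out, table[x_b]
    return (msg_a, msg_b, key_a, key_b, x_a, x_b, res_b), (res_a, res_b)

def encrypt_nibble(msg, key):
    """Normal use: three fresh random masks on every call."""
    masks = [secrets.randbelow(16) for _ in range(3)]
    _, (res_a, res_b) = masked_round(msg, key, *masks)
    return res_a ^ res_b

def intermediate_distributions(msg, key):
    """Tally each intermediate over all 16**3 mask choices for one (msg, key)."""
    tallies = [Counter() for _ in range(7)]
    for masks in product(range(16), repeat=3):
        values, _ = masked_round(msg, key, *masks)
        for tally, value in zip(tallies, values):
            tally[value] += 1
    return tallies

def first_order_independent():
    """True if every intermediate has the same distribution for all inputs and keys."""
    reference = intermediate_distributions(0, 0)
    return all(intermediate_distributions(m, k) == reference
               for m, k in product(range(16), repeat=2))

if __name__ == "__main__":
    print("correct:", all(encrypt_nibble(m, k) == SBOX[m ^ k]
                          for m, k in product(range(16), repeat=2)))
    print("each intermediate independent of msg and key:", first_order_independent())
```

The check covers single intermediates only (first-order leakage); an observer who can combine two intermediates from the same run, such as both shares, is outside what two-share masking protects against.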

Protocol Level Countermeasures
- Problem: protocols may allow attacker unlimited traces with a fixed key
  - O(2^40) traces: 10^-10 bits leaking/transaction is too much
- Solution: build protocols that survive information leakage
  - Design crypto with realistic assumptions about the hardware
  - Hardware has to be fairly good, but assumed to leak
  - Can obtain provable security against DPA with reasonable assumptions and significant safety margin
- Examples: symmetric key transactions, challenge response, authenticated encryption/decryption
[Diagram: key tree. K_ROOT (TR Hardware) yields K_ROOT,0 through f0() and K_ROOT,1 through f1(); applying f0() and f1() again yields K_ROOT,00, K_ROOT,01, K_ROOT,10, K_ROOT,11, and so on. Side flow: Key; use key to secure transaction; increment transaction counter; hash key.]

Conclusions / Application Actions
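The key tree in the diagram bounds how much any one key is ever used. This is an added example, not the presenters' protocol: it assumes f0() and f1() are HMAC-SHA256 over a one-byte constant, an 8-bit transaction counter, and a walk from K_ROOT taking one branch per counter bit; the slide specifies none of these.

```python
import hashlib
import hmac
from collections import defaultdict

DEPTH = 8  # assumed counter width: 2**DEPTH transactions per root key

def f(bit, key):
    """Assumed f0()/f1(): HMAC-SHA256 of the constant 0x00 or 0x01 under the parent key."""
    return hmac.new(key, bytes([bit]), hashlib.sha256).digest()

def transaction_key(k_root, counter, observed=None):
    """Walk the tree from K_ROOT, applying f0 or f1 for each counter bit (MSB first)."""
    if not 0 <= counter < 2 ** DEPTH:
        raise ValueError("transaction counter exhausted; provision a new root key")
    key = k_root
    for level in reversed(range(DEPTH)):
        bit = (counter >> level) & 1
        if observed is not None:
            observed[key].add(bit)  # record which operation this key was used in
        key = f(bit, key)
    return key

def usage_profile(k_root):
    """Over the whole counter range: (max distinct operations on any key, distinct leaf keys)."""
    observed = defaultdict(set)
    leaves = {transaction_key(k_root, c, observed) for c in range(2 ** DEPTH)}
    return max(len(ops) for ops in observed.values()), len(leaves)

# Constructed root key for the demonstration; a real one is random and stays in hardware.
DEMO_ROOT = bytes.fromhex("11" * 32)

if __name__ == "__main__":
    max_ops, leaves = usage_profile(DEMO_ROOT)
    print("distinct operations ever performed with any one tree key:", max_ops)
    print("distinct per-transaction keys:", leaves)
```

Because no key in the tree is ever processed with more than two different inputs, and neither input is attacker-chosen, an observer cannot accumulate the many varied traces under one key that DPA depends on.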

Summary
- Electronic devices radiate information
- Shielding may not be sufficient nor appropriate for mobile devices with wireless capabilities
- Some platforms have effective HW & OS-level countermeasures
- On other platforms, users need to mitigate using software and protocol countermeasures
- Testing must be part of any security design

Apply Slide
- Application developers should understand how side channel information leaks affect critical applications.
- If there are no HW or OS-level platform countermeasures, examine the use of application and protocol countermeasures

Contact Information
- Benjamin Jun (ben@cryptography.com)
- Gary Kenworthy (gary.kenworthy@cryptography.com)
- Cryptography Research, Inc.
- www.cryptography.com