I Know What You Did Last Decryption: Side Channel Attacks on PCs


I Know What You Did Last Decryption: Side Channel Attacks on PCs
Lev Pachmanov (Tel Aviv University), Daniel Genkin (Technion and Tel Aviv University)
Joint work with Itamar Pipman (Tel Aviv University), Adi Shamir (Weizmann Institute of Science), Eran Tromer (Tel Aviv University)
Cryptoday 2014, 30 December 2014

Side channel attacks: probing, CPU architecture, optical, power, electromagnetic, acoustic

Acoustic emanations

ENGULF [Peter Wright, Spycatcher, p. 84]
In 1956, a couple of Post Office engineers fixed a phone at the Egyptian embassy in London.

ENGULF (cont.)
The combined MI5/GCHQ operation enabled us to read the Egyptian ciphers in the London Embassy throughout the Suez Crisis.

Acoustic emanations from PCs
Noisy electrical components in the voltage regulator ("Bzzzzzz").
Commonly known as coil-whine, but also originates from capacitors.

Experimental setup (example)
[Figure: attacker, amplifier, microphone, target, digitizer]

Demo: distinguishing instructions

Distinguishing various CPU operations [Shamir Tromer 04]
[Spectrogram: time vs. frequency; labels: 280 kHz, 1 sec]

Traditional side channel attacks methodology
1. Grab/borrow/steal device
2. Find key-dependent instruction
3. Record emanations using high-bandwidth equipment (> clock rate, PC: >2GHz)
4. Obtain traces
5. Signal and cryptanalytic analysis
6. Recover key

    for i = 1 ... 2048
        sqr(...)
        if key[i] = 1
            mul(...)

Hard for PCs

Traditional side channel attacks methodology: why it is hard for PCs
- Complex electronics running complicated software (in parallel)
- Not handed out
- Measuring a 2GHz PC requires expensive and bulky equipment (compared to a 100 MHz smart card): 100,000$ vs. 1,000$

Acoustic Leakage of RSA

Definitions (RSA)

GnuPG RSA key distinguishability [Shamir Tromer 04]
[Spectrogram: time vs. frequency, with the mod p and mod q stages marked; "sound of the keys" (after frequency downshifting and filtering)]

Key Extraction

Our results: acoustic RSA key extraction
- Low-bandwidth cryptanalytic attacks: 50 kHz bandwidth to attack a 2 GHz CPU
- Inexpensive equipment
- Common cryptographic software: GnuPG 1.4.15 (CVE-2013-4576)
- Worked with GnuPG developers to mitigate the attack
- Applicable to various laptop models

Amplifying the key dependency
Difficulties when attacking RSA:
- 2GHz CPU speed vs. 50kHz measurements
- Cannot rely on a single key-dependent instruction
New idea: leakage self-amplification. Abuse the algorithm's own code to amplify its own leakage!
- Craft suitable ciphertexts to affect the code inside the inner-most loop
- Small differences in repeated inner-most loops cause a big overall difference in code behavior
- Measure acoustic leakage

An adaptive chosen-ciphertext attack
[Diagram: bit-distinguisher oracle]

An adaptive chosen-ciphertext attack
- Bit distinguisher oracle
- Error correction
- Just q
- Coppersmith lattice reduction: half the bits suffice
- send chosen ciphertexts using

modular_exponentiation(c,d,q){
    karatsuba_mult(a,c)
}
karatsuba_mult(a,c){
    basic_mult(x,y)
}
basic_mult(x,y){
    if (y[j]==0) return 0
    else return y[j]*x
}
Repetition factors marked on the slide: x7, x19, x2048. Grand total: 272384 times, ~0.5 sec of measurements.

Modular exponentiation: no key-dependent operation to measure


Multiplication is repeated 2048 times (0.5 sec of data).
Single multiplication is way too fast for us to measure.

Empirical Results

Distinguishing a key bit by a spectral signature
[Spectrograms: time vs. frequency, with the mod p and mod q stages marked]

Demo: key extraction

Results: RSA 4096-bit key extraction from 1 meter away using a microphone

Results: RSA 4096-bit key extraction from 10 meters away using a parabolic microphone

Results: RSA 4096-bit key extraction from 30cm away using a smartphone

Karatsuba multiplication

Basic multiplication
Repeated for a total of 8 times in this call and for a total of up to ~300,000 times, allowing the leakage to be detectable using low-bandwidth means (such as sound).
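The effect of the zero-limb shortcut, as an added example that is not from the slides or from GnuPG: a model of basic_mult that counts limb passes, with and without the `y[j]==0` shortcut, scaled by the 272384 repetitions quoted above. The 32-bit limb size, the operands and all function names are assumptions, and the model counts operations rather than measuring real timing.

```python
LIMB_BITS = 32
LIMB_MASK = (1 << LIMB_BITS) - 1
TOTAL_CALLS = 272384  # grand total quoted on the slide

def to_limbs(value, n_limbs):
    """Split an integer into n_limbs little-endian 32-bit limbs."""
    return [(value >> (LIMB_BITS * i)) & LIMB_MASK for i in range(n_limbs)]

def basic_mult(x, y_limbs, zero_shortcut):
    """Schoolbook x*y, one pass over x per limb of y.

    Returns (product, passes), where passes counts the limb passes
    that actually did multiplication work.
    """
    product, passes = 0, 0
    for j, y_j in enumerate(y_limbs):
        if zero_shortcut and y_j == 0:
            continue  # models the slide's "if (y[j]==0) return 0" branch
        product += (x * y_j) << (LIMB_BITS * j)
        passes += 1
    return product, passes

def total_passes(x, y, n_limbs, zero_shortcut):
    """Limb passes summed over every repetition of the inner multiplication."""
    product, passes = basic_mult(x, to_limbs(y, n_limbs), zero_shortcut)
    assert product == x * y  # both variants compute the same product
    return passes * TOTAL_CALLS

# Constructed 256-bit operands: one is mostly zero limbs, the other has none.
N_LIMBS = 8
X = int("9f" * 32, 16)
Y_SPARSE = 1 << 224        # seven zero limbs, one non-zero limb
Y_DENSE = (1 << 256) - 1   # every limb is 0xffffffff

def work_gap(zero_shortcut):
    """Difference in total passes between the dense and the sparse operand."""
    return (total_passes(X, Y_DENSE, N_LIMBS, zero_shortcut)
            - total_passes(X, Y_SPARSE, N_LIMBS, zero_shortcut))

if __name__ == "__main__":
    print("gap with zero shortcut   :", work_gap(True))
    print("gap without zero shortcut:", work_gap(False))
```

A seven-pass difference per call becomes a gap of roughly 1.9 million passes over the whole exponentiation, which is why a data-dependent branch in the innermost routine matters even to a low-bandwidth observer.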

Electric Channels

Power analysis: measure device's power consumption.
RSA 4096-bit key extraction is possible in a few seconds.

Ground-potential analysis
Attenuating EMI emanations: unwanted currents or electromagnetic fields? Dump them to the circuit ground! (Bypass capacitors, RF shields, ...)
Device is grounded, but its ground potential fluctuates relative to the mains earth ground.
[Diagram: computation -> affects -> currents and EM fields -> dumped to -> device ground -> connected to -> conductive chassis; Key = 101011]

Demo: key extraction

RSA and ElGamal key extraction in a few seconds using direct chassis measurement (non-adaptive attack)
[Figure label: Key = 101011]

RSA and ElGamal key extraction in a few seconds using human touch (non-adaptive attack)
[Figure label: Key = 101011]

Ground-potential analysis
Attenuating EMI emanations: unwanted currents or electromagnetic fields? Dump them to the circuit ground! (Bypass capacitors, RF shields, ...)
Device is grounded, but its ground potential fluctuates relative to the mains earth ground.
[Diagram: computation -> affects -> device ground -> connected to -> conductive chassis -> connected to -> shielded cables; Key = 101011]
Even when no data, or port is turned off.

Demo: key extraction

RSA and ElGamal key extraction in a few seconds using the far end of 10 meter network cable (non-adaptive attack)
Works even if a firewall is present, or port is turned off.
[Figure label: Key = 101011]

Key extraction on far side of Ethernet cable using a mobile phone

Electromagnetic key extraction
Currents inside the target create electromagnetic waves. Can be detected using an electromagnetic probe (e.g., a loop of wire).


Countermeasures (class discussion)

Ineffective countermeasures
1. Shielding

Ineffective countermeasures (cont.)
2. Adding noise (play loud music while decrypting)
3. Concurrent software load

Countermeasures (ciphertext randomization)
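One common form of ciphertext randomization is RSA blinding, sketched here as an added example that is not from the slides or from GnuPG's code: the decryptor exponentiates c * r^e mod N for a fresh random r, so the sender no longer chooses the operand that reaches the multiplication routines. The toy key, the 32-bit limb size, the sample ciphertext and all function names are assumptions.

```python
import math
import secrets

# Constructed toy key built from two Mersenne primes; far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
LIMB_BITS = 32

def zero_limbs(value):
    """Count all-zero 32-bit limbs of value, at the limb width of N."""
    n_limbs = (N.bit_length() + LIMB_BITS - 1) // LIMB_BITS
    mask = (1 << LIMB_BITS) - 1
    return sum(((value >> (LIMB_BITS * i)) & mask) == 0 for i in range(n_limbs))

def decrypt_plain(c):
    """No randomization: the sender's ciphertext is the exponentiation base."""
    base = c % N
    return pow(base, D, N), base

def decrypt_randomized(c):
    """Ciphertext randomization: exponentiate c * r^e mod N, then remove r."""
    while True:
        r = secrets.randbelow(N - 2) + 2       # fresh random r in [2, N-1]
        if math.gcd(r, N) == 1:                # r must be invertible mod N
            break
    base = (c * pow(r, E, N)) % N              # not predictable by the sender
    m_times_r = pow(base, D, N)                # (c * r^e)^d = m * r mod N
    return (m_times_r * pow(r, -1, N)) % N, base

# Constructed ciphertext with sender-chosen structure: six of seven limbs are zero.
C_STRUCTURED = 1 << 200

if __name__ == "__main__":
    m1, base1 = decrypt_plain(C_STRUCTURED)
    m2, base2 = decrypt_randomized(C_STRUCTURED)
    print("same plaintext:", m1 == m2)
    print("zero limbs in base, plain     :", zero_limbs(base1))
    print("zero limbs in base, randomized:", zero_limbs(base2))
```

Both paths return the same plaintext; only the randomized one hides the ciphertext's limb structure from the exponentiation.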

cs.tau.ac.il/~tromer/acoustic (CRYPTO '14, CVE-2013-4576)
cs.tau.ac.il/~tromer/handsoff (CHES '14, CVE-2014-5270)
cs.tau.ac.il/~tromer/radioexp (CHES '15, CVE-2014-3591)
