Electromagnetic-based Side Channel Attacks


Electromagnetic-based Side Channel Attacks
Yasmine Badr, 10/28/2015

What is a Side Channel Attack?
Any attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses in the algorithms. [Wikipedia]
Examples: using timing information, power consumption, electromagnetic leaks or even sound.
EM side channels are often the easier route in practice, because there is usually no direct access to the power line.

Defense
These attacks depend on a correlation between observable physical behavior and secret data.
Countermeasures: make the leaked physical information and the secret data uncorrelated, or eliminate/reduce the leak of the physical information.

Examples

Electromagnetic Side Channel Attack [1]
Uses EM emanations from devices to recover information.
First demonstrated in 1985: EM emanations from a monitor were captured from a distance and used to reconstruct the display.
Defense: fonts with reduced EM leakage characteristics, so that the display is hard to recover.

Types of EM emanations [1]
Direct (intentional): result from intentional current flows.
Simple example: using coils to capture the time-varying magnetic fields created by current.
Usually difficult to isolate direct emanations due to interference from other signals.

Types of EM emanations [1]
Unintentional: minor electrical and electromagnetic couplings between components in a device.
These emanations act as modulations of carrier signals (already present in the device, or injected into it): amplitude, angle, or more complex modulation.
An EM receiver tuned to the carrier frequency demodulates the signal (if it is captured).

Exploiting Emanations
The strongest EM emanations are generated by sharp-rising waveforms of short duration.
Exploiting direct emanations requires close proximity.
Unintentional emanations can be captured from a distance without invasive techniques.
Modulated carriers are stronger and travel farther than direct emanations.
The carrier can be the clock.

EM Capturing Equipment
A tunable receiver/demodulator that can be tuned to the various modulated carriers and demodulates them to extract the sensitive signal.

Current amplitude: 3 rounds of DES on the power line of a smart card

Example: Amplitude Modulation [1]
Smart card operating on a 3.68 MHz external clock, performing these instructions (13 cycles in total):
Read a specific value from RAM (5 cycles)
Check for an external condition (5 cycles)
Jump back to the start of the loop (3 cycles)

Raw Signal
Raw signal obtained by a near-field EM sensor placed behind the smart card, for 26 clock cycles.
A regular signal structure repeats 26 times.

Raw Signal (cont'd)
Cannot tell that the smart card is operating in a loop, or which operations are being performed.
The shown signal is the differential of the clock.
The clock signal is so dominant that all information about the other currents is washed out.
The clock is a direct emanation.

With FFT: anything discerned?
Again, the dominant signal is the clock, which consists of strong components at the fundamental frequency and at the odd harmonics, as well as some even harmonics.
Nothing yet about the smart card operations.

At higher frequency
But clock harmonics die out at higher frequency.
AM demodulating the raw signal with a center frequency of around 150 MHz.

Demodulated signal from a smart card doing 16 rounds of DES
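The demodulation pipeline the preceding slides walk through, as an added, runnable illustration; it is not part of the original deck or of Rohatgi's chapter [1]. It constructs a synthetic probe trace: a dominant 3.68 MHz clock with finite edge rise time (the direct emanation), a weak carrier near 150 MHz whose amplitude follows the 5 + 5 + 3 cycle loop activity (the unintentional emanation), and measurement noise. The sample rate, the per-instruction activity levels, the carrier level and the modulation depth are assumptions chosen for the illustration, not measurements. It then shows the two things the slides describe: the strongest component of the raw trace is the clock, and band-passing around 150 MHz and taking the envelope recovers the per-cycle activity pattern. The same two numbers (dominant component, envelope-to-activity correlation) are what an evaluator computes to check whether a countermeasure has actually decorrelated the emanation from processing.

```python
import numpy as np

# Values taken from the slides: the smart card clock, the 13-cycle loop with
# 5 + 5 + 3 cycles, 26 captured cycles and a demodulation centre near 150 MHz.
F_CLK = 3.68e6
F_CARRIER = 150e6
N_CYCLES = 26
# Assumptions for this illustration (not from the slides): sample rate, the
# relative "activity" level of each instruction, and how deeply activity
# modulates the carrier. Only the ordering read > check > jump matters.
FS = 1.0e9
LOOP = np.array([1.0] * 5 + [0.6] * 5 + [0.2] * 3)   # read, check, jump
MOD_DEPTH = 0.05


def cycle_index(t):
    """Clock cycle number that each sample time falls into."""
    return np.floor(t * F_CLK).astype(int)


def make_raw_signal(seed=0):
    """Constructed probe output: a dominant clock (direct emanation) plus a weak
    carrier whose amplitude follows processing activity (unintentional
    emanation), plus white measurement noise."""
    rng = np.random.default_rng(seed)
    n = int(N_CYCLES / F_CLK * FS)
    t = np.arange(n) / FS
    activity = LOOP[cycle_index(t) % len(LOOP)]
    # Square-wave clock with finite edge rise time: smoothing twice with a 20 ns
    # box makes its harmonics roll off quickly, as real clock edges do. The
    # clock is generated with padding so the smoothing has no edge artefacts.
    pad = 40
    t_ext = np.arange(-pad, n + pad) / FS
    clock = np.sign(np.sin(2 * np.pi * F_CLK * t_ext))
    box = np.ones(20) / 20
    clock = np.convolve(clock, box, mode="same")
    clock = np.convolve(clock, box, mode="same")[pad:-pad]
    carrier = np.cos(2 * np.pi * F_CARRIER * t)
    raw = 5.0 * clock + MOD_DEPTH * (1.0 + activity) * carrier
    raw += 0.02 * rng.standard_normal(n)
    return t, raw, activity


def dominant_frequency(raw):
    """Frequency of the strongest non-DC spectral component of a trace."""
    spec = np.abs(np.fft.rfft(raw))
    spec[0] = 0.0
    return np.fft.rfftfreq(len(raw), d=1 / FS)[np.argmax(spec)]


def am_demodulate(raw, fc=F_CARRIER, half_bandwidth=6e6):
    """AM envelope around fc: band-pass fc +/- half_bandwidth, keep only the
    positive-frequency half (analytic signal) and take its magnitude."""
    spec = np.fft.fft(raw)
    freqs = np.fft.fftfreq(len(raw), d=1 / FS)
    keep = (freqs > fc - half_bandwidth) & (freqs < fc + half_bandwidth)
    analytic = 2 * np.fft.ifft(np.where(keep, spec, 0.0))
    return np.abs(analytic)


def per_cycle_levels(trace, t):
    """Average a trace over each clock cycle: one value per cycle."""
    cyc = cycle_index(t)
    return np.array([trace[cyc == k].mean() for k in range(N_CYCLES)])


def instruction_levels(levels):
    """Mean recovered envelope for each instruction class of the 13-cycle loop."""
    pos = np.arange(N_CYCLES) % len(LOOP)
    return {"read": float(levels[pos < 5].mean()),
            "check": float(levels[(pos >= 5) & (pos < 10)].mean()),
            "jump": float(levels[pos >= 10].mean())}


def analyse(seed=0):
    """Return (dominant raw frequency, correlation between the demodulated
    per-cycle envelope and the true activity, per-cycle envelope levels)."""
    t, raw, activity = make_raw_signal(seed)
    envelope = am_demodulate(raw)
    demod_levels = per_cycle_levels(envelope, t)
    true_levels = per_cycle_levels(activity, t)
    corr = float(np.corrcoef(demod_levels, true_levels)[0, 1])
    return dominant_frequency(raw), corr, demod_levels


if __name__ == "__main__":
    f_dom, corr, levels = analyse()
    print(f"strongest component in raw trace: {f_dom / 1e6:.2f} MHz (the clock)")
    print(f"correlation of demodulated envelope with loop activity: {corr:.3f}")
    print("recovered per-cycle activity:", np.round(levels / MOD_DEPTH - 1.0, 2))
    print("per-instruction envelope:", instruction_levels(levels))
```

Averaging the raw trace per cycle would not separate the three instructions, because the clock swamps everything; only after selecting the band around the carrier and discarding the clock harmonics does the envelope follow the loop. The band chosen here sits between clock harmonics, which is why a finite rise time on the clock edges matters: with an ideal square wave the 41st harmonic would fall inside the band and corrupt the envelope.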

2 rounds only: a better look

DES on a smart card: EM signal for two different values, and for the same value, of one output bit of an S-box

References
[1] Rohatgi, Pankaj. "Electromagnetic attacks and countermeasures." Cryptographic Engineering. Springer US, 2009. 407-430.
[2] Longo, Jake, et al. "SoC it to EM: electromagnetic side-channel attacks on a complex system-on-chip." Cryptographic Hardware and Embedded Systems -- CHES 2015. Springer, 2015.