Practical Aspects of Modern Cryptography
Josh Benaloh
Brian LaMacchia
Winter 2011
January 27, 2011

Side-Channel Attacks
Breaking a cryptosystem is a frontal attack, but there may be easier access through a side or back door – especially on embedded cryptographic devices such as SmartCards and RFIDs.

Side-Channel Attacks
Some attack vectors …
- Fault Attacks
- Timing Attacks
- Cache Attacks
- Power Analysis
- Electromagnetic Emissions
- Acoustic Emissions
- Information Disclosure
- … others?

Fault Attacks
(N.B. Problem 3 of Assignment 1 where a mod error in RSA decryption/signatures discloses key.)
Faults may be unintentional or induced by …
- Heat
- Cold
- Low power
- Microwaves
- … etc.

Timing Attacks
How long does it take to perform a decryption?
The answer may be data-dependent.
For instance…
Watch decryption times for
where
and where
.
If there is a minute difference,
can be determined with binary search.

Cache Attacks
If you can run code on the same device where a decryption is being performed, you may be able to selectively force certain cache lines to be flushed.
Decryption times may vary in a key-dependent manner based upon which lines have been flushed.

Power Analysis
Power usage of a device may vary in a key-dependent manner.
Careful measurement and analysis of power consumption can be used to determine the key.

Electromagnetic Emissions
One can record electromagnetic emissions of a device – often at a distance.
Careful analysis of the emissions may reveal a secret key.

Acoustic Emissions
Modular exponentiation is usually done with repeated squaring and conditional “side” multiplications.
It can actually be possible to hear whether or not these conditional multiplications are performed.

Information Disclosures
(N.B. Bleichenbacher Attack)
A protocol may respond differently to properly and improperly formed data.
Careful manipulation of data may elicit responses which disclose information about a desired key or decryption value.

Certificate Revocation
Every “reasonable” certification should include an expiration.
It is sometimes necessary to “revoke” a certificate before it expires.

Certificate Revocation
Reasons for revocation …
- Key Compromise
- False Issuance
- Role Modification

Certificate Revocation
Two primary mechanisms …
- Certificate Revocation Lists (CRLs)
- Online Certificate Status Protocol (OCSP)

Certificate Revocation Lists
A CA revokes a certificate by placing its identifying serial number on its Certificate Revocation List (CRL).
- Every CA issues CRLs to cancel out issued certs
- A CRL is like anti-matter – when it comes into contact with a certificate it lists, it cancels out the certificate
- Think “1970s-style credit-card blacklist”
- Relying parties are expected to check the most recent CRLs before they rely on a certificate
- “The cert is valid unless you hear something telling you otherwise”

The Problem with CRLs
Blacklists have numerous problems
- They can grow very large because certs cannot be removed until they expire.
- They are not issued frequently enough to be effective against a serious attack.
- Their size can make them expensive to distribute (especially on low-bandwidth channels).
- They are vulnerable to simple DOS attacks. (What do you do if you can’t get the current CRL?)

More Problems with CRLs
Poor CRL design has made the problem worse.
- CRLs can contain retroactive invalidity dates
- A CRL issued today can say a cert was invalid as of last week. Checking that something was valid at time wasn’t sufficient!
- Back-dated CRLs can appear at any time in the future.
- CAs can even change the CRL rules retroactively.
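
Added example (not from the original slides): a simplified relying-party check that shows two of the problems above, a back-dated invalidity date overturning an earlier "good" answer and the question of what to do when no current CRL is available. The class and field names are hypothetical, the sample CRLs are constructed, and failing closed on a stale CRL is a policy assumption of this model.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Entry:                               # one revoked serial number on a CRL
    revoked_on: date
    invalid_since: Optional[date] = None   # optional back-dated invalidity date

@dataclass
class CRL:
    this_update: date
    next_update: date
    entries: dict = field(default_factory=dict)   # serial -> Entry

def status(serial, signed_on, crl, now):
    """Relying-party view of a signature made on `signed_on` by cert `serial`."""
    if not (crl.this_update <= now <= crl.next_update):
        return "unknown"     # no current CRL available: this model fails closed
    entry = crl.entries.get(serial)
    if entry is None:
        return "good"        # "valid unless you hear otherwise"
    cutoff = entry.invalid_since or entry.revoked_on
    return "revoked" if signed_on >= cutoff else "good"

# Constructed sample data: two consecutive weekly CRLs from one CA.
SERIAL = 0x1A2B
SIGNED = date(2011, 1, 21)
CRL_OLD = CRL(date(2011, 1, 20), date(2011, 1, 27))
CRL_NEW = CRL(date(2011, 1, 27), date(2011, 2, 3),
              {SERIAL: Entry(revoked_on=date(2011, 1, 27),
                             invalid_since=date(2011, 1, 19))})

def demo():
    return (
        status(SERIAL, SIGNED, CRL_OLD, now=date(2011, 1, 21)),  # at signing time
        status(SERIAL, SIGNED, CRL_NEW, now=date(2011, 1, 28)),  # one week later
        status(SERIAL, SIGNED, CRL_NEW, now=date(2011, 2, 10)),  # CRL has expired
    )

if __name__ == "__main__":
    print(demo())
```

The same signature is accepted on the day it is made and rejected a week later, so a relying party that needs durable decisions has to record which CRL it consulted and re-evaluate when a newer one arrives.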

Yet More Problems with CRLs
- Revoking a cert used by a CA to issue other certs is even harder since this may invalidate an entire set of certs.
- “Self-signed” certificates are often used as a syntactic convenience. Is it meaningful for a cert to revoke itself?

Even More Problems with CRLs
- CRLs can’t be revoked. If a cert has been mistakenly revoked, the revocation can’t be reversed.
- CRLs can’t be updated. There’s no mechanism to issue a new CRL to relying parties early – even if there’s an urgent need to issue new revocations.

Short-Lived Certificates
If you need to go to a CA to get a fresh CRL, why not just go to a CA to get a fresh cert?

CRLs vs. OCSP Responses
Aggregation vs. Freshness
- CRLs combine revocation information for many certs into one long-lived object
- OCSP Responses are designed for real-time responses to queries about the status of a single certificate
- Both CRLs & OCSP Responses are generated by the issuing CA or its designate. (Generally this is not the relying party.)

Online Status Checking
OCSP: Online Certificate Status Protocol
- A way to ask “is this certificate good right now?”
- Get back a signed response from the OCSP server saying, “Yes, cert C is good at time t”
- Response is like a “freshness certificate”
- OCSP response is like a selective CRL
- Client indicates the certs for which he wants status information
- OCSP responder dynamically creates a lightweight CRL-like response for those certs

OCSP in Action
[Diagram: End-entity, CA and Relying Party exchanging messages in steps ① to ⑥. Labels: Cert Request, Cert, Cert + Transaction, OCSP Request, OCSP For Cert, OCSP Response, Transaction Response.]

Final thoughts on Revocation
From a financial standpoint, it’s the revocation data that is valuable, not the issued certificate itself.
- For high-valued financial transactions, seller wants to know your cert is good right now.
- This is similar to credit cards, where the merchant wants the card authorized “right now” at the point-of-sale.
- Card authorizations transfer risk from merchant to bank – thus they’re worth $$$.

Design Charrette
How would you design a transit fare card system?

Fare Card System Elements
- An RFID card for each rider
- Readers on each vehicle and/or transit station (Internet connected?)
- Card purchase/payment machines
- A web portal for riders to manage and/or enrich their cards