Side-Channel Attacks: Ten Years After Its Publication and the Impacts on Cryptographic Module Security Testing♠

Updated: 2023-07-26 20:13:36

YongBin Zhou, DengGuo Feng
State Key Laboratory of Information Security, Institute of Software,
Chinese Academy of Sciences, Beijing, 100080, China
{zyb,feng}@is.iscas.ac

Abstract  Side-channel attacks are easy-to-implement yet powerful attacks against cryptographic implementations, and their targets range from primitives, protocols, modules and devices to entire systems. These attacks pose a serious threat to the security of cryptographic modules. In consequence, cryptographic implementations have to be evaluated for their resistance against such attacks, and the incorporation of different countermeasures has to be considered. This paper surveys the methods and techniques employed in the attacks, the destructive effects of such attacks, the countermeasures against such attacks, and an evaluation of their feasibility and applicability. Finally, the necessity and feasibility of adopting this kind of physical security testing and evaluation in the development of the FIPS 140-3 standard are explored. This paper is not only a survey paper, but also, and more so, a position paper.

Keywords  information security, side-channel attack, cryptographic module, security testing, FIPS 140
1. Introduction
Security has long been a major concern in computing and communications systems, and substantial research effort has been devoted to addressing it. Cryptographic algorithms, including symmetric ciphers, public-key ciphers, and hash functions, form a set of primitives that can be used as building blocks to construct security mechanisms that target specific objectives [115]. For example, network security protocols, such as SSH and TLS, combine these primitives to provide authentication between communicating entities and to ensure the confidentiality and integrity of communicated data. In practice, the security mechanisms only specify what functions are to be performed, irrespective of how the functions are implemented. For example, the specification of a security protocol is usually independent of whether the encryption algorithms are implemented in software running on a general-purpose processor or in custom hardware units, and of whether the memory used to store intermediate data during the computations is on the same chip as the computing unit or on a separate chip.
This kind of "separation of concerns" between security mechanisms and their implementation has enabled (and is, arguably, necessary for) rigorous theoretical analysis and design of cryptosystems and security protocols. However, in the process, various assumptions are made about the implementation of security mechanisms. For example, it is typically assumed that the implementations of cryptographic computations are ideal "black boxes" whose internals can neither be observed nor interfered with by any malicious entity. Aided by these assumptions, the level of security is widely quantified in terms of the mathematical properties of the cryptographic algorithms and their key sizes.
♠ The work of this paper is funded by the National Natural Science Foundation of P.R. China under Grant No. 60503014, No. 60273027 and No. 60373039.
In practice, however, the security mechanisms alone are far from being complete security solutions [42]. It is unrealistic to assume that attackers will attempt to directly take on the computational complexity of breaking the cryptographic primitives employed in security mechanisms. An interesting analogy can be drawn in this regard between strong cryptographic algorithms and a highly secure lock on the front door of a house [114]. Burglars attempting to break into a house will rarely try all the combinations necessary to pick such a lock; they may break in through windows, break a door at its hinges, or rob the owners of a key as they are trying to enter the house. Similarly, almost all known security attacks on cryptographic systems target weaknesses in the implementation and deployment of the mechanisms and their cryptographic algorithms. These weaknesses can allow attackers to completely bypass, or significantly weaken, the theoretical strength of security solutions.
For a cryptographic system to remain secure it is imperative that the secret keys it uses to perform the required security services are not revealed in any way. Since cryptographic algorithms themselves have been studied for a long time by a large number of experts, attackers are more likely to try to attack the hardware and system within which the cryptographic unit is housed.
A new class of attacks was developed in the last few years by Kocher [49,59]. These attacks work because there is a correlation between the physical measurements taken at different points during the computation and the internal state of the processing device, which is itself related to the secret key.
In reality, cryptographic algorithms are always implemented in software or hardware on physical devices which interact with, and are influenced by, their environments. These physical interactions can be instigated and monitored by adversaries, like Eve, and may yield information useful in cryptanalysis. This type of information is called side-channel information, and the attacks exploiting side-channel information are called side-channel attacks (SCA in the sequel). The underlying idea of SCA attacks is to look at the way cryptographic algorithms are implemented, rather than at the algorithm itself.
It is not difficult to see that conventional cryptanalysis treats cryptographic algorithms as purely mathematical objects, whilst side-channel cryptanalysis also takes the implementations of the algorithms into account. Hence, SCA attacks are also called implementation attacks. Since any cryptographic algorithm must be encoded in order to function, such encoded algorithms must not reveal the private key information used, despite the adversary's ability to observe and manipulate the running algorithm.
The first official information related to SCA attacks dates back to the year 1965. P. Wright (a scientist with GCHQ at that time) reported in [113] that MI5, the British intelligence agency, was trying to break a cipher used by the Egyptian Embassy in London, but their efforts were stymied by the limits of their computational power. Wright suggested placing a microphone near the rotor-cipher machine used by the Egyptians to capture the click sounds the machine produced. By listening to the clicks of the rotors as cipher clerks reset them each morning, MI5 successfully deduced the core position of 2 or 3 of the machine's rotors. This additional information reduced the computational effort needed to break the cipher, and MI5 could spy on the embassy's communication for years.
On the other hand, the original seminal works, as well as many subsequent pioneering ideas, on SCA attacks in the public cryptography research community are all due to Paul Kocher [49,59,64].
The main principles of SCA attacks are very easy to grasp. SCA attacks work because there is a correlation between the physical measurements taken during computations (e.g., power consumption, computing time, EMF radiation, etc.) and the internal state of the processing device, which is itself related to the secret key. It is the correlation between the side-channel information and the secret-key-dependent operation that an SCA attack tries to find.
SCA attacks have been proven to be several orders of magnitude more effective than conventional mathematical-analysis-based attacks and are much more practical to mount. In the area of protocol design, or even software construction, one can apply a range of formal techniques to model the device in question, to model the range of adversarial actions, and then to reason about the correctness properties the device is supposed to provide nonetheless. One can thus obtain at least some assurance that, within the abstraction of the model, the device may resist adversarial attacks.
However, when we move from an abstract notion of security to its instantiation as a real process in the physical world, things become harder. All the real-world nuances that the abstraction hid become significant. What is the boundary of this cryptographic device in the real world? What are the outputs that an adversary may observe, and the inputs an adversary may manipulate in order to act on the device? The answers are hard to articulate, but designing an architecture to defend against arbitrary attacks necessarily requires an attempt to articulate them.
Moreover, the physical action of computation can often result in physical effects an adversary can observe; these observations can sometimes betray sensitive internal data the cryptographic module architecture was supposed to protect. This style of attack is also called side-channel analysis, since the module or device leaks information via channels other than its main intended interfaces.
By physically attacking a cryptographic device, the adversary hopes to subvert its security correctness properties somehow, usually by extracting some secret the device was not supposed to reveal. At first glance, the natural way to achieve this goal is the direct approach: somehow bypass the cryptographic module's protections and read the data. Fortunately, in design practice, this direct attack can be thwarted by so-called tamper-resistant techniques. Even though the direct approach can often prove rather successful, a rather sophisticated family of indirect approaches has emerged, where the adversary instead tries to induce an error into the module's operation via some physical failure; if the module continues to operate despite the error, it may end up revealing enough information for the adversary to reconstruct the secret. Researchers at Bellcore originally described this attack in the theoretical context of inducing errors in cryptographic hardware that carried out the CRT implementation of RSA [90]. This result generated a flurry of follow-on results, some of which became known as differential fault analysis. The theoretical attacks eventually became practical and demonstrable, and earned the name Bellcore attacks after the affiliation of the authors of the original paper [90].
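The Bellcore attack on CRT-RSA, as an added example that is not part of the paper: a toy RSA key built from small constructed primes, a CRT signer in which a fault can be injected into one half of the computation, and the two recovery methods (gcd of a correct and a faulty signature, and Lenstra's variant that needs only the faulty signature). The script also shows the standard countermeasure the text alludes to, verifying the signature with the public key before releasing it, so that a faulted module returns nothing. All parameters here are constructed for illustration; the key size is deliberately insecure.

```python
"""Bellcore fault attack on CRT-RSA, and the signature-verification countermeasure.

Added example (not from the paper). The primes are small, constructed values found
by trial division so the script runs instantly; real keys are far larger, but the
algebra of the attack is identical.
"""
import math


def is_prime(n):
    if n < 2:
        return False
    for d in range(2, int(n ** 0.5) + 1):
        if n % d == 0:
            return False
    return True


def next_prime(start, e):
    """Smallest prime >= start with gcd(p-1, e) == 1 (so e is invertible mod phi)."""
    n = start
    while not (is_prime(n) and math.gcd(n - 1, e) == 1):
        n += 1
    return n


def rsa_keygen_toy(e=65537):
    p = next_prime(2 ** 20 + 1001, e)   # constructed, insecure key size
    q = next_prime(2 ** 20 + 5001, e)
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e, "d": d, "p": p, "q": q}


def crt_sign(key, m, fault=False, verify=False):
    """Sign m with RSA-CRT. fault=True corrupts the mod-p half; verify=True checks
    the result with the public key before releasing it (the countermeasure)."""
    p, q, d = key["p"], key["q"], key["d"]
    sp = pow(m, d % (p - 1), p)
    sq = pow(m, d % (q - 1), q)
    if fault:
        sp ^= 1            # modelled fault: a single-bit flip in the mod-p result
    qinv = pow(q, -1, p)
    h = (qinv * (sp - sq)) % p
    s = sq + h * q         # Garner recombination
    if verify and pow(s, key["e"], key["n"]) != m:
        return None        # refuse to emit a faulty signature
    return s


def factor_from_two_signatures(n, s_good, s_bad):
    """Original Bellcore attack: s and s' agree mod q but differ mod p, so the gcd is q."""
    return math.gcd(abs(s_good - s_bad), n)


def factor_from_one_signature(n, e, m, s_bad):
    """Lenstra's variant: only the faulty signature and the message are needed."""
    return math.gcd((pow(s_bad, e, n) - m) % n, n)


if __name__ == "__main__":
    key = rsa_keygen_toy()
    m = 0xC0FFEE
    s = crt_sign(key, m)
    s_faulty = crt_sign(key, m, fault=True)
    print("factor:", factor_from_two_signatures(key["n"], s, s_faulty), "q =", key["q"])
    print("with verification, faulty run returns:", crt_sign(key, m, fault=True, verify=True))
```

A single faulty signature is enough: because s' is still correct modulo q, s'^e - m is divisible by q but not by p, and the gcd hands the attacker a prime factor. Verifying before output is cheap relative to the private operation and is the minimum a module should do; it does not, on its own, protect against faults injected into the verification step itself.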
One of the most popular terms in system security today may be the Trusted Platform Module (TPM in the sequel). A TPM usually takes the form of a cryptographically secure module and is the core of the trusted computing platform [131,169]. A key property of such cryptographic modules is that they keep and use secrets despite attempts by an adversary, perhaps with direct physical access, to extract them.
Single-chip devices, particularly smart cards, have received much attention in the attacker community, perhaps due to the ubiquity of smart cards in low-end commerce applications (providing motivation) and their low cost (making experimentation and destructive analysis feasible for a larger population). Anderson and Kuhn's work [2,3,7] provides an enlightening (and entertaining) survey of the various techniques they found effective in practice.
Recently, two developments related to SCA research in Europe deserve the attention of the cryptography community worldwide, especially those interested in research on SCA attacks: the SCARD (Side Channel Analysis Resistant Design Flow) project [120] and the ECRYPT (European Network of Excellence for Cryptology) project [121]. Both are international joint projects among European research members from cryptography research institutes and relevant industries.
In SCARD, it is proposed to enhance the typical micro-chip design flow, from high-level system description over register-transfer-level description down to gate-level netlists, and finally placement and routing of the micro-chip, in order to provide means for designing side-channel-analysis-resistant circuits and systems. Moreover, it is intended to study the whole phenomenon of side-channel analysis in a consistent manner, and to provide appropriate analysis tools and design tools for the designer of secure systems. In fact, these additional ingredients of the traditional micro-chip design flow are considered necessary in order to enable the design of the next generation of secure and dependable devices. ECRYPT is a 4-year network of excellence funded within the Information Societies Technology Programme of the European Commission. It falls under the action line towards a global dependability and security framework, and its objective is to intensify the collaboration of European researchers in information security, and more particularly in cryptology and digital watermarking. In order to reach this goal, 32 leading players integrate their research capabilities within five virtual labs focused on different core research areas, one of which is secure and efficient implementations (VAMPIRE). One of the four working groups of VAMPIRE is the research group on SCA analysis.
From these two developments alone, it is our own rough estimate that Europe is likely one step ahead of the other continents in internationally collaborative research on SCA attacks.
It is an interesting story that SCA attack evaluation was explicitly suggested many years ago to be included in the cryptographic algorithm evaluation of many international standards bodies, such as the 3GPP security architecture [8]. However, due to the lack of testable methods and practical tools, this insightful suggestion remained largely unrealized. So it is very easy to understand that the final evaluation report of the standards body concluded at that time that "in the design process it was concluded not to be feasible to design a general algorithm framework that by itself would not be vulnerable to side channel attacks" [119].
Recently, Tiri and Verbauwhede presented a digital VLSI design flow to create secure, side-channel-attack-resistant integrated circuits (ICs in the sequel) [66]. Even though this is the first significant attempt at the secure design of ICs, they only considered the power analysis attack in a comprehensive top-down automated synchronous VLSI design flow that pursues constant power dissipation. Kocher et al. [64] proposed the point of view that security should be treated as an intrinsic dimension in embedded system design. Ravi et al. [63] discussed general tamper-resistant mechanisms for secure embedded systems. They developed a preliminary systematic approach to secure embedded system design. In their case study, the concept of a trusted code base was introduced, which resembles the trusted computing base in the context of secure operating systems.
The threat of SCA attacks has also caught the attention of the NoC (network-on-chip) research community [11]. Gebotys et al. presented a framework for the security of NoCs by providing network-level symmetric-key cryptography for key distribution and, at the core level, by illustrating modifications of software with extremely low overheads for added security against power attacks [11].
Clearly, a cryptographic algorithm which is strong with respect to conventional cryptanalytic attacks is useless if it cannot be implemented securely on a broad range of platforms. Already during the AES and NESSIE processes, the cryptographic community came to this conclusion.
Some motivations of this paper are as follows: to understand the history of SCA attacks; to recognize the serious threats of SCA attacks; to acknowledge the various countermeasures against SCA attacks; to evaluate the impacts of SCA attacks on the security testing of cryptographic modules; and to identify possible research trends in this area.
The remainder of this paper is organized as follows. In Section 2, we present the models for side-channel attacks. The FIPS 140 standard is briefly recalled in Section 3, and then some problems with the current version of this standard are identified. In Section 4, the classification of SCA attacks is discussed. In Section 5, we present the concrete side channels discovered so far and the relevant countermeasures. In Section 6, we give some thoughts about the possible impacts of SCA attacks on cryptographic module security testing. Concluding remarks are given in Section 7.
2. Models of Side Channel Attacks
A cryptographic primitive can be considered from at least two points of view: on the one hand, it can be viewed as an abstract mathematical object (a transformation, possibly parameterized by a key, turning some input into some output); on the other hand, this primitive will in the end have to be implemented in a program that will run on a given processor, in a given environment, and will therefore present specific characteristics. The first point of view is that of "classical" cryptanalysis; the second one is that of side-channel cryptanalysis. Side-channel cryptanalysis takes advantage of implementation-specific characteristics to recover the secret parameters involved in the computation. It is therefore much less general, since it is specific to a given implementation, but often much more powerful than classical cryptanalysis, and is taken very seriously by implementors of cryptographic devices.
In traditional cryptanalysis, when assessing the security of a cryptographic protocol, one usually assumes that the adversary has a complete description of the protocol, is in possession of all public keys, and is only lacking knowledge of the secret keys. In addition, the adversary may have intercepted some data exchanged between the legitimate participants, and may even have some control over the nature of this data (e.g., by selecting the messages in a chosen-message attack on a signature scheme, or by selecting the ciphertext in a chosen-ciphertext attack on a public-key encryption scheme). The adversary then attempts to compromise the protocol goals either by solving an underlying problem assumed to be intractable, or by exploiting some design flaw in the protocol.
In this process, mathematical abstraction can be a very useful tool in the study of cryptographic primitives. Cryptographers often evaluate the security of ciphers by considering them as mathematical functions used in a scenario similar to the one described in Figure 1.
Traditionally, secure cryptographic algorithms provide security against an adversary who has only black-box access to the secret information of honest parties. However, such models are not always adequate. In particular, the security of the algorithms may completely break under (feasible) attacks that try to tamper with the secret key.
Figure 1: The traditional cryptographic model
The attacks considered in this traditional security model exploit the mathematical specification of the protocol. In recent years, researchers have become increasingly aware of the possibility of attacks that exploit specific properties of the implementation and operating environment. Such SCA attacks utilize information leaked during the protocol's execution and are not considered in traditional security models. For example, the adversary may be able to monitor the power consumed or the electromagnetic radiation emitted by a smart card while it performs private-key operations such as decryption and signature generation. The adversary may also be able to measure the time it takes to perform a cryptographic operation, or analyze how a cryptographic device behaves when certain errors are encountered. Side-channel information may be easy to gather in practice, and therefore it is essential that the threat of SCA attacks be quantified when assessing the overall security of a system; see the scenario illustrated in Figure 2.
Figure 2: The cryptographic model including side-channel
Side channels are defined to be unintended output channels from a system. In 1996 Paul Kocher published the seminal paper "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems", showing that the non-constant running time of cipher implementations can leak information about the key. When implementations take advantage of data-dependent optimizations, the problem may become more pronounced.
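An added example, not from the paper, of the key-dependent running time the paragraph above describes, in its simplest form: a tag-verification routine that compares byte by byte and exits at the first mismatch leaks, through its running time, how many leading bytes of the attacker's guess were correct, and the secret can be recovered one byte at a time. Rather than Kocher's statistical attack on modular exponentiation, this shows the same principle on a comparison; instead of measuring wall-clock time, the constructed "device" reports how many byte comparisons it performed, a deterministic stand-in for timing that a real attacker would obtain by repeated measurement and averaging. The hardened version compares every byte unconditionally, and the recovery loop finds no signal against it.

```python
"""Timing attack on an early-exit comparison, and the constant-time fix.

Added example (not from the paper). The 'device' here is a tag-verification
routine comparing an attacker-supplied tag with a constructed secret tag; instead
of wall-clock time, each routine reports the number of byte comparisons it made,
a deterministic stand-in for the timing an attacker would measure statistically.
"""

SECRET_TAG = bytes.fromhex("3f9a1c7e22b04d5588e1c3a7f0d9b612")   # constructed


def insecure_equal(a, b):
    """Early-exit comparison: running time depends on the first mismatching byte."""
    steps = 0
    if len(a) != len(b):
        return False, steps
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def constant_time_equal(a, b):
    """Compares every byte regardless of content; the same idea as hmac.compare_digest."""
    steps = 0
    if len(a) != len(b):
        return False, steps
    diff = 0
    for x, y in zip(a, b):
        steps += 1
        diff |= x ^ y
    return diff == 0, steps


def recover_tag(oracle, length):
    """Byte-by-byte recovery: the guess that runs longest has the correct next byte.
    oracle(guess) -> (accepted, steps). Returns None when no timing signal exists."""
    known = b""
    for pos in range(length):
        best_byte, best_steps, all_steps = None, -1, set()
        for c in range(256):
            guess = known + bytes([c]) + bytes(length - pos - 1)
            accepted, steps = oracle(guess)
            if accepted:
                return guess
            all_steps.add(steps)
            if steps > best_steps:
                best_byte, best_steps = c, steps
        if len(all_steps) == 1:      # every candidate took equally long: nothing leaked
            return None
        known += bytes([best_byte])
    return known


def make_oracle(compare):
    """Wrap a comparison routine as a black box holding the secret tag."""
    return lambda guess: compare(guess, SECRET_TAG)


if __name__ == "__main__":
    print("leaky   :", recover_tag(make_oracle(insecure_equal), len(SECRET_TAG)))
    print("hardened:", recover_tag(make_oracle(constant_time_equal), len(SECRET_TAG)))
```

Against the early-exit routine the loop needs at most 256 queries per byte, 4096 for a 16-byte tag, instead of 2^128. In practice the per-byte difference is a few nanoseconds and must be averaged out of network jitter, which is why real attacks of this kind use thousands of samples per candidate; the defence is the same either way, and in Python it is `hmac.compare_digest`.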
It should be emphasized that a particular side-channel attack may not be a realistic threat in some environments. For example, attacks that measure the power consumption of a cryptographic device can be considered very plausible if the device is a smart card that draws power from an external, untrusted source. On the other hand, if the device is a workstation located in a secure
