tech talks @nsu: side channel attacks
TRANSCRIPT
Side channel attacks
Attacks on cryptosystems via side channels
Nikita Sergeevich Veshchikov
October 2014
Introduction
Who is here?
Image credits: [Wikipedia, ULB, QualSec, SideChannelPerspective, Family Guy, freedigitalphotos.net]
What will we talk about?
Total Recall (remember everything)
Where do side channels come from?
Types of attacks and information gathering
Types of attacks
What are you doing here?
[Lerman+2013]
What if we hit it with a broom?
[Hutter2014]
What is hidden inside?
[Hutter2014], [Batina2014]
Barbarism of the highest degree
[Hutter2014]
Examples of side channel attacks
Sound
Acoustic cryptanalysis
[Genkin+2013]
Spectrogram
[Genkin+2013]
GPG - RSA
[Genkin+2013]
Light
Camera
[Krämer+2013]
Device map
[Krämer+2013]
Registers
[Krämer+2013]
Memory
[Krämer+2013]
Time
RSA (square-and-multiply, left to right)
Require: M, n, exp (k bits, exp_{k-1} ... exp_0)
Ensure: C = M^exp mod n
if exp_{k-1} = 1 then
    C = M
else
    C = 1
for i = k-2 downto 0 do
    C = C^2 mod n
    if exp_i = 1 then
        C = C × M mod n
[Kocher1996]
OpenSSL
[Canvel+2002]
Power consumption
RSA - SPA
[Batina2013], [Kocher+1999]
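The timing slide (Kocher1996) and the RSA - SPA slides make the same point: in the square-and-multiply loop a multiplication happens only for exponent bits equal to 1, so whoever can tell squarings from multiplications (by time or by the shape of the power trace) reads the private exponent bit by bit. The following is an added example written for this page, not code from the slides; it instruments the slide's algorithm so the operation sequence is visible as a list of 'S'/'M' symbols standing in for the trace, recovers the exponent from that list, and contrasts it with a square-and-always-multiply variant whose sequence no longer depends on the key. The toy modulus 3233 and exponent 2753 are constructed values.

```python
"""Square-and-multiply from the Kocher1996 slide, instrumented so the operation
sequence (the 'trace') is visible, plus a square-and-always-multiply variant.
Added example; not code from the slides. All parameters are constructed."""


def square_and_multiply(m, exp, n, trace=None):
    """Left-to-right binary exponentiation exactly as on the slide.

    bin() drops leading zeros, so exp_{k-1} is always 1 and C starts at M.
    Every modular operation is appended to `trace` as 'S' (square) or
    'M' (multiply); that list plays the role of the timing/power trace."""
    bits = bin(exp)[2:]                      # exp_{k-1} ... exp_0
    c = m % n                                # exp_{k-1} = 1  ->  C = M
    for bit in bits[1:]:                     # i = k-2 downto 0
        c = c * c % n                        # C = C^2 mod n
        if trace is not None:
            trace.append("S")
        if bit == "1":                       # only when exp_i = 1 ...
            c = c * m % n                    # ... C = C * M mod n
            if trace is not None:
                trace.append("M")
    return c


def exponent_from_trace(trace):
    """The attacker's view (SPA/timing): each 'S' opens a new exponent bit,
    and that bit is 1 exactly when an 'M' follows. The top bit is the implicit 1."""
    bits = ["1"]
    i = 0
    while i < len(trace):
        if trace[i] != "S":
            raise ValueError("malformed trace: expected a squaring")
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)


def square_and_always_multiply(m, exp, n, trace=None):
    """Countermeasure: one squaring and one multiplication per bit, whatever
    the bit, so the trace is 'SM' * k for every key (only k, the bit length,
    still leaks). Caveat: the conditional select below is ordinary Python, not
    constant-time code, and dummy multiplications invite safe-error fault
    attacks; this shows the idea of a key-independent operation sequence only."""
    c = 1
    for bit in bin(exp)[2:]:
        c = c * c % n
        t = c * m % n                        # always computed
        c = t if bit == "1" else c           # kept only if exp_i = 1
        if trace is not None:
            trace.extend(["S", "M"])
    return c


def operation_count(exp):
    """Coarse timing proxy for the leaky version: (k - 1) squarings plus
    (HW(exp) - 1) multiplications, so total time already leaks HW(exp)."""
    k = exp.bit_length()
    return (k - 1) + (bin(exp).count("1") - 1)


if __name__ == "__main__":
    n, m, d = 3233, 65, 2753                 # constructed textbook-RSA values
    leaky = []
    c = square_and_multiply(m, d, n, leaky)
    print("result ok :", c == pow(m, d, n))
    print("trace     :", "".join(leaky), "->", operation_count(d), "operations")
    print("recovered :", exponent_from_trace(leaky), "(true exponent", d, ")")
    safe = []
    square_and_always_multiply(m, d, n, safe)
    print("hardened  :", "".join(safe), "-> reading it gives", exponent_from_trace(safe))
```

Reading the hardened trace with the same decoder yields an all-ones pattern of length k, i.e. nothing about the exponent beyond its length; real implementations additionally need the modular arithmetic itself (Montgomery reduction, memory access) to be free of data-dependent timing, which is what Kocher1996 actually exploited.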
What kind of Pokémon algorithm is this?
[Batina2014]
AES - CPA
[Batina2014]
CPA idea
• A set of (cipher / plain) texts
• A set of time series (from an oscilloscope)
correlation(L_f(Sbox(key[i][j] ⊕ msg[i][j])), Power) [Brier+2004]
CPA
[Batina2013]
AES - CPA/DPA
[Batina2014]
AES - CPA
[Plot: abs(correlation) against key byte value 0..255; the highlighted guess 0x70 is the peak]
[DPALab]
AES - CPA: bytes
[DPALab]
AES - CPA: amount of data
[DPALab]
Countermeasures
What should we do?
Conclusion
• Side channel attacks are a serious threat
• New kinds of attacks appear regularly
• Do not write or invent your own cryptography¹
¹ unless you are a cryptographer
References
S. Mangard et al., Power Analysis Attacks, 2007
P. C. Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, 1996
P. Kocher et al., Differential Power Analysis, 1999
B. Canvel et al., Password Interception in a SSL/TLS Channel, 2002
E. Brier et al., Correlation Power Analysis with a Leakage Model, 2004
D. Genkin et al., RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis, 2013
J. Krämer et al., Differential Photonic Emission Analysis, 2013
L. Lerman et al., Semi-Supervised Template Attack, 2013
L. Batina, Introduction to Implementation Attacks (pres. Albena, 2013 & Sibenik, 2014)
M. Hutter, Fault Attacks and Countermeasures (pres. Sibenik, 2014)
• Questions?
• Comments?
• Straitjackets?
http://sidechannelperspective.com
http://qualsec.ulb.ac.be/
http://ulb.ac.be/di/dpalab/
[email protected]