Side channel attacksÀòàêè ïî ñòîðîííèì êàíàëàì íà êðèïòîñèñòåìû

Íèêèòà Ñåðãååâè÷ Âåùèêîâ

Îêòÿáðü 2014

Ââåäåíèå

2 / 51

Êòî çäåñü?

Êàðòèíêè [Wikipedia, ULB, QualSec, SideChannelPerspective, Family Guy, freedigitalphotos.net]

1 / 51

Î ÷åì ïîéäåò ðå÷ü?

2 / 51

Âñïîìíèòü âñ¼

3 / 51

Âñïîìíèòü âñ¼

4 / 51

Îò êóäà áåðóòñÿ ñòîðîííèå êàíàëû?

5 / 51

Îò êóäà áåðóòñÿ ñòîðîííèå êàíàëû?

6 / 51

Âèäû àòàê è ñáîð èíôîðìàöèè

7 / 51

Âèäû àòàê

8 / 51

ß ïðîñòî ïîñìîòðåòü!

[sidechannelperspective.com]

9 / 51

À ÷òî ýòî âû òóò äåëàåòå?

[Lerman+2013]

10 / 51

À åñëè åãî âåíèêîì?

[Hutter2014]11 / 51

À åñëè åãî âåíèêîì?

[Hutter2014]

12 / 51

×òî òàì ñïðÿòàíî âíóòðè?

[Hutter2014] 13 / 51

×òî òàì ñïðÿòàíî âíóòðè?

[Batina2014]

14 / 51

Âàðâàðñòâî â âûñøåé ñòåïåíè

[Hutter2014]

15 / 51

Âàðâàðñòâî â âûñøåé ñòåïåíè

[Hutter2014]

16 / 51

Ïðèìåðû àòàê ïî ñòîðîííèì êàíàëàì

17 / 51

Çâóê

18 / 51

Àêóñòè÷åñêèé êðèïòîàíàëèç

[Genkin+2013] 19 / 51

Ñïåêòðîãðàììà

[Genkin+2013]

20 / 51

GPG - RSA

[Genkin+2013]

21 / 51

Ñâåò

22 / 51

Êàìåðà

[Kr�amer+2013]

23 / 51

Êàðòà óñòðîéñòâà

[Kr�amer+2013]24 / 51

Ðåãèñòðû

[Kr�amer+2013]25 / 51

Ïàìÿòü

[Kr�amer+2013]

26 / 51

Âðåìÿ

27 / 51

RSA

Require: M, n, expEnsure: C = Mexp mod n

if expk−1 = 1 then

C = M

else

C = 1

for i = k − 2 downto 0 do

C = C 2 mod n

if expi = 1 then

C = C ×M mod n

[Kocher1996]

28 / 51

OpenSSL

29 / 51

OpenSSL

[Canvel+2002] 30 / 51

Ýíåðãîïîòðåáëåíèå

31 / 51

RSA - SPA

[Batina2013]

32 / 51

RSA - SPA

[Batina2013]

33 / 51

RSA - SPA

34 / 51

RSA - SPA

[Kocher+1999]

35 / 51

Ýòî ÷òî çà ïîêåìîí àëãîðèòì?

[Batina2014]

36 / 51

AES - CPA

[Batina2014]

CPA idea

I Íàáîð (çàøèôðîâàííûõ / îòêðûòûõ) òåêñòîâ

I Íàáîð âðåìåííûõ ðÿäîâ (ñ îñöèëëîãðàôà)

correlation(Lf (Sbox(key [i ][j ]⊕msg [i ][j ])), Power)[Brier+2004]

37 / 51

AES - CPA

[Batina2014]

CPA idea

I Íàáîð (çàøèôðîâàííûõ / îòêðûòûõ) òåêñòîâ

I Íàáîð âðåìåííûõ ðÿäîâ (ñ îñöèëëîãðàôà)

correlation(Lf (Sbox(key [i ][j ]⊕msg [i ][j ])), Power)[Brier+2004]

38 / 51

CPA

[Batina2013]

39 / 51

AES - CPA/DPA

[Batina2014]

40 / 51

AES - CPA

0 50 100 150 200 250

0.00

0.05

0.10

0.15

Key byte value

abs(

corr

elat

ion)

●0x70

[DPALab]41 / 51

AES - CPA áàéòû

[DPALab] 42 / 51

AES - CPA êîëè÷åñòâî äàííûõ

[DPALab]43 / 51

Ñïîñîáû çàùèòû

44 / 51

×òî æå äåëàòü?

45 / 51

Çàêëþ÷åíèå

46 / 51

Çàêëþ÷åíèå

I Àòàêè ïî ñòîðîííèì êàíàëàì � ñåðü¼çíàÿ óãðîçà

I Íîâûå âèäû àòàê ïîÿâëÿþòñÿ ðåãóëÿðíî

I Íå ïèøèòå è íå ïðèäóìûâàéòå ñâîþ ñîáñòâåííóþêðèïòîãðàôèþ1

1åñëè âû íå êðèïòîãðàô47 / 51

Çàêëþ÷åíèå

I Àòàêè ïî ñòîðîííèì êàíàëàì � ñåðü¼çíàÿ óãðîçà

I Íîâûå âèäû àòàê ïîÿâëÿþòñÿ ðåãóëÿðíî

I Íå ïèøèòå è íå ïðèäóìûâàéòå ñâîþ ñîáñòâåííóþêðèïòîãðàôèþ1

1åñëè âû íå êðèïòîãðàô48 / 51

Çàêëþ÷åíèå

I Àòàêè ïî ñòîðîííèì êàíàëàì � ñåðü¼çíàÿ óãðîçà

I Íîâûå âèäû àòàê ïîÿâëÿþòñÿ ðåãóëÿðíî

I Íå ïèøèòå è íå ïðèäóìûâàéòå ñâîþ ñîáñòâåííóþêðèïòîãðàôèþ1

1åñëè âû íå êðèïòîãðàô49 / 51

Ñïèñîê ëèòåðàòóðû

S.Mangard et al., Power Analysis Attacks, 2007

P.C.Kocher, Timing Attacks on Implementations of Di�e-Hellman, RSA, DSS,and Other Systems, 1996

P.Kocher et al., Di�erential Power Analysis, 1999

B.Canvel et al., Password Interception in a SSL/TLS Channel, 2002

E.Brier et al., Correlation power analysis with a leakage model, 2004

D.Genkin et al., RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis,2013

J.Kr�amer et al., Di�erential Photonic Emission Analysis, 2013

L.Lerman, et al., Semi-Supervised Template Attack, 2013

L.Batina, Introduciton to implementation attacks (pres. Albena, 2013 & Sibenik,2014)

M.Hutter, Fault Attacks and Countermeasures (pres. Sibenik, 2014)

50 / 51

I Âîïðîñû?

I Êîììåíòàðèè?

I Ñìèðèòåëüíûå ðóáàøêè?

http://sidechannelperspective.com

http://qualsec.ulb.ac.be/

http://ulb.ac.be/di/dpalab/ nikita.veshchikov@ulb.ac.be

51 / 51