1. ID and IP Theft with Side-Channel Attacks
David Oswald, Ruhr-Uni Bochum
david.oswald@rub.de
Breaking One-Time Password Tokens and FPGA Bitstream Encryption
18. 18
Implementation Attacks: A Short History
Known for many decades (e.g. TEMPEST)
Poor understanding prior to 1996
(at least outside intelligence agencies)
End 1990s: „golden era“
– Fault attacks (RSA CRT), 1996
– Timing attacks, 1996
– SPA, DPA, 1998
Since 1999: hundreds of research papers
27. 28
Theory versus Practice
Academia
– 8-bit µC
– Interfaces and implementation known / controlled
– Ideal setup
– White-box attack
Real World
– HW / SW impl.
– Interfaces and implementation unknown
– Many unknown factors
– Black-box attack
37. 38
Related Work
Bitstream encryption scheme of
several Xilinx product lines broken
– Virtex 2 (3DES)
– Virtex 4 & 5 (AES256)
– Spartan 6 (AES256)
Method: Side-Channel Analysis (SCA)
38. 39
What about Altera?
Target: Stratix II
Bitstream encryption („design security“)
uses AES w/ 128-bit key
Side-Channel Analysis possible?
Problem: Proprietary and undocumented mechanisms for key derivation and for encryption
42. 43
Why this key derivation?
Real key cannot be set directly
Key derivation is performed once when
programming the FPGA
Idea: When real key is extracted, KEY1 and KEY2 cannot be found
Prevent cloning: real key of blank FPGA cannot be set
44. 45
Good idea?
In principle: Yes
But: AES (in this form) is not one-way:
Pick any KEY1*
KEY2* = AES^{-1}_{KEY1*}(real key)
This (KEY1*, KEY2*) leads to the same real key
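The argument on this slide, as an added Go example that is not from the talk: it assumes the derivation has the form real key = AES_KEY1(KEY2), which is the form implied by the inverse KEY2* = AES^{-1}_{KEY1*}(real key) shown above, and the function names and sample key bytes are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// deriveRealKey models the key derivation as real key = AES_KEY1(KEY2), i.e. KEY2
// encrypted once under KEY1. That form is an assumption of this example; it is the
// one implied by the slide's inverse KEY2* = AES^-1_KEY1*(real key).
func deriveRealKey(key1, key2 []byte) []byte {
	c, err := aes.NewCipher(key1)
	if err != nil {
		panic(err)
	}
	realKey := make([]byte, aes.BlockSize)
	c.Encrypt(realKey, key2)
	return realKey
}

// equivalentKeyPair shows why the derivation is not one-way: for an arbitrary
// KEY1*, KEY2* = AES^-1_KEY1*(real key) derives the same real key, so the real key
// alone is enough to program a second device identically. KEY1 and KEY2 themselves
// stay unknown, but nothing needs them.
func equivalentKeyPair(realKey, key1Star []byte) (key1, key2 []byte) {
	c, err := aes.NewCipher(key1Star)
	if err != nil {
		panic(err)
	}
	key2 = make([]byte, aes.BlockSize)
	c.Decrypt(key2, realKey)
	return key1Star, key2
}

func main() {
	// Constructed sample keys; any 16-byte values behave the same.
	key1 := []byte("original-KEY1-16")
	key2 := []byte("original-KEY2-16")
	realKey := deriveRealKey(key1, key2)
	k1, k2 := equivalentKeyPair(realKey, []byte("arbitrary-KEY1*."))
	fmt.Printf("KEY2* = %x\n", k2)
	fmt.Println("same real key:", bytes.Equal(deriveRealKey(k1, k2), realKey))
	fmt.Println("original KEY2 learned:", bytes.Equal(k2, key2))
}
```

A derivation that actually prevented this would need a one-way step between (KEY1, KEY2) and the real key, not an invertible block cipher call.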
47. 48
Encryption method: AES in Counter mode
Encrypted block i = AES128_{real key}(IV_i) ⊕ plain block i
48. 49
Reverse-Engineering: Summary
All „obscurity features“ reverse-engineered
Further details: file format, coding, ...
Black-box → white-box
Side-channel analysis possible
(target: 128-bit real key)
54. 56
Key Recovery
... we recovered the 128-bit AES key with 30,000 traces (~ 3 hours of measurement)
55. 57
Architecture Recovery
... and came up with a hypothetical architecture of the AES engine
56. 58
Management Summary
Full 128-bit AES key of Stratix II can be extracted using 30,000 traces (3 hours)
Key derivation does not prevent cloning
Proprietary security mechanisms can be reverse-engineered from software
Software reverse-engineering enables hardware attack
69. 71
Measurement Setup
Resistor in USB ground for power measurement
EM measurement with near-field probe
Connecting (capacitive) button to ground triggers the Yubikey
70. 72
Power vs. EM Measurements
Trigger on falling edge (Yubikey's LED off)
EM yields better signal
AES rounds clearly visible
[Figure: EM trace with the ten AES rounds marked 1 to 10]
71. 73
Key Recovery (Power)
Attacking final AES round
Power model: h_i = HW(SBOX^{-1}(C_i ⊕ rk))
~ 7000 traces needed
~ 10.5 hours for data acquisition
[Figure: correlation results for key bytes 1, 2, 8 and 9]
72. 74
Key Recovery (EM)
Attacking final AES round
Power model: h_i = HW(SBOX^{-1}(C_i ⊕ rk))
~ 700 traces needed
~ 1 hour for data acquisition
[Figure: correlation results for key bytes 1, 2, 8 and 9]
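The final-round model shared by the Key Recovery (Power) and Key Recovery (EM) slides, h_i = HW(SBOX^{-1}(C_i ⊕ rk)), as an added Go example that is not from the talk: it derives the AES inverse S-box, scores all 256 guesses of one last-round key byte against trace samples, and main runs it on constructed noise-free leakage. Using Pearson correlation as the distinguisher and the function names are this example's own assumptions; the slides only state the model.

```go
package main

import (
	"fmt"
	"math"
	"math/bits"
)

// buildInvSbox derives the AES inverse S-box instead of typing the table in: powers of
// generator 3 give GF(2^8) log/antilog tables, then the affine map. inv[0x63] stays 0.
func buildInvSbox() (inv [256]byte) {
	exp, lg := [255]byte{}, [256]int{}
	for i, x := 0, byte(1); i < 255; i++ {
		exp[i], lg[x] = x, i
		x ^= x<<1 ^ 0x1b*(x>>7) // x *= 3, reduced modulo x^8+x^4+x^3+x+1
	}
	for x := 1; x < 256; x++ {
		r := exp[(255-lg[x])%255] // multiplicative inverse of x
		inv[r^(r<<1|r>>7)^(r<<2|r>>6)^(r<<3|r>>5)^(r<<4|r>>4)^0x63] = byte(x) // affine map
	}
	return
}

// recoverKeyByte applies the slide's model: for each guess rk of one last-round key
// byte, h_i = HW(SBOX^-1(C_i XOR rk)) is correlated with the traces; best guess wins.
func recoverKeyByte(cts []byte, traces []float64) (best byte) {
	inv, n, bestCorr := buildInvSbox(), float64(len(cts)), -2.0
	var sy, syy float64
	for _, t := range traces {
		sy, syy = sy+t, syy+t*t
	}
	for g := 0; g < 256; g++ {
		var sx, sxx, sxy float64
		for i, c := range cts {
			h := float64(bits.OnesCount8(inv[c^byte(g)]))
			sx, sxx, sxy = sx+h, sxx+h*h, sxy+h*traces[i]
		}
		if r := (n*sxy - sx*sy) / math.Sqrt((n*sxx-sx*sx)*(n*syy-sy*sy)); r > bestCorr {
			best, bestCorr = byte(g), r
		}
	}
	return
}

func main() { // constructed, noise-free traces for key byte 0x3a; real traces are noisy
	inv, cts, traces := buildInvSbox(), make([]byte, 256), make([]float64, 256)
	for i := range cts {
		cts[i], traces[i] = byte(i), float64(bits.OnesCount8(inv[byte(i)^0x3a]))
	}
	fmt.Printf("recovered key byte: %#x\n", recoverKeyByte(cts, traces))
}
```

With noisy measurements the same scoring needs many more samples, which is what the 7000 power and 700 EM trace counts on the slides reflect; a masked or hidden implementation is one that breaks the link between this hypothesis and the measured signal.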
73. 75
Implications
128-bit AES key of the Yubikey 2 can be recovered
(700 EM measurements = 1 hour physical access)
Attacker can compute OTPs w/o Yubikey
Impersonate user:
Username and password still needed
Denial-of-Service:
Send an OTP with highly increased useCtr
→ Improved FW version 2.4 for Yubikey 2
79. 81
Countermeasures
Implementation attacks: Practical threat, but:
First line of defense: Classical countermeasures
– Secure hardware (certified devices)
– Algorithmic level
Second line of defense: System level
– Detect: Shadow accounts, logging
– Minimize impact (where possible): key diversification
80. 82
Different Scenarios, different threats
Yubikey 2
– Time per key: 1 h
– Diversified keys (?)
– Each token: One ID
→ Attack does not scale
FPGA
– Time per key: 3 h
– One key: All IP
– Attack one FPGA
→ Attack scales
82. Thanks for your attention
Questions now?
or later: david.oswald@rub.de
http://fb.com/WorldBeatClubTanzenUndHelfen
Editor's notes
2008: Nokia plant closed, about 3000 employees gone.
2015: Opel with the remaining (of the former 20,000) approx. 5000 employees
University is like a ship
At this point, option for the blackboard: draw a CMOS inverter (with load capacitance) and explain the charge transfer -> Hamming distance
HW: pre-charge buses etc.
Experience from case studies: it is not like that...
End: Now let's go to the steps required in reality
Now, to put the analysis work I did in context -> core of IT security!
Typical login form
Give focus to yubikey field -> press button
Constant public ID
Appended ACTUAL OTP
Unique, secret ID
Use Counter, non-volatile, incremented at first OTP generation after power-up
Timestamp, 8Hz clock, random initialization
Session Counter, init 0, incremented each OTP
Random
CRC16 checksum
ModHex encoding -> substitution for hex characters
How can the attacker get the key?
We were curious which microcontroller is in it.
We know the PCB from a YouTube video about production
Opened the case with fuming nitric acid
Low cost Sunplus IT 8-bit microcontroller
To measure you need a reliable trigger -> LED off
Clear patterns occur 10 times
Low-pass characteristic
Peaks start of frame
Final round since we only know the ciphertext
First-round input is partially constant -> parts cannot be attacked
Key candidate