Marc Witteman
Riscure
Defeating RSA
Multiply-Always and Message Blinding Countermeasures
Session ID: CRYP-201
Session Classification: Advanced
Agenda
• Introduction
• Preprocessing modular operations
• Cross correlation
• Conclusion
Introduction
• About the authors
• Side Channel Analysis
• RSA background
• Countermeasures
• Attack concepts
About The Authors
• Marc F. Witteman, CTO, Riscure
• Jasper G. J. van Woudenberg, Senior Security Analyst, Riscure
• Federico Menarini, Security Analyst, Riscure
Side Channel Analysis
• Analyze secret leakage from crypto implementations
• Example: power trace of DES on a smart card (figure not reproduced here)
• The trace leaks the Hamming weight of the processed data
RSA background
• Exponentiation is a sequence of square and multiply operations
• Naïve implementations do, for each key bit:
  - always square
  - conditionally multiply (if the key bit equals ‘1’)
• Distinguishing square from multiply operations may reveal the key (SPA)
(figure not reproduced: power trace annotated with the key bits 1 000 11 0 0)
Countermeasures
Some common countermeasures against side channel analysis of RSA
• noise
• multiply-always: discard the multiplication result after processing a zero bit
• message blinding: multiply the message with a random number, and multiply the signature with a matching inverse that removes the mask
• exponent blinding: add random multiples of φ (Euler's totient of the modulus) to the exponent
Attack concepts
• Cross correlation is an attack class
  - comparable to high-order DPA
  - no clear text / cipher text needed
• Attack demonstrated on an RSA smart card implementation with several countermeasures
• Procedure with two innovative steps
  - preprocess modular operations
  - cross correlation analysis
Preprocessing modular operations
• Compression
• Revealing
• Position finding
Compressing modular operations
• Executing a modular operation typically increases power consumption, because many bits switch in parallel
• Old smart cards have easily recognizable modular operations
• Compression: select a threshold, then average each run of consecutive samples above that threshold into one value per operation
• Low-pass filtering may be needed if the signal is noisy
Revealing hidden modular operations
• New smart cards hide or scramble the power signal (EM analysis may be needed)
• Modular operations may still be recognized by alignment and averaging
• Pattern recognition works only for the first operations (clock jitter shifts the later ones)
Position finding of shifted modular operations
• One averaged pattern is used to identify and locate modular operations in the noisy traces
• Correlate the pattern with the trace; the peaks indicate the starting points of the modular operations
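The two preprocessing steps just described, compression and pattern-based position finding, as an added worked example (not code from the deck or from Riscure). It runs on a constructed trace: a flat baseline with three raised, ramp-shaped segments standing in for modular operations, plus Gaussian noise; the sample positions, amplitudes, threshold, filter width and correlation cutoff are all assumptions made for this toy. As the slides suggest, the template pattern is taken from the first operation, which compression locates directly, and a sliding correlation then finds the shifted ones:

```python
"""Added example, not from the deck or Riscure: compressing a power trace to
one value per modular operation, then locating shifted operations by
correlating a pattern against the trace. All trace data is constructed."""
import random

OP_LEN = 60
OP_STARTS = [50, 200, 370]          # constructed "true" operation positions


def make_trace(length: int = 500, noise_sd: float = 0.1, seed: int = 7) -> list:
    """Constructed trace: baseline 1.0; each modular operation lifts the
    signal to a ramp from 2.5 to 4.5 (more bits switching in parallel)."""
    rng = random.Random(seed)
    trace = [1.0 + rng.gauss(0.0, noise_sd) for _ in range(length)]
    for start in OP_STARTS:
        for i in range(OP_LEN):
            trace[start + i] = 2.5 + 2.0 * i / OP_LEN + rng.gauss(0.0, noise_sd)
    return trace


def lowpass(trace: list, width: int = 5) -> list:
    """Moving average: the low-pass filter the deck says noisy signals may need.
    Output is width-1 samples shorter and operation edges get smeared."""
    return [sum(trace[i:i + width]) / width for i in range(len(trace) - width + 1)]


def compress(trace: list, threshold: float) -> list:
    """Compression step: every maximal run of consecutive samples above the
    threshold is taken as one modular operation. Returns (start, mean) per run."""
    ops, run_start = [], None
    for i, v in enumerate(trace):
        if v > threshold:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            ops.append((run_start, sum(trace[run_start:i]) / (i - run_start)))
            run_start = None
    if run_start is not None:
        ops.append((run_start, sum(trace[run_start:]) / (len(trace) - run_start)))
    return ops


def pearson(x: list, y: list) -> float:
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / (sxx * syy) ** 0.5


def locate(trace: list, pattern: list, min_rho: float = 0.8) -> list:
    """Position finding: slide the pattern along the trace, correlate at every
    offset, and keep the correlation peaks (at most one per pattern length)."""
    w = len(pattern)
    rho = [pearson(pattern, trace[i:i + w]) for i in range(len(trace) - w + 1)]
    peaks = []
    for i in sorted(range(len(rho)), key=lambda j: rho[j], reverse=True):
        if rho[i] < min_rho:
            break
        if all(abs(i - p) >= w for p in peaks):   # suppress neighbouring offsets
            peaks.append(i)
    return sorted(peaks)


def run_demo(seed: int = 7) -> dict:
    trace = make_trace(seed=seed)
    ops = compress(trace, threshold=1.75)
    # Per the deck, the first operation is the easy one: use it as the template.
    first = ops[0][0]
    pattern = trace[first:first + OP_LEN]
    return {
        "ops": ops,                                      # (start, mean) per operation
        "found": locate(trace, pattern),                 # starts recovered by correlation
        "smoothed_ops": compress(lowpass(trace), 1.75),  # same, after low-pass filtering
    }


if __name__ == "__main__":
    result = run_demo()
    print("compressed operations:", [(s, round(m, 2)) for s, m in result["ops"]])
    print("located by pattern:   ", result["found"])
    print("after low-pass:       ", [s for s, _ in result["smoothed_ops"]])
```

`run_demo()` returns the compressed per-operation values and the located starts, which coincide with the constructed positions. On a real card the threshold has to be chosen per device from the trace histogram, and the low-pass width trades noise suppression against smearing the operation boundaries; the smoothed result shows that trade-off as start indices shifted by a couple of samples.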
Cross Correlation
• Operand sharing
• Principle
• Matrix
• Effect of multiply-always
• Neighboring samples
Operand sharing
• RSA uses two similar operations (intermediate signature S, message M, modulus N)
  - Square:   S’ := S * S mod N
  - Multiply: S’ := S * M mod N
• Subsequent square operations usually do not share operands
• Multiply operations do share an operand (M)
• Operand sharing may be observed if the order of square and multiply operations is identical for repeated encryptions
Cross correlation principle
• Consider a set of k traces with n samples each as a k × n matrix
• Compute the correlation between each pair of sample vectors (columns of the matrix)
Cross correlation matrix
• The correlation matrix is shown as colored dots, where a lighter color corresponds to a higher correlation (figure not reproduced here)
• Multiply operations light up like a Christmas tree
• Naïve binary exponentiation can be recognized; key: 111101011000101
Cross correlation with multiply always
• The high frequency of correlating pairs reveals the multiply-always variant
• Incidental correlation of a square operation with its predecessor reveals a discarded multiply:
  S’ = S * M (discarded)
  S’’ = S * S
• Key can be recognized: 11110101100
Cross correlating neighboring samples
• Compute and display the correlation only between adjacent vectors
(figure not reproduced: adjacent-sample correlations annotated with the key bits 1 1 11 / 0 0 0 / 0)
• High and low correlation values correspond to key bits set to zero and one, respectively
• The complete key can be retrieved in a short time
Conclusion
• Apply
• Countermeasures
• Future research
• Summary
• Q&A
Apply
• This attack can be applied to any RSA implementation under the following conditions
  - power consumption or EM radiation can be measured (with a minimal S/N ratio)
  - several thousand crypto operations (signatures) can be executed
  - the implementation uses a fixed sequence of modular operations
• No data requirements
  - no chosen messages needed
  - no known messages or signatures needed
• The attack applies to
  - RSA-Straight and RSA-CRT
  - naïve and Montgomery multiplication
  - any hashing or padding scheme
• The attack yields the private exponent
Countermeasures
• Countermeasures that do NOT work
  - message blinding
  - multiply always, Montgomery ladder, or BRIP
• Countermeasures that are NOT enough
  - noise
  - signal reduction
  - random delays / variable clocks
• Countermeasures that work
  - exponent blinding
  - random bit group size
  - any randomization method that makes the order of square and multiply operations unpredictable
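A toy simulation, added here and not part of the deck or of Riscure's tooling, of why the operand-sharing and neighboring-samples slides above lead to the verdicts on this slide. It assumes a constructed leakage model (one sample per modular operation, equal to the sum of the operand Hamming weights, no noise), a constructed 64-bit modulus, and the 11-bit exponent from the multiply-always slide; the 0.35 decision threshold is also an assumption. With multiply-always alone, the correlation between each multiply column and the following square column reads every bit but the last, and the full matrix shows the multiplies correlating pairwise through their shared operand M. Message blinding is not modelled separately: it replaces M by a fresh masked value per trace, which is exactly what drawing a random message per trace already does here, so the correlations are unchanged. With exponent blinding, every adjacent correlation sits near the same middling value and nothing can be read, because which multiplies are discarded differs from trace to trace:

```python
"""Toy simulation of the operand-sharing leak behind the deck's cross
correlation attack. Added example, not Riscure's code or tooling. Everything
is constructed: the leakage model (one sample per modular operation, sum of
operand Hamming weights), the modulus, and the decision threshold. The
exponent is the one shown on the "Cross correlation with multiply always"
slide."""
import random

# Constructed modulus. p and q are believed to be prime, but the leakage
# simulation itself does not depend on that.
P = 4294967291
Q = 4294967279
N = P * Q
PHI = (P - 1) * (Q - 1)          # Euler's totient, used for exponent blinding
D = 0b11110101100                # exponent from the deck's multiply-always slide


def hw(x: int) -> int:
    """Hamming weight: the quantity the deck says a power trace leaks."""
    return bin(x).count("1")


def multiply_always(m: int, d: int, n: int, trace: list) -> int:
    """Left-to-right exponentiation with the multiply-always countermeasure.
    Every exponent bit costs one square and one multiply; after a zero bit the
    multiply result is discarded. One leakage sample is appended per operation."""
    bits = bin(d)[2:]                    # leading bit is 1, so start from S = M
    s = m
    for b in bits[1:]:
        trace.append(2 * hw(s))          # square:   S' = S * S
        sq = s * s % n
        trace.append(hw(sq) + hw(m))     # multiply: T = S' * M  (shares M)
        t = sq * m % n
        s = t if b == "1" else sq        # discard T after a zero bit
    return s


def collect_traces(k: int, d: int, n: int, rng: random.Random,
                   exponent_blinding: bool = False) -> list:
    """k traces for random messages; optionally blind the exponent as d + r*phi."""
    traces = []
    for _ in range(k):
        m = rng.randrange(2, n - 1)
        e = d + rng.randrange(1, 1 << 64) * PHI if exponent_blinding else d
        trace = []
        multiply_always(m, e, n, trace)
        traces.append(trace)
    width = min(len(t) for t in traces)  # blinded exponents differ in length
    return [t[:width] for t in traces]


def pearson(x: list, y: list) -> float:
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / (sxx * syy) ** 0.5


def columns(traces: list) -> list:
    """The deck's k x n matrix, viewed as n sample vectors of length k."""
    return [[t[j] for t in traces] for j in range(len(traces[0]))]


def correlation_matrix(traces: list) -> list:
    """Correlate every pair of sample vectors (the 'Christmas tree' picture)."""
    cols = columns(traces)
    return [[pearson(a, b) for b in cols] for a in cols]


def adjacent_correlations(traces: list) -> list:
    """Cheaper variant from the 'neighboring samples' slide: adjacent columns only."""
    cols = columns(traces)
    return [pearson(cols[j], cols[j + 1]) for j in range(len(cols) - 1)]


def read_bits(traces: list, threshold: float = 0.35) -> str:
    """Column 2i+1 is a multiply, column 2i+2 the next square. If they correlate,
    the multiply result was discarded (bit 0); if not, it was kept (bit 1).
    The last bit has no following square, so it is not read here."""
    rho = adjacent_correlations(traces)
    bits = "1"
    for j in range(1, len(rho), 2):
        bits += "0" if rho[j] > threshold else "1"
    return bits


def simulate(seed: int = 2012, k: int = 1000) -> dict:
    rng = random.Random(seed)
    plain = collect_traces(k, D, N, rng)
    blinded = collect_traces(k, D, N, rng, exponent_blinding=True)
    return {"read": read_bits(plain),
            "matrix": correlation_matrix(plain),
            "blinded_rho": adjacent_correlations(blinded)[:20]}


if __name__ == "__main__":
    r = simulate()
    print("true exponent:            ", bin(D)[2:])
    print("read from fixed exponent: ", r["read"], "(last bit not observable)")
    print("multiply-multiply rho:    ", round(r["matrix"][1][3], 2))
    print("blinded adjacent rho:     ", [round(x, 2) for x in r["blinded_rho"][1:20:2]])
    print("blinded result unchanged: ",
          multiply_always(5, D + 3 * PHI, N, []) == pow(5, D, N))
```

The decisive quantity is the correlation between a multiply column and the square column after it: with a fixed exponent it is either clearly high (the square reuses the operand the discarded multiply consumed) or near zero, while with exponent blinding every such position is a blend of both cases and stays near the middle, which is what "makes the order unpredictable" buys. Adding measurement noise to the model only raises the number of traces needed, not the shape of the result.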
Future research
Cross correlation attack applies well to RSA, but the method is not restricted to RSA.
We study application of the concepts to
• ECC
• symmetric algorithms
Attack summary
• New side channel attack class developed and demonstrated
• Applies to many different RSA implementations
• Defeats several countermeasures
• Effective countermeasures are possible
Q&A
Need help?
contact
Marc Witteman
CTO
witteman@riscure.com
Riscure Inc.
901 Mariners Island Blvd
Suite 595
San Mateo, CA 94404
USA
Phone: +1 650 425 7327
www.riscure.com
Complete article can be downloaded from:
http://www.riscure.com/tech-corner/publications.html
Defeating RSA: Cross Correlation Attack Reveals Private Exponent

1. Defeating RSA: Multiply-Always and Message Blinding Countermeasures
Marc Witteman, Riscure
Session ID: CRYP-201
Session Classification: Advanced

3. Introduction
• About the authors
• Side Channel Analysis
• RSA background
• Countermeasures
• Attack concepts

4. About The Authors
• Marc F. Witteman, CTO, Riscure
• Jasper G. J. van Woudenberg, Senior Security Analyst, Riscure
• Federico Menarini, Security Analyst, Riscure

5. Side Channel Analysis
• Analyze secret leakage from crypto implementations
• Example: power trace of DES on a smart card
• Leaks Hamming weight of processed data

6. RSA background
• Exponentiation is a sequence of square and multiply operations
• Naïve implementations do, for each key bit:
  • always square
  • conditional multiplication (if the key bit equals '1')
• Distinction of square and multiply operations may reveal the key (SPA)
(figure: power trace annotated with key bits 1 000 11 0 0)

7. Countermeasures
Some common countermeasures against side channel analysis of RSA:
• noise
• multiply-always: discard the multiplication result after processing a zero bit
• message blinding: multiply the message with a random number, and multiply the signature with a matching inverse that removes the mask
• exponent blinding: add random multiples of φ to the exponent
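The exponentiation variants of slides 6 and 7, as an added example that is not part of the original deck: a naive left-to-right square-and-multiply whose operation sequence encodes the exponent (the SPA leak of slide 6), the multiply-always variant with its fixed square/multiply rhythm, message blinding wrapped around it, and exponent blinding with a random multiple of φ(N). The toy key (p = 61, q = 53, e = 17), the function names and the `seed` arguments are my own assumptions; the primes are far too small for real use and are only there to keep the arithmetic readable.

```python
import math
import random

# Constructed toy RSA key (not secure; chosen so the numbers stay readable)
P, Q = 61, 53
N = P * Q                 # 3233
PHI = (P - 1) * (Q - 1)   # 3120
E = 17
D = pow(E, -1, PHI)       # 2753, the private exponent an attacker wants


def naive_modexp(m, d, n):
    """Left-to-right square-and-multiply (slide 6).
    Returns (m^d mod n, sequence of 'S'quare / 'M'ultiply operations).
    A multiply only follows a 1 bit, so the sequence encodes d (SPA leak)."""
    s, ops = 1, []
    for bit in bin(d)[2:]:
        s = s * s % n
        ops.append('S')
        if bit == '1':
            s = s * m % n
            ops.append('M')
    return s, ''.join(ops)


def multiply_always_modexp(m, d, n):
    """Multiply-always (slide 7): every bit costs one square and one multiply;
    after a 0 bit the product is simply discarded, so the operation sequence is
    the same for every exponent of the same bit length."""
    s, ops = 1, []
    for bit in bin(d)[2:]:
        s = s * s % n
        ops.append('S')
        t = s * m % n          # computed unconditionally
        ops.append('M')
        if bit == '1':
            s = t
    return s, ''.join(ops)


def spa_recover_exponent(ops):
    """SPA on a naive operation sequence: 'S' followed by 'M' is a 1 bit, a lone 'S' a 0 bit."""
    bits, i = [], 0
    while i < len(ops):
        if ops[i:i + 2] == 'SM':
            bits.append('1')
            i += 2
        else:
            bits.append('0')
            i += 1
    return int(''.join(bits), 2)


def sign_message_blinded(m, d, e, n, seed=1):
    """Message blinding (slide 7): exponentiate m * r^e instead of m, then strip r.
    (m r^e)^d r^-1 = m^d r^(ed-1) = m^d mod n, because ed - 1 is a multiple of phi(n)
    and gcd(r, n) = 1. Note that the operation sequence is untouched by the blinding."""
    rng = random.Random(seed)
    r = rng.randrange(2, n)
    while math.gcd(r, n) != 1:
        r = rng.randrange(2, n)
    blinded = m * pow(r, e, n) % n
    s, ops = multiply_always_modexp(blinded, d, n)
    return s * pow(r, -1, n) % n, ops


def sign_exponent_blinded(m, d, phi, n, seed=1):
    """Exponent blinding (slide 7): use d' = d + k * phi(n) with a fresh random k per run.
    m^d' = m^d mod n for gcd(m, n) = 1, but the square/multiply order now differs from
    run to run, which is what makes this the effective countermeasure of slide 21."""
    rng = random.Random(seed)
    k = rng.randrange(1, 1 << 16)
    return naive_modexp(m, d + k * phi, n)
```

With the naive sequence, `spa_recover_exponent` returns D from a single trace; with exponent blinding it returns d + kφ instead, which is a different number each run even though it still reduces to D mod φ(N).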
8. Attack concepts
• Cross correlation is an attack class
  • Comparable to high-order DPA
  • No clear text/cipher text needed
• Attack demonstrated on an RSA smart card implementation with several countermeasures
• Procedure with two innovative steps
  • Preprocess modular operations
  • Cross correlation analysis

9. Preprocessing modular operations
• Compression
• Revealing
• Position finding

10. Compressing modular operations
• Modular operation execution typically increases power consumption due to switching of many bits in parallel
• Old smart cards have easily recognizable modular operations
• Compression involves selection of a threshold, and averaging all sequential samples above the threshold
• Low pass filtering may be needed if signals are noisy

11. Revealing hidden modular operations
• New smart cards hide or scramble the power signal (may need EMA)
• Modular operations may be recognized by alignment and averaging
• Pattern recognition works only for the first operations (clock jitter)

12. Position finding of shifted modular operations
• One averaged pattern is used to identify and locate modular operations in the noisy traces
• Correlate the pattern with the trace; the peaks indicate the starting points of the modular operations
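The three preprocessing steps of slides 10 to 12 as added example code (mine, not Riscure's): a constructed 60-sample trace containing four modular operations of a known shape, compression by averaging each run of samples above a threshold, an averaged reference pattern built from a few aligned operations, and position finding by sliding that pattern over the trace and taking correlation peaks. The pattern shape, baseline, offsets, amplitudes and the 0.9 correlation / 0.3 energy thresholds are constructed values; a real trace needs low-pass filtering and threshold tuning before this works.

```python
import math
import random

# Constructed shape of one modular operation and a constructed trace layout
PATTERN = [0.5, 0.9, 1.0, 0.8, 0.4]      # power rises while many bits switch in parallel
BASELINE = 0.1                           # idle power level
OFFSETS = [7, 20, 31, 45]                # where the four operations start
AMPLITUDES = [1.0, 0.8, 1.2, 0.9]        # data-dependent amplitude of each operation


def make_trace(length=60, noise=0.02, seed=7):
    """Constructed power trace: baseline plus uniform noise, with PATTERN scaled by
    AMPLITUDES[i] added at OFFSETS[i]."""
    rng = random.Random(seed)
    trace = [BASELINE + rng.uniform(-noise, noise) for _ in range(length)]
    for off, amp in zip(OFFSETS, AMPLITUDES):
        for j, p in enumerate(PATTERN):
            trace[off + j] += amp * p
    return trace


def compress(trace, threshold):
    """Slide 10: replace every run of consecutive samples above threshold by its mean,
    giving one sample per modular operation. Feed it a low-pass-filtered trace when the
    raw signal is noisy, otherwise one noisy dip splits an operation into two runs."""
    out, run = [], []
    for x in trace:
        if x > threshold:
            run.append(x)
        elif run:
            out.append(sum(run) / len(run))
            run = []
    if run:
        out.append(sum(run) / len(run))
    return out


def pearson(x, y):
    """Pearson correlation; 0.0 for a constant vector instead of a division by zero."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy) if sxx and syy else 0.0


def average_pattern(trace, starts, length):
    """Slide 11: align a few operations whose start is known (for example the first
    ones, before clock jitter accumulates) and average them into one reference pattern."""
    return [sum(trace[s + j] for s in starts) / len(starts) for j in range(length)]


def find_positions(trace, pattern, min_corr=0.9, min_level=0.3):
    """Slide 12: slide the pattern over the trace. A window that both carries energy
    (mean above min_level) and correlates with the pattern marks an operation start;
    after a hit the search skips one operation length, since operations do not overlap."""
    L, hits, i = len(pattern), [], 0
    while i + L <= len(trace):
        win = trace[i:i + L]
        if sum(win) / L > min_level and pearson(win, pattern) >= min_corr:
            hits.append(i)
            i += L
        else:
            i += 1
    return hits
```

The energy gate matters: Pearson correlation is scale-free, so without it a five-sample window of pure noise can occasionally correlate strongly with the pattern and produce a false start position.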
13. Cross Correlation
• Operand sharing
• Principle
• Matrix
• Effect of multiply-always
• Neighboring samples

14. Operand sharing
• RSA uses two similar operations (intermediate signature S, message M, modulus N)
  • Square: S' := S * S mod N
  • Multiply: S' := S * M mod N
• Subsequent square operations usually do not share operands
• Multiply operations do share an operand (M)
• Operand sharing may be observed if the order of square and multiply operations is identical for repetitive encryptions

15. Cross correlation principle
• Consider a set of k traces with n samples as a matrix
• Compute the correlation between each pair of sample vectors

16. Cross correlation matrix
• Correlation matrix represented in colored dots, where a lighter color corresponds to a higher correlation
• Multiply operations light up like a Christmas tree
• Can recognize naïve binary exponentiation key: 111101011000101

17. Cross correlation with multiply always
• High frequency of correlating pairs reveals the multiply-always variant
• Incidental correlation of a square operation with its predecessor reveals a discarded multiply: the multiply computes S' = S * M, but because S' is discarded the next square computes S'' = S * S, so both operations share the operand S
• Can recognize key: 11110101100

18. Cross correlating neighboring samples
• Compute and display correlation only between adjacent vectors
• High and low correlation values correspond to key bits set to zero and one, respectively
• Complete key can be retrieved in a short time
(figure: adjacent-vector correlation values annotated with key bits 1 1 11 0 0 0 0)
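The cross correlation attack of slides 14 to 18 end to end, as an added simulation that is not part of the deck: the traces are k runs of a multiply-always exponentiation on a toy modulus, each modular operation contributing one compressed sample under a constructed leakage model (Hamming weight of both operands plus Gaussian noise, standing in for the compressed power sample of slide 10). The neighboring-sample correlations then read the private exponent: a multiply followed by a square shares the operand S^2 only when the multiply result was discarded. Message blinding is switched on by default to show that it leaves the operand sharing intact. The key (p = 251, q = 241, e = 7), the trace count, the noise level and all function names are my assumptions.

```python
import math
import random

# Constructed toy RSA key (not secure; small enough to keep the simulation fast)
P, Q = 251, 241
N = P * Q                   # 60491
PHI = (P - 1) * (Q - 1)     # 60000
E = 7
D = pow(E, -1, PHI)         # the private exponent the attack recovers


def hamming_weight(x):
    return bin(x).count('1')


class Recorder:
    """Constructed leakage model: each modular operation yields one compressed sample,
    the Hamming weight of both operands plus Gaussian measurement noise."""

    def __init__(self, rng, sigma=1.0):
        self.rng, self.sigma, self.samples = rng, sigma, []

    def __call__(self, a, b):
        self.samples.append(hamming_weight(a) + hamming_weight(b) + self.rng.gauss(0, self.sigma))


def multiply_always(m, d, n, record):
    """Left-to-right multiply-always exponentiation, starting from the leading 1 bit.
    Every further bit: square (operands S, S), multiply (operands S^2, M), and the
    product is kept only for a 1 bit."""
    s = m
    for bit in bin(d)[3:]:
        record(s, s)
        s = s * s % n
        record(s, m)
        t = s * m % n
        if bit == '1':
            s = t
    return s


def collect_traces(k, rng, blind=True):
    """k signatures on random messages, one sample list each. With blind=True the card
    signs m * r^e and multiplies the result by r^-1 (message blinding, slide 7)."""
    traces = []
    for _ in range(k):
        m = rng.randrange(2, N)
        rec = Recorder(rng)
        if blind:
            r = rng.randrange(2, N)
            while math.gcd(r, N) != 1:
                r = rng.randrange(2, N)
            sig = multiply_always(m * pow(r, E, N) % N, D, N, rec) * pow(r, -1, N) % N
        else:
            sig = multiply_always(m, D, N, rec)
        assert sig == pow(m, D, N)      # the countermeasures do not change the result
        traces.append(rec.samples)
    return traces


def pearson(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy) if sxx and syy else 0.0


def neighbor_correlations(traces):
    """Slide 18: the traces form a k x n matrix; correlate each sample column with the next."""
    cols = list(zip(*traces))
    return [pearson(cols[i], cols[i + 1]) for i in range(len(cols) - 1)]


def recover_bits(traces):
    """Columns alternate square, multiply, square, multiply, ... The pair
    (multiply_i, square_{i+1}) shares the operand S^2 when the product was discarded
    (bit 0) and shares nothing when it was kept (bit 1), so high correlation means 0
    and low means 1 (slides 17 and 18). The final bit has no following square and is
    left to a two-way guess. The midpoint threshold assumes both bit values occur."""
    corr = neighbor_correlations(traces)
    mul_to_sq = corr[1::2]
    mid = (max(mul_to_sq) + min(mul_to_sq)) / 2
    return ''.join('0' if c > mid else '1' for c in mul_to_sq)


def expected_bits():
    """Ground truth: d without its leading 1 and without the undetermined last bit."""
    return bin(D)[3:-1]


def attack(k=1000, seed=1, blind=True):
    return recover_bits(collect_traces(k, random.Random(seed), blind))


if __name__ == '__main__':
    print('recovered', attack(), 'expected', expected_bits())
```

Under this leakage model the shared-operand pairs correlate at roughly 0.6 and the others near 0, so a thousand traces separate the two clusters by a wide margin; with blinding on or off the recovered bit string is identical, which is the point of slide 21's "countermeasures that do NOT work".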
19. Conclusion
• Apply
• Countermeasures
• Future research
• Summary
• Q&A

20. Apply
• This attack can be applied to any RSA implementation under the following conditions
  • Power consumption or EM radiation can be measured (with minimal S/N)
  • Several thousand crypto operations (signatures) can be executed
  • Implementation uses a fixed sequence of modular operations
• No data requirements
  • No chosen messages needed
  • No known messages or signatures needed
• Attack applies to
  • RSA-Straight and RSA-CRT
  • Naïve and Montgomery multiplication
  • Any hashing or padding scheme
• Attack yields the private exponent

21. Countermeasures
• Countermeasures that do NOT work
  • Message blinding
  • Multiply always, Montgomery ladder, or BRIP
• Countermeasures that are NOT enough
  • Noise
  • Signal reduction
  • Random delays / variable clocks
• Countermeasures that work
  • Exponent blinding
  • Random bit group size
  • Any randomization method that makes the order of square and multiply operations unpredictable

22. Future research
• The cross correlation attack applies well to RSA, but the method is not restricted to RSA
• We study application of the concepts to
  • ECC
  • Symmetric algorithms

23. Attack summary
• New side channel attack class developed and demonstrated
• Applies to many different RSA implementations
• Defeats several countermeasures
• Effective countermeasures are possible

24. Q&A
Need help? Contact Marc Witteman, CTO, witteman@riscure.com
Riscure Inc., 901 Mariners Island Blvd Suite 595, San Mateo, CA 94404, USA
Phone: +1 650 425 7327
www.riscure.com
Complete article can be downloaded from: http://www.riscure.com/tech-corner/publications.html