CRYPTOGRAPHY IN ITSEF

Journée Codage & Cryptographie 2017 | Cécile Dumas | 24 April 2017


FRENCH CERTIFICATION SCHEME

• ITSEF: Information Technology Security Evaluation Facility

• CESTI: Centre d’Évaluation de la Sécurité des Technologies d’Information (the French name for an ITSEF)

• ANSSI

• Several ITSEFs and several types of product
  • Software and networks
  • Electronic, microelectronic components and embedded software
  • Hardware devices with security boxes

• Leti, within CEA Grenoble: Hardware ITSEF


SMART CARD EVALUATION: THREATS

Source: Security IC Platform Protection Profile - BSI-PP-0084


SMART CARD EVALUATION: UNITS

• Hardware

• Software

• Open samples

• Applications

Source: Security IC Platform Protection Profile - BSI-PP-0084


SMART CARD EVALUATION: CRYPTOGRAPHY

• Functions
  • Encryption / decryption
  • Signature
  • Authentication
  • Key generation / exchange
  • …

• Mechanisms
  • Symmetrical algorithms
  • Asymmetrical algorithms
  • Hash functions
  • Random number generator

Hardware / Software

• Conformity
  • Document analysis
  • Code analysis

• Efficiency
  • Functional testing
  • Statistical tests
  • Penetration testing

• Standards & References
  • Common Criteria
  • RGS (ANSSI)
  • AIS31 (BSI)
  • …


SMART CARD EVALUATION: EXAMPLE

• Smart card
  • Embedded software
  • AES (hardware)
  • RSA (hardware + software)
  • Random Number Generator (hardware + software)

• Conformity
  • RNG evaluation RGS and AIS31

• Efficiency
  • RNG statistical tests
  • Penetration testing on AES and RSA
    • Side channel analysis
    • Fault injection


RNG EVALUATION: ARCHITECTURE

[Figure: RNG architecture block diagram. Blocks: TRNG, Online test, Post-processing, Cryptographic post-processing, Initialization, Output. Schemes shown: RGS, AIS31 PTG.2, AIS31 PTG.3]


RNG EVALUATION: RGS

[Figure: RNG block diagram (TRNG, Online test, Post-processing, Cryptographic post-processing, Initialization, Output) annotated with the evaluation tasks listed below]

• Confidence in the cryptographic post-processing (and the global evaluation)

• Statistical tests: no defect (all tests, all conditions)

• Design analysis

• Cryptanalysis

• Forward secrecy

• Backward secrecy

• Recommendation

• Architecture analysis


RNG EVALUATION: AIS31

[Figure: RNG block diagram (TRNG, Online test, Post-processing, Cryptographic post-processing, Initialization, Output) annotated with the evaluation tasks listed below]

• Suitable test?

• Efficiency demonstration

• Stochastic model

• Initialization process

• Alarm management

• Cryptanalysis

• Forward secrecy

• Backward secrecy (PTG.3)

• Entropy analysis

• Environment alteration

• Attacks

• Statistical tests: test suite


RNG EVALUATION: STOCHASTIC MODEL

• Definition
  • Mathematical description using random variables
  • Model of the reality under certain conditions and limitations

• Goals
  • It supports the estimation of the entropy of the raw random numbers
  • It helps to understand the factors that may affect the entropy

[Figure: diagram relating the stochastic model and the real TRNG. Labels: Total failure test, Online test, Factors, Entropy, Randomness quality, Statistical tests, Simulations]


RNG EVALUATION: METHODOLOGY

• German scheme BSI
  • AIS31
  • More complete
  • Stochastic model
  • Restrictive statistical test suite

• French scheme ANSSI
  • RGS
  • More general
  • Architecture with a good cryptographic post-processing
  • Argumentation for randomness
  • All statistical tests

• Design analysis

• Online test

• Conformity

• Efficiency

• …


SMART CARD EVALUATION: EXAMPLE

• Smart card
  • Embedded software
  • AES (hardware)
  • RSA (hardware + software)
  • Random Number Generator (hardware + software)

• Conformity
  • RNG evaluation RGS or AIS31

• Efficiency
  • RNG statistical tests
  • Penetration testing on AES and RSA
    • Side channel analysis
    • Fault injection


STATISTICAL TESTS: OVERVIEW

Small tests

• Monobit

• Pattern frequency

AIS31

Various tests

• FIPS140

• Graphical distribution studies

• …

TestU01 Characterization tests

• Randomness quality evaluation
  • Good / bad result

• Characterization
  • Highlight a specific defect


STATISTICAL TESTS: EXAMPLE

• Biased source
  • Majority of statistical tests fail
  • For example $P_1 = 0.46$ before post-processing
    • AIS31: T1, T2, T3, T6, T8 fail
    • TestU01: 49 / 56 tests fail

• How to evaluate?
  • How to find other defects?
  • Is the post-processing sufficient?
  • Need to know the statistical properties of the source

Adapted tests

[Figure: diagram with labels: source, post-processing, biased, unbiased]


STATISTICAL TESTS: ADAPTED TESTS

• Many tests are built under the uniformity hypothesis

• But some of them can be adapted with the Bernoulli distribution

• Example: poker test (FIPS140-1, AIS31 T2)
  • $X^2 = \frac{16}{5000} \times \sum_{i=0}^{15} f(i)^2 - 5000$
    • 20,000 bits
    • $f(i)$: number of occurrences of $i$
  • $X^2$ follows a $\chi^2$ distribution with 15 degrees of freedom
  • The test passes if $1.03 < X^2 < 57.4$


STATISTICAL TESTS: ADAPTED TESTS

• With the biased sequence $P_1 = 0.46$ the test fails with high probability

• False expected frequency
  $p(i) = \frac{1}{16}$

• Adapted probability
  $p(i) = (1 - P_1)^{4 - \pi(i)} \, P_1^{\pi(i)}$
  where $\pi(i)$ is the Hamming weight of $i$

Examples
  $p(0000) = (1 - P_1)^4$
  $p(0001) = (1 - P_1)^3 \, P_1$
  $p(0011) = (1 - P_1)^2 \, P_1^2$


STATISTICAL TESTS: ADAPTED TESTS

• Adapted test
  • The test value
    $X'^2 = \sum_{i=0}^{15} \frac{\left(f(i) - 5000 \times p(i)\right)^2}{5000 \times p(i)}$
    follows a $\chi^2$ distribution with 15 degrees of freedom
  • The test passes if $1.03 < X'^2 < 57.4$


STATISTICAL TESTS: ADAPTED TESTS

Biased sequence
  • $P_1 = 0.46$
  • AIS31: T1, T2, T3, T6, T8 fail
  • TestU01: 49 / 56 tests fail

Biased sequence with another defect
  • $P_1 = 0.46$
  • 1/10 of the 0100 patterns replaced by 0010
  • AIS31: T1, T2, T3, T6, T8 fail
  • TestU01: 49 / 56 tests fail

[Figure: adapted Poker test distribution compared to the $\chi^2$ distribution]
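The standard and adapted poker tests from the preceding slides, as an added Python example that is not part of the original presentation. The source is a constructed software simulation of independent bits with $P_1 = 0.46$; function names, seeds and the number of runs are assumptions. The last function averages $X'^2$ over several sequences, because the 0100 to 0010 defect shifts the distribution of the statistic rather than pushing a single value out of the acceptance bounds.

```python
import random

BLOCKS = 5000            # 20,000 bits = 5000 blocks of 4 bits
LOW, HIGH = 1.03, 57.4   # acceptance bounds quoted on the slides

def biased_bits(p1, rng):
    """Constructed source: 20,000 independent bits with Pr[bit = 1] = p1."""
    return [1 if rng.random() < p1 else 0 for _ in range(4 * BLOCKS)]

def counts(bits):
    """f(i): number of occurrences of each 4-bit pattern i."""
    f = [0] * 16
    for j in range(0, 4 * BLOCKS, 4):
        f[bits[j] << 3 | bits[j + 1] << 2 | bits[j + 2] << 1 | bits[j + 3]] += 1
    return f

def pattern_probs(p1):
    """p(i) = (1 - P1)^(4 - w) * P1^w, with w the Hamming weight of i."""
    return [(1 - p1) ** (4 - bin(i).count("1")) * p1 ** bin(i).count("1")
            for i in range(16)]

def poker(bits, p1=0.5):
    """Chi-square statistic against p(i); p1 = 0.5 gives the standard test."""
    f, p = counts(bits), pattern_probs(p1)
    x2 = sum((f[i] - BLOCKS * p[i]) ** 2 / (BLOCKS * p[i]) for i in range(16))
    return x2, LOW < x2 < HIGH

def add_defect(bits, rng, rate=0.1):
    """Second defect from the slides: 1/10 of the 0100 patterns become 0010."""
    out = list(bits)
    for j in range(0, 4 * BLOCKS, 4):
        if out[j:j + 4] == [0, 1, 0, 0] and rng.random() < rate:
            out[j:j + 4] = [0, 0, 1, 0]
    return out

def mean_adapted_statistic(runs=40, p1=0.46, seed=2017):
    """Mean adapted X'^2 over several sequences, without and with the defect."""
    rng = random.Random(seed)
    plain = defect = 0.0
    for _ in range(runs):
        bits = biased_bits(p1, rng)
        plain += poker(bits, p1)[0]
        defect += poker(add_defect(bits, rng), p1)[0]
    return plain / runs, defect / runs

if __name__ == "__main__":
    rng = random.Random(1)
    bits = biased_bits(0.46, rng)
    print("standard test (p(i) = 1/16):", poker(bits))
    print("adapted test  (P1 = 0.46)  :", poker(bits, 0.46))
    print("mean X'^2 without / with defect:", mean_adapted_statistic())
```

Without the defect the mean of $X'^2$ stays near 15, the mean of a $\chi^2$ distribution with 15 degrees of freedom; with the defect it moves upward.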


SMART CARD EVALUATION: EXAMPLE

• Smart card
  • Embedded software
  • AES (hardware)
  • RSA (hardware + software)
  • Random Number Generator (hardware + software)

• Conformity
  • RNG evaluation RGS or AIS31

• Efficiency
  • RNG statistical tests
  • Penetration testing on AES and RSA
    • Side channel analysis: Template attack on AES
    • Fault injection: Differential Fault Analysis on RSA


PENETRATION TESTING: METHODOLOGY

• Analysis of attack path
  • Vulnerabilities
    • Code analysis
    • Open sample
  • Countermeasures
    • Known attacks
    • Combined attacks
    • New attacks
  • Practicability of each step

List of tests

• Tests
  • Test bench setup
  • Dedicated tools: benchmark, computations, …
  • Multiple skills
    • physics, electronics, informatics, cryptography, statistics, …

• Attack rating
  • Application of Attack Potential to Smartcards - v2.9 - Jan. 2013


PENETRATION TESTING: RATING TABLE

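| Factors | Identification | Exploitation |
|---|---|---|
| Elapsed time | | |
| < one hour | 0 | 0 |
| < one day | 1 | 3 |
| < one week | 2 | 4 |
| < one month | 3 | 6 |
| > one month | 5 | 8 |
| Not practical | * | * |
| Expertise | | |
| Layman | 0 | 0 |
| Proficient | 2 | 2 |
| Expert | 5 | 4 |
| Multiple Expert | 7 | 6 |
| Knowledge of the TOE | | |
| Public | 0 | 0 |
| Restricted | 2 | 2 |
| Sensitive | 4 | 3 |
| Critical | 6 | 5 |
| Very critical hardware design | 9 | NA |
| Access to TOE | | |
| < 10 samples | 0 | 0 |
| < 30 samples | 1 | 2 |
| < 100 samples | 2 | 4 |
| > 100 samples | 3 | 6 |
| Not practical | * | * |
| Equipment | | |
| None | 0 | 0 |
| Standard | 1 | 2 |
| Specialized | 3 | 4 |
| Bespoke | 5 | 6 |
| Multiple Bespoke | 7 | 8 |
| Open samples | | |
| Public | 0 | NA |
| Restricted | 2 | NA |
| Sensitive | 4 | NA |
| Critical | 6 | NA |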


TEMPLATE ATTACKS ON AES: PRINCIPLE

• Measure during cryptographic computation
  • Power consumption
  • Electromagnetic radiation
  • …

• Leakage

• Two phases
  • Profiling
    • Characterization of the leakage with respect to a few bits of the key (learning)
  • Attack
    • Retrieving the bits of an unknown key thanks to the leakage shape

[Figure: diagram with labels: Plaintext, Ciphertext]


TEMPLATE ATTACK ON AES: SETUP

• Analysis of attack path
  • Profiling phase: computation with several known keys
    Existing command or open sample
  • Attack phase: computation with an unknown fixed key
    Example: command for the AES encryption of a challenge

• Acquisition
  • Measure of the power consumption
  • Test scripts

Source: C. Giraud, Attaques de cryptosystèmes embarqués et contre-mesures associées, PhD thesis, 2007


TEMPLATE ATTACK ON AES: ACQUISITIONS

• Acquisition

• Resynchronisation
  • Several signal processing methods depending on the signal waveform


TEMPLATE ATTACK ON AES: NORMAL LAW

Introduction

Characterization of traces thanks to the random vector $L$. At time $u$: $L[u]$

• $L[u]$ follows a univariate normal law with parameters $\mu$ and $\sigma^2$

• $L$ follows a multivariate normal law with parameters $\mu$ and $\Sigma$

[Figure: probability densities for univariate normal laws]


TEMPLATE ATTACK ON AES: PROFILING PHASE

• Sending of $N$ plaintexts: $X = (x_1, \dots, x_N)$

• Acquisition of $N$ traces with known keys: $L = (l_1, \dots, l_N)$

• Choice of a computed data (target) $Z = (z_1, \dots, z_N)$

Each acquired trace $l_i$ corresponds to a plaintext $x_i$ and a target value $z_i = \mathrm{Sbox}(x_i \oplus k)$ where $k$ is a key byte.

Assumption: the conditional law of $L$ knowing $Z = z$ is a multivariate normal law with parameters $\mu_z$ and $\Sigma_z$.

The profiling phase characterizes the distribution of the traces for each value $z$ of the target with the parameters $\mu_z$ and $\Sigma_z$.

[Figure: example densities with $\mu_0 = 230$, $\sigma_0^2 = 11$ and $\mu_1 = 220$, $\sigma_1^2 = 4$]


TEMPLATE ATTACK ON AES: ATTACK PHASE

• Sending of $N_a$ challenges: $X = (x_1, \dots, x_{N_a})$

• Acquisition of $N_a$ traces with unknown key: $L = (l_1, \dots, l_{N_a})$

• Same signal processing!

• For each key hypothesis $k$
  • The trace $l_i$ corresponds to $z_i = \mathrm{Sbox}(x_i \oplus k)$
    $\Pr[L = l_i \mid k] = \Pr[L = l_i \mid Z = z_i] = \mathrm{normpdf}(\mu_{z_i}, \Sigma_{z_i})$
  • Likelihood
    $\Pr[L \mid k] = \prod_i \mathrm{normpdf}(\mu_{z_i}, \Sigma_{z_i})$

The recovered key byte is given by the maximum of the likelihood
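A simulation of the profiling and attack phases above, as an added Python example that is not from the original presentation. It assumes a univariate leakage (one sample per trace) equal to the Hamming weight of Sbox(x ⊕ k) plus Gaussian noise; the leakage model, noise level, key byte 0x2B, trace counts and function names are all constructed for illustration. Likelihoods are summed as logarithms so that the product over traces does not underflow.

```python
import math
import random

def aes_sbox():
    """AES S-box: inverse in GF(2^8) followed by the affine map."""
    rotl = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p = 3 * p
        q ^= q << 1                                           # q = q / 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = aes_sbox()

def trace(x, k, rng, noise=1.0):
    """Constructed leakage: Hamming weight of z = Sbox(x ^ k) plus noise."""
    return bin(SBOX[x ^ k]).count("1") + rng.gauss(0, noise)

def profile(rng, known_keys):
    """Profiling phase: estimate (mu_z, sigma2_z) for each target value z."""
    samples = [[] for _ in range(256)]
    for k in known_keys:
        for x in range(256):
            samples[SBOX[x ^ k]].append(trace(x, k, rng))
    templates = []
    for s in samples:
        mu = sum(s) / len(s)
        var = sum((v - mu) ** 2 for v in s) / (len(s) - 1)
        templates.append((mu, var))
    return templates

def log_normpdf(l, mu, var):
    return -0.5 * (math.log(2 * math.pi * var) + (l - mu) ** 2 / var)

def attack(templates, xs, ls):
    """Attack phase: rank the 256 key hypotheses by log-likelihood."""
    scores = []
    for k in range(256):
        ll = sum(log_normpdf(l, *templates[SBOX[x ^ k]]) for x, l in zip(xs, ls))
        scores.append((ll, k))
    return [k for _, k in sorted(scores, reverse=True)]

def recover_key_byte(secret=0x2B, n_attack=300, seed=7):
    """Profile with 40 known keys, then rank hypotheses for `secret`."""
    rng = random.Random(seed)
    templates = profile(rng, [rng.randrange(256) for _ in range(40)])
    xs = [rng.randrange(256) for _ in range(n_attack)]
    ls = [trace(x, secret, rng) for x in xs]
    return attack(templates, xs, ls)

if __name__ == "__main__":
    print("best hypothesis: 0x%02X" % recover_key_byte()[0])
```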


TEMPLATE ATTACK ON AES: RESULTS

• 256 possible values for $\mathrm{Sbox}(x_i \oplus k)$

• Likelihood (ordinate) for each key $k$ (abscissa)

• Guessing entropy: mean of the right key ranking (ordinate) with the number of attack traces (abscissa)

1 byte of the key is retrieved from 300 attack traces

[Figure label: Key byte 111]


TEMPLATE ATTACK ON AES: RATING

| Factors | Identification | Exploitation |
|---|---|---|
| Elapsed time | < one week (2) | < one month (6) |
| Expertise | Expert (5) | Proficient (2) |
| TOE Knowledge | Restricted (2) | Public (0) |
| Access to TOE | < 10 samples (0) | < 10 samples (0) |
| Equipment | Specialized (3) | Specialized (4) |
| Open samples | Restricted (2) | n/a |
| Total | 14 | 12 |

Total (Identification + Exploitation): 26

• 16 bytes have to be retrieved (AES key)

• Case 1: Only 8 bytes


TEMPLATE ATTACK ON AES: RATING

| Factors | Identification | Exploitation |
|---|---|---|
| Elapsed time | < one week (2) | < one day (3) |
| Expertise | Expert (5) | Proficient (2) |
| TOE Knowledge | Restricted (2) | Public (0) |
| Access to TOE | < 10 samples (0) | < 10 samples (0) |
| Equipment | Specialized (3) | Specialized (4) |
| Open samples | Restricted (2) | n/a |
| Total | 14 | 9 |

Total (Identification + Exploitation): 23

• 16 bytes have to be retrieved (AES key)

• Case 1: 16 bytes


DFA ON RSA CRT: PRINCIPLE

• Differential Fault Analysis
  Fault injection + Exploitation of erroneous results

• RSA
  • $N = p \cdot q$, $e$ public parameters, $d$ private exponent
  • $C = M^d \bmod N$

• RSA CRT (Chinese Remainder Theorem)
  • $d_p = d \bmod (p-1)$, $d_q = d \bmod (q-1)$, $p_{inv} = p^{-1} \bmod q$
  • $S_p = M^{d_p} \bmod p$
  • $S_q = M^{d_q} \bmod q$
  • $C = p \cdot (p_{inv} \cdot (S_q - S_p) \bmod q) + S_p \bmod N$

• Error in $S_q$, giving $S_q^*$
  • $C^* = p \cdot (p_{inv} \cdot (S_q^* - S_p) \bmod q) + S_p \bmod N$
  • $\gcd(C - C^*, N) = \gcd(p \cdot A, N) = p$


DFA ON RSA CRT: SETUP

• Analysis of attack path
  • Correct and erroneous results of RSA CRT with the private exponent
    Example: command for the signature of a hash
  • Source code analysis

• Fault injection
  • Laser
  • Double fault
  • Recording of the erroneous results

    sign = signatureRSACRT(hash)
    verif = verificationRSA(sign)
    If verif ≠ hash then exit error
    return sign
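Why the verification step in the pseudocode above matters, as an added Python example that is not from the original presentation. The toy key (two Mersenne primes), the `fault_mask` parameter that models the error in $S_q$, and all function names are assumptions made for illustration.

```python
from math import gcd

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))               # private exponent d
DP, DQ, PINV = D % (P - 1), D % (Q - 1), pow(P, -1, Q)

def sign_crt(m, fault_mask=0):
    """RSA-CRT signature; fault_mask != 0 models an error injected in Sq."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q) ^ fault_mask             # Sq* = Sq with flipped bits
    return (P * ((PINV * (sq - sp)) % Q) + sp) % N

def sign_checked(m, fault_mask=0):
    """Countermeasure from the slide: verify with the public key first."""
    s = sign_crt(m, fault_mask)
    if pow(s, E, N) != m:
        raise ValueError("signature check failed, result withheld")
    return s

def factor_from_fault(c, c_star):
    """gcd(C - C*, N) = gcd(p * A, N) = p, as stated on the principle slide."""
    return gcd(c - c_star, N)

if __name__ == "__main__":
    m = 0x1234567890ABCDEF                      # constructed "hash" value
    c, c_star = sign_crt(m), sign_crt(m, fault_mask=1)
    print("unchecked output leaks p:", factor_from_fault(c, c_star) == P)
    try:
        sign_checked(m, fault_mask=1)
    except ValueError as err:
        print("checked signing:", err)
```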


DFA ON RSA CRT: RATING

| Factors | Identification | Exploitation |
|---|---|---|
| Elapsed time | < one month (3) | < one day (3) |
| Expertise | Expert (5) | Expert (4) |
| TOE Knowledge | Restricted (2) | Public (0) |
| Access to TOE | < 10 samples (0) | < 10 samples (0) |
| Equipment | Specialized (3) | Specialized (4) |
| Open samples | Public (0) | n/a |
| Total | 13 | 11 |

Total (Identification + Exploitation): 24

• The key is retrieved with only one erroneous result

• Case 1: excellent repeatability


DFA ON RSA CRT: RATING

| Factors | Identification | Exploitation |
|---|---|---|
| Elapsed time | > one month (5) | < one week (4) |
| Expertise | Expert (5) | Expert (4) |
| TOE Knowledge | Restricted (2) | Public (0) |
| Access to TOE | < 10 samples (0) | < 10 samples (0) |
| Equipment | Specialized (3) | Specialized (4) |
| Open samples | Public (0) | n/a |
| Total | 15 | 12 |

Total (Identification + Exploitation): 27

• With only one erroneous result, the key is retrieved

• Case 1: low repeatability


CONCLUSION

• Standards
  • Common Criteria
  • AIS31
  • Qualification process (ANSSI)

• Various products

• Various skills
  • Hardware
  • Software
  • Cryptography
  • Statistics
  • …

• R & D
  • New attacks
  • PhD thesis


Leti, technology research institute

Commissariat à l’énergie atomique et aux énergies alternatives

Minatec Campus | 17 rue des Martyrs | 38054 Grenoble Cedex | France

www.leti.fr

Thank you

Questions?