Practical Aspects of Modern Cryptography Josh Benaloh Brian LaMacchia Winter 2011
Side-Channel Attacks
Breaking a cryptosystem is a frontal attack, but there may be easier access through a side or back door, especially on embedded cryptographic devices such as SmartCards and RFIDs.
January 27, 2011 Practical Aspects of Modern Cryptography 2
Slide 11
Side-Channel Attacks
Some attack vectors
- Fault Attacks
- Timing Attacks
- Cache Attacks
- Power Analysis
- Electromagnetic Emissions
- Acoustic Emissions
- Information Disclosure
- others?
Slide 12
Fault Attacks
Slide 21
Timing Attacks
How long does it take to perform a decryption?
The answer may be data-dependent.
For instance
Slide 26
Cache Attacks
If you can run code on the same device where a decryption is being performed, you may be able to selectively force certain cache lines to be flushed.
Decryption times may vary in a key-dependent manner based upon which lines have been flushed.
Slide 28
Power Analysis
Power usage of a device may vary in a key-dependent manner.
Careful measurement and analysis of power consumption can be used to determine the key.
Slide 30
Electromagnetic Emissions
One can record electromagnetic emissions of a device, often at a distance.
Careful analysis of the emissions may reveal a secret key.
Slide 32
Acoustic Emissions
Modular exponentiation is usually done with repeated squaring and conditional side multiplications.
It can actually be possible to hear whether or not these conditional multiplications are performed.
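The data-dependent running time raised on the Timing Attacks slides and the conditional multiplications described above come from the same loop. As an added illustration (not from the original slides; the function names, the modulus 2^61 - 1 and the two 16-bit exponents are constructed for the demo), the following counts operations for plain square-and-multiply beside a Montgomery ladder, which performs the same number of multiplications for every exponent of a given length:

```python
# Added example: why square-and-multiply leaks, and a fixed-schedule alternative.
# All names and sample values are constructed for illustration.

def square_and_multiply(base, exponent, modulus):
    """Left-to-right binary method. Returns (result, squarings, multiplications)."""
    result, squarings, multiplications = 1, 0, 0
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus      # always executed
        squarings += 1
        if bit == "1":                            # conditional side multiplication
            result = (result * base) % modulus
            multiplications += 1
    return result, squarings, multiplications


def montgomery_ladder(base, exponent, modulus, bits):
    """Two modular multiplications per exponent bit, whatever the bit's value.

    Returns (result, operations). This equalizes the operation count only;
    Python big-integer arithmetic is not itself constant-time.
    """
    r0, r1, operations = 1, base % modulus, 0
    for i in reversed(range(bits)):
        if (exponent >> i) & 1:
            r0, r1 = (r0 * r1) % modulus, (r1 * r1) % modulus
        else:
            r0, r1 = (r0 * r0) % modulus, (r0 * r1) % modulus
        operations += 2
    return r0, operations


def compare(exponents, base=3, modulus=2**61 - 1, bits=16):
    """Map each exponent to (naive total operations, ladder total operations)."""
    table = {}
    for e in exponents:
        expected = pow(base, e, modulus)
        naive, squarings, multiplications = square_and_multiply(base, e, modulus)
        ladder, ladder_ops = montgomery_ladder(base, e, modulus, bits)
        assert naive == expected and ladder == expected
        table[e] = (squarings + multiplications, ladder_ops)
    return table


if __name__ == "__main__":
    # Constructed keys: same length, very different Hamming weight.
    for e, (naive_ops, ladder_ops) in compare([0x8001, 0xFFFF]).items():
        print(f"exponent {e:#06x}: naive {naive_ops} ops, ladder {ladder_ops} ops")
```

The naive count tracks the number of 1 bits in the exponent, which is the signal a timing, power or acoustic measurement picks up; the ladder count depends only on the exponent length.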
Slide 35
Information Disclosures (N.B. Bleichenbacher Attack)
A protocol may respond differently to properly and improperly formed data.
Careful manipulation of data may elicit responses which disclose information about a desired key or decryption value.
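One way to remove the distinguishable responses the slide describes, shown beside the leaky form. This is an added sketch, not code from the slides: it assumes RSA PKCS#1 v1.5 encryption padding (the setting of Bleichenbacher's attack) carrying a 48-byte TLS premaster secret, and the handler names and sample blocks are constructed.

```python
import os

PMS_LEN = 48  # assumed payload: a TLS premaster secret

def unpad_pkcs1_v15(block):
    """Return the payload of 00 02 <8+ nonzero bytes> 00 <payload>, else None."""
    if len(block) < 11 or block[0] != 0 or block[1] != 2:
        return None
    sep = block.find(b"\x00", 2)
    if sep < 10:              # no separator (-1) or fewer than 8 padding bytes
        return None
    return block[sep + 1:]


def leaky_handler(block):
    """Anti-pattern: each failure cause gets its own observable response."""
    payload = unpad_pkcs1_v15(block)
    if payload is None:
        return "alert: bad padding"
    if len(payload) != PMS_LEN:
        return "alert: bad length"
    return "continue handshake"


def uniform_handler(block, rng=os.urandom):
    """Every input gets the same response; malformed ones continue with a
    random secret, so the session fails later exactly like a wrong key would.
    The response is equalized here, not the timing of the padding check."""
    fallback = rng(PMS_LEN)   # drawn before parsing, on every call
    payload = unpad_pkcs1_v15(block)
    well_formed = payload is not None and len(payload) == PMS_LEN
    return "continue handshake", (payload if well_formed else fallback)


# Constructed decrypted blocks (128 bytes, as for a 1024-bit modulus).
GOOD = b"\x00\x02" + b"\xaa" * 77 + b"\x00" + b"\x11" * 48
BAD_PADDING = b"\x00\x01" + GOOD[2:]
BAD_LENGTH = b"\x00\x02" + b"\xaa" * 85 + b"\x00" + b"\x11" * 40

if __name__ == "__main__":
    for name, block in [("good", GOOD), ("bad padding", BAD_PADDING),
                        ("bad length", BAD_LENGTH)]:
        print(f"{name:12} leaky={leaky_handler(block)!r} "
              f"uniform={uniform_handler(block)[0]!r}")
```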
Slide 38
Certificate Revocation
Every reasonable certification should include an expiration.
It is sometimes necessary to revoke a certificate before it expires.
Slide 42
Certificate Revocation
Reasons for revocation
- Key Compromise
- False Issuance
- Role Modification
Slide 45
Certificate Revocation
Two primary mechanisms
- Certificate Revocation Lists (CRLs)
- Online Certificate Status Protocol (OCSP)
Slide 46
Certificate Revocation Lists
A CA revokes a certificate by placing its identifying serial number on its Certificate Revocation List (CRL)
- Every CA issues CRLs to cancel out issued certs
- A CRL is like anti-matter: when it comes into contact with a certificate it lists, it cancels out the certificate
- Think 1970s-style credit-card blacklist
Relying parties are expected to check the most recent CRLs before they rely on a certificate
- The cert is valid unless you hear something telling you otherwise
Slide 47
The Problem with CRLs
Blacklists have numerous problems
- They can grow very large because certs cannot be removed until they expire.
- They are not issued frequently enough to be effective against a serious attack.
- Their size can make them expensive to distribute (especially on low-bandwidth channels).
- They are vulnerable to simple DOS attacks. (What do you do if you can't get the current CRL?)
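The relying-party check from the previous slide and the two failure modes listed above (stale lists and an unreachable CRL), as an added sketch that is not from the slides; the CRL is modelled as a plain dictionary and every serial number, date and function name is constructed.

```python
from datetime import datetime, timezone

def check_revocation(serial, crl, now, fail_open):
    """Decide whether to rely on a cert. `crl` is None if it could not be fetched.

    Returns (accept, reason).
    """
    if crl is None or not (crl["this_update"] <= now < crl["next_update"]):
        # "What do you do if you can't get the current CRL?"
        if fail_open:
            return True, "no current CRL, accepted anyway (soft-fail)"
        return False, "no current CRL, rejected (hard-fail)"
    if serial in crl["revoked"]:
        return False, "serial listed on CRL"
    return True, "valid unless told otherwise"


def utc(day, hour=0):
    return datetime(2011, 1, day, hour, tzinfo=timezone.utc)

# Constructed weekly CRL: issued Jan 20, next one due Jan 27.
CRL = {"this_update": utc(20), "next_update": utc(27), "revoked": {0x1001, 0x1002}}
COMPROMISED = 0x2002   # key compromised Jan 21, after this CRL was issued

SCENARIOS = [
    ("listed serial, current CRL",     0x1001,      CRL,  utc(22), False),
    ("compromised but not yet listed", COMPROMISED, CRL,  utc(22), False),
    ("CRL fetch blocked, soft-fail",   0x1001,      None, utc(22), True),
    ("CRL fetch blocked, hard-fail",   0x1001,      None, utc(22), False),
    ("CRL expired, hard-fail",         0x3003,      CRL,  utc(28), False),
]

def run_scenarios():
    """Map each scenario name to the accept/reject decision."""
    return {name: check_revocation(serial, crl, now, fail_open)[0]
            for name, serial, crl, now, fail_open in SCENARIOS}

if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:32} -> {'ACCEPT' if accepted else 'REJECT'}")
```

The second and third rows are accepted even though the certificate should not be trusted, while the last row shows the availability cost of hard-fail: a certificate that was never revoked is rejected because the list has lapsed.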
Slide 48
More Problems with CRLs
Slide 49
Yet More Problems with CRLs
Revoking a cert used by a CA to issue other certs is even harder since this may invalidate an entire set of certs.
Self-signed certificates are often used as a syntactic convenience. Is it meaningful for a cert to revoke itself?
Slide 50
Even More Problems with CRLs
CRLs can't be revoked.
- If a cert has been mistakenly revoked, the revocation can't be reversed.
CRLs can't be updated.
- There's no mechanism to issue a new CRL to relying parties early even if there's an urgent need to issue new revocations.
Slide 51
Short-Lived Certificates
If you need to go to a CA to get a fresh CRL, why not just go to a CA to get a fresh cert?
Slide 52
CRLs vs. OCSP Responses
Aggregation vs. Freshness
- CRLs combine revocation information for many certs into one long-lived object
- OCSP Responses are designed for real-time responses to queries about the status of a single certificate
Both CRLs & OCSP Responses are generated by the issuing CA or its designate. (Generally this is not the relying party.)
Slide 53
Online Status Checking
OCSP: Online Certificate Status Protocol
- A way to ask "is this certificate good right now?"
- Get back a signed response from the OCSP server saying, "Yes, cert C is good at time t"
- Response is like a freshness certificate
OCSP response is like a selective CRL
- Client indicates the certs for which he wants status information
- OCSP responder dynamically creates a lightweight CRL-like response for those certs
Slide 54
OCSP in Action
[Diagram: message flow among End-entity, CA and Relying Party. Labels: Cert, Cert Request, OCSP Request, OCSP For Cert, OCSP Response, Transaction Response, Cert + Transaction]
Slide 55
Final thoughts on Revocation
From a financial standpoint, it's the revocation data that is valuable, not the issued certificate itself.
- For high-valued financial transactions, seller wants to know your cert is good right now.
- This is similar to credit cards, where the merchant wants the card authorized right now at the point-of-sale.
Card authorizations transfer risk from merchant to bank, thus they're worth $$$.
Slide 56
Design Charrette
How would you design a transit fare card system?
Slide 57
Fare Card System Elements
- An RFID card for each rider
- Readers on each vehicle and/or transit station (Internet connected?)
- Card purchase/payment machines
- A web portal for riders to manage and/or enrich their cards